
IPSec established but cannot ping remote LAN


I have successfully established an IPsec tunnel on my OpenWrt router, but I am unable to ping the remote subnet. Below are the related files and command outputs.

cat ipsec.conf

# strongSwan ipsec.conf (legacy stroke format; the statusall output on this page
# lists the stroke plugin, so this is the file charon reads).
# Site-to-site IKEv2 tunnel with pre-shared keys:
#   192.168.18.0/24 (local, br-lan)  <->  192.168.100.0/24 (remote).
conn vpn3
  keyexchange=ikev2
  # Local IKE endpoint. It is one of the three addresses charon listens on
  # (192.168.18.1, 20.0.0.115, 10.129.170.132). route -n shows 192.168.18.0/24 on
  # br-lan and 20.0.0.0/24 on eth0.2 but no connected route for 10.129.170.x, so
  # this is presumably the 3g-sim point-to-point address -- confirm with `ip addr`.
  # NOTE(review): the main table's lowest-metric default route (metric 1) for
  # 103.44.119.90 is eth0.2, while the charon-installed route in table 220 uses
  # 3g-sim, so the inner and the encapsulated packets may be routed over different
  # interfaces. Together with "0 bytes_i" in statusall and ping working only after
  # `ifdown wan`, that is consistent with the UDP/4500 packets (or the peer's
  # replies) taking eth0.2 instead of 3g-sim -- verify with tcpdump on both.
  left=10.129.170.132
  right=103.44.119.90
  # Traffic selectors; statusall shows exactly this pair INSTALLED.
  leftsubnet=192.168.18.0/24
  rightsubnet=192.168.100.0/24
  # PSK in both directions. authby=secret is the older spelling of the same
  # setting and is redundant next to leftauth/rightauth.
  leftauth=psk
  rightauth=psk
  authby=secret
  # Initiate when charon starts rather than on demand (statusall shows this
  # side as initiator, SPI marked "_i*").
  auto=start
  # Dead peer detection every 30s; after 150s without an answer tear the SA down
  # and re-initiate, retrying indefinitely.
  dpdaction=restart
  dpddelay=30s
  dpdtimeout=150s
  keyingtries=%forever
  # MOBIKE (RFC 4555) allows the IKE_SA to move to another of the listening
  # addresses above if the path changes; use mobike=no if the tunnel must stay
  # pinned to 10.129.170.132 -- presumably not needed, confirm.
  mobike=yes
  # Strict proposals (trailing "!"); statusall confirms
  # AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 was negotiated. SHA-1 integrity
  # and the 1024-bit MODP group are below current recommendations; prefer e.g.
  # aes256-sha256-modp2048 if the peer supports it. The DH group in esp= enables
  # PFS on CHILD_SA rekeys.
  ike=aes128-sha1-modp1024!
  esp=aes128-sha1-modp1024!
  # 8h IKE_SA and CHILD_SA lifetimes ("reauthentication in 7 hours" /
  # "rekeying in 7 hours" in statusall).
  ikelifetime=28800s
  lifetime=28800s
  type=tunnel
  # Always UDP-encapsulate ESP (port 4500) even when no NAT is detected; statusall
  # shows "ESP in UDP", so the firewall's UDP/4500 rule, not the ESP rule, is what
  # carries the tunnel data.
  forceencaps=yes

ipsec statusall

Status of IKE charon daemon (strongSwan 5.8.2, Linux 4.14.241, mips):
  uptime: 5 minutes, since Apr 08 13:10:22 2022
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon aes des sha2 sha1 md4 md5 random nonce x509 pubkey gmp xcbc hmac kernel-netlink socket-default stroke updown
Listening IP addresses:
  192.168.18.1
  20.0.0.115
  10.129.170.132
Connections:
        vpn3:  10.129.170.132...103.44.119.90  IKEv2, dpddelay=30s
        vpn3:   local:  [10.129.170.132] uses pre-shared key authentication
        vpn3:   remote: [103.44.119.90] uses pre-shared key authentication
        vpn3:   child:  192.168.18.0/24 === 192.168.100.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
        vpn3[1]: ESTABLISHED 5 minutes ago, 10.129.170.132[10.129.170.132]...103.44.119.90[103.44.119.90]
        vpn3[1]: IKEv2 SPIs: e0ed3277e33b4d3a_i* 8f061450adb08c76_r, pre-shared key reauthentication in 7 hours
        vpn3[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
        vpn3{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c300f0e5_i c148ff6a_o
        vpn3{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 22764 bytes_o (271 pkts, 62s ago), rekeying in 7 hours
        vpn3{1}:   192.168.18.0/24 === 192.168.100.0/24

ip route list table 220

192.168.100.0/24 via 10.64.64.64 dev 3g-sim proto static src 192.168.18.1

route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         20.0.0.2        0.0.0.0         UG    1      0        0 eth0.2
0.0.0.0         10.64.64.64     0.0.0.0         UG    2      0        0 3g-sim
10.64.64.64     0.0.0.0         255.255.255.255 UH    0      0        0 3g-sim
20.0.0.0        0.0.0.0         255.255.255.0   U     1      0        0 eth0.2
192.168.18.0    0.0.0.0         255.255.255.0   U     0      0        0 br-lan

cat /etc/config/firewall

# /etc/config/firewall (OpenWrt UCI, fw3 syntax). Zones: lan (network lan),
# wan (networks wan + sim, i.e. eth0.2 and 3g-sim per route -n) and an empty
# "vpn" zone. Review remarks are marked NOTE(review).
config defaults
        option output 'ACCEPT'
        option synflood_protect '1'
        # NOTE(review): these defaults apply to traffic matching no zone; the
        # stock OpenWrt values are REJECT for both input and forward.
        option input 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option output 'ACCEPT'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        # Clamp TCP MSS to the path MTU on this zone.
        option mtu_fix '1'
        # NOTE(review): input and forward ACCEPT on the WAN-facing zone means every
        # service on the router, and every forwarded flow, is reachable from the
        # Internet and from the cellular network; the Allow-* rules below are then
        # redundant. The usual setting is REJECT for both, keeping the explicit
        # allow rules for IKE (UDP 500/4500), ESP and ICMP.
        option input 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wan'
        list network 'sim'
        # Masquerade everything leaving eth0.2 / 3g-sim. Tunnel traffic must be
        # exempted (see the nat POSTROUTING policy rule on this page), otherwise its
        # source is rewritten and no longer matches the
        # 192.168.18.0/24 === 192.168.100.0/24 selector.
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'wan'

# The following Allow-* rules match those shipped in OpenWrt's default firewall
# config. With the wan zone at input/forward ACCEPT they currently have no effect.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        # NOTE(review): a rule with both src and dest is a *forwarding* rule in fw3
        # (the stock rule is meant for an IPsec endpoint behind the router). Here
        # IKE and ESP terminate on the router itself, so this rule and Allow-ISAKMP
        # should be input rules -- drop `option dest 'lan'` -- like the 'ipsec_nat'
        # rule further down. Only harmless today because wan input is ACCEPT.
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        # NOTE(review): same forwarding-vs-input issue as Allow-IPSec-ESP above.
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Loaded on every firewall reload; presumably where the nat POSTROUTING
# exemption shown on this page is kept -- confirm.
config include
        option path '/etc/firewall.user'

config zone
        # NOTE(review): this zone has no network/device/subnet member, so it
        # matches no traffic and the two lan<->vpn forwardings below are no-ops.
        # With policy-based strongSwan (no xfrm/vti interface appears on this
        # page) decrypted packets arrive on the WAN-facing interface and are
        # classified into the wan zone. One way to give them their own zone is
        # `list subnet '192.168.100.0/24'` here (the rightsubnet from ipsec.conf)
        # -- confirm against the fw3 docs for this release.
        option name 'vpn'
        option output 'ACCEPT'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option mtu_fix '1'

# Input rule (src only, no dest) admitting IKE / NAT-T on UDP 4500 to the router.
# statusall shows the SA running "ESP in UDP" (forceencaps=yes), so this is the
# rule the tunnel actually relies on.
config rule 'ipsec_nat'
        option target 'ACCEPT'
        option name 'IPsec NAT-T'
        option src 'wan'
        option proto 'udp'
        option dest_port '4500'

config forwarding
        option dest 'vpn'
        option src 'lan'

config forwarding
        option dest 'lan'
        option src 'vpn'

iptables rule

# Exempt packets that match an outbound IPsec (xfrm) policy from the masquerade
# that the wan zone's `masq '1'` installs, so their 192.168.18.0/24 source is kept
# and they still match the 192.168.18.0/24 === 192.168.100.0/24 selector.
# `-I` inserts at the top of nat POSTROUTING, ahead of the jump into fw3's zone
# chains. It has to be re-added after every firewall reload -- presumably from
# /etc/firewall.user, which the firewall config on this page includes; confirm.
iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT

One thing I have observed is that whenever I run `ifdown wan`, I start getting ping replies. I think my traffic is going through the default route rather than through IPsec. Please help.



Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.