Strongswan and USG40 setup

popa Posts: 2
edited April 2021 in Security
Hi Guys,

I have setup an IPsec tunnel (with VTI interfaces) between a USG40 and a linux box (using strongswan). Both phases of the tunnel complete successfully and the tunnel is fully UP. Below is a schematic of the setup:



So the problem is that when I ping the USG40's VTI interface from the remote server, the USG receives it and replies to it, but it never gets back to the server. I did a packet capture on the USG's VTI int, and below is the output:

20:00:38.855199 IP (tos 0x0, ttl 64, id 19789, offset 0, flags [DF], proto ICMP (1), length 84)
    10.0.51.1 > 10.0.51.2: ICMP echo request, id 15142, seq 42, length 64
20:00:38.855708 IP (tos 0x0, ttl 64, id 51490, offset 0, flags [none], proto ICMP (1), length 84)
    10.0.51.2 > 10.0.51.1: ICMP echo reply, id 15142, seq 42, length 64

The RX and TX counters for the USG int are incrementing with each ping, and a netstat -i on the server VTI int shows TX hits but no RX hits.

I've made ALL secure-policy rules permissive, so the default is to allow all traffic, to ensure that no rule is blocking traffic. The logs confirm that traffic is being "forwarded" (ACCESS FORWARD).

Here is the strongSwan config for anyone interested:

conn swiss1
        # tunnel mode, IKEv2, pre-shared-key authentication
        type=tunnel
        # proposals: 3DES with HMAC-MD5 (legacy algorithms), DH group 14 (modp2048) for IKE
        ike=3des-md5-modp2048
        esp=3des-md5
        keyexchange=ikev2
        authby=secret
        # always UDP-encapsulate ESP (NAT-T, UDP/4500), even when no NAT is detected
        forceencaps=yes
        # mark stamped on the SAs; the VTI device is created with the matching key 100
        mark=100
        # custom updown script that brings up the VTI with the inner address and MTU
        leftupdown="/usr/local/sbin/ipsec-int-updown.sh --sourceip 10.0.51.1/24 --mtu 1370"
        leftsourceip=10.0.51.1/24
        # local public address (redacted in the post)
        left=95.183.x.x
        # wide selectors: with a VTI, the route and the mark decide what enters the tunnel
        leftsubnet=0.0.0.0/0
        # peer address as posted
        right=%
        rightsubnet=10.0.50.0/24,10.0.51.0/24
        auto=start

Please advise.

Comments

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,426  Zyxel Employee
    Hi @popa,
    A quick question: is the Linux server running as a NAT router (with two NICs) to establish a site-to-site VPN, or is it just a simple host connecting to the USG to access the USG subnet?
    Client to site (host to subnet) or site to site (subnet to subnet)?
  • popa
    popa Posts: 2
    Thanks for the response.
    Managed to sort it out. Turned out the ISP was dropping the ESP packets. Using a different provider fixed the issue.
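The capture in the original post was taken on the USG's VTI, which only shows the cleartext inner packets; it cannot tell whether the encrypted reply ever crossed the Internet. On the Linux side, the quickest way to separate "ESP never arrives" (the ISP case above) from an inner routing or policy problem is the per-SA counters in `ip -s xfrm state`: the outbound SA (src = our public address) increments with every ping, while the inbound SA (dst = our public address) stays at zero packets. The script below is an added example for this thread, not code from the poster or from strongSwan. It parses that output and classifies the tunnel; the local address and the sample output are constructed (the real `95.183.x.x` is redacted in the post), and the peer address, SPIs and keys are made up.

```python
"""Is ESP actually arriving?  Compare per-direction counters from `ip -s xfrm state`.

Added example for this thread; not code from the original post or from strongSwan.
The local address and the sample output below are constructed for illustration.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional

LOCAL_ADDR = "95.183.0.1"  # hypothetical stand-in for the poster's redacted 95.183.x.x

# Constructed sample in the format printed by iproute2's `ip -s xfrm state`:
# the outbound SA (src = us) has carried 42 packets, one per ping sent, while
# the inbound SA (dst = us) has never decrypted anything.  Both SAs carry the
# mark 0x64 (= mark=100 in the conn) and UDP encapsulation (forceencaps=yes).
SAMPLE_XFRM_STATE = """\
src 95.183.0.1 dst 203.0.113.10
\tproto esp spi 0xc8a1b2c3 reqid 1 mode tunnel
\treplay-window 0 flag af-unspec
\tmark 0x64/0xffffffff
\tauth-trunc hmac(md5) 0x0123456789abcdef0123456789abcdef 96
\tenc cbc(des3_ede) 0x0123456789abcdef0123456789abcdef0123456789abcdef
\tencap type espinudp sport 4500 dport 4500 addr 0.0.0.0
\tsel src 0.0.0.0/0 dst 0.0.0.0/0
\tlifetime current:
\t  4200(bytes), 42(packets)
\t  add 2021-04-10 19:59:55 use 2021-04-10 20:00:38
\tstats:
\t  replay-window 0 replay 0 failed 0
src 203.0.113.10 dst 95.183.0.1
\tproto esp spi 0x0d0e0f10 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\tmark 0x64/0xffffffff
\tauth-trunc hmac(md5) 0xfedcba9876543210fedcba9876543210 96
\tenc cbc(des3_ede) 0xfedcba9876543210fedcba9876543210fedcba9876543210
\tencap type espinudp sport 4500 dport 4500 addr 0.0.0.0
\tsel src 0.0.0.0/0 dst 0.0.0.0/0
\tlifetime current:
\t  0(bytes), 0(packets)
\t  add 2021-04-10 19:59:55 use -
\tstats:
\t  replay-window 0 replay 0 failed 0
"""

NO_SA, NO_OUTBOUND, NO_INBOUND, BOTH_WAYS = "no_esp_sa", "no_outbound_esp", "no_inbound_esp", "esp_both_ways"


@dataclass
class Sa:
    src: str
    dst: str
    spi: str
    mark: Optional[str]
    udp_encap: bool
    packets: int
    failed: int  # integrity/decryption failures counted on this SA


def parse_xfrm_state(text: str) -> List[Sa]:
    """Split `ip -s xfrm state` output into one Sa per ESP state block."""
    sas: List[Sa] = []
    for block in re.split(r"(?m)^(?=src \S+ dst )", text):  # blocks start with an unindented 'src'
        head = re.match(r"src (\S+) dst (\S+)", block)
        spi = re.search(r"proto esp spi (0x[0-9a-fA-F]+)", block)
        if not head or not spi:
            continue  # leading empty chunk, or an AH/IPComp state we do not care about
        mark = re.search(r"(?m)^\s*mark (\S+)", block)
        cur = re.search(r"lifetime current:\s*(\d+)\(bytes\),\s*(\d+)\(packets\)", block)
        failed = re.search(r"\bfailed (\d+)", block)
        sas.append(Sa(head.group(1), head.group(2), spi.group(1),
                      mark.group(1) if mark else None,
                      "encap type espinudp" in block,
                      int(cur.group(2)) if cur else 0,
                      int(failed.group(1)) if failed else 0))
    return sas


def diagnose(sas: List[Sa], local_addr: str) -> Dict[str, object]:
    """Classify the tunnel by which direction has ever carried ESP."""
    out_pkts = sum(s.packets for s in sas if s.src == local_addr)
    in_pkts = sum(s.packets for s in sas if s.dst == local_addr)
    in_failed = sum(s.failed for s in sas if s.dst == local_addr)
    udp = any(s.udp_encap for s in sas)
    outer_filter = "udp port 4500" if udp else "esp"  # what to tcpdump on the WAN interface
    if not sas:
        verdict, why = NO_SA, "no ESP SA installed: IKE has not finished, look at the IKE log first"
    elif out_pkts == 0:
        verdict, why = NO_OUTBOUND, "nothing enters the tunnel: check the route/mark steering traffic onto the VTI"
    elif in_pkts == 0:
        verdict, why = NO_INBOUND, (f"{out_pkts} ESP packets sent, none ever received: replies are lost between "
                                    f"the peer and this host (upstream filtering, NAT, or the peer not routing "
                                    f"into the tunnel); confirm with tcpdump -ni <wan> '{outer_filter}'")
    else:
        verdict, why = BOTH_WAYS, "ESP flows both ways: the problem is inner routing or policy, not the transport"
    if in_failed:
        why += f"; {in_failed} inbound packets failed integrity/decryption"
    return {"verdict": verdict, "outbound_packets": out_pkts, "inbound_packets": in_pkts,
            "inbound_failed": in_failed, "udp_encap": udp, "explanation": why}


if __name__ == "__main__":
    # Live run (needs root to dump SAs): feed the real counters instead of the sample.
    live = subprocess.run(["ip", "-s", "xfrm", "state"], capture_output=True, text=True, check=True).stdout
    for key, value in diagnose(parse_xfrm_state(live), LOCAL_ADDR).items():
        print(f"{key}: {value}")
```

Run it on the strongSwan host while pinging across the tunnel. On the sample it reports `no_inbound_esp` with 42 packets out and 0 in, which is exactly the signature of an upstream drop: strongSwan is sending, the peer (as the USG capture shows) is replying, and nothing is ever handed to the inbound SA. Because `forceencaps=yes` wraps ESP in UDP/4500, the suggested outer-interface filter is `udp port 4500` rather than `esp`.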