On Mon, May 04, 2020 at 04:03:13PM +0100, Michael Tremer wrote:
> Hi Stephan,
>
> What is the output of “ipsec statusall” on both systems?
>
> Best,
> -Michael
>
> > On 30 Apr 2020, at 22:28, Stephan Mending wrote:
> >
> > Hello,
> >
> > I have a situation. ;)
> >
> > It looks like the following:
> >
> >
> > (SRV-01) ----------- (IPFIRE) -------orange------- (SRV-02)
> >
> > public-IP             192.168.0.100
> >
> >
> > SRV-01 is hooked up to the IPFire via a roadwarrior IPsec connection. Establishment of the tunnel works as one would expect.
> >
> > Ping from SRV-02 to SRV-01 works fine and passes through the tunnel. So far, so good.
> >
> > Ping from SRV-01 to SRV-02 does not.
> >
> >
> > Is iptables blocking? No, I did check that. Nothing.
> >
> > IPS? No, neither.
> >
> >
> > So what's the matter? When watching the interface using tcpdump I can see ESP packets and afterwards the unencrypted ICMP echo request content (both on ppp0). That is the end.
> >
> > And the packet is never seen again after that.
> >
> > Anyone an idea?
> >
> >
> > (Yes, SRV-02 accepts incoming ICMP type 8 and outgoing type 0.)
> >
> >
> > Best regards,
> >
> > Stephan
> >
> >

Hi Michael,

thanks for your reply. I have done some changes to the setup, just because of logical issues it had. So the situation changed, but a problem persists. Maybe this "problem" is intentionally that way. I'll explain.

One has to know: the machine (SRV-01) in the datacenter is running OpenBSD, using iked(8) to connect to the strongSwan IPsec daemon. That works pretty fine so far. DPD and rekeying are not a problem either.

But there seems to be an issue on IPFire's side, because from SRV-01 I cannot reach SRV-02 via ICMP or TCP ... So to make sure that this isn't an issue with the packet filter or routing table on SRV-01, I checked via tcpdump that the packets I am sending to SRV-02 really reach the firewall. They do. Though as soon as I have pinged or reached out once to SRV-01 from SRV-02, it works the other way around as well. That's one thing. There are ways to work around it. (-> They're ugly, but they exist.)

*** Next issue I was granted to witness.

After a few hours of the connection being established (and being re-established due to rekeying etc.) strongSwan just stops answering. The log on SRV-01 says:

Retransmit 1 IKE_SA_INIT ...

And it keeps trying to retransmit 'til eternity (and is unsuccessful at it). So again I check if those retransmits reach the IPFire box. And yes, they do. I can see the packets raining in on the ppp0 interface.

To resolve this issue I have to restart the connection from the IPFire web UI (by clicking the restart button).

Options for the connection on IPFire are: DPD -> clear and Connection type: Wait for initiation.

I really hope you can help me here. I'd really appreciate it a lot. Thanks!

Best regards,
Stephan
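As an added example for this thread (editor's code, not from IPFire, strongSwan or the poster), the script below turns the “ipsec statusall” request above into a mechanical check. It parses the text that strongSwan's `ipsec statusall` prints, collects the IKE_SAs and CHILD_SAs with their traffic selectors, and reports whether an INSTALLED CHILD_SA covers a flow in each direction. The sample status output, the connection name "roadwarrior" and every address in it are constructed for the example.

```python
"""Triage helper for one-way IPsec traffic: parse `ipsec statusall` output.

Added example for this thread, not IPFire or strongSwan code.  For a flow that
only works in one direction, the first question is whether an INSTALLED
CHILD_SA's selectors cover src -> dst and the mirror flow dst -> src.
SAMPLE_STATUSALL, the connection name and all addresses are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field

SAMPLE_STATUSALL = """\
Status of IKE charon daemon (strongSwan 5.8.2, Linux 4.14.171-ipfire, x86_64):
Connections:
   roadwarrior:  %any...%any  IKEv2, dpddelay=30s
   roadwarrior:   child:  192.168.0.0/24 === dynamic TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
   roadwarrior[7]: ESTABLISHED 41 minutes ago, 203.0.113.10[fw.example.org]...198.51.100.5[srv01]
   roadwarrior[7]: IKEv2 SPIs: 1a2b3c4d5e6f7a8b_i 8b7a6f5e4d3c2b1a_r*, pre-shared key reauthentication in 2 hours
   roadwarrior{3}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c9d8e7f6_i a1b2c3d4_o
   roadwarrior{3}:  192.168.0.0/24 === 198.51.100.5/32
"""

# "name[7]: STATE ..." lines are IKE_SAs; "name{3}: ..." lines are CHILD_SAs (a state
# line, then the selector line "local === remote").  State words are 5+ capitals, so
# the "IKEv2 SPIs:" line is not mistaken for a state line.
_STATE = r"(?P<state>[A-Z][A-Z_]{4,})"
IKE_SA_RE = re.compile(r"^\s*(?P<name>[^\[{]+)\[(?P<id>\d+)\]:\s+" + _STATE)
CHILD_STATE_RE = re.compile(r"^\s*(?P<name>[^\[{]+)\{(?P<id>\d+)\}:\s+" + _STATE + ",")
CHILD_TS_RE = re.compile(r"^\s*(?P<name>[^\[{]+)\{(?P<id>\d+)\}:\s+(?P<local>.+?)\s+===\s+(?P<remote>.+?)\s*$")


@dataclass
class ChildSa:
    name: str
    uid: int
    state: str = ""
    local_ts: list = field(default_factory=list)
    remote_ts: list = field(default_factory=list)


def _selectors(text):
    """'10.0.0.0/24 10.1.0.0/24[tcp/22]' -> ip_network list; proto/port qualifiers dropped."""
    nets = []
    for tok in re.split(r"[\s,]+", text.strip()):
        tok = tok.split("[", 1)[0]
        if tok and tok != "dynamic":
            nets.append(ipaddress.ip_network(tok, strict=False))
    return nets


def parse_statusall(text):
    """Return ({(name, id): ike_state}, [ChildSa, ...]) from `ipsec statusall` text."""
    ike_sas, child_sas = {}, {}
    for line in text.splitlines():
        m = CHILD_TS_RE.match(line)
        if m:
            key = (m["name"].strip(), int(m["id"]))
            sa = child_sas.setdefault(key, ChildSa(*key))
            sa.local_ts += _selectors(m["local"])
            sa.remote_ts += _selectors(m["remote"])
            continue
        m = CHILD_STATE_RE.match(line)
        if m:
            key = (m["name"].strip(), int(m["id"]))
            child_sas.setdefault(key, ChildSa(*key)).state = m["state"]
            continue
        m = IKE_SA_RE.match(line)
        if m:
            ike_sas[(m["name"].strip(), int(m["id"]))] = m["state"]
    return ike_sas, list(child_sas.values())


def covering_sa(child_sas, src, dst):
    """INSTALLED CHILD_SA whose selectors cover src -> dst (either orientation), else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for sa in child_sas:
        if sa.state != "INSTALLED":
            continue
        fwd = any(s in n for n in sa.local_ts) and any(d in n for n in sa.remote_ts)
        rev = any(s in n for n in sa.remote_ts) and any(d in n for n in sa.local_ts)
        if fwd or rev:
            return sa
    return None


def triage(text, host_a, host_b):
    """What the status output says about traffic between host_a and host_b, both ways."""
    ike_sas, child_sas = parse_statusall(text)
    report = {
        "ike_established": any(st == "ESTABLISHED" for st in ike_sas.values()),
        "installed_children": sum(sa.state == "INSTALLED" for sa in child_sas),
    }
    for a, b in ((host_a, host_b), (host_b, host_a)):
        sa = covering_sa(child_sas, a, b)
        report[f"{a}->{b}"] = f"{sa.name}{{{sa.uid}}}" if sa else None
    return report


if __name__ == "__main__":
    # SRV-01's tunnel address and a host on the orange network (both constructed).
    for item in triage(SAMPLE_STATUSALL, "198.51.100.5", "192.168.0.20").items():
        print("%32s: %s" % item)
```

Run it against the real output from both ends of the tunnel. If a flow shows no covering CHILD_SA in one direction, the selectors or the child state are the problem; if both directions are covered and the IKE_SA is ESTABLISHED, the policy side is fine and the one-way symptom has to be chased in routing and the packet filter after decryption. If the peer is logging IKE_SA_INIT retransmits while no matching IKE_SA appears in this output at all, the peer is trying to negotiate a fresh IKE_SA that charon is not answering.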