Hi Guys,
I am configuring an IKEv2 IPsec tunnel (w/ VTI), and have attached a schema to help you guys understand the setup.
The remote server is running strongswan. Both IPsec phases pass successfully, and the VTI interface is created and UP on both ends.
However, I had an issue whereby tunnel traffic on the USG ends up getting lost somewhere.
When I ping the USG's VTI from the server, the USG gets the response, replies to it but it never reaches the server (confirmed via a packet capture on the USG).
There are Tx hits but no Rx hits for the server VTI, however the USG VTI has both Rx and Tx hits.
The FW is behind a NAT, and I am doing NAT-T. I am running the latest firmware. Below is my strongswan config:
conn swiss1
    type=tunnel
    # IKE (phase 1) and ESP (phase 2) proposals
    ike=3des-md5-modp2048
    esp=3des-md5
    keyexchange=ikev2
    authby=secret
    # force UDP encapsulation (NAT-T) even if no NAT is detected
    forceencaps=yes
    # XFRM mark; must match the key configured on the VTI interface
    mark=100
    leftupdown="/usr/local/sbin/ipsec-int-updown.sh --sourceip 10.0.51.1/24 --mtu 1370"
    leftsourceip=10.0.51.1/24
    left=95.183.52.144
    # route-based tunnel: local selector covers everything
    leftsubnet=0.0.0.0/0
    right=%
    rightsubnet=10.0.48.0/22
    auto=start
Just really puzzled with this one. I should be able to ping each VTI endpoint at the very least, but the USG is losing the traffic somewhere.
Any advice?
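Added example, not part of the post or of strongSwan: a small checker that parses a strongSwan ipsec.conf `conn` block like the one above and reports the settings most worth verifying when a route-based VTI tunnel comes up but only passes traffic one way. It flags proposal tokens that are no longer considered adequate (the posted `3des-md5` proposals would be reported), compares the `mark=` value against the key configured on the local VTI interface (the key value is an assumption, since the post does not show the VTI configuration), and checks that the tunnel network implied by `leftsourceip` lies inside `rightsubnet`, because replies from the peer's tunnel address are only accepted by the inbound IPsec policy when that address matches the selector. The sample conn text is constructed from the post with the peer addresses omitted.

```python
"""Added example (not from the post or from strongSwan): parse one
ipsec.conf 'conn' block and report settings that commonly explain
one-way VTI traffic or weaken the tunnel.  The conn text below is
constructed from the post; the VTI key argument is an assumption."""
import ipaddress

# Constructed from the post's conn block (peer addresses omitted).
SAMPLE_CONN = """\
conn swiss1
    type=tunnel
    ike=3des-md5-modp2048
    esp=3des-md5
    keyexchange=ikev2
    authby=secret
    forceencaps=yes
    mark=100
    leftupdown="/usr/local/sbin/ipsec-int-updown.sh --sourceip 10.0.51.1/24 --mtu 1370"
    leftsourceip=10.0.51.1/24
    leftsubnet=0.0.0.0/0
    rightsubnet=10.0.48.0/22
    auto=start
"""

# Algorithm tokens that no longer belong in a new tunnel proposal.
WEAK_TOKENS = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536"}


def parse_conn(text):
    """Return (name, params) for the first 'conn' block in ipsec.conf text."""
    name, params = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if line.startswith("conn "):
            if name is not None:
                break                              # a second block starts; stop
            name = line.split(None, 1)[1].strip()
        elif name is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            params[key.strip()] = value.strip().strip('"')
    return name, params


def weak_algorithms(proposal):
    """Weak tokens found in an ike=/esp= proposal such as '3des-md5-modp2048'."""
    found = []
    for prop in proposal.split(","):
        for tok in prop.split("-"):
            tok = tok.lower()
            if tok.startswith("prf"):              # prfsha1 -> sha1
                tok = tok[3:]
            if tok in WEAK_TOKENS and tok not in found:
                found.append(tok)
    return found


def check_conn(params, vti_key=None):
    """Return findings as (severity, message).  vti_key is the ikey/okey
    configured on the local VTI interface (assumed; not shown in the post)."""
    findings = []
    for key in ("ike", "esp"):
        weak = weak_algorithms(params.get(key, ""))
        if weak:
            findings.append(("weak", f"{key}= uses {'/'.join(weak)}; "
                             "prefer an AEAD proposal such as aes256gcm16-prfsha384-ecp384"))
    # Route-based tunnels: the XFRM mark must equal the VTI key, otherwise
    # packets sent into the VTI never match an IPsec policy and are dropped.
    mark = params.get("mark")
    if vti_key is not None and mark is not None:
        if int(mark.split("/")[0]) != vti_key:     # strongSwan allows mark=value/mask
            findings.append(("error", f"mark={mark} does not match VTI key {vti_key}"))
    # Traffic selectors: replies from the peer's tunnel address are only
    # accepted by the inbound policy if that address lies inside rightsubnet.
    src, rs = params.get("leftsourceip"), params.get("rightsubnet")
    if src and rs:
        tunnel_net = ipaddress.ip_interface(src).network
        if not tunnel_net.subnet_of(ipaddress.ip_network(rs)):
            findings.append(("error", f"tunnel network {tunnel_net} is outside rightsubnet={rs}"))
    return findings


if __name__ == "__main__":
    conn_name, conn_params = parse_conn(SAMPLE_CONN)
    for severity, msg in check_conn(conn_params, vti_key=100):
        print(f"[{severity}] {conn_name}: {msg}")
```

Run against the posted block with a matching VTI key, the checker reports only the two weak-proposal findings; the selector check passes because 10.0.51.0/24 lies inside 10.0.48.0/22, so a mismatch there is not what is dropping the replies in this setup.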