Strongswan VPN successful, but cannot ping anything

Tags: strongswan, vpn

I'm on an Arch Linux system trying to connect to my company VPN, which is served by a Juniper SRX100H.
I'm trying to connect with strongSwan (5.5.3-3), and it seems to be successful:

Starting strongSwan 5.5.3 IPsec [starter]...
generating QUICK_MODE request 2638887156 [ HASH SA No KE ID ID ]
sending packet: from 192.168.1.204[4500] to 10.0.0.1[4500] (396 bytes)
received packet: from 10.0.0.1[4500] to 192.168.1.204[4500] (364 bytes)
parsed QUICK_MODE response 2638887156 [ HASH SA No KE ID ID ]
CHILD_SA test{2} established with SPIs cad5681f_i 4015b7bd_o and TS 192.168.1.204/32 === 192.168.32.0/24
connection 'test' established successfully

The problem is that after that I can't ping anything but 10.0.0.1, which returns a response. I can't reach any of the peers inside 192.168.32.0/24.

My ipsec.conf looks like:

conn test
    left=%any
    leftid=test@SRX100-local.de
    leftauth=psk
    leftauth2=xauth
    rightsubnet=192.168.32.0/24
    rightid=10.0.0.1
    rightauth=psk
    auto=start
    xauth_identity=USER
    esp=aes256-sha1-modp1536
    ike=aes256-sha2_256-modp1536
    aggressive=yes
    type=tunnel

The output of `ip route show` is:

default via 192.168.1.1 dev wlp3s0 proto static metric 600
192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.204 metric 600

Other clients (Windows) can connect with NCP Secure Client, so I guess it's not a firewall issue on the Juniper side.

Any help would be appreciated 🙂

Update

Output of `iptables-save`:

# Generated by iptables-save v1.6.1 on Tue Aug  8 11:24:43 2017
*filter
:INPUT ACCEPT [5:2010]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7:999]
-A INPUT -s 192.168.32.0/24 -d 192.168.1.204/32 -i wlp3s0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A OUTPUT -s 192.168.1.204/32 -d 192.168.32.0/24 -o wlp3s0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
COMMIT
# Completed on Tue Aug  8 11:24:43 2017

The charon_debug.log is here: https://pastebin.com/jYiqpLip

Best Answer

With help from @ecdsa via IRC:

The missing properties were leftsourceip=%config and modeconfig=push, because the Juniper is pushing the required settings to the client.
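The symptom that points at this fix is visible in the question's own log line: the local traffic selector is 192.168.1.204/32, the client's physical LAN address, rather than a gateway-assigned virtual IP. The following check is an added example, not from the question, the answer, or strongSwan itself; it parses that log line and flags the case where the local TS equals the physical interface address. The function and variable names are my own.

```shell
#!/bin/sh
# Added diagnostic, not part of the original post.
# Input: the "CHILD_SA ... established ... TS <local> === <remote>" line that
# charon logs, plus the client's physical interface address.
# Output: a hint when the local TS is the physical address, which means no
# virtual IP was assigned and the gateway will not route replies back.

# Log line copied from the question (the only sample input used here).
LOG_LINE='CHILD_SA test{2} established with SPIs cad5681f_i 4015b7bd_o and TS 192.168.1.204/32 === 192.168.32.0/24'

# Print the local traffic selector, e.g. 192.168.1.204/32.
local_ts() {
    printf '%s\n' "$1" | sed -n 's/.* and TS \([^ ]*\) === .*/\1/p'
}

# Print the remote traffic selector, e.g. 192.168.32.0/24.
remote_ts() {
    printf '%s\n' "$1" | sed -n 's/.* === \([^ ]*\).*/\1/p'
}

# Physical IPv4 address of an interface (live system only; not used by the test).
phys_ip_of_dev() {
    ip -4 -o addr show dev "$1" | awk '{print $4}' | cut -d/ -f1 | head -n 1
}

# Exit status 1 when the local TS is the physical address (problem found),
# 0 when a different address (a virtual IP) was negotiated.
check_local_ts() {
    line=$1
    phys_ip=$2
    ts=$(local_ts "$line")
    case "$ts" in
        "$phys_ip/32")
            echo "local TS $ts is the physical address of this host: no virtual IP assigned."
            echo "Add leftsourceip=%config (and modeconfig=push if the gateway pushes config)."
            return 1 ;;
        *)
            echo "local TS $ts differs from $phys_ip: virtual IP in use."
            return 0 ;;
    esac
}

# Live usage (assumes wlp3s0 as in the question):
#   check_local_ts "$(grep 'established with SPIs' /var/log/charon.log | tail -n 1)" "$(phys_ip_of_dev wlp3s0)"
```

On a live system the same comparison can be made against `ip route show table 220`, where strongSwan installs the route for the remote subnet once a virtual IP is assigned.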
