Hello, my name is Na Hongyeon and I live in Korea.
When I connect using MSCHAP-V2 for EAP authentication with StrongSwan,
it says that it was successful, but when I ping test it, there is no
actual connection.
Below is the output from the command "ipsec up Leo-CoreaVPN-C".
I was wondering if the firewall was a problem, but I never set it up
after installing OpenBSD, and I tried to stop the pf daemon just in
case, but it was the same.
FYI, when I used FreeBSD, it went well. But I like OpenBSD, so I want to
keep using it, so could you help me with how?
I think the strongSwan version is a bit old in the current port. Can I
solve it if I use the latest version?
====================================================================================
"uname -a"
OpenBSD susemi-ThinkPad.my.domain 7.6 GENERIC.MP#1 amd64
Below is the output from the command "ipsec up Leo-CoreaVPN-C".
====================================================================================
initiating IKE_SA Leo-CoreaVPN-C[1] to 183.96.249.15
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.1.86[500] to 183.96.249.15[500] (884 bytes)
received packet: from 183.96.249.15[500] to 192.168.1.86[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group ECP_256, it requested MODP_3072
initiating IKE_SA Leo-CoreaVPN-C[1] to 183.96.249.15
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.1.86[500] to 183.96.249.15[500] (1204 bytes)
received packet: from 183.96.249.15[500] to 192.168.1.86[500] (592 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
local host is behind NAT, sending keep alives
remote host is behind NAT
sending cert request for "C=KR, O=LinuxLab, CN=CoreaVPN Root CA"
establishing CHILD_SA Leo-CoreaVPN-C{1}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 192.168.1.86[4500] to 183.96.249.15[4500] (432 bytes)
received packet: from 183.96.249.15[4500] to 192.168.1.86[4500] (1236 bytes)
parsed IKE_AUTH response 1 [ EF(1/2) ]
received fragment #1 of 2, waiting for complete IKE message
received packet: from 183.96.249.15[4500] to 192.168.1.86[4500] (852 bytes)
parsed IKE_AUTH response 1 [ EF(2/2) ]
received fragment #2 of 2, reassembled fragmented IKE message (2016 bytes)
parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
received end entity cert "C=KR, O=LinuxLab, CN=leo.coreavpn.net"
using certificate "C=KR, O=LinuxLab, CN=leo.coreavpn.net"
using trusted ca certificate "C=KR, O=LinuxLab, CN=CoreaVPN Root CA"
checking certificate status of "C=KR, O=LinuxLab, CN=leo.coreavpn.net"
certificate status is not available
reached self-signed root ca with a path length of 0
authentication of 'leo.coreavpn.net' with RSA_EMSA_PKCS1_SHA2_384 successful
server requested EAP_IDENTITY (id 0x00), sending 'susemi'
generating IKE_AUTH request 2 [ EAP/RES/ID ]
sending packet: from 192.168.1.86[4500] to 183.96.249.15[4500] (80 bytes)
received packet: from 183.96.249.15[4500] to 192.168.1.86[4500] (112 bytes)
parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
server requested EAP_MSCHAPV2 authentication (id 0x7F)
generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
sending packet: from 192.168.1.86[4500] to 183.96.249.15[4500] (144 bytes)
received packet: from 183.96.249.15[4500] to 192.168.1.86[4500] (144 bytes)
parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
EAP-MS-CHAPv2 succeeded: 'Welcome2strongSwan'
generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
sending packet: from 192.168.1.86[4500] to 183.96.249.15[4500] (80 bytes)
received packet: from 183.96.249.15[4500] to 192.168.1.86[4500] (80 bytes)
parsed IKE_AUTH response 4 [ EAP/SUCC ]
EAP method EAP_MSCHAPV2 succeeded, MSK established
authentication of 'susemi' (myself) with EAP
generating IKE_AUTH request 5 [ AUTH ]
sending packet: from 192.168.1.86[4500] to 183.96.249.15[4500] (112 bytes)
received packet: from 183.96.249.15[4500] to 192.168.1.86[4500] (336 bytes)
parsed IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
authentication of 'leo.coreavpn.net' with EAP successful
IKE_SA Leo-CoreaVPN-C[1] established between 192.168.1.86[susemi]...183.96.249.15[leo.coreavpn.net]
scheduling reauthentication in 10217s
maximum IKE_SA lifetime 10757s
installing DNS server 168.126.63.1 to /etc/strongswan/resolv.conf
installing DNS server 203.248.252.2 to /etc/strongswan/resolv.conf
installing new virtual IP 172.16.216.86
created TUN device: tun1
selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
CHILD_SA Leo-CoreaVPN-C{1} established with SPIs d79d013c_i c1ffe240_o and TS 172.16.216.86/32 === 0.0.0.0/0
connection 'Leo-CoreaVPN-C' established successfully