Hi guys.
I have a TP-Link 3600 router (hostname a81m4) running OpenWrt 19.07.01.
router IPs:
br-lan - 192.168.173.1/28
br-voice - 192.168.173.33/29
eth.0 (WAN) - 192.204.x.x/32
It's connected via an l2l VPN using strongSwan to the remote subnet 192.168.172.0/28; the tunnel works:
root@a81m4:/home/sam# ipsec status
Security Associations (1 up, 0 connecting):
gate.st1[1]: ESTABLISHED 2 hours ago, 192.204.x.x[192.204.x.x]...107.y.y.y[107.y.y.y]
net-192.168.173-32{5}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c4d4dd34_i 5d5e392f_o
net-192.168.173-32{5}: 192.168.173.32/29 === 192.168.172.0/28
gate.st1{6}: INSTALLED, TUNNEL, reqid 3, ESP SPIs: c4eba6b5_i 6e3ea942_o
gate.st1{6}: 192.168.173.0/28 === 192.168.172.0/28
root@a81m4:/home/sam#
There are two Linux computers in the remote subnet: 192.168.172.2 and 192.168.172.4.
I can ping both 192.168.172.2 and 192.168.172.4 from the router 192.168.173.1 (and from the computers behind it) OK.
root@a81m4:/home/sam# ping -c 1 192.168.172.2
PING 192.168.172.2 (192.168.172.2): 56 data bytes
64 bytes from 192.168.172.2: seq=0 ttl=63 time=21.183 ms
--- 192.168.172.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 21.183/21.183/21.183 ms
root@a81m4:/home/sam# ping -c 1 192.168.172.4
PING 192.168.172.4 (192.168.172.4): 56 data bytes
64 bytes from 192.168.172.4: seq=0 ttl=63 time=18.069 ms
--- 192.168.172.4 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 18.069/18.069/18.069 ms
root@a81m4:/home/sam#
Moreover, I can open SSH to 192.168.172.4 from 192.168.173.1 (for some reason the source IP is shown as 192.168.173.33):
root@a81m4:/home/sam# ssh sam@192.168.172.4
sam@192.168.172.4's password:
Linux 2.6.35.4.
sam@sw122:~$
So the tunnel works correctly.
I can open SSH from 192.168.172.4 to 192.168.172.2 (of course, they are in the same subnet):
sam@sw122:~$ ssh sam@192.168.172.2
sam@192.168.172.2's password:
Last login: Wed Feb 12 11:49:32 2020 from 192.168.172.4
Linux 4.19.34.
Sometimes a cigar is just a cigar.
-- Sigmund Freud
In the beginning there was nothing. And the Lord said "Let There Be Light!"
And still there was nothing, but at least now you could see it.
sam@st10:~$
But I CANNOT open SSH from 192.168.173.1 (.33, and the computers behind the a81m4 router) to 192.168.172.2:
root@a81m4:/home/sam# ssh sam@192.168.172.2
ssh: Connection to sam@192.168.172.2:22 exited: Connect failed: Operation timed out
root@a81m4:/home/sam#
SSH is permitted from 192.168.173.1 (.33) to 192.168.172.2:
[root@st10 sam]# iptables -vnL | grep .168.173
0 0 ACCEPT tcp -- bond0 * 192.168.173.1 0.0.0.0/0 state NEW tcp dpt:179
0 0 ACCEPT tcp -- bond0 * 192.168.173.1 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT tcp -- bond0 * 192.168.173.33 0.0.0.0/0 state NEW tcp dpt:22
[root@st10 sam]#
But there are no hit counts. The VPN tunnel is wide open between subnets 192.168.173 and 192.168.172 (I have not set up VPN inline filtering yet).
While I was trying to open SSH to 192.168.172.2, tcpdump at 192.168.173.1 (32) showed the following:
192.168.173.33.36336 > 192.168.172.2.22: Flags [S], cksum 0x593c (correct), seq 846566414, win 29200, options [mss 1320,sackOK,TS val 1238172790 ecr 0,nop,wscale 4], length 0
192.168.172.2.22 > 192.168.173.33.36336: Flags [S.], cksum 0xda9b (incorrect -> 0xfaba), seq 2124895372, ack 846566415, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 9], length 0
Could you guys help me with this incorrect checksum issue?
I could assume it's because of the different MSS, but then why does SSH from 192.168.173.1 to 192.168.172.4 work within the same VPN tunnel while .2 does not?
Thank you.
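As an added example (not part of the original post), a small Python tool for reading `tcpdump -nn -vv` output like the two lines quoted above: it groups packets into flows, reports how far each three-way handshake got at the capture point, records the MSS each side advertised, and keeps tcpdump's "incorrect -> 0x...." checksum annotation separate from the handshake state. That annotation only means the bytes tcpdump captured did not verify; on hosts with checksum offload it is frequently a capture artifact rather than corruption on the wire, so it should be confirmed from the other end before being treated as the cause. The sample input is constructed: the two packets from the post (timestamps dropped) plus invented flows to 192.168.172.4 and 192.168.172.9.

```python
"""Classify TCP three-way handshakes in `tcpdump -nn -vv` text output (constructed
example): flows, handshake state, advertised MSS, and packets whose checksum tcpdump
could not verify (the "incorrect -> 0x...." annotation, printed only with -vv)."""
import re
import sys

# One TCP line of `tcpdump -nn -vv`; searched, not anchored, so a leading
# timestamp and "IP ..." header are tolerated.
LINE_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, cksum 0x[0-9a-fA-F]+ \((?P<cksum>correct|incorrect -> 0x[0-9a-fA-F]+)\))?"
)
MSS_RE = re.compile(r"\bmss (\d+)")

def parse_line(line):
    """Return the fields we need, or None for non-TCP / unparseable lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    mss = MSS_RE.search(line)
    return {
        "src": (m["src"], int(m["sport"])),
        "dst": (m["dst"], int(m["dport"])),
        "flags": m["flags"],
        "cksum_ok": None if m["cksum"] is None else m["cksum"] == "correct",
        "mss": int(mss.group(1)) if mss else None,
    }

def _new_flow():
    return {"syn": False, "synack": False, "ack": False, "reset": False,
            "client_mss": None, "server_mss": None, "bad_cksum": []}

def analyse(lines):
    """Group packets into flows keyed (client, server); the bare SYN fixes orientation."""
    flows = {}
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        fwd, rev = (pkt["src"], pkt["dst"]), (pkt["dst"], pkt["src"])
        key = rev if rev in flows and fwd not in flows else fwd
        flow = flows.setdefault(key, _new_flow())
        from_client = pkt["src"] == key[0]
        flags = pkt["flags"]
        if "R" in flags:
            flow["reset"] = True
        elif flags == "S" and from_client:
            flow["syn"] = True
            flow["client_mss"] = pkt["mss"]
        elif flags == "S." and not from_client:
            flow["synack"] = True
            flow["server_mss"] = pkt["mss"]
        elif from_client and flow["synack"] and "." in flags:
            flow["ack"] = True  # client's ACK after the SYN-ACK completes the handshake
        if pkt["cksum_ok"] is False:
            flow["bad_cksum"].append((pkt["src"][0], pkt["src"][1], flags))
    return flows

def verdict(flow):
    """Human-readable handshake state for one flow."""
    if flow["reset"]:
        return "reset"
    if flow["syn"] and flow["synack"] and flow["ack"]:
        return "established"
    if flow["syn"] and flow["synack"]:
        return "syn-ack reached the capture point, handshake not completed"
    if flow["syn"]:
        return "syn sent, no syn-ack seen at the capture point"
    return "mid-stream (no handshake captured)"

def report(lines):
    """One summary line per flow."""
    out = []
    for (client, server), flow in analyse(lines).items():
        text = "%s:%d -> %s:%d: %s" % (client + server + (verdict(flow),))
        if flow["client_mss"] or flow["server_mss"]:
            text += " (mss client=%s server=%s)" % (flow["client_mss"], flow["server_mss"])
        if flow["bad_cksum"]:
            text += "; unverified checksum on: " + ", ".join("%s:%d [%s]" % b for b in flow["bad_cksum"])
        out.append(text)
    return out

# Constructed sample: the two lines quoted in the post (timestamps dropped), plus an
# invented flow that completes and one whose SYN is never answered.
SAMPLE = """\
192.168.173.33.36336 > 192.168.172.2.22: Flags [S], cksum 0x593c (correct), seq 846566414, win 29200, options [mss 1320,sackOK,TS val 1238172790 ecr 0,nop,wscale 4], length 0
192.168.172.2.22 > 192.168.173.33.36336: Flags [S.], cksum 0xda9b (incorrect -> 0xfaba), seq 2124895372, ack 846566415, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 9], length 0
192.168.173.33.40000 > 192.168.172.4.22: Flags [S], cksum 0x1111 (correct), seq 1, win 29200, options [mss 1320,sackOK], length 0
192.168.172.4.22 > 192.168.173.33.40000: Flags [S.], cksum 0x2222 (correct), seq 100, ack 2, win 29200, options [mss 1320,sackOK], length 0
192.168.173.33.40000 > 192.168.172.4.22: Flags [.], cksum 0x3333 (correct), ack 101, win 1825, length 0
192.168.173.1.50000 > 192.168.172.9.22: Flags [S], cksum 0x4444 (correct), seq 5, win 29200, options [mss 1320], length 0
""".splitlines()

if __name__ == "__main__":
    # Pipe a live capture in, or run with no stdin to see the constructed sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE
    for text in report(source):
        print(text)
```

On the router this can be fed directly, e.g. `tcpdump -nn -vv -l tcp port 22 | python3 handshakes.py`. A flow reported as "syn-ack reached the capture point, handshake not completed" tells you the server did answer and its reply came back through the tunnel; the open question is then whether the client side accepted that SYN-ACK, and the checksum verdict should be cross-checked by capturing on the peer as well (or by disabling offload on the capturing host with `ethtool -K <iface> rx off tx off` before re-running) rather than trusting the annotation from one side.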