
I have created a site-to-site IPsec tunnel between my two branches. The tunnel is up and running and I can ping both routers in both directions; the problem is that I cannot get any kind of communication (for example ping) from or to the hosts behind them.

Let me explain my scenario (see the attached diagram, strongswan1 drawio):

SITE A - Strongswan config:

root@esxi:~# cat /etc/ipsec.conf
config setup
        # charon log verbosity; useful while troubleshooting, but consider lowering it
        # once the tunnel is stable (the logs are noisy and record peer details)
        charondebug="all"
        # a new IKE_SA from a peer presenting the same identity replaces the old one
        uniqueids=yes
        # CRL checks only apply to certificate authentication; this conn uses a PSK
        strictcrlpolicy=no

# connection to siteB datacenter
# left = this gateway (51.91.48.XX, LAN 192.168.58.0/24), right = the site B gateway
conn siteA-to-siteB
  # pre-shared key authentication; the key itself lives in ipsec.secrets (not shown)
  authby=secret
  # bind to the interface holding the default route; the public IP is the IKE identity
  left=%defaultroute
  leftid=51.91.48.XX
  # traffic selectors; these are the CHILD_SA subnets 'ipsec statusall' reports
  leftsubnet=192.168.58.0/24
  right=51.77.246.XX
  rightsubnet=192.168.60.0/24
  # IKE proposal; the trailing '!' makes it strict (no other proposals are offered).
  # NOTE(review): modp1024 is a 1024-bit DH group and is considered too weak today;
  # prefer modp2048 or larger (or an ECP group) on both peers.
  ike=aes256-sha2_256-modp1024!
  # ESP proposal; no DH group is listed, so CHILD_SA rekeys have no PFS --
  # append a group (e.g. modp2048) to both sides to enable it
  esp=aes256-sha2_256!
  # 0 is treated as "retry forever" when negotiation fails
  keyingtries=0
  # IKE_SA reauthentication interval and CHILD_SA lifetime
  # (statusall: "reauthentication in 22 minutes", "rekeying in 7 hours")
  ikelifetime=1h
  lifetime=8h
  # dead peer detection: probe every 30 s; dpdtimeout is only used by IKEv1 --
  # the running SA is IKEv2, where the retransmission timeout applies instead
  dpddelay=30
  dpdtimeout=120
  # NOTE(review): 'ipsec statusall' prints dpdaction=start for this conn -- confirm
  # the running configuration matches this file
  dpdaction=restart
  # bring the tunnel up when the daemon starts
  auto=start
  # run the _updown script to insert/remove iptables FORWARD rules for tunnel
  # traffic; the '-m policy --pol ipsec' rules in iptables-save come from this
  leftfirewall=yes

SITE A - ipsec statusall:

root@esxi:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.10, Linux 4.15.18-18-pve, x86_64):
  uptime: 28 minutes, since Jun 17 14:51:55 2024
  malloc: sbrk 3108864, mmap 0, used 975056, free 2133808
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 7
  loaded plugins: charon test-vectors ldap pkcs11 aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl gcrypt pkcs8 af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac kdf ctr ccm gcm drbg curl attr kernel-netlink resolve socket-default connmark farp stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led duplicheck addrblock unity counters
Listening IP addresses:
  51.91.48.XX
  10.0.0.1
  192.168.58.1
Connections:
siteA-to-siteB:  %any...51.77.246.XX  IKEv1/2, dpddelay=30s
siteA-to-siteB:   local:  [51.91.48.XX] uses pre-shared key authentication
siteA-to-siteB:   remote: [51.77.246.XX] uses pre-shared key authentication
siteA-to-siteB:   child:  192.168.58.0/24 === 192.168.60.0/24 TUNNEL, dpdaction=start
Security Associations (1 up, 0 connecting):
siteA-to-siteB[10]: ESTABLISHED 24 minutes ago, 51.91.48.XX[51.91.48.XX]...51.77.246.XX[51.77.246.XX]
siteA-to-siteB[10]: IKEv2 SPIs: b50d4c5cf4d2eda4_i ff26607335a4e302_r*, pre-shared key reauthentication in 22 minutes
siteA-to-siteB[10]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
siteA-to-siteB{4}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c88bd63c_i c895872a_o
siteA-to-siteB{4}:  AES_CBC_256/HMAC_SHA2_256_128, 62748 bytes_i (747 pkts, 718s ago), 62748 bytes_o (747 pkts, 718s ago), rekeying in 7 hours
siteA-to-siteB{4}:   192.168.58.0/24 === 192.168.60.0/24

SITE A - iptables-save:

root@esxi:~# iptables-save
# Generated by iptables-save v1.6.0 on Mon Jun 17 15:22:00 2024
*mangle
# mangle table: default policies only, no rules.
:PREROUTING ACCEPT [3526842015:5243135264619]
:INPUT ACCEPT [8497927:1230923546]
:FORWARD ACCEPT [3515524990:5241678882328]
:OUTPUT ACCEPT [8084473:1417568853]
:POSTROUTING ACCEPT [3519557170:5242641211859]
COMMIT
# Completed on Mon Jun 17 15:22:00 2024
# Generated by iptables-save v1.6.0 on Mon Jun 17 15:22:00 2024
*nat
:PREROUTING ACCEPT [17332:1076769]
:INPUT ACCEPT [679:26994]
:OUTPUT ACCEPT [5:532]
:POSTROUTING ACCEPT [1463:89147]
# Exempt IPsec/L2TP traffic from the catch-all DNAT further down.
# NOTE(review): ESP is IP protocol 50, not UDP port 50, so the '--dport 50'
# rule never matches anything useful; the '-p esp' rule is the one that counts
# (same remark for the matching INPUT/OUTPUT rules in *filter).
-A PREROUTING -i vmbr0 -p udp -m udp --dport 50 -j ACCEPT
-A PREROUTING -i vmbr0 -p udp -m udp --dport 500 -j ACCEPT
-A PREROUTING -i vmbr0 -p udp -m udp --dport 4500 -j ACCEPT
-A PREROUTING -i vmbr0 -p udp -m udp --dport 1701 -j ACCEPT
-A PREROUTING -i vmbr0 -p esp -j ACCEPT
-A PREROUTING -i vmbr0 -p ah -j ACCEPT
# Catch-all DNAT of everything else arriving on vmbr0 to 10.0.0.2 (TCP 22/8006 excluded).
# NOTE(review): packets decapsulated from the tunnel re-enter PREROUTING with the
# same ingress interface (vmbr0), so UDP from 192.168.60.0/24 is likely DNATed
# here as well. ICMP is not matched, so this does not explain the failing ping,
# but an exemption such as '-m policy --dir in --pol ipsec -j ACCEPT' placed
# ahead of these rules would keep tunnel traffic out of the NAT path.
-A PREROUTING -i vmbr0 -p tcp -m multiport ! --dports 22,8006 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -i vmbr0 -p udp -j DNAT --to-destination 10.0.0.2
# The next two rules are exact duplicates of the two above.
-A PREROUTING -i vmbr0 -p tcp -m multiport ! --dports 22,8006 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -i vmbr0 -p udp -j DNAT --to-destination 10.0.0.2
# Masquerade the 10.0.0.0/30 transfer net on the way out (duplicated).
-A POSTROUTING -s 10.0.0.0/30 -o vmbr0 -j MASQUERADE
-A POSTROUTING -s 10.0.0.0/30 -o vmbr0 -j MASQUERADE
COMMIT
# Completed on Mon Jun 17 15:22:00 2024
# Generated by iptables-save v1.6.0 on Mon Jun 17 15:22:00 2024
*filter
# All three built-in chains default to DROP; everything must be allowed explicitly.
:INPUT DROP [192:18886]
:FORWARD DROP [0:0]
:OUTPUT DROP [1:68]
# TCP/UDP are user chains for new inbound connections; a packet that matches
# nothing in them returns to INPUT and continues with the rules after the jump.
:TCP - [0:0]
:UDP - [0:0]
# IPsec to the router itself: ESP/AH, IKE (500), NAT-T (4500), L2TP (1701).
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p udp -m udp --dport 50 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Echo-request is accepted, which is why pinging the router itself works.
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
# vmbr20 is not referenced anywhere else in this dump.
-A INPUT -i vmbr20 -p ah -m comment --comment ArticaStrongswanVPN -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -m comment --comment ArticaStrongswanVPN -j ACCEPT
# Tunnel traffic. The '-m policy --pol ipsec' rules have the shape strongSwan's
# _updown script inserts when leftfirewall=yes. The pair appears three times
# (with and without the interface match); the script normally removes its rules
# when the CHILD_SA goes down, so the duplicates suggest rules accumulated across
# restarts. Harmless for ACCEPT rules, but worth flushing and re-adding cleanly.
-A FORWARD -s 192.168.60.0/24 -d 192.168.58.0/24 -i vmbr0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.58.0/24 -d 192.168.60.0/24 -o vmbr0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.60.0/24 -d 192.168.58.0/24 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.58.0/24 -d 192.168.60.0/24 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.60.0/24 -d 192.168.58.0/24 -i vmbr0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.58.0/24 -d 192.168.60.0/24 -o vmbr0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
# Forwarded UDP to 8.8.8.8 (duplicated).
-A FORWARD -d 8.8.8.8/32 -p udp -j ACCEPT
-A FORWARD -d 8.8.8.8/32 -p udp -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Forwarding towards the DNAT target 10.0.0.2 on vmbr1, and anything the
# transfer net sends back (the three rules are present twice).
-A FORWARD -d 10.0.0.2/32 -i vmbr0 -o vmbr1 -p tcp -j ACCEPT
-A FORWARD -d 10.0.0.2/32 -i vmbr0 -o vmbr1 -p udp -j ACCEPT
-A FORWARD -s 10.0.0.0/30 -i vmbr1 -j ACCEPT
-A FORWARD -d 10.0.0.2/32 -i vmbr0 -o vmbr1 -p tcp -j ACCEPT
-A FORWARD -d 10.0.0.2/32 -i vmbr0 -o vmbr1 -p udp -j ACCEPT
-A FORWARD -s 10.0.0.0/30 -i vmbr1 -j ACCEPT
# OUTPUT: IPsec control/data traffic, loopback, all ICMP (so router-originated
# pings are never blocked here), then a per-service allow list for the router's
# own addresses. Most of the allow list is present twice.
-A OUTPUT -p udp -m udp --dport 50 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 500 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 4500 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1701 -j ACCEPT
-A OUTPUT -p esp -j ACCEPT
-A OUTPUT -p ah -j ACCEPT
-A OUTPUT -d 8.8.8.8/32 -p udp -j ACCEPT
-A OUTPUT -d 8.8.8.8/32 -p udp -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -s 10.0.0.2/32 -d 51.91.48.XX/32 -o vmbr0 -j ACCEPT
-A OUTPUT -s 51.91.48.XX/32 -o vmbr0 -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -s 51.91.48.XX/32 -o vmbr0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -s 51.91.48.XX/32 -o vmbr0 -p tcp -m tcp --dport 43 -j ACCEPT
-A OUTPUT -s 51.91.48.XX/32 -o vmbr0 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -s 51.91.48.XX/32 -o vmbr0 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -s 51.91.48.XX/32 -o vmbr0 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -s 51.91.48.XX/32 -o vmbr0 -p tcp -m tcp --sport 8006 -j ACCEPT
-A OUTPUT -s 10.0.0.1/32 -o vmbr1 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -s 10.0.0.1/32 -o vmbr1 -p tcp -m tcp --sport 8006 -j ACCEPT
-A OUTPUT -s 51.91.48.XX/32 -o vmbr0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -s 51.91.48.XX/32 -o vmbr0 -p tcp -m tcp --dport 43 -j ACCEPT
-A OUTPUT -s 51.91.48.XX/32 -o vmbr0 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -s 51.91.48.XX/32 -o vmbr0 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -s 51.91.48.XX/32 -o vmbr0 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -s 51.91.48.XX/32 -o vmbr0 -p tcp -m tcp --sport 8006 -j ACCEPT
-A OUTPUT -s 10.0.0.1/32 -o vmbr1 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -s 10.0.0.1/32 -o vmbr1 -p tcp -m tcp --sport 8006 -j ACCEPT
# TCP chain: only SSH (22) and 8006 (Proxmox VE web UI) are reachable on the
# router's own addresses. The UDP chain is empty, so new UDP to the router
# other than the IPsec ports above falls through to the INPUT DROP policy.
-A TCP -d 51.91.48.XX/32 -i vmbr0 -p tcp -m tcp --dport 22 -j ACCEPT
-A TCP -d 51.91.48.XX/32 -i vmbr0 -p tcp -m tcp --dport 8006 -j ACCEPT
-A TCP -d 10.0.0.1/32 -i vmbr1 -p tcp -m tcp --dport 22 -j ACCEPT
-A TCP -d 10.0.0.1/32 -i vmbr1 -p tcp -m tcp --dport 8006 -j ACCEPT
-A TCP -d 10.0.0.1/32 -i vmbr1 -p tcp -m tcp --dport 22 -j ACCEPT
-A TCP -d 10.0.0.1/32 -i vmbr1 -p tcp -m tcp --dport 8006 -j ACCEPT
COMMIT
# Completed on Mon Jun 17 15:22:00 2024

SITE A - ip route list table 220:

root@esxi:~# ip route list table 220
192.168.60.0/24 via 51.91.48.XX dev vmbr0 proto static src 192.168.58.1

SITE A - Ping from Router to SITE B Router:

root@esxi:~# ping 192.168.60.1
PING 192.168.60.1 (192.168.60.1) 56(84) bytes of data.
64 bytes from 192.168.60.1: icmp_seq=1 ttl=64 time=1.80 ms
64 bytes from 192.168.60.1: icmp_seq=2 ttl=64 time=1.84 ms

SITE A - Ping from Router to SITE B Host:

root@esxi:~# ping 192.168.60.254
PING 192.168.60.254 (192.168.60.254) 56(84) bytes of data.
64 bytes from 192.168.60.254: icmp_seq=1 ttl=63 time=2.03 ms
64 bytes from 192.168.60.254: icmp_seq=2 ttl=63 time=2.03 ms
64 bytes from 192.168.60.254: icmp_seq=3 ttl=63 time=2.09 ms

SITE A - Ping from Host to SITE B Router (DOES NOT WORK):

root@esxi:~# ping 192.168.60.1
PING 192.168.60.1 (192.168.60.1) 56(84) bytes of data.

SITE A - Ping from Host to SITE B Host (DOES NOT WORK):

root@esxi:~# ping 192.168.60.254
PING 192.168.60.254 (192.168.60.254) 56(84) bytes of data.

SITE B - Strongswan config:

root@ns3141268:~# cat /etc/ipsec.conf
config setup
        # charon log verbosity; useful while troubleshooting, but consider lowering it
        # once the tunnel is stable (the logs are noisy and record peer details)
        charondebug="all"
        # a new IKE_SA from a peer presenting the same identity replaces the old one
        uniqueids=yes
        # CRL checks only apply to certificate authentication; this conn uses a PSK
        strictcrlpolicy=no

# connection to siteA (this is the site B side: left = this gateway 51.77.246.XX,
# LAN 192.168.60.0/24; right = the site A gateway). The original comment was
# copied from the site A config.
conn siteA-to-siteB
  # pre-shared key authentication; the key itself lives in ipsec.secrets (not shown)
  authby=secret
  # bind to the interface holding the default route; the public IP is the IKE identity
  left=%defaultroute
  leftid=51.77.246.XX
  # traffic selectors; these are the CHILD_SA subnets 'ipsec statusall' reports
  leftsubnet=192.168.60.0/24
  right=51.91.48.XX
  rightsubnet=192.168.58.0/24
  # IKE proposal; the trailing '!' makes it strict (no other proposals are offered).
  # NOTE(review): modp1024 is a 1024-bit DH group and is considered too weak today;
  # prefer modp2048 or larger (or an ECP group) on both peers.
  ike=aes256-sha2_256-modp1024!
  # ESP proposal; no DH group is listed, so CHILD_SA rekeys have no PFS --
  # append a group (e.g. modp2048) to both sides to enable it
  esp=aes256-sha2_256!
  # 0 is treated as "retry forever" when negotiation fails
  keyingtries=0
  # IKE_SA reauthentication interval and CHILD_SA lifetime
  # (statusall: "reauthentication in 14 minutes", "rekeying in 7 hours")
  ikelifetime=1h
  lifetime=8h
  # dead peer detection: probe every 30 s; dpdtimeout is only used by IKEv1 --
  # the running SA is IKEv2, where the retransmission timeout applies instead
  dpddelay=30
  dpdtimeout=120
  # NOTE(review): 'ipsec statusall' prints dpdaction=start for this conn -- confirm
  # the running configuration matches this file
  dpdaction=restart
  # bring the tunnel up when the daemon starts
  auto=start
  # run the _updown script to insert/remove iptables FORWARD rules for tunnel
  # traffic; the '-m policy --pol ipsec' rules in iptables-save come from this
  leftfirewall=yes

SITE B - ipsec statusall:

root@ns3141268:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.14, Linux 5.4.128-1-pve, x86_64):
  uptime: 39 minutes, since Jun 17 14:49:48 2024
  malloc: sbrk 3141632, mmap 0, used 1169600, free 1972032
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 7
  loaded plugins: charon test-vectors ldap pkcs11 aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl gcrypt pkcs8 af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac kdf ctr ccm gcm drbg curl attr kernel-netlink resolve socket-default connmark farp stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led duplicheck addrblock unity counters
Listening IP addresses:
  51.77.246.XX
  10.0.0.1
  192.168.60.1
Connections:
siteA-to-siteB:  %any...51.91.48.XX  IKEv1/2, dpddelay=30s
siteA-to-siteB:   local:  [51.77.246.XX] uses pre-shared key authentication
siteA-to-siteB:   remote: [51.91.48.XX] uses pre-shared key authentication
siteA-to-siteB:   child:  192.168.60.0/24 === 192.168.58.0/24 TUNNEL, dpdaction=start
Security Associations (1 up, 0 connecting):
siteA-to-siteB[4]: ESTABLISHED 36 minutes ago, 51.77.246.XX[51.77.246.XX]...51.91.48.XX[51.91.48.XX]
siteA-to-siteB[4]: IKEv2 SPIs: b50d4c5cf4d2eda4_i* ff26607335a4e302_r, pre-shared key reauthentication in 14 minutes
siteA-to-siteB[4]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
siteA-to-siteB{3}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c895872a_i c88bd63c_o
siteA-to-siteB{3}:  AES_CBC_256/HMAC_SHA2_256_128, 63420 bytes_i (755 pkts, 244s ago), 63420 bytes_o (755 pkts, 244s ago), rekeying in 7 hours
siteA-to-siteB{3}:   192.168.60.0/24 === 192.168.58.0/24

SITE B - iptables-save:

root@ns3141268:~# iptables-save
# Generated by iptables-save v1.8.2 on Mon Jun 17 15:30:48 2024
*mangle
# mangle table: default policies only, no rules.
:PREROUTING ACCEPT [801039226:571904713622]
:INPUT ACCEPT [5900102:843948109]
:FORWARD ACCEPT [724318127:567209958529]
:OUTPUT ACCEPT [5571837:852600977]
:POSTROUTING ACCEPT [726071655:567771378583]
COMMIT
# Completed on Mon Jun 17 15:30:48 2024
# Generated by iptables-save v1.8.2 on Mon Jun 17 15:30:48 2024
*nat
:PREROUTING ACCEPT [71190:4120186]
:INPUT ACCEPT [565:23428]
:OUTPUT ACCEPT [306:23214]
:POSTROUTING ACCEPT [639:35976]
# Exempt IPsec/L2TP traffic from the catch-all DNAT further down.
# NOTE(review): ESP is IP protocol 50, not UDP port 50, so the '--dport 50'
# rules never match anything useful; the '-p esp' rule is the one that counts
# (same remark for the matching INPUT/OUTPUT rules in *filter).
-A PREROUTING -i vmbr0 -p udp -m udp --dport 50 -j ACCEPT
-A PREROUTING -i vmbr0 -p udp -m udp --dport 500 -j ACCEPT
-A PREROUTING -i vmbr0 -p udp -m udp --dport 4500 -j ACCEPT
-A PREROUTING -i vmbr0 -p udp -m udp --dport 1701 -j ACCEPT
-A PREROUTING -i vmbr0 -p esp -j ACCEPT
-A PREROUTING -i vmbr0 -p ah -j ACCEPT
# Second copy of the '--dport 50' rule, this time without an interface match.
-A PREROUTING -p udp -m udp --dport 50 -j ACCEPT
# Catch-all DNAT of everything else arriving on vmbr0 to 10.0.0.2 (TCP 22/8006 excluded).
# NOTE(review): packets decapsulated from the tunnel re-enter PREROUTING with the
# same ingress interface (vmbr0), so UDP from 192.168.58.0/24 is likely DNATed
# here as well. ICMP is not matched, so this does not explain the failing ping,
# but an exemption such as '-m policy --dir in --pol ipsec -j ACCEPT' placed
# ahead of these rules would keep tunnel traffic out of the NAT path.
-A PREROUTING -i vmbr0 -p tcp -m multiport ! --dports 22,8006 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -i vmbr0 -p udp -j DNAT --to-destination 10.0.0.2
# Masquerade the 10.0.0.0/30 transfer net on the way out.
-A POSTROUTING -s 10.0.0.0/30 -o vmbr0 -j MASQUERADE
COMMIT
# Completed on Mon Jun 17 15:30:48 2024
# Generated by iptables-save v1.8.2 on Mon Jun 17 15:30:48 2024
*raw
# raw table: default policies only, no rules.
:PREROUTING ACCEPT [801041124:571905068039]
:OUTPUT ACCEPT [5573811:853003835]
COMMIT
# Completed on Mon Jun 17 15:30:48 2024
# Generated by iptables-save v1.8.2 on Mon Jun 17 15:30:48 2024
*filter
# All three built-in chains default to DROP; everything must be allowed explicitly.
# NOTE(review): the FORWARD policy counter already shows 4200 dropped packets;
# a LOG rule at the end of FORWARD (or 'iptables -nvL FORWARD') would reveal
# which traffic is hitting the policy.
:INPUT DROP [437:33822]
:FORWARD DROP [4200:279708]
:OUTPUT DROP [42:3192]
# TCP/UDP are user chains for new inbound connections; a packet that matches
# nothing in them returns to INPUT and continues with the rules after the jump.
# f2b-sshd is fail2ban's chain; it currently holds only a RETURN (no bans).
:TCP - [0:0]
:UDP - [0:0]
:f2b-sshd - [0:0]
# IPsec to the router itself: ESP/AH, IKE (500), NAT-T (4500), L2TP (1701).
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p udp -m udp --dport 50 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Echo-request is accepted, which is why pinging the router itself works.
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
# Tunnel traffic. The '-m policy --pol ipsec' rules have the shape strongSwan's
# _updown script inserts when leftfirewall=yes. The same pair is repeated nine
# times; the script normally removes its rules when the CHILD_SA goes down, so
# the duplicates suggest rules accumulated across restarts. Harmless for ACCEPT
# rules, but worth flushing and re-adding cleanly.
-A FORWARD -s 192.168.58.0/24 -d 192.168.60.0/24 -i vmbr0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.60.0/24 -d 192.168.58.0/24 -o vmbr0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.58.0/24 -d 192.168.60.0/24 -i vmbr0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.60.0/24 -d 192.168.58.0/24 -o vmbr0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.58.0/24 -d 192.168.60.0/24 -i vmbr0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.60.0/24 -d 192.168.58.0/24 -o vmbr0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.58.0/24 -d 192.168.60.0/24 -i vmbr0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.60.0/24 -d 192.168.58.0/24 -o vmbr0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.58.0/24 -d 192.168.60.0/24 -i vmbr0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.60.0/24 -d 192.168.58.0/24 -o vmbr0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.58.0/24 -d 192.168.60.0/24 -i vmbr0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.60.0/24 -d 192.168.58.0/24 -o vmbr0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.58.0/24 -d 192.168.60.0/24 -i vmbr0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.60.0/24 -d 192.168.58.0/24 -o vmbr0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.58.0/24 -d 192.168.60.0/24 -i vmbr0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.60.0/24 -d 192.168.58.0/24 -o vmbr0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.58.0/24 -d 192.168.60.0/24 -i vmbr0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.60.0/24 -d 192.168.58.0/24 -o vmbr0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Forwarding towards the DNAT target 10.0.0.2 on vmbr1, and anything the
# transfer net sends back.
-A FORWARD -d 10.0.0.2/32 -i vmbr0 -o vmbr1 -p tcp -j ACCEPT
-A FORWARD -d 10.0.0.2/32 -i vmbr0 -o vmbr1 -p udp -j ACCEPT
-A FORWARD -s 10.0.0.0/30 -i vmbr1 -j ACCEPT
# OUTPUT: IPsec control/data traffic (the '-p ah' rule is duplicated), loopback,
# all ICMP (so router-originated pings are never blocked here), then a
# per-service allow list for the router's own addresses.
-A OUTPUT -p udp -m udp --dport 50 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 500 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 4500 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1701 -j ACCEPT
-A OUTPUT -p esp -j ACCEPT
-A OUTPUT -p ah -j ACCEPT
-A OUTPUT -p ah -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -s 10.0.0.2/32 -d 51.77.246.XX/32 -o vmbr0 -j ACCEPT
-A OUTPUT -s 51.77.246.XX/32 -o vmbr0 -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -s 51.77.246.XX/32 -o vmbr0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -s 51.77.246.XX/32 -o vmbr0 -p tcp -m tcp --dport 43 -j ACCEPT
-A OUTPUT -s 51.77.246.XX/32 -o vmbr0 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -s 51.77.246.XX/32 -o vmbr0 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -s 51.77.246.XX/32 -o vmbr0 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -s 51.77.246.XX/32 -o vmbr0 -p tcp -m tcp --sport 8006 -j ACCEPT
-A OUTPUT -s 10.0.0.1/32 -o vmbr1 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -s 10.0.0.1/32 -o vmbr1 -p tcp -m tcp --sport 8006 -j ACCEPT
# TCP chain: only SSH (22) and 8006 (Proxmox VE web UI) are reachable on the
# router's own addresses. The UDP chain is empty, so new UDP to the router
# other than the IPsec ports above falls through to the INPUT DROP policy.
-A TCP -d 51.77.246.XX/32 -i vmbr0 -p tcp -m tcp --dport 22 -j ACCEPT
-A TCP -d 51.77.246.XX/32 -i vmbr0 -p tcp -m tcp --dport 8006 -j ACCEPT
-A TCP -d 10.0.0.1/32 -i vmbr1 -p tcp -m tcp --dport 22 -j ACCEPT
-A TCP -d 10.0.0.1/32 -i vmbr1 -p tcp -m tcp --dport 8006 -j ACCEPT
# fail2ban chain with no active bans: every packet returns to INPUT.
-A f2b-sshd -j RETURN
COMMIT
# Completed on Mon Jun 17 15:30:48 2024

SITE B - ip route list table 220:

root@ns3141268:~# ip route list table 220
192.168.58.0/24 via 51.77.246.XX dev vmbr0 proto static src 192.168.60.1

SITE B - Ping from Router to SITE A Router:

root@esxi:~# ping 192.168.58.1
PING 192.168.58.1 (192.168.58.1) 56(84) bytes of data.
64 bytes from 192.168.58.1: icmp_seq=1 ttl=64 time=1.80 ms
64 bytes from 192.168.58.1: icmp_seq=2 ttl=64 time=1.84 ms

SITE B - Ping from Router to SITE A Host:

root@esxi:~# ping 192.168.58.254
PING 192.168.58.254 (192.168.58.254) 56(84) bytes of data.
64 bytes from 192.168.58.254: icmp_seq=1 ttl=63 time=2.03 ms
64 bytes from 192.168.58.254: icmp_seq=2 ttl=63 time=2.03 ms
64 bytes from 192.168.58.254: icmp_seq=3 ttl=63 time=2.09 ms

SITE B - Ping from Host to SITE A Router (DOES NOT WORK):

root@esxi:~# ping 192.168.58.1
PING 192.168.58.1 (192.168.58.1) 56(84) bytes of data.

SITE B - Ping from Host to SITE A Host (DOES NOT WORK):

root@esxi:~# ping 192.168.58.254
PING 192.168.58.254 (192.168.58.254) 56(84) bytes of data.

Can anyone help me understand why there is no communication between the hosts of the two sites?

Best regards

EDIT 1 - Added tcpdump capture

tcpdump captures taken while pinging from the Site B host (192.168.60.254) to the Site A host (192.168.58.254)

Ping output Host site B

root@fwprod:~# ping 192.168.58.254                                                     
PING 192.168.58.254 (192.168.58.254) 56(84) bytes of data.                             
0/70 packets, 100% loss

tcpdump capture Host Site B

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
00:42:02.458474 IP 192.168.60.254 > 192.168.58.254: ICMP echo request, id 15773, seq 1, length 64
00:42:02.460644 IP 192.168.58.254 > 192.168.60.254: ICMP echo reply, id 15773, seq 1, length 64
00:42:03.470239 IP 192.168.60.254 > 192.168.58.254: ICMP echo request, id 15773, seq 2, length 64
00:42:03.472375 IP 192.168.58.254 > 192.168.60.254: ICMP echo reply, id 15773, seq 2, length 64
00:42:04.490231 IP 192.168.60.254 > 192.168.58.254: ICMP echo request, id 15773, seq 3, length 64
00:42:04.492287 IP 192.168.58.254 > 192.168.60.254: ICMP echo reply, id 15773, seq 3, length 64
00:42:05.514251 IP 192.168.60.254 > 192.168.58.254: ICMP echo request, id 15773, seq 4, length 64
00:42:05.516320 IP 192.168.58.254 > 192.168.60.254: ICMP echo reply, id 15773, seq 4, length 64

tcpdump capture Router Site B

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
22:44:17.553083 IP 192.168.60.254 > 192.168.58.254: ICMP echo request, id 15773, seq 1, length 64
22:44:17.553154 IP 192.168.60.254 > 192.168.58.254: ICMP echo request, id 15773, seq 1, length 64
22:44:17.553158 IP 192.168.60.254 > 192.168.58.254: ICMP echo request, id 15773, seq 1, length 64
22:44:17.553227 IP 192.168.58.254 > 192.168.60.254: ICMP echo reply, id 15773, seq 1, length 64
22:44:17.553227 IP 192.168.58.254 > 192.168.60.254: ICMP echo reply, id 15773, seq 1, length 64
22:44:18.564858 IP 192.168.60.254 > 192.168.58.254: ICMP echo request, id 15773, seq 2, length 64
22:44:18.564924 IP 192.168.60.254 > 192.168.58.254: ICMP echo request, id 15773, seq 2, length 64
22:44:18.564928 IP 192.168.60.254 > 192.168.58.254: ICMP echo request, id 15773, seq 2, length 64
22:44:18.565002 IP 192.168.58.254 > 192.168.60.254: ICMP echo reply, id 15773, seq 2, length 64
22:44:18.565002 IP 192.168.58.254 > 192.168.60.254: ICMP echo reply, id 15773, seq 2, length 64
22:44:19.584836 IP 192.168.60.254 > 192.168.58.254: ICMP echo request, id 15773, seq 3, length 64
22:44:19.584904 IP 192.168.60.254 > 192.168.58.254: ICMP echo request, id 15773, seq 3, length 64
22:44:19.584909 IP 192.168.60.254 > 192.168.58.254: ICMP echo request, id 15773, seq 3, length 64
22:44:19.584977 IP 192.168.58.254 > 192.168.60.254: ICMP echo reply, id 15773, seq 3, length 64
22:44:19.584977 IP 192.168.58.254 > 192.168.60.254: ICMP echo reply, id 15773, seq 3, length 64
22:44:20.608902 IP 192.168.60.254 > 192.168.58.254: ICMP echo request, id 15773, seq 4, length 64
22:44:20.608965 IP 192.168.60.254 > 192.168.58.254: ICMP echo request, id 15773, seq 4, length 64
22:44:20.608970 IP 192.168.60.254 > 192.168.58.254: ICMP echo request, id 15773, seq 4, length 64
22:44:20.609031 IP 192.168.58.254 > 192.168.60.254: ICMP echo reply, id 15773, seq 4, length 64
22:44:20.609031 IP 192.168.58.254 > 192.168.60.254: ICMP echo reply, id 15773, seq 4, length 64
22:44:21.632920 IP 192.168.60.254 > 192.168.58.254: ICMP echo request, id 15773, seq 5, length 64
22:44:21.632979 IP 192.168.60.254 > 192.168.58.254: ICMP echo request, id 15773, seq 5, length 64
22:44:21.632984 IP 192.168.60.254 > 192.168.58.254: ICMP echo request, id 15773, seq 5, length 64
22:44:21.633052 IP 192.168.58.254 > 192.168.60.254: ICMP echo reply, id 15773, seq 5, length 64
22:44:21.633052 IP 192.168.58.254 > 192.168.60.254: ICMP echo reply, id 15773, seq 5, length 64
22:44:22.657009 IP 192.168.60.254 > 192.168.58.254: ICMP echo request, id 15773, seq 6, length 64

tcpdump capture Router Site A

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
22:44:17.553083 IP 192.168.60.254 > 192.168.58.254: ICMP echo request, id 15773, seq 1, length 64
22:44:17.553154 IP 192.168.60.254 > 192.168.58.254: ICMP echo request, id 15773, seq 1, length 64
22:44:17.553158 IP 192.168.60.254 > 192.168.58.254: ICMP echo request, id 15773, seq 1, length 64
22:44:17.553227 IP 192.168.58.254 > 192.168.60.254: ICMP echo reply, id 15773, seq 1, length 64
22:44:17.553227 IP 192.168.58.254 > 192.168.60.254: ICMP echo reply, id 15773, seq 1, length 64
22:44:18.564858 IP 192.168.60.254 > 192.168.58.254: ICMP echo request, id 15773, seq 2, length 64
22:44:18.564924 IP 192.168.60.254 > 192.168.58.254: ICMP echo request, id 15773, seq 2, length 64
22:44:18.564928 IP 192.168.60.254 > 192.168.58.254: ICMP echo request, id 15773, seq 2, length 64
22:44:18.565002 IP 192.168.58.254 > 192.168.60.254: ICMP echo reply, id 15773, seq 2, length 64
22:44:18.565002 IP 192.168.58.254 > 192.168.60.254: ICMP echo reply, id 15773, seq 2, length 64
22:44:19.584836 IP 192.168.60.254 > 192.168.58.254: ICMP echo request, id 15773, seq 3, length 64
22:44:19.584904 IP 192.168.60.254 > 192.168.58.254: ICMP echo request, id 15773, seq 3, length 64
22:44:19.584909 IP 192.168.60.254 > 192.168.58.254: ICMP echo request, id 15773, seq 3, length 64
22:44:19.584977 IP 192.168.58.254 > 192.168.60.254: ICMP echo reply, id 15773, seq 3, length 64
22:44:19.584977 IP 192.168.58.254 > 192.168.60.254: ICMP echo reply, id 15773, seq 3, length 64
22:44:20.608902 IP 192.168.60.254 > 192.168.58.254: ICMP echo request, id 15773, seq 4, length 64
22:44:20.608965 IP 192.168.60.254 > 192.168.58.254: ICMP echo request, id 15773, seq 4, length 64
22:44:20.608970 IP 192.168.60.254 > 192.168.58.254: ICMP echo request, id 15773, seq 4, length 64
22:44:20.609031 IP 192.168.58.254 > 192.168.60.254: ICMP echo reply, id 15773, seq 4, length 64
22:44:20.609031 IP 192.168.58.254 > 192.168.60.254: ICMP echo reply, id 15773, seq 4, length 64
22:44:21.632920 IP 192.168.60.254 > 192.168.58.254: ICMP echo request, id 15773, seq 5, length 64
22:44:21.632979 IP 192.168.60.254 > 192.168.58.254: ICMP echo request, id 15773, seq 5, length 64
22:44:21.632984 IP 192.168.60.254 > 192.168.58.254: ICMP echo request, id 15773, seq 5, length 64
22:44:21.633052 IP 192.168.58.254 > 192.168.60.254: ICMP echo reply, id 15773, seq 5, length 64
22:44:21.633052 IP 192.168.58.254 > 192.168.60.254: ICMP echo reply, id 15773, seq 5, length 64
22:44:22.657009 IP 192.168.60.254 > 192.168.58.254: ICMP echo request, id 15773, seq 6, length 64

tcpdump capture Host Site A

listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
00:44:16.587371 IP 192.168.60.254 > fw.artica.local: ICMP echo request, id 15773, seq 1, length 64
00:44:16.587410 IP fw.artica.local > 192.168.60.254: ICMP echo reply, id 15773, seq 1, length 64
00:44:17.599143 IP 192.168.60.254 > fw.artica.local: ICMP echo request, id 15773, seq 2, length 64
00:44:17.599179 IP fw.artica.local > 192.168.60.254: ICMP echo reply, id 15773, seq 2, length 64
00:44:18.619118 IP 192.168.60.254 > fw.artica.local: ICMP echo request, id 15773, seq 3, length 64
00:44:18.619155 IP fw.artica.local > 192.168.60.254: ICMP echo reply, id 15773, seq 3, length 64
00:44:19.643177 IP 192.168.60.254 > fw.artica.local: ICMP echo request, id 15773, seq 4, length 64
00:44:19.643208 IP fw.artica.local > 192.168.60.254: ICMP echo reply, id 15773, seq 4, length 64
                                                                       
  • 1/2 For each place you show ping also try traceroute -n. Do the ping hosts have routes to the remote network, and do the targets have routes back again? Commented Jun 17, 2024 at 21:09
  • 2/2 On as quiet a network as you can, fire up tshark or tcpdump (the command-line equivalent to Wireshark) on both the sending and receiving IPSec routers. Monitor packets matching the ping source/destination addresses and try the ping again. Do the packets arrive as expected? Do you see any attempts at a return? Commented Jun 17, 2024 at 21:12
  • @ChrisDavies I have updated the post to include the tcpdump captures. Commented Jun 17, 2024 at 23:41
  • What filter did you use for each? I don't see any return packets. You need to be matching both ways Commented Jun 17, 2024 at 23:55
  • Both captures show the request and the reply, e.g.: 00:42:02.458474 IP 192.168.60.254 > 192.168.58.254: ICMP echo request, id 15773, seq 1, length 64 00:42:02.460644 IP 192.168.58.254 > 192.168.60.254: ICMP echo reply, id 15773, seq 1, length 64 Commented Jun 18, 2024 at 0:05
