Intro to Configure IPsec VPN (Gateway-to-Gateway) using Strongswan
Strongswan supports Gateway-to-Gateway (site-to-site) and Road Warrior VPNs. In the first type, network traffic is encrypted and decrypted on the gateway at the entrance/exit of each site, so the hosts behind the gateways need no IPsec configuration of their own. In the Road Warrior case, traffic is encrypted on the end client (machine) itself and terminated on the remote gateway. In this article we explain the creation of a tunnel between two sites of an organization to secure the communication between them. The placement of the Strongswan-based VPN gateways is shown in the following figure. We want to secure communication between the 10.1.0.0/16 and 11.1.0.0/16 networks of the organization.

As shown in the above figure, we are interested in securing the communication from A to B and vice versa. It is important to get the routing of the Strongswan VPN gateways in the organization network right: hosts in 10.1.0.0/16 must route traffic for 11.1.0.0/16 through gateway A (and vice versa), and the two gateways must be able to reach each other on their outer addresses. We assume that a machine in office A can already ping a machine in the network of office B. Verifying this before IPsec is configured ensures the connectivity of the devices, so that any later failure can be blamed on IPsec rather than on routing.

In our previous article we installed Strongswan on a VM. In a production environment Strongswan is usually installed on dedicated hardware for better performance; in this article we use VMs to show the tunnel creation between two sites.

By default, a Strongswan built from source keeps its configuration under the /usr/local/etc/ directory, as shown in the following figure. Distribution packages put the same files (ipsec.conf, ipsec.secrets, strongswan.conf) under /etc/ instead, so check which location your charon daemon actually reads before editing.
Gateway-to-Gateway tunnel (Pre shared key)
In this tunnel the two gateways authenticate each other with a shared secret (pre-shared key, PSK). Note what the PSK is and is not used for: in IKEv2 the session keys for the symmetric cipher are derived from an ephemeral Diffie-Hellman exchange, and the PSK is only used to compute the AUTH payloads with which each side proves that it knows the secret. A weak PSK therefore does not let a passive eavesdropper decrypt recorded traffic, but an attacker who captures the IKE_AUTH exchange (for example by posing as the responder) can brute-force a short or dictionary PSK offline and then impersonate either gateway, so the PSK must be long and random.

Configuration of Strongswan on Local (left) machine (A side)

ipsec.conf is the main configuration file of Strongswan. In this file we define the parameters of the tunnel policy, such as the encryption and hashing algorithms. The contents of ipsec.conf on the A side are:

config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

conn %default

conn tunnel
    left=192.168.1.10
    leftsubnet=10.1.0.0/16
    right=192.168.1.11
    rightsubnet=11.1.0.0/16
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    authby=secret
    auto=start
    keyexchange=ikev2
    type=tunnel

A few notes on these values. Parameters inside a conn or config section must be indented, otherwise charon does not associate them with the section. The ike= line selects AES-256-CBC, HMAC-SHA2-256 and the 1024-bit MODP Diffie-Hellman group for the IKE SA; modp1024 is kept here because the status output below was captured with it, but it is below current recommendations, so prefer modp2048 or ecp256 on a new deployment. The esp= line contains no DH group, so CHILD_SA rekeys derive their keys from the IKE SA without perfect forward secrecy; appending a group (for example aes256-sha2_256-modp2048) enables PFS. The trailing ! makes a proposal strict, so charon will not accept other algorithms from the peer. charondebug="all" is useful while testing but very verbose; turn it down in production. dpdaction=clear tears the SAs down when the peer stops answering dead-peer detection, keyingtries=0 means retry forever, and auto=start brings the tunnel up as soon as the daemon starts.

ipsec.secrets contains the secret information, such as pre-shared keys, smart card PINs and the passwords of private keys. Keep it readable by root only (mode 600). In our case the pre-shared key between A and B is sharedsecret, which is acceptable for a lab but far too short for production; generate a long random string instead. The ipsec.secrets entry on the A side is:

192.168.1.10 192.168.1.11 : PSK 'sharedsecret'
Configuration of Strongswan on Remote (Right) machine (B side)

The B side is the mirror image of the A side with left and right swapped, since left always denotes the local gateway and right the remote one. The contents of ipsec.conf on B are:

config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

conn %default

conn tunnel
    left=192.168.1.11
    leftsubnet=11.1.0.0/16
    right=192.168.1.10
    rightsubnet=10.1.0.0/16
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    authby=secret
    auto=start
    keyexchange=ikev2
    type=tunnel

and the contents of ipsec.secrets of the remote site are

192.168.1.11 192.168.1.10 : PSK 'sharedsecret'

After making the changes on both sides, run the following command on each gateway to reload the configuration and create the tunnel.

# ipsec restart
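Before restarting, it is worth checking the two files for the mistakes that come up most often with this configuration: a small MODP group in ike=, an esp= proposal without a DH group (no PFS), left and right subnets that overlap (the error several readers hit when testing on a single LAN), and a short PSK. The following linter is an example added here; it is not part of the article or of the strongSwan project. The rule set, the 20-character PSK threshold and the weak-group list are assumptions chosen for illustration, and the sample configuration is a constructed copy of the A-side files shown above.

```python
"""Lint an ipsec.conf / ipsec.secrets pair for common site-to-site pitfalls.

Added example for this page, not strongSwan code.  Thresholds and the
weak-group list are assumptions; the sample files are constructed copies
of the article's A-side configuration.
"""
import ipaddress
import re

WEAK_DH = {"modp768", "modp1024", "modp1536"}   # assumption: MODP < 2048 bits
DH_GROUP = re.compile(r"^(modp\d+|ecp\d+|curve25519|x25519|x448)$")
MIN_PSK_LEN = 20                                 # assumption: lab threshold

ARTICLE_CONF = """\
config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

conn %default

conn tunnel #
    left=192.168.1.10
    leftsubnet=10.1.0.0/16
    right=192.168.1.11
    rightsubnet=11.1.0.0/16
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    authby=secret
    auto=start
    keyexchange=ikev2
    type=tunnel
"""
ARTICLE_SECRETS = "192.168.1.10 192.168.1.11 : PSK 'sharedsecret'\n"

# The mistake several commenters made: the same /24 on both sides.
SAME_SUBNET_CONF = (ARTICLE_CONF.replace("10.1.0.0/16", "192.168.1.0/24")
                                .replace("11.1.0.0/16", "192.168.1.0/24"))


def parse_ipsec_conf(text):
    """Return {'config setup': {...}, 'conn tunnel': {'left': ..., ...}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        m = re.match(r"^(config|conn)\s+(\S+)$", line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def parse_secrets(text):
    """Return the PSK strings found in ipsec.secrets-style lines."""
    pattern = re.compile(r"""^.*:\s*PSK\s+(['"])(.*)\1\s*$""")
    return [m.group(2) for m in map(pattern.match, text.splitlines()) if m]


def lint(conf_text, secrets_text=""):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    for name, p in parse_ipsec_conf(conf_text).items():
        if not name.startswith("conn ") or name == "conn %default":
            continue
        # ike=: any proposal using a small MODP group
        for proposal in p.get("ike", "").rstrip("!").split(","):
            if any(alg in WEAK_DH for alg in proposal.split("-")):
                findings.append(f"{name}: weak DH group in ike proposal '{proposal}'")
        # esp=: a proposal without a DH group rekeys the CHILD_SA without PFS
        for proposal in filter(None, p.get("esp", "").rstrip("!").split(",")):
            if not any(DH_GROUP.match(alg) for alg in proposal.split("-")):
                findings.append(f"{name}: esp proposal '{proposal}' has no DH group (no PFS)")
        # traffic selectors on the two sides must not overlap
        left, right = p.get("leftsubnet"), p.get("rightsubnet")
        if left and right:
            l_net = ipaddress.ip_network(left, strict=False)
            r_net = ipaddress.ip_network(right, strict=False)
            if l_net.overlaps(r_net):
                findings.append(f"{name}: leftsubnet {left} overlaps rightsubnet {right}")
    for psk in parse_secrets(secrets_text):
        if len(psk) < MIN_PSK_LEN:
            findings.append(f"PSK of {len(psk)} characters is shorter than {MIN_PSK_LEN}")
    return findings


if __name__ == "__main__":
    for f in lint(ARTICLE_CONF, ARTICLE_SECRETS) + lint(SAME_SUBNET_CONF):
        print("WARN", f)
```

Run against the article's own files it reports the weak group, the missing PFS group and the short PSK; run against the same-subnet variant it adds the overlap, which is exactly the case in which charon negotiates an IKE SA but no usable CHILD SA.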
To check the status of the tunnel on both machines, run the following command in a terminal. The output for the local and remote machine is shown below. When reading it, a line of the form tunnel[1]: ESTABLISHED is the IKE SA (the authenticated control channel), and a line of the form tunnel{1}: INSTALLED is the CHILD SA, i.e. the ESP tunnel that actually carries the 10.1.0.0/16 === 11.1.0.0/16 traffic. A working site-to-site tunnel shows both; if only the IKE SA appears, the traffic selectors or the ESP proposal were not accepted, and /var/log/syslog (where charon logs by default) has the reason.

# ipsec statusall

Output of ipsec statusall on VM A
Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.13.0-24-generic, x86_64):
uptime: 8 minutes, since Jan 03 13:44:32 2015
malloc: sbrk 1351680, mmap 0, used 250048, free 1101632
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
loaded plugins: charon pkcs11 aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
192.168.1.10
Connections:
tunnel: 192.168.1.10...192.168.1.11 IKEv2, dpddelay=30s
tunnel: local: [192.168.1.10] uses pre-shared key authentication
tunnel: remote: [192.168.1.11] uses pre-shared key authentication
tunnel: child: 10.1.0.0/16 === 11.1.0.0/16 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
tunnel[1]: ESTABLISHED 8 minutes ago, 192.168.1.10[192.168.1.10]...192.168.1.11[192.168.1.11]
tunnel[1]: IKEv2 SPIs: cafdf24210e8e503_i* 7ee6557a1d297e35_r, pre-shared key reauthentication in 25 minutes
tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
tunnel{1}: INSTALLED, TUNNEL, ESP SPIs: cbd51ed8_i c7243b49_o
tunnel{1}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 7 hours
tunnel{1}: 10.1.0.0/16 === 11.1.0.0/16
Output of ipsec statusall on VM B
Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.13.0-24-generic, x86_64):
uptime: 6 minutes, since Jan 03 13:44:21 2015
malloc: sbrk 1351680, mmap 0, used 250944, free 1100736
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 8
loaded plugins: charon pkcs11 aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
192.168.1.11
Connections:
tunnel: 192.168.1.11...192.168.1.10 IKEv2, dpddelay=30s
tunnel: local: [192.168.1.11] uses pre-shared key authentication
tunnel: remote: [192.168.1.10] uses pre-shared key authentication
tunnel: child: 11.1.0.0/16 === 10.1.0.0/16 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
tunnel[3]: ESTABLISHED 6 minutes ago, 192.168.1.11[192.168.1.11]...192.168.1.10[192.168.1.10]
tunnel[3]: IKEv2 SPIs: cafdf24210e8e503_i 7ee6557a1d297e35_r*, pre-shared key reauthentication in 36 minutes
tunnel[3]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
tunnel{3}: INSTALLED, TUNNEL, ESP SPIs: c7243b49_i cbd51ed8_o
tunnel{3}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 7 hours
tunnel{3}: 11.1.0.0/16 === 10.1.0.0/16

ipsec statusall shows charon's view of the tunnel. The ip command with the xfrm object shows the kernel's view, which is what actually encrypts packets: ip xfrm policy lists the security policies (which traffic must be protected and in which direction) and ip xfrm state lists the security associations that charon installed, with their SPIs, algorithms and keys. If statusall reports a CHILD SA but ip xfrm state is empty, the installation into the kernel failed and the tunnel will not carry traffic. The output of ip xfrm state on both devices is shown below; note that the reqid matches the CHILD SA number in braces in the statusall output.

Output of ip xfrm state command on VM A
src 192.168.1.10 dst 192.168.1.11
proto esp spi 0xc7243b49 reqid 1 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha256) 0x3077c888d622b899532a5f1b8e9399efe65684ffa694bf072ea4de8a44898b2f 128
enc cbc(aes) 0x8fafb23d824c1e898dc42f6d59b14c52e6a33b2183c0c9c762de8cacfd355a6f
src 192.168.1.11 dst 192.168.1.10
proto esp spi 0xcbd51ed8 reqid 1 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha256) 0x50b63121299e97339cf2a78bb86b958ae0c3e594b1c535a0a12ce0a165d4e0ef 128
enc cbc(aes) 0x41447fea3021a3b13838f076dbe72139389be93960a641664bb7e1e6fc34b01a
Output of ip xfrm state command on VM B
src 192.168.1.11 dst 192.168.1.10
proto esp spi 0xcbd51ed8 reqid 3 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha256) 0x50b63121299e97339cf2a78bb86b958ae0c3e594b1c535a0a12ce0a165d4e0ef 128
enc cbc(aes) 0x41447fea3021a3b13838f076dbe72139389be93960a641664bb7e1e6fc34b01a
src 192.168.1.10 dst 192.168.1.11
proto esp spi 0xc7243b49 reqid 3 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha256) 0x3077c888d622b899532a5f1b8e9399efe65684ffa694bf072ea4de8a44898b2f 128
enc cbc(aes) 0x8fafb23d824c1e898dc42f6d59b14c52e6a33b2183c0c9c762de8cacfd355a6f

As shown above, ip xfrm state prints sensitive information: the auth-trunc and enc values are the live ESP integrity and encryption keys, and they are identical on both gateways because each SA is shared. Treat this output as secret: avoid running the command casually on a production Strongswan server, and never paste it unredacted into tickets, chat or log collectors. The SPIs (0xcbd51ed8 and 0xc7243b49) are the same ones that ipsec statusall reported as ESP SPIs, with inbound and outbound swapped between the two gateways.
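The two status views above are the ones you will compare when a tunnel misbehaves. The following script is an example added for this page, not strongSwan code: it classifies ipsec statusall output as no connection, IKE SA only, or fully up, cross-checks the ESP SPIs charon reports against the SPIs present in the kernel's ip xfrm state dump, and redacts the key material so that dump can be shared safely. The sample outputs are constructed from the article's listings above, trimmed to the lines the functions look at.

```python
"""Compare 'ipsec statusall' (charon's view) with 'ip xfrm state' (kernel
view), classify the tunnel state and redact keys before sharing the dump.

Added example for this page, not strongSwan code.  Samples are constructed
from the article's own listings, trimmed to the relevant lines.
"""
import re

STATUSALL_UP = """\
Security Associations (1 up, 0 connecting):
      tunnel[1]: ESTABLISHED 8 minutes ago, 192.168.1.10[192.168.1.10]...192.168.1.11[192.168.1.11]
      tunnel[1]: IKEv2 SPIs: cafdf24210e8e503_i* 7ee6557a1d297e35_r, pre-shared key reauthentication in 25 minutes
      tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
      tunnel{1}:  INSTALLED, TUNNEL, ESP SPIs: cbd51ed8_i c7243b49_o
      tunnel{1}:   10.1.0.0/16 === 11.1.0.0/16
"""

# What one commenter saw: IKE SA established but no CHILD SA installed.
STATUSALL_IKE_ONLY = "\n".join(STATUSALL_UP.splitlines()[:4]) + "\n"

STATUSALL_NO_CONN = """\
Security Associations (0 up, 0 connecting):
  none
"""

XFRM_STATE = """\
src 192.168.1.10 dst 192.168.1.11
    proto esp spi 0xc7243b49 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha256) 0x3077c888d622b899532a5f1b8e9399efe65684ffa694bf072ea4de8a44898b2f 128
    enc cbc(aes) 0x8fafb23d824c1e898dc42f6d59b14c52e6a33b2183c0c9c762de8cacfd355a6f
src 192.168.1.11 dst 192.168.1.10
    proto esp spi 0xcbd51ed8 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha256) 0x50b63121299e97339cf2a78bb86b958ae0c3e594b1c535a0a12ce0a165d4e0ef 128
    enc cbc(aes) 0x41447fea3021a3b13838f076dbe72139389be93960a641664bb7e1e6fc34b01a
"""

IKE_SA_LINE = re.compile(r"^\s*\S+\[\d+\]:\s+ESTABLISHED", re.M)   # tunnel[1]: ESTABLISHED
CHILD_SA_LINE = re.compile(r"^\s*\S+\{\d+\}:\s+INSTALLED", re.M)   # tunnel{1}: INSTALLED
ESP_SPIS = re.compile(r"ESP SPIs:\s+([0-9a-f]+)_i\s+([0-9a-f]+)_o")
XFRM_SPI = re.compile(r"proto esp spi 0x([0-9a-f]+)")
XFRM_KEY = re.compile(r"^(\s*(?:auth-trunc|auth|enc|aead)\s+\S+\s+)0x[0-9a-fA-F]+", re.M)


def tunnel_state(status_text):
    """'NO_CONN': no IKE SA; 'IKE_ONLY': IKE SA up but no CHILD SA installed;
    'UP': both present, so ESP traffic can flow."""
    if not IKE_SA_LINE.search(status_text):
        return "NO_CONN"
    if not CHILD_SA_LINE.search(status_text):
        return "IKE_ONLY"
    return "UP"


def statusall_esp_spis(status_text):
    """ESP SPIs charon reports, as {'in': int, 'out': int}, or None."""
    m = ESP_SPIS.search(status_text)
    return {"in": int(m.group(1), 16), "out": int(m.group(2), 16)} if m else None


def xfrm_esp_spis(xfrm_text):
    """Set of ESP SPIs present in the kernel SAD dump."""
    return {int(s, 16) for s in XFRM_SPI.findall(xfrm_text)}


def kernel_matches_charon(status_text, xfrm_text):
    """True only if every SPI charon claims to have installed is in the kernel."""
    spis = statusall_esp_spis(status_text)
    return spis is not None and set(spis.values()) <= xfrm_esp_spis(xfrm_text)


def redact_xfrm(xfrm_text):
    """Mask auth/enc key material; SPIs, reqids and algorithms stay visible."""
    return XFRM_KEY.sub(r"\g<1>0x<redacted>", xfrm_text)


if __name__ == "__main__":
    print(tunnel_state(STATUSALL_UP), kernel_matches_charon(STATUSALL_UP, XFRM_STATE))
    print(redact_xfrm(XFRM_STATE))
```

On a live gateway feed it the real command output (for example via subprocess) and share only the redacted dump; an IKE_ONLY result points at the CHILD SA negotiation (traffic selectors or the esp= proposal), while UP with a kernel mismatch points at the kernel-netlink plugin or a competing IPsec stack on the host.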
I did the exact same steps as above on two local VMs on my laptop.
I am very new to ipsec and strongswan and was testing out a possible way to configure strongswan on two local VMs on my laptop itself.
But when I execute:
ipsec statusall - I see no connections.
Both the vms are running ubuntu 14.04 and strongswan version is: strongSwan U5.1.2/K3.13.0-48-generic
One vm has the ifconfig as:
eth0 10.0.2.15/24
eth1 192.168.0.100/24
The other has the foll. ifconfig:
eth0 10.0.2.15/24
eth1 192.168.0.101/24
In ipsec.conf(say on the left machine), I have added the following:
conn tunnel #
left=192.168.0.100
leftsubnet=10.0.2.15/24
right=192.168.0.101
rightsubnet=10.0.2.15/24
I would be grateful if you could let me know if I am doing something wrong with the configuration or if the setup itself is wrong, as both the subnets are under 10.0.2.15 itself because both the VMs are on my local laptop. Please suggest.
Thanks & Best Regards
Sumanth
Do the following things and get back to us.
Please change the subnet on one VM. You have the same subnet on both sides.
Please share complete details: ipsec.conf/ipsec.secrets files and logs as well.
Please also share /var/log/syslog and /var/log/authlog with us.
Thanks for the reply and especially the article.
The ipaddress of my VM_A looks like this:
eth0:10.0.2.15
eth1:192.168.1.130
The ipaddress of my VM_B looks like this:
eth0:10.0.2.15
eth1:192.168.1.131
and the following command gives the output below:
$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.13.0-48-generic, x86_64):
uptime: 4 minutes, since May 26 08:34:35 2015
malloc: sbrk 2412544, mmap 0, used 323616, free 2088928
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
loaded plugins: charon pkcs11 aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
10.0.2.15
192.168.1.131
Connections:
tunnel: 192.168.1.131...192.168.1.130 IKEv2, dpddelay=30s
tunnel: local: [192.168.1.131] uses pre-shared key authentication
tunnel: remote: [192.168.1.130] uses pre-shared key authentication
tunnel: child: 192.168.1.0/24 === 192.168.1.0/24 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
tunnel[1]: ESTABLISHED 4 minutes ago, 192.168.1.131[192.168.1.131]...192.168.1.130[192.168.1.130]
tunnel[1]: IKEv2 SPIs: 210a80be506b3db6_i* b605f71c45464001_r, pre-shared key reauthentication in 35 minutes
tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
But ip xfrm state gives nothing, as Luca had mentioned below.
I believe it is mostly because both the VMs are in the same subnet. Please let me know if my understanding is correct.
Also I had another question. In the above log, one of the lines in the Connections part says:
tunnel: child: 192.168.1.0/24 === 192.168.1.0/24 TUNNEL,
So does it mean that any computer within this subnet (192.168.1.0/255) has IPsec connectivity?
My host has the 192.168.1.2 IP address and everything is in the 192.168.1.0/255 subnet,
with both the VMs' IP addresses being 192.168.1.130 & 192.168.1.131.
What does the above log indicate? Please suggest.
Thank You
Sumanth
Thanks for the comments.
1. Can you install another tool (ipsec-tools) on your VMs? You can download it from http://ipsec-tools.sourceforge.net/
Once you have installed the tool, it will give you a set of commands, and "setkey" is one of them.
Run "setkey -D" and share your output with me. It will show the security associations between the two parties.
2. The line child: 192.168.1.0/24 === 192.168.1.0/24 TUNNEL in your case indicates an IPsec tunnel between the 192.168.1.130 and 192.168.1.131 IP addresses. Both IPs are from the 192.168.1.0/24 network.
You can say 192.168.1.131/130 are the gateways of your network which are used for the IPsec tunnel.
I have the same configuration but for me it's not showing any connection. As I see in the above comment you also faced the same issue; can you please help me resolve this issue?
The ipaddress of my VM_A looks like this:
eth0:10.0.2.15
eth1:192.168.56.101
The ipaddress of my VM_B looks like this:
eth0:10.0.2.15
eth1:192.168.56.102
Thank You
Hanish
I have a problem.
I want to create an IPsec tunnel between two VMs (Fedora) on my laptop. I can ping from A to B and from B to A.
IP VM A=192.168.1.130
IP VM B=192.168.1.131
Default gateway 192.168.1.1 and subnet 192.168.1.0/24 for both.
ipsec.conf on VM A:
# ipsec.conf - strongSwan IPsec configuration file
config setup
#charondebug="all"
#uniqueids=yes
#strictcrlpolicy=no
#conn %default
#conn tunnel #
#left=192.168.1.130
#leftsubnet=192.168.1.0/24
#right=192.168.1.131
#rightsubnet=192.168.1.0/24
#ike=aes256-sha2_256-modp1024!
#esp=aes256-sha2_256!
#keyingtries=0
#ikelifetime=1h
#lifetime=8h
#dpddelay=30
#dpdtimeout=120
#dpdaction=clear
#authby=secret
#auto=start
#keyexchange=ikev2
#type=tunnel
ipsec.conf on VM B
# ipsec.conf - strongSwan IPsec configuration file
config setup
#charondebug="all"
#uniqueids=yes
#strictcrlpolicy=no
#conn %default
#conn tunnel #
#left=192.168.1.131
#leftsubnet=192.168.1.0/24
#right=192.168.1.130
#rightsubnet=192.168.1.0/24
#ike=aes256-sha2_256-modp1024!
#esp=aes256-sha2_256!
#keyingtries=0
#ikelifetime=1h
#lifetime=8h
#dpddelay=30
#dpdtimeout=120
#dpdaction=clear
#authby=secret
#auto=start
#keyexchange=ikev2
#type=tunnel
ipsec.secrets VM A
192.168.1.130 192.168.1.131 : PSK 'sharedsecret'
ipsec.secrets VM B
192.168.1.131 192.168.1.130 : PSK 'sharedsecret'
This is the output of the command ipsec statusall on VM B, for example:
[root@localhost ~]# ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.17.4-301.fc21.x86_64, x86_64):
uptime: 7 seconds, since May 17 11:57:35 2015
malloc: sbrk 1470464, mmap 0, used 298288, free 1172176
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon pkcs11 aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
192.168.1.131
Connections:
Security Associations (0 up, 0 connecting):
none
Now I have many doubts:
1)
I have only one NIC in both VMs; for example, this is ifconfig on VM A:
eno16777736: flags=4163 mtu 1500
inet 192.168.1.130 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::20c:29ff:fede:b771 prefixlen 64 scopeid 0x20
ether 00:0c:29:de:b7:71 txqueuelen 1000 (Ethernet)
RX packets 54817 bytes 76430363 (72.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 29712 bytes 2506960 (2.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73 mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 0 (Local Loopback)
RX packets 8 bytes 800 (800.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8 bytes 800 (800.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Is this a problem? If yes, how do I create the second NIC?
2) Must IP forwarding be active? In another tutorial I found these commands to run before launching ipsec:
$ echo 1 > /proc/sys/net/ipv4/ip_forward
$ echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
$ echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
Thanks for the solution.
# means a comment, so you have disabled everything in the ipsec.conf file. Please remove the # and check again.
You can check /var/log/syslog as well for further troubleshooting.
Listening IP addresses:
192.168.1.130
Connections:
tunnel: 192.168.1.130...192.168.1.131 IKEv2, dpddelay=30s
tunnel: local: [192.168.1.130] uses pre-shared key authentication
tunnel: remote: [192.168.1.131] uses pre-shared key authentication
tunnel: child: 192.168.1.0/24 === 192.168.1.0/24 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
tunnel[1]: ESTABLISHED 8 seconds ago, 192.168.1.130[192.168.1.130]...192.168.1.131[192.168.1.131]
tunnel[1]: IKEv2 SPIs: 5fbeb22285363d2a_i* eec4cf2b8fbafb96_r, pre-shared key reauthentication in 40 minutes
tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Some questions:
1) Why doesn't the log file in var/log/ exist?
2) This is important: my target is to capture ESP packets with Wireshark. Now in this situation all packets are not ESP but TCP, UDP, etc. Why? The tunnel between the two VMs is up...
I remind you that the default GW of the two VMs is the router, 192.168.1.1
3) Finally I want this scenario:
PC A ---GATEWAY A(VM A) ---tunnel--- GATEWAY B (VM B) ---- PC B
But all are in the same subnet, and Gateway A and B are VMs with only one NIC. How do I connect PC A to PC B with the tunnel?
Thanks a lot!!
You can check the status of the tunnel using the "ip xfrm state" command.
1. Please check your path. It is /var/log/syslog not var/log (the slash is important).
2. It will show ESP once you send traffic from one node to the other and sniff on the outer interface (left and right IP addresses).
3. I will check this part myself and then I will be back with a solution.
I have VM A (192.168.1.130) and VM B (192.168.1.131), and both VMs have the same gateway for the internet connection, my home router, 192.168.1.1.
How do I send traffic from A to B to show ESP packets in Wireshark? I tried with ping but the protocol is ICMP. Another example? Thanks!
# ip xfrm state
[root@computer]# ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.17.4-301.fc21.x86_64, x86_64):
uptime: 8 minutes, since May 19 09:48:23 2015
malloc: sbrk 1470464, mmap 0, used 317264, free 1153200
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
loaded plugins: charon pkcs11 aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
192.168.1.130
Connections:
tunnel: 192.168.1.130...192.168.1.131 IKEv2, dpddelay=30s
tunnel: local: [192.168.1.130] uses pre-shared key authentication
tunnel: remote: [192.168.1.131] uses pre-shared key authentication
tunnel: child: 192.168.1.0/24 === 192.168.1.0/24 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
tunnel[1]: ESTABLISHED 7 minutes ago, 192.168.1.130[192.168.1.130]...192.168.1.131[192.168.1.131]
tunnel[1]: IKEv2 SPIs: a05bdd1af769fdb7_i* 828175c706066feb_r, pre-shared key reauthentication in 30 minutes
tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
[root@computer]# ip xfrm state
[root@computer]#
I also tried ip xfrm state show but nothing..
Last question:
I have PC A ----GW A----tunnel---GW B------PC B
GW A and GW B have my home router, 192.168.1.1, as gateway and have an internet connection.
PC A has GW A as gateway, and PC B has GW B too.
PC A can ping PC B, but neither has internet access. Why?
Most probably your internet traffic is not going outside.
1) Why do I have to disable firewalld with the command "systemctl stop firewalld" on my two gateways to ping from leftsubnet to rightsubnet?
2) Why do I have to launch the "ipsec restart" command twice to open the tunnel?
The first time:
Security Associations (1 up, 0 connecting):
tunnel[2]: ESTABLISHED 21 seconds ago, 172.16.75.2[172.16.75.2]...172.16.75.1[172.16.75.1]
tunnel[2]: IKEv2 SPIs: de3400a4281e14ca_i 8391c3b42217f221_r*, pre-shared key reauthentication in 47 minutes
tunnel[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
The second time:
tunnel[2]: ESTABLISHED 32 seconds ago, 172.16.75.2[172.16.75.2]...172.16.75.1[172.16.75.1]
tunnel[2]: IKEv2 SPIs: 735da7aa6f9d93d0_i 89d9cb265fc41166_r*, pre-shared key reauthentication in 42 minutes
tunnel[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
tunnel{2}: INSTALLED, TUNNEL, ESP SPIs: c9ccfe10_i c8df7fb5_o
tunnel{2}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 7 hours
tunnel{2}: 192.168.1.0/24 === 192.168.0.0/24
I hope you answer this question!
2. ipsec restart reloads the changes to the configuration files. ipsec restart basically initiates the IKE and ESP parameters with the 2nd device. To identify the problem I would recommend that you first run "ipsec stop" on both sides and then "ipsec start". It may solve the problem.
The routes are added (table 220) and the iptables rules are added, but I think the firewalld rules must be interfering somewhere. But where? I'm just not seeing it. Any suggestions?
Can you check your end-to-end ping without IPsec?
If yes, then we will move ahead.
What is the output of the ipsec statusall command?
I did the exact same steps as above on two local VMs on my machine.
I am new to ipsec and strongswan and was testing out a possible way to configure strongswan on two local VMs on my machine itself.
But when I execute:
ipsec statusall - I see no connections.
Both the vms are running ubuntu 12.04 and strongswan version is: strongSwan U5.1.2/K3.13.0-48-generic
One vm has the ifconfig as:
eth0 10.0.2.15/24
eth1 192.168.56.101/24
The other has the foll. ifconfig:
eth0 10.0.2.15/24
eth1 192.168.56.102/24
I would be grateful if you could let me know if I am doing something wrong with the configuration or if the setup itself is wrong, as both the subnets are under 10.0.2.15 itself because both the VMs are on my local machine. Please suggest.
Thanks & Best Regards
Hanish
You need to run ipsec restart on both VMs before checking the tunnel status. You can check the status of the tunnel in the syslog as well.