
I've got a problem I haven't been able to solve over the last few days. I've installed strongSwan on a Raspberry Pi with Raspbian (Debian GNU/Linux 7.11 (wheezy) / Linux 4.1.19-v7+ armv7l). There is also OpenVPN running on this Pi. The subnets are separated by VLANs (IEEE 802.1q tagged).

network diagram

The intention is to connect my iPad from any location to my LAN, as I already do with my laptop via OpenVPN. The tunnel comes up and everything looks good, except the traffic: the moment the tunnel is up, I can't access any IP anymore. (At this point I don't want split tunneling.) The iPad routing table looks good:

Dest IP/Prefix       Gateway                      IFace
0.0.0.0/0            link#8                       ipsec0
0.0.0.0/0            192.168.99.1 (local Gw)      en0
10.2.200.254         link#8                       ipsec0

The router itself has no dropping chains in iptables and no manual rules. When I ping from the iPad I can't see any traffic from the public source IP on my firewall. There are only the keepalives (UDP/500 and UDP/4500). So to me it looks like the iPad isn't sending the payload correctly.

200.0.0.1 is the dynamic public IP of the remote client.

/etc/ipsec.conf

config setup
  charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
  keyexchange=ikev2
  ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes2$
  esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha$
  dpdaction=clear
  dpddelay=300s
  left=%any
  leftsubnet=0.0.0.0/0
  leftcert=vpnHostCert.pem
  leftid="vpn.site2.example.com"
  leftsendcert=always
  lefthostaccess=yes
  right=%any
  rightdns=10.2.200.254
  rightid="*@site02.example.com"
  rightsourceip=10.102.1.0/24
  righthostaccess=yes

conn IPSec-IKEv2
  auto=add

/var/log/syslog

Oct 13 13:18:02 RTR-200-254 charon: 02[NET] received packet: from 200.0.0.1[1011] to 10.2.250.2[500]
Oct 13 13:18:02 RTR-200-254 charon: 02[NET] waiting for data on sockets
Oct 13 13:18:02 RTR-200-254 charon: 06[NET] received packet: from 200.0.0.1[1011] to 10.2.250.2[500] (432 bytes)
Oct 13 13:18:02 RTR-200-254 charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] looking for an ike config for 10.2.250.2...200.0.0.1
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG]   candidate: %any...%any, prio 28
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] found matching ike config: %any...%any with prio 28
Oct 13 13:18:02 RTR-200-254 charon: 06[IKE] 200.0.0.1 is initiating an IKE_SA
Oct 13 13:18:02 RTR-200-254 charon: 06[IKE] IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG]   proposal matches
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_4096, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_4096, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Oct 13 13:18:02 RTR-200-254 charon: 06[IKE] local host is behind NAT, sending keep alives
Oct 13 13:18:02 RTR-200-254 charon: 06[IKE] remote host is behind NAT
Oct 13 13:18:02 RTR-200-254 charon: 06[IKE] sending cert request for "C=DE, O=Example, CN=Example IPSec CA"
Oct 13 13:18:02 RTR-200-254 charon: 06[IKE] sending cert request for "CN=ca.vpn.site02.example.com, ST=NDS, L=Somewhere, OU=IT, O=Example, C=DE, [email protected]"
Oct 13 13:18:02 RTR-200-254 charon: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct 13 13:18:02 RTR-200-254 charon: 06[NET] sending packet: from 10.2.250.2[500] to 200.0.0.1[1011] (485 bytes)
Oct 13 13:18:02 RTR-200-254 charon: 03[NET] sending packet: from 10.2.250.2[500] to 200.0.0.1[1011]
Oct 13 13:18:02 RTR-200-254 charon: 02[NET] received packet: from 200.0.0.1[64916] to 10.2.250.2[4500]
Oct 13 13:18:02 RTR-200-254 charon: 02[NET] waiting for data on sockets
Oct 13 13:18:02 RTR-200-254 charon: 05[NET] received packet: from 200.0.0.1[64916] to 10.2.250.2[4500] (1804 bytes)
Oct 13 13:18:02 RTR-200-254 charon: 05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CERT CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] received end entity cert "C=DE, O=Example, [email protected]"
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] looking for peer configs matching 10.2.250.2[vpn.site02.example.com]...200.0.0.1[[email protected]]
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG]   candidate "IPSec-IKEv2", match: 20/19/28 (me/other/ike)
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selected peer config 'IPSec-IKEv2'
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG]   using certificate "C=DE, O=Example, [email protected]"
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG]   certificate "C=DE, O=Example, [email protected]" key: 2048 bit RSA
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG]   using trusted ca certificate "C=DE, O=Example, CN=Example IPSec CA"
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] checking certificate status of "C=DE, O=Example, [email protected]"
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] ocsp check skipped, no ocsp found
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] certificate status is not available
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG]   certificate "C=DE, O=Example, CN=Example IPSec CA" key: 4096 bit RSA
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG]   reached self-signed root ca with a path length of 0
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] authentication of '[email protected]' with RSA signature successful
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] processing INTERNAL_IP4_ADDRESS attribute
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] processing INTERNAL_IP4_DHCP attribute
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] processing INTERNAL_IP4_DNS attribute
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] processing INTERNAL_IP4_NETMASK attribute
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] processing INTERNAL_IP6_ADDRESS attribute
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] processing INTERNAL_IP6_DHCP attribute
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] processing INTERNAL_IP6_DNS attribute
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] peer supports MOBIKE
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] authentication of 'vpn.site02.example.com' (myself) with RSA signature successful
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] IKE_SA IPSec-IKEv2[2] established between 10.2.250.2[vpn.site02.example.com]...200.0.0.1[[email protected]]
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] IKE_SA IPSec-IKEv2[2] state change: CONNECTING => ESTABLISHED
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] scheduling reauthentication in 9849s
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] maximum IKE_SA lifetime 10389s
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] sending end entity cert "C=DE, O=Example, CN=vpn.site02.example.com"
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] peer requested virtual IP %any
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] reassigning offline lease to '[email protected]'
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] assigning virtual IP 10.102.1.1 to peer '[email protected]'
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] peer requested virtual IP %any6
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] no virtual IP found for %any6 requested by '[email protected]'
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] building INTERNAL_IP4_DNS attribute
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] proposing traffic selectors for us:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG]  0.0.0.0/0
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] proposing traffic selectors for other:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG]  10.102.1.1/32
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG]   candidate "IPSec-IKEv2" with prio 10+2
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] found matching child config "IPSec-IKEv2" with prio 12
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG]   no acceptable INTEGRITY_ALGORITHM found
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG]   no acceptable INTEGRITY_ALGORITHM found
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG]   proposal matches
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] configured proposals: ESP:AES_GCM_16_128/ECP_256/NO_EXT_SEQ, ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/ECP_256/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/ECP_384/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_1536/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/MODP_1536/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_1536/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:AES_GCM_16_128/NO_EXT_SEQ, ESP:AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selecting traffic selectors for us:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG]  config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG]  config: 0.0.0.0/0, received: ::/0 => no match
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selecting traffic selectors for other:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG]  config: 10.102.1.1/32, received: 0.0.0.0/0 => match: 10.102.1.1/32
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG]  config: 10.102.1.1/32, received: ::/0 => no match
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] CHILD_SA IPSec-IKEv2{2} established with SPIs cfc7c697_i 09e87caf_o and TS 0.0.0.0/0 === 10.102.1.1/32
Oct 13 13:18:02 RTR-200-254 charon: 05[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Oct 13 13:18:02 RTR-200-254 charon: 05[NET] sending packet: from 10.2.250.2[4500] to 200.0.0.1[64916] (1772 bytes)
Oct 13 13:18:02 RTR-200-254 charon: 03[NET] sending packet: from 10.2.250.2[4500] to 200.0.0.1[64916]

iptables-save

# Generated by iptables-save v1.4.14 on Thu Oct 13 13:25:44 2016
*nat
:PREROUTING ACCEPT [333:25621]
:INPUT ACCEPT [104:10720]
:OUTPUT ACCEPT [1264:104724]
:POSTROUTING ACCEPT [1493:119625]
COMMIT
# Completed on Thu Oct 13 13:25:44 2016
# Generated by iptables-save v1.4.14 on Thu Oct 13 13:25:44 2016
*filter
:INPUT ACCEPT [22151:4547969]
:FORWARD ACCEPT [7303:2080414]
:OUTPUT ACCEPT [22707:4537290]
COMMIT
# Completed on Thu Oct 13 13:25:44 2016

ifconfig

eth0      Link encap:Ethernet  Hardware Adresse 11:22:33:44:55:66
          inet Adresse:10.2.0.254  Bcast:10.2.0.255  Maske:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
          RX packets:507930 errors:0 dropped:0 overruns:0 frame:0
          TX packets:510583 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:1000
          RX bytes:436916075 (416.6 MiB)  TX bytes:448900377 (428.1 MiB)

eth0.10   Link encap:Ethernet  Hardware Adresse 11:22:33:44:55:66
          inet Adresse:10.2.10.254  Bcast:10.2.10.255  Maske:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metrik:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1818 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:0
          RX bytes:0 (0.0 B)  TX bytes:497281 (485.6 KiB)

eth0.11   Link encap:Ethernet  Hardware Adresse 11:22:33:44:55:66
          inet Adresse:10.2.11.254  Bcast:10.2.11.255  Maske:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
          RX packets:5857 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4833 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:0
          RX bytes:1402095 (1.3 MiB)  TX bytes:760454 (742.6 KiB)

eth0.20   Link encap:Ethernet  Hardware Adresse 11:22:33:44:55:66
          inet Adresse:10.2.20.254  Bcast:10.2.20.255  Maske:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1236 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:0
          RX bytes:0 (0.0 B)  TX bytes:472837 (461.7 KiB)

eth0.51   Link encap:Ethernet  Hardware Adresse 11:22:33:44:55:66
          inet Adresse:10.2.51.254  Bcast:10.2.51.255  Maske:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:472 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:0
          RX bytes:0 (0.0 B)  TX bytes:36720 (35.8 KiB)

eth0.100  Link encap:Ethernet  Hardware Adresse 11:22:33:44:55:66
          inet Adresse:10.2.100.254  Bcast:10.2.100.255  Maske:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
          RX packets:180916 errors:0 dropped:0 overruns:0 frame:0
          TX packets:277135 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:0
          RX bytes:52955753 (50.5 MiB)  TX bytes:368243511 (351.1 MiB)

eth0.110  Link encap:Ethernet  Hardware Adresse 11:22:33:44:55:66
          inet Adresse:10.2.110.254  Bcast:10.2.110.255  Maske:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
          RX packets:507 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1713 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:0
          RX bytes:92936 (90.7 KiB)  TX bytes:526225 (513.8 KiB)

eth0.150  Link encap:Ethernet  Hardware Adresse 11:22:33:44:55:66
          inet Adresse:10.2.150.254  Bcast:10.2.150.255  Maske:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth0.200  Link encap:Ethernet  Hardware Adresse 11:22:33:44:55:66
          inet Adresse:10.2.200.254  Bcast:10.2.200.255  Maske:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
          RX packets:4945 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6059 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:0
          RX bytes:596764 (582.7 KiB)  TX bytes:2019159 (1.9 MiB)

eth0.2500 Link encap:Ethernet  Hardware Adresse 11:22:33:44:55:66
          inet Adresse:10.2.250.2  Bcast:10.2.250.3  Maske:255.255.255.252
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
          RX packets:313144 errors:0 dropped:0 overruns:0 frame:0
          TX packets:217317 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:0
          RX bytes:379718967 (362.1 MiB)  TX bytes:70217194 (66.9 MiB)

lo        Link encap:Lokale Schleife
          inet Adresse:127.0.0.1  Maske:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metrik:1
          RX packets:27589 errors:0 dropped:0 overruns:0 frame:0
          TX packets:27589 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:0
          RX bytes:3368330 (3.2 MiB)  TX bytes:3368330 (3.2 MiB)

tun0      Link encap:UNSPEC  Hardware Adresse 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet Adresse:10.100.12.2  P-z-P:10.100.12.1  Maske:255.255.255.255
          UP PUNKTZUPUNKT RUNNING NOARP MULTICAST  MTU:1500  Metrik:1
          RX packets:19147 errors:0 dropped:0 overruns:0 frame:0
          TX packets:19569 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:100
          RX bytes:3915884 (3.7 MiB)  TX bytes:2446854 (2.3 MiB)

tun1      Link encap:UNSPEC  Hardware Adresse 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet Adresse:10.102.0.1  P-z-P:10.102.0.2  Maske:255.255.255.255
          UP PUNKTZUPUNKT RUNNING NOARP MULTICAST  MTU:1500  Metrik:1
          RX packets:11134 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11398 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:100
          RX bytes:2738720 (2.6 MiB)  TX bytes:7083263 (6.7 MiB)

Any ideas?

EDIT 14.10.2016 10:37 CEST:

Relevant part of iPMC.mobileconfig

<dict>
    <key>PayloadDescription</key>
        <string>VPN-Setup for site2.example.com_IPSec</string>
    <key>PayloadDisplayName</key>
        <string>VPN-Config site2.example.com_IPSec</string>
    <key>PayloadIdentifier</key>
        <string>com.example.admin.JohnDoe.vpn.2.config</string>
    <key>PayloadType</key>
        <string>com.apple.vpn.managed</string>
    <key>PayloadUUID</key>
        <string>87c9ece2-3e6b-56a4-8bed-2f4cba277d93</string>
    <key>PayloadVersion</key>
        <real>1</real>
    <key>UserDefinedName</key>
        <string>site2.example.com_IPSec</string>
    <key>VPNType</key>
        <string>IKEv2</string>
    <key>IKEv2</key>
        <dict>
    <key>AuthenticationMethod</key>
    <string>Certificate</string>
    <key>PayloadCertificateUUID</key>
    <string>7d35ed5d-5f97-55c8-b668-254fe57e26d4</string>
    <key>RemoteAddress</key>
    <string>vpn.site2.example.com</string>
    <key>RemoteIdentifier</key>
    <string>vpn.site2.example.com</string>
    <key>LocalIdentifier</key>
    <string>[email protected]</string>
    <key>AuthenticationMethod</key>
    <string>Certificate</string>
    <key>ExtendedAuthEnabled</key>
    <integer>0</integer>
    <key>PayloadCertificateUUID</key>
    <string>7d35ed5d-5f97-55c8-b668-254fe57e26d4</string>
    <key>OnDemandEnabled</key>
    <integer>0</integer>
    <key>IKESecurityAssociationParameters</key>
        <dict>
            <key>EncryptionAlgorithm</key>
            <string>AES-128</string>
            <key>IntegrityAlgorithm</key>
            <string>SHA1-96</string>
            <key>DiffieHellmanGroup</key>
            <integer>14</integer>
        </dict>
    <key>ChildSecurityAssociationParameters</key>
        <dict>
            <key>EncryptionAlgorithm</key>
            <string>AES-128</string>
            <key>IntegrityAlgorithm</key>
            <string>SHA1-96</string>
            <key>DiffieHellmanGroup</key>
            <integer>14</integer>
        </dict>
        </dict>
    <key>IPv4</key>
        <dict>
    <key>OverridePrimary</key>
    <integer>1</integer>
        </dict>
</dict>
<dict>
    <key>PayloadDisplayName</key>
        <string>VPN-CA-Certificate</string>
    <key>PayloadDescription</key>
        <string>Setup of a VPN-CA-Certificate</string>
    <key>PayloadIdentifier</key>
        <string>com.example.admin.JohnDoe.vpn.2.cacertificate</string>
    <key>PayloadType</key>
        <string>com.apple.security.root</string>
    <key>PayloadUUID</key>
        <string>0b541041-c649-5563-adf9-2d56ed801ad3</string>
    <key>PayloadVersion</key>
        <integer>1</integer>
    <key>PayloadCertificateFileName</key>
        <string>vpn_2_ca.crt</string>
    <key>PayloadContent</key>
        <data>
    XX0xXX0XXXxXXxXXXXXXXXXXX0XXXX0xXX0xXx0XXXXXXXXXXXx0
    X0X0XXXXX0xXXxxXx0XxXX0XX0X0XXXXXxxxXxxxxxXXXXXXXxXX
    XXxXXXXXXXXxX0XxXXXXXxxXX0XXXXxXxxXXXxxXXxXXx0XXx0xx
                    [... cut away ...]
    x0xXXXx0xXXXxXxXxXxXXXxXXxx0xXXxXx0XXxXXXXXxXxxXxXXx
    XXXXXXx0X0X0xXx0x0XXXxXXXxX0XXXxXxxxXXxxxXxXXxx0XX0X
    XxXxXxxxxX0XXXXXXXXXx0xXXXX0X0XxXxX0Xx0xXX0xXX0XXXXX
    XxXXXxxXXXXXXX0xXX0X
        </data>
</dict>
<dict>
    <key>PayloadDisplayName</key>
        <string>VPN-Client-Certificate</string>
    <key>PayloadDescription</key>
        <string>Setup of a Client-Certificate</string>
    <key>PayloadIdentifier</key>
        <string>com.example.admin.JohnDoe.vpn.2.certificate</string>
    <key>PayloadType</key>
        <string>com.apple.security.pkcs12</string>
    <key>PayloadUUID</key>
        <string>7d35ed5d-5f97-55c8-b668-254fe57e26d4</string>
    <key>PayloadVersion</key>
        <integer>1</integer>
    <key>PayloadCertificateFileName</key>
        <string>vpn_2.p12</string>
    <key>Password</key>
        <string>veryverylongandcomplexpassword;-)</string>
    <key>PayloadContent</key>
        <data>
    YYYYyYYYYyYYYYYYYYyYYYy8YYYYYyYYYYYYyyY/YYYYyyYYYyyY
    YYyYYYy8YYYYYyYYYyyyyyyyYyYYYYYY8YYYYyYYyyyYYYyYYYyY
    YyyYYYy8YYYYYYYyYyYYyyyYYYYYYyYYYyyYyYYYyYYYYy+8yYy8
                    [... cut away ...]
    YYyy8YYyyYyY8yYYYyyyYYy8yyY8YYyYYYyYYYy8YYYYYYYyYyyY
    YyYyYY8YYyYyYYYYYyYYYY8YYYYYYYYYyyY8YYyYYyYyYYYYYYY8
    YYYyYYYyYYyYYYyYYyYyYYYYYYyyYYy//Yy8yYYY8/8Y8y88yYY/
    YYy8y8YyyYY8yYYYYYY=
        </data>
</dict>
Skjall
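As an added diagnostic example (not part of the question or its comments), the Python below parses the charon log lines and the iptables-save dump quoted above and reports what the gateway negotiated (CHILD_SA, traffic selectors, ESP proposal, assigned virtual IP), the FORWARD policy, and whether the nat table has any POSTROUTING MASQUERADE/SNAT rule covering the `rightsourceip` pool. The sample input is constructed from the question's own output; the pool 10.102.1.0/24 is taken from `rightsourceip`.

```python
"""Check a strongSwan road-warrior gateway from charon syslog lines plus an
iptables-save dump: negotiated TS and ESP proposal, assigned virtual IP, FORWARD
policy, and whether nat POSTROUTING has a MASQUERADE/SNAT rule covering the pool."""
import ipaddress
import re

# Constructed sample input: three charon lines and the nat/filter tables as quoted above.
CHARON_LOG = """\
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] assigning virtual IP 10.102.1.1 to peer '[email protected]'
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] CHILD_SA IPSec-IKEv2{2} established with SPIs cfc7c697_i 09e87caf_o and TS 0.0.0.0/0 === 10.102.1.1/32
"""
IPTABLES_SAVE = """\
*nat
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT
"""
PATTERNS = (
    re.compile(r"CHILD_SA (?P<name>\S+) established with SPIs (?P<spi_in>[0-9a-f]+)_i "
               r"(?P<spi_out>[0-9a-f]+)_o and TS (?P<ts_local>\S+) === (?P<ts_remote>\S+)"),
    re.compile(r"selected proposal: (?P<esp>ESP:\S+)"),
    re.compile(r"assigning virtual IP (?P<vip>[0-9.]+) to peer"),
)

def parse_charon(log):
    """Collect CHILD_SA name/SPIs/TS, the selected ESP proposal and the virtual IP."""
    info = {}
    for line in log.splitlines():
        for regex in PATTERNS:
            m = regex.search(line)
            if m:
                info.update(m.groupdict())
    return info

def parse_iptables(dump):
    """Map each table of an iptables-save dump to its policy (:) and rule (-A) lines."""
    tables, current = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):
            current = line[1:]
            tables[current] = []
        elif line[:1] in (":", "-"):
            tables[current].append(line)
    return tables

def chain_policy(tables, table, chain):
    """Default policy (ACCEPT/DROP) of table/chain, or None if not declared."""
    for line in tables.get(table, []):
        if line.startswith(":" + chain + " "):
            return line.split()[1]
    return None

def nat_rules_for(tables, pool):
    """nat POSTROUTING MASQUERADE/SNAT rules whose -s (default: any) covers the pool."""
    pool_net = ipaddress.ip_network(pool, strict=False)
    hits = []
    for line in tables.get("nat", []):
        if not line.startswith("-A POSTROUTING") or not re.search(r"-j (MASQUERADE|SNAT)\b", line):
            continue
        m = re.search(r"-s (\S+)", line)
        src = ipaddress.ip_network(m.group(1) if m else "0.0.0.0/0", strict=False)
        if src.version == pool_net.version and pool_net.subnet_of(src):
            hits.append(line)
    return hits

def check(log, dump, pool):
    """Summarise what was negotiated and whether forwarding and NAT cover the pool."""
    sa, tables = parse_charon(log), parse_iptables(dump)
    vip = sa.get("vip")
    return {
        "child_sa": sa.get("name"),
        "ts": "%s === %s" % (sa.get("ts_local"), sa.get("ts_remote")),
        "esp": sa.get("esp"),
        "vip": vip,
        "vip_in_pool": vip is not None
        and ipaddress.ip_address(vip) in ipaddress.ip_network(pool, strict=False),
        "forward_policy": chain_policy(tables, "filter", "FORWARD"),
        "nat_rules": nat_rules_for(tables, pool),
    }
```

An empty `nat_rules` list with a `0.0.0.0/0` traffic selector means return traffic for the pool depends entirely on the LAN routing 10.102.1.0/24 back to the Pi, which is worth verifying from a LAN host before looking at the client.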
  • I have here `fragmentation = yes`, though I am doing ikev1. Does it help? – Rui F Ribeiro Oct 13 '16 at 14:54
  • Nope. Nothing happened. :( – Skjall Oct 14 '16 at 08:23
  • I also have `type = tunnel` *but* I think you do need it in ikev2. Do not have the time to double check it today. – Rui F Ribeiro Oct 14 '16 at 10:15
  • btw, are you able in the mobile config to activate the option "Show VPN status in menu bar"?...been trying it, but missing something. – Rui F Ribeiro Oct 14 '16 at 10:17
  • I am using strongswan with Debian 8 at home, and PfSense at work. Watch out for old bugs. Beware a VPN server ought to have a public IP address: "local host is behind NAT, remote host is behind NAT", as per your logs, is not the best of the ideas. – Rui F Ribeiro Oct 14 '16 at 10:23
  • Referring to the [manual](https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection) `type = tunnel` is the default and does not have to be declared. - NAT/NAT: It's my home connection and the only possible (payable) way. The tunnel is establishing, so it shall be no problem. – Skjall Oct 14 '16 at 11:42
  • mobileconfig/show...: Nope. No idea. It's a Mac thing... I don't have one :) – Skjall Oct 14 '16 at 11:49
  • At home, I made login in the ISP modem, and declared one of the ports on their internal switch as bridged ;) Some ISPs allow you to do that, in my case it is informally, but I surely am not the only one. – Rui F Ribeiro Oct 14 '16 at 12:03
  • (and it is one of the reasons I am still their customer. I am not particularly impressed with the stability of my upload) – Rui F Ribeiro Oct 14 '16 at 12:28
  • No Mac, iOS. That is an important detail. Beware that in iOS9 and before ikev2 is only allowed by profile; after iOS10 you can do without the profile. – Rui F Ribeiro Oct 14 '16 at 12:48

0 Answers