[strongSwan] Connecting from CENTOS to Meraki MX100

VTwin Farriers vtwin at cox.net
Wed Jan 19 12:22:45 CET 2022


I am having difficulty getting connected to a Meraki MX100 at a client site. I do not have administrative control over the Meraki so specifics about how it is configured I cannot address, although I can answer some questions. My machine is a CentOS 8.5 machine running strongswan 5.9.4-2 installed off the epel repo.

My local subnet at home is 192.168.0.0/17 and I use iptables to MASQ outbound traffic from my home network over my cable internet connection. The remote network is 192.168.227.0/24. We are using IKEv1 with a pre-shared key AES256, SHA1, DH2.

My symptom is that I seem to connect, but none of my traffic appears to get routed. My firewall is configured to allow traffic to pass. I have a logging rule in the chain which will log to syslog any rejected traffic, and I'm not seeing anything. ifconfig shows packets going out over the ipsec0 interface, so it appears that when I try to ping, the traffic is not rejected but is transmitted.

I'm a bit out of my depth here. I've worked with PPTP and OpenVPN before, but Strongswan is a bit convoluted. 

Any suggestions on where to look next would be appreciated. I'm out of ideas here. My only other alternative is to use a Cisco AnyConnect client from a Windows box (which I absolutely despise). I prefer to get this CentOS box up to give me greater flexibility.

Thank you,

Vinny


My ipsec.conf file:

config setup

conn %default
    ikelifetime=28800s
    rekeymargin=3600s
    keyingtries=%forever
    keyexchange=ikev1
    aggressive=no
    authby=psk
    dpdaction=restart
    dpddelay=30
    ike=aes256-sha1-modp1024
    esp=aes256-sha1


My swanctl.conf file:

connections {
    linktowork {
        remote_addrs = W.X.Y.Z
        local_addrs = %defaultroute
        children {
            remotesite {
                start_action = trap
                local_ts = 192.168.0.0/17
                remote_ts = 192.168.227.0/24
                esp_proposals = aes256-sha1
            }
        }
        version = 1
        proposals = aes256-sha1-modp1024
        local-0 {
            auth = psk
            id = A.B.C.D
        }
        remote-0 {
            auth = psk
            id = %any
        }
    }
}
secrets {
    ike-%any%any {
        secret = "SanitizedForYourProtection"
        id-0 = %any
        id-1 = %any
    }
    ike-A-B-C-DW-X-Y-Z {
        secret = "SanitizedForYourProtection"
        id-0 = A.B.C.D
        id-1 = W.X.Y.Z
    }
}


[root@MyRouter strongswan]# strongswan start
Starting strongSwan 5.9.4 IPsec [starter]...

[root@MyRouter strongswan]# swanctl --load-conns
loaded connection 'linktowork'
successfully loaded 1 connections, 0 unloaded

[root@MyRouter strongswan]# strongswan up linktowork
initiating Main Mode IKE_SA linktowork[18] to W.X.Y.Z
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 0.0.0.0[500] to W.X.Y.Z[500] (180 bytes)
received packet: from W.X.Y.Z[500] to A.B.C.D[500] (160 bytes)
parsed ID_PROT response 0 [ SA V V V V ]
received XAuth vendor ID
received DPD vendor ID
received FRAGMENTATION vendor ID
received NAT-T (RFC 3947) vendor ID
selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from A.B.C.D[500] to W.X.Y.Z[500] (244 bytes)
received packet: from W.X.Y.Z[500] to A.B.C.D[500] (244 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
faking NAT situation to enforce UDP encapsulation
generating ID_PROT request 0 [ ID HASH ]
sending packet: from A.B.C.D[4500] to W.X.Y.Z[4500] (76 bytes)
received packet: from W.X.Y.Z[4500] to A.B.C.D[4500] (76 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA linktowork[18] established between A.B.C.D[A.B.C.D]...W.X.Y.Z[W.X.Y.Z]
scheduling rekeying in 13395s
maximum IKE_SA lifetime 14835s
generating QUICK_MODE request 3163481014 [ HASH SA No ID ID ]
sending packet: from A.B.C.D[4500] to W.X.Y.Z[4500] (188 bytes)
received packet: from W.X.Y.Z[4500] to A.B.C.D[4500] (188 bytes)
parsed QUICK_MODE response 3163481014 [ HASH SA No ID ID ]
selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
CHILD_SA linktowork{2} established with SPIs 12e384e3_i c502865c_o and TS 192.168.0.0/17 === 192.168.227.0/24
connection 'linktowork' established successfully


[root@MyRouter strongswan]# strongswan status
Routed Connections:
linktowork{1}: ROUTED, TUNNEL, reqid 1
linktowork{1}: 192.168.0.0/17 === 192.168.227.0/24
Security Associations (1 up, 0 connecting):
linktowork[18]: ESTABLISHED 2 minutes ago, A.B.C.D[A.B.C.D]...W.X.Y.Z[W.X.Y.Z]
linktowork{2}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 12e384e3_i c502865c_o
linktowork{2}: 192.168.0.0/17 === 192.168.227.0/24


[root@MyRouter strongswan]# ip route show table 220
192.168.227.0/24 dev ipsec0 proto static src 192.168.127.254

[root@MyRouter strongswan]# ping 192.168.227.27
PING 192.168.227.27 (192.168.227.27) 56(84) bytes of data.
^C
--- 192.168.227.27 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4071ms

[root@MyRouter strongswan]# ifconfig ipsec0
ipsec0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1400
inet6 fe80::ad6a:4199:5123:6d81 prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 15 bytes 1228 (1.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
