<div dir="ltr"><div>Hi, I'm looking for some help with a VPN I have set up. This VPN connects two AWS VPCs, and is a learning opportunity for me, in preparation for a larger project next year.<br><br>In this case, I have 4 computers, two being strongSwan boxes, with two client machines. The layout is as follows:<br><br>172.16.20.24 <=> 172.16.20.13 <=> 172.31.26.241 <=> 172.31.18.117<br><br>where 172.16.20.13 and 172.31.26.241 are strongSwan boxes, with an IPsec tunnel between them. 172.16.20.24 and 172.16.20.13 can ping each other, and 172.31.26.241 and 172.31.18.117 can ping each other.<br><br>172.16.20.24 attempts to ping 172.31.18.117 over the tunnel.<br><br>Currently, routing between the VPCs is limited to the strongSwan boxes, to ensure that the client traffic traverses the tunnel.<br><br>For this test, the client machines are statically routing the target machine to the VPN machines, and when I ping from 18.117 to 20.24, I see the packet (twice in tcpdump) at 26.241, but it does not see traffic on the VPN, nor on the receiving side.<br><br>Thanks in advance, m<br><br>All seems well, and the tunnels come up (conn ec2test2):<br><br>Connections:<br> ec2test2: 172.31.26.241...172.16.20.13 IKEv2<br> ec2test2: local: [172.31.26.241] uses pre-shared key authentication<br> ec2test2: remote: [172.16.20.13] uses pre-shared key authentication<br> ec2test2: child: 172.31.18.117/32 === 172.16.20.24/32 TUNNEL<br>Security Associations (1 up, 0 connecting):<br> ec2test2[8]: ESTABLISHED 23 seconds ago, 172.31.26.241[172.31.26.241]...172.16.20.13[172.16.20.13]<br> ec2test2[8]: IKEv2 SPIs: e048424b128299d7_i* 5790cae7fadc96ff_r, pre-shared key reauthentication in 7 hours<br> ec2test2[8]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536<br> ec2test2{73}: INSTALLED, TUNNEL, reqid 12, ESP in UDP SPIs: c1ce842f_i cc636877_o<br> ec2test2{73}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 43 minutes<br> ec2test2{73}: 172.31.18.117/32 === 172.16.20.24/32<br><br>ipsec.conf:<br>conn ec2test2<br> right=172.16.20.13<br> left=172.31.26.241<br> leftfirewall=yes<br> rightsubnet=172.16.20.24/32<br> leftsubnet=172.31.18.117/32<br> rightfirewall=yes<br> ike=aes256-sha1-modp1536!<br> keyexchange=ikev2<br> ikelifetime=28800s<br> esp=aes256-sha1-modp1536!<br> keylife=3600s<br> rekeymargin=540s<br> type=tunnel<br> compress=no<br> authby=secret<br> mark=%unique<br> auto=start<br> keyingtries=%forever<br> forceencaps=yes<br> mobike=no<br><br>Firewall rules seem ok (they are added by strongSwan):<br>[root@ip-172-31-26-241 ec2-user]# iptables -S<br>-P INPUT ACCEPT<br>-P FORWARD ACCEPT<br>-P OUTPUT ACCEPT<br>-A FORWARD -s 172.16.20.24/32 -d 172.31.18.117/32 -i eth0 -m policy --dir in --pol ipsec --reqid 12 --proto esp -j ACCEPT<br>-A FORWARD -s 172.31.18.117/32 -d 172.16.20.24/32 -o eth0 -m policy --dir out --pol ipsec --reqid 12 --proto esp -j ACCEPT<br><br>[root@ip-172-31-26-241 ec2-user]# ip xfrm pol<br>src 172.31.18.117/32 dst 172.16.20.24/32<br> dir out priority 367231 ptype main<br> mark 0xc/0xffffffff<br> tmpl src 172.31.26.241 dst 172.16.20.13<br> proto esp spi 0xcc636877 reqid 12 mode tunnel<br>src 172.16.20.24/32 dst 172.31.18.117/32<br> dir fwd priority 367231 ptype main<br> mark 0xc/0xffffffff<br> tmpl src 172.16.20.13 dst 172.31.26.241<br> proto esp reqid 12 mode tunnel<br>src 172.16.20.24/32 dst 172.31.18.117/32<br> dir in priority 367231 ptype main<br> mark 0xc/0xffffffff<br> tmpl src 172.16.20.13 dst 172.31.26.241<br> proto esp reqid 12 mode tunnel<br>src 0.0.0.0/0 dst 0.0.0.0/0<br> socket in priority 0 ptype main<br>src 0.0.0.0/0 dst 0.0.0.0/0<br> socket out priority 0 ptype main<br>src 0.0.0.0/0 dst 0.0.0.0/0<br> socket in priority 0 ptype main<br>src 0.0.0.0/0 dst 0.0.0.0/0<br> socket out priority 0 ptype main<br>src ::/0 dst ::/0<br> socket in priority 0 ptype main<br>src ::/0 dst ::/0<br> socket out priority 0 ptype main<br>src ::/0 dst ::/0<br> socket in priority 0 ptype main<br>src ::/0 dst ::/0<br> socket out priority 0 ptype main<br><br>[root@ip-172-31-26-241 ec2-user]# ip xfrm state<br>src 172.31.26.241 dst 172.16.20.13<br> proto esp spi 0xcc636877 reqid 12 mode tunnel<br> replay-window 0 flag af-unspec<br> mark 0xc/0xffffffff<br> auth-trunc hmac(sha1) 0xf323a6acb5a1517bba18285fa54a3d51e237a4de 96<br> enc cbc(aes) 0xccb4bea13f0bf1a8fa24dac0de7dd73751005dc85a271a3f484bae125475808e<br> encap type espinudp sport 4500 dport 4500 addr 0.0.0.0<br> anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000<br>src 172.16.20.13 dst 172.31.26.241<br> proto esp spi 0xc1ce842f reqid 12 mode tunnel<br> replay-window 32 flag af-unspec<br> auth-trunc hmac(sha1) 0xa6e93c716c71a248b716bcdf5c9d0bbf2266d40f 96<br> enc cbc(aes) 0xffbeff56638b45c0d94bd33b1dfe9ded84aad68866bf1d44e9f01dc2eecf0660<br> encap type espinudp sport 4500 dport 4500 addr 0.0.0.0<br> anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000<br></div></div>
<br>
<p><font size="1"><b><span>Confidentiality and Privacy Notice:</span> </b>Information transmitted by this email is proprietary to [m]pirik and is intended for use only by the individual or entity to which it is addressed, and may contain information that is private, privileged, confidential or exempt from disclosure under applicable law. All personal messages express views solely of the sender, are not to be attributed to [m]pirik, and may not be copied or distributed without this disclaimer. If you are not the intended recipient or it appears that this mail has been forwarded to you without proper authority, you are notified that any use or dissemination of this information in any manner is strictly prohibited. In such cases, please delete this mail from your records.</font></p>
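<p>A diagnostic for the symptom in the mail above, added here as an example; it is not part of the original message and not a strongSwan tool. The detail worth checking is <code>mark=%unique</code>: with that option strongSwan installs XFRM policies and SAs that match only packets already carrying the chosen fwmark, which is exactly what the <code>mark 0xc/0xffffffff</code> line on every policy in the dump says. Plaintext from 172.31.18.117 that nothing marks therefore never matches the <code>dir out</code> policy, leaves the gateway by the ordinary routing table instead of entering the tunnel, and the CHILD_SA counters stay at <code>0 bytes_o</code>. The script parses <code>ip xfrm policy</code> and <code>iptables -t mangle -S</code> output, lists every policy that requires a fwmark, and reports those whose mark no mangle rule sets. The two policy and mangle dumps embedded in it are constructed (the policies copied from the mail, the mangle tables assumed); the function names are the example's own.</p>

```shell
#!/bin/sh
# Added diagnostic for strongSwan's mark=%unique (not from the original mail,
# not a strongSwan tool). It lists XFRM policies whose selector requires a
# fwmark and checks whether any iptables mangle rule sets that mark value.
# Inputs are the text of `ip xfrm policy` and `iptables -t mangle -S`.

# Constructed sample: the policies from the mail (marked 0xc) plus one socket policy.
XFRM_SAMPLE='src 172.31.18.117/32 dst 172.16.20.24/32
    dir out priority 367231 ptype main
    mark 0xc/0xffffffff
    tmpl src 172.31.26.241 dst 172.16.20.13
        proto esp spi 0xcc636877 reqid 12 mode tunnel
src 172.16.20.24/32 dst 172.31.18.117/32
    dir fwd priority 367231 ptype main
    mark 0xc/0xffffffff
    tmpl src 172.16.20.13 dst 172.31.26.241
        proto esp reqid 12 mode tunnel
src 172.16.20.24/32 dst 172.31.18.117/32
    dir in priority 367231 ptype main
    mark 0xc/0xffffffff
    tmpl src 172.16.20.13 dst 172.31.26.241
        proto esp reqid 12 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main'

# Constructed sample: a mangle table with no MARK rules (the assumed state of the box).
MANGLE_EMPTY='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT'

# Constructed sample: the same table with one rule that marks the client traffic 0xc.
MANGLE_MARKED="$MANGLE_EMPTY
-A FORWARD -s 172.31.18.117/32 -d 172.16.20.24/32 -j MARK --set-xmark 0xc/0xffffffff"

# marked_policies XFRM_DUMP
# Prints "dir src dst mark" for every policy whose selector requires a fwmark.
marked_policies() {
    printf '%s\n' "$1" | awk '
        /^src /        { src = $2; dst = $4; dir = "" }
        /^[ \t]*dir /  { dir = $2 }
        /^[ \t]*mark / { split($2, m, "/")
                         if (m[1] != "0x0" && m[1] != "0")
                             printf "%s %s %s %s\n", dir, src, dst, m[1] }'
}

# mark_is_set MANGLE_DUMP MARK
# Succeeds if any rule sets fwmark MARK via --set-mark/--set-xmark (hex or decimal).
mark_is_set() {
    want=$(( $2 ))
    printf '%s\n' "$1" | awk '
        { for (i = 1; i < NF; i++)
              if ($i == "--set-mark" || $i == "--set-xmark") {
                  split($(i + 1), v, "/"); print v[1] } }' |
    { while read -r m; do [ "$(( $m ))" -eq "$want" ] && exit 0; done; exit 1; }
}

# missing_mark_count XFRM_DUMP MANGLE_DUMP
# Reports (on stderr) each marked policy that no mangle rule can satisfy and
# prints how many there are. Coarse on purpose: it compares the mark value
# only, not whether the MARK rule's own selector covers the policy's traffic.
missing_mark_count() {
    marked_policies "$1" | {
        n=0
        while read -r dir src dst mark; do
            if ! mark_is_set "$2" "$mark"; then
                echo "policy $dir $src -> $dst needs fwmark $mark but nothing sets it" >&2
                n=$((n + 1))
            fi
        done
        echo "$n"
    }
}

# On the gateway itself the live tables would be passed in like this:
#   missing_mark_count "$(ip xfrm policy)" "$(iptables -t mangle -S)"
```

<p>Run against the constructed dumps, the empty mangle table leaves all three marked policies unsatisfied, while the table with the single MARK rule satisfies them. A non-zero count means the marked policies are inert for unmarked traffic; the usual ways out are to mark the traffic in the mangle table, to bind the marked SAs to a VTI or XFRM interface that applies the mark itself, or to drop <code>mark=%unique</code> when plain policy-based routing is intended.</p>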