<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi Noel,</p>
<p>Sorry, my next question is a bit off topic. I have been googling
and reading about iptables and I am not sure whether what I am trying
to do next will work.</p>
<p>After establishing the IPVPN connection, I added an SNAT entry
into the iptables of host server and it allows me to telnet into
the destination client server.</p>
<p>However, I am unable to get the route working for any other
servers running behind my network. Somehow I am unable to figure
out how to make the host server do the routing.</p>
<p>I would really appreciate it if you (or anyone) could provide some
insights.</p>
<pre>Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             policy match dir out pol ipsec
SNAT       all  --  anywhere             192.168.118.0/24     to:192.168.40.34
</pre>
<p>I have created a static route in the vswitch which routes all
outgoing traffic to 192.168.118.0/24 to the host server 10.15.66.10.</p>
<p>Is it even possible to route traffic into the VPN via this host
server with only 1 NIC?</p>
<p>Here is an example from AWS which I followed, but I am still
unable to get it working:</p>
<p><a class="moz-txt-link-freetext" href="https://aws.amazon.com/premiumsupport/knowledge-center/configure-nat-for-vpn-traffic/">https://aws.amazon.com/premiumsupport/knowledge-center/configure-nat-for-vpn-traffic/</a></p>
<p>Thanks.<br>
</p>
<div class="moz-signature">
<p><span style="color: #3d85c6; font-family: garamond, serif;
font-size: 12px;"><strong>Liong Kok Foo</strong>
<br>
Team Lead, IT Infra</span></p>
<p dir="auto" style="color: #3f434c; font-family: 'Helvetica
Neue',Helvetica,Arial,sans-serif; font-size: 12px;">REVENUE
GROUP OF COMPANIES
<br>
Email : <a style="background-color: transparent; color:
#005277;" href="mailto:liong.kok.foo@revenue.com.my"
target="_blank" rel="noopener noreferrer">liong.kok.foo@revenue.com.my</a>
<br>
TEL : +60 3-9212 0505 (ext 1004)
<br>
FAX : +60 3-6242 8785
<br>
ADD : Wisma Revenue Group, No. 12, Jalan Udang Harimau 2, Kepong
Business Park, 51200. Kuala Lumpur
<br>
WEB : <a style="background-color: transparent; color: #005277;"
href="http://www.revenue.com.my/" target="_blank"
rel="nofollow noopener noreferrer">www.revenue.com.my</a> (<a
style="background-color: transparent; color: #005277;"
href="http://www.revenue.com.my/" target="_blank"
rel="nofollow noopener noreferrer">http://www.revenue.com.my/</a>)
<br>
WEB : <a style="color: #005277; font-family: 'Helvetica
Neue',Helvetica,Arial,sans-serif; font-size: 12px;
background-color: transparent;"
href="http://www.revpay.com.my/" target="_blank" rel="nofollow
noopener noreferrer">www.revpay.com.my</a><span style="color:
#3f434c; font-family: Helvetica Neue, Helvetica, Arial,
sans-serif;"><span style="font-size: 12px;"> (</span></span><a
style="color: #005277; font-family: 'Helvetica
Neue',Helvetica,Arial,sans-serif; font-size: 12px;
background-color: transparent;"
href="http://www.revpay.com.my/" target="_blank" rel="nofollow
noopener noreferrer">http://www.revpay.com.my/</a><span
style="color: #3f434c; font-family: Helvetica Neue, Helvetica,
Arial, sans-serif;"><span style="font-size: 12px;">)</span></span>
<br>
</p>
</div>
<div class="moz-cite-prefix">On 10/6/2020 1:52 pm, Noel Kuntze
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:e7b2ce3a-09d6-6c4b-2031-79108102e94c@thermi.consulting">
<pre class="moz-quote-pre" wrap="">Hi Liong,
Okay, for that you need an IP in 192.168.40.32/30 on a local interface.
Kind regards
Noel
Am 10.06.20 um 07:38 schrieb Liong Kok Foo:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">Hi Noel,
Awesome! Thanks for the guidance.
[root@uatvpngateway strongswan]# strongswan status
Security Associations (1 up, 0 connecting):
net-net[3]: ESTABLISHED 8 minutes ago, 10.15.66.10[192.168.40.34]...1.2.3.4[1.2.3.4]
net-net{3}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: ce157096_i ca47d3e2_o
net-net{3}: 192.168.40.32/30 === 192.168.118.0/24
The final thing I did was change leftsubnet=192.168.40.32/30.
Now I need to get the route working which is another problem to be solved.
Cheers!
On 10/6/2020 12:48 pm, Noel Kuntze wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">Hi Liong,
I'm pretty sure you can solve this little puzzle by yourself. The values are already there.
Kind regards
Noel
Am 10.06.20 um 06:20 schrieb Liong Kok Foo:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">Hi Noel,
The client side is not allowing connection from my side as it is not using the IP they want. I have removed the alias and changed the leftid=192.168.40.34
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[IKE] maximum IKE_SA lifetime 86298s
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[CFG] looking for a child config for 192.168.40.32/30 === 192.168.118.0/24
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[CFG] proposing traffic selectors for us:
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[CFG] 10.15.66.0/24
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[CFG] proposing traffic selectors for other:
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[CFG] 192.168.118.0/24
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[IKE] traffic selectors 192.168.40.32/30 === 192.168.118.0/24 unacceptable
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(TS_UNACCEPT) ]
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[NET] sending packet: from 10.15.66.10[500] to 1.2.3.4[500] (144 bytes)
Any idea? Or is this not possible to be done?
On 10/6/2020 11:31 am, Noel Kuntze wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">Hello Liong,
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">You see, the client has their VPN set up such that we MUST connect to them from IP 192.168.40.34. Our network IP is 10.15.66.0/24. This is the reason why we had to use Strongswan and NAT to do this.
</pre>
</blockquote>
</blockquote>
<pre class="moz-quote-pre" wrap="">Your host is behind NAT, so the other peer won't ever see it. Also, that IP address is probably not routed to you by the next hop router. That's why you don't get any response for packets sent from the IP address 192.168.40.34.
You need to set leftid to the address. That will probably do it.
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">Jun 10 11:02:32 uatvpngateway charon[20200]: 13[IKE] no IKE config found for 10.15.66.10...1.2.3.4, sending NO_PROPOSAL_CHOSEN
</pre>
</blockquote>
</blockquote>
<pre class="moz-quote-pre" wrap="">Yes, of course, because you set left to 192.168.40.34, instead of the correct value of 10.15.66.10. Stop hitting yourself.
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">I created an alias eth0:0 192.168.40.34 for this server.
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">That doesn't help you at all. Also, aliases are deprecated for > 20 years already. Aliases are a crutch for using ifconfig with several IP addresses per interface.
ifconfig and route are deprecated for more than 20 years already, too.
Kind regards
Noel
Am 10.06.20 um 05:12 schrieb Liong Kok Foo:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">Hi Noel,
Thanks, I changed the rightid and it is going somewhere.
However, I am stuck in another error.
Jun 10 11:02:19 uatvpngateway charon[20200]: 11[IKE] retransmit 3 of request with message ID 0
Jun 10 11:02:19 uatvpngateway charon[20200]: 11[NET] sending packet: from 192.168.40.34[500] to 1.2.3.4[500] (464 bytes)
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[NET] received packet: from 1.2.3.4[500] to 10.15.66.10[500] (384 bytes)
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) ]
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[CFG] looking for an IKEv2 config for 10.15.66.10...1.2.3.4
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[IKE] no IKE config found for 10.15.66.10...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[NET] sending packet: from 10.15.66.10[500] to 1.2.3.4[500] (36 bytes)
Jun 10 11:02:43 uatvpngateway charon[20200]: 14[IKE] retransmit 4 of request with message ID 0
Jun 10 11:02:43 uatvpngateway charon[20200]: 14[NET] sending packet: from 192.168.40.34[500] to 1.2.3.4[500] (464 bytes)
You see, the client has their VPN set up such that we MUST connect to them from IP 192.168.40.34. Our network IP is 10.15.66.0/24. This is the reason why we had to use Strongswan and NAT to do this.
Because we are using a cloud server, our IP is eth0 10.15.66.10 and I created an alias eth0:0 192.168.40.34 for this server.
So now, I have changed the config a bit as below. Not sure what the problem is now. I have also enabled debug-cfg 2.
conn net-net
# left=10.15.66.10
left=192.168.40.34
# leftsubnet=10.15.66.0/24
leftsubnet=192.168.40.32/30 (also tried 0.0.0.0/0)
leftid=@rh
leftfirewall=yes
right=1.2.3.4
rightsubnet=192.168.118.0/24
rightid=1.2.3.4
ike=aes256-sha2_256-modp2048!
esp=aes256-sha2_256-modp2048!
auto=start
ike should be correct as per requested from client's side:
IKE Group Group 14
IKE Encryption AES-256
IKE Authentication SHA2-256
Thanks
On 9/6/2020 6:30 pm, Noel Kuntze wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">Hi Liong,
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">Jun 9 17:14:32 uatvpngateway charon: 07[CFG] looking for peer configs matching 10.15.66.10[%any]...1.2.3.4[1.2.3.4]
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">rightid=1.2.3.4
Kind regards
Noel
Am 09.06.20 um 11:27 schrieb Liong Kok Foo:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">Hi,
I am new to strongswan and have not had much experience setting up VPN connections.
I need to set up a new VPN connection to a client but just cannot seem to get it working.
Here is the information provided by the client:
IKEv2 (Phase 1) Proposal
Available for ping (Yes/No) No
IKE Mode (Aggressive/Main) Main
IKE Authentication method Pre-shared key
IKE Pre-shared key xxxxxx
IKE Group Group 14
IKE Encryption AES-256
IKE Authentication SHA2-256
IKE Lifetime (seconds) 86400
Life Time (KB) 86400
IPsec (Phase 2) Proposal
IPsec Group Group 14
IPsec Protocol ESP
IPsec Encryption AES-256
IPsec Authentication SHA2-256
IPsec Lifetime (seconds) 3600
Life Time (KB) 28800
Enable Perfect Forward Secrecy Yes
PFS / DH-group Yes/Gp-14
Encapsulation Mode Tunnel
IP addresses carried in tunnel (Private IP address, IP range assigned by client) Crypto ACL
Source (Encryption Domain) 192.168.40.33/30(DR)
192.168.40.34/30(UAT)
Port Any
VPN DPD always enabled Enabled
To disable monitoring ICMP echo requests (or pings) -> by right to determine if a VPN tunnel is up however for this case it's dropping the VPN connections. Disabled
To disable a proxy-ID negotiation, it is used during phase 2 of Internet Key Exchange (IKE) Virtual Private Network (VPN) negotiations. Disabled
NAT traversal (TCP4500) Disabled
Here is my configuration file:
IPsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
conn %default
ikelifetime=1440m
keylife=60m
rekeymargin=3m
keyingtries=1
authby=secret
keyexchange=ikev2
mobike=no
conn net-net
left=10.15.66.10
leftsubnet=10.15.66.0/24
leftid=@me
leftfirewall=yes
right=1.2.3.4 (client public IP changed)
rightsubnet=192.168.118.0/24
rightid=@client
ike=aes256-sha2_256-modp2048!
esp=aes256-sha2_256-modp2048!
auto=start
ipsec.secrets:
# ipsec.secrets - strongSwan IPsec secrets file
@me @client : PSK "xxxxxx"
Here is a part of the message log:
Jun 9 17:14:32 uatvpngateway charon: 06[NET] received packet: from 1.2.3.4[500] to 10.15.66.10[500] (384 bytes)
Jun 9 17:14:32 uatvpngateway charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) ]
Jun 9 17:14:32 uatvpngateway charon: 06[IKE] 1.2.3.4 is initiating an IKE_SA
Jun 9 17:14:32 uatvpngateway charon: 06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jun 9 17:14:32 uatvpngateway charon: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(FRAG_SUP) N(MULT_AUTH) ]
Jun 9 17:14:32 uatvpngateway charon: 06[NET] sending packet: from 10.15.66.10[500] to 1.2.3.4[500] (392 bytes)
Jun 9 17:14:32 uatvpngateway charon: 07[NET] received packet: from 1.2.3.4[500] to 10.15.66.10[500] (448 bytes)
Jun 9 17:14:32 uatvpngateway charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH N(MSG_ID_SYN_SUP) SA TSi TSr ]
Jun 9 17:14:32 uatvpngateway charon: 07[CFG] looking for peer configs matching 10.15.66.10[%any]...1.2.3.4[1.2.3.4]
Jun 9 17:14:32 uatvpngateway charon: 07[CFG] no matching peer config found
Jun 9 17:14:32 uatvpngateway charon: 07[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jun 9 17:14:32 uatvpngateway charon: 07[NET] sending packet: from 10.15.66.10[500] to 1.2.3.4[500] (80 bytes)
Would appreciate if anyone can help to provide guidance on getting this working.
Thanks
</pre>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
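<p>An added example, not part of this thread or of the strongSwan project: a small Python triage helper that maps the three charon responder failures quoted above (AUTH_FAILED with no matching peer config, NO_PROPOSAL_CHOSEN with no IKE config, and TS_UNACCEPT) to the ipsec.conf key that Noel's replies point at in each case (rightid, left, leftsubnet). The regexes and the log excerpts are constructed here from the lines quoted in the thread, and the log line layout they assume is the one shown in those excerpts.</p>

```python
import re

# Constructed excerpts of the three charon responder failures quoted in the thread.
LOG_AUTH_FAILED = """\
Jun 9 17:14:32 uatvpngateway charon: 07[CFG] looking for peer configs matching 10.15.66.10[%any]...1.2.3.4[1.2.3.4]
Jun 9 17:14:32 uatvpngateway charon: 07[CFG] no matching peer config found
Jun 9 17:14:32 uatvpngateway charon: 07[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]"""
LOG_NO_PROP = """\
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[CFG] looking for an IKEv2 config for 10.15.66.10...1.2.3.4
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[IKE] no IKE config found for 10.15.66.10...1.2.3.4, sending NO_PROPOSAL_CHOSEN"""
LOG_TS_UNACCEPT = """\
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[CFG] looking for a child config for 192.168.40.32/30 === 192.168.118.0/24
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[CFG] proposing traffic selectors for us:
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[CFG] 10.15.66.0/24
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[CFG] proposing traffic selectors for other:
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[CFG] 192.168.118.0/24
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[IKE] traffic selectors 192.168.40.32/30 === 192.168.118.0/24 unacceptable"""

MSG = re.compile(r"\d+\[[A-Z]+\] (.*)$")  # strip "timestamp host charon[pid]: NN[GRP] " (assumed layout)
PEER_CFG = re.compile(r"looking for peer configs matching (\S+?)\[(\S+?)\]\.\.\.(\S+?)\[(\S+?)\]")
NO_IKE_CFG = re.compile(r"no IKE config found for (\S+?)\.\.\.(\S+), sending NO_PROPOSAL_CHOSEN")
CHILD_CFG = re.compile(r"looking for a child config for (\S+) === (\S+)")
TS_BAD = re.compile(r"traffic selectors \S+ === \S+ unacceptable")

def diagnose(log):
    """Map a responder-side charon failure to the ipsec.conf key most likely at fault."""
    lines = [MSG.search(l).group(1) for l in log.splitlines() if MSG.search(l)]
    text = "\n".join(lines)
    if m := NO_IKE_CFG.search(text):
        # IKE_SA_INIT arrived on the local address, but no conn has left= set to it.
        return {"notify": "NO_PROPOSAL_CHOSEN", "key": "left", "value": m.group(1)}
    if (m := PEER_CFG.search(text)) and "no matching peer config found" in text:
        # IKE_AUTH carried the peer's IDi (4th group); no conn has a matching rightid.
        return {"notify": "AUTH_FAILED", "key": "rightid", "value": m.group(4)}
    if TS_BAD.search(text) and (m := CHILD_CFG.search(text)):
        # Peer asked for the local TS in m.group(1); our leftsubnet proposed something else.
        us, other = "proposing traffic selectors for us:", "proposing traffic selectors for other:"
        proposed = lines[lines.index(us) + 1:lines.index(other)] if us in lines and other in lines else []
        return {"notify": "TS_UNACCEPT", "key": "leftsubnet", "value": m.group(1), "proposed": proposed}
    return {"notify": None}

if __name__ == "__main__":
    for sample in (LOG_AUTH_FAILED, LOG_NO_PROP, LOG_TS_UNACCEPT):
        print(diagnose(sample))
```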
</body>
</html>