<!doctype html>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<p>I am having difficulty getting connected to a Meraki MX100 at a client site. I do not have administrative control over the Meraki so specifics about how it is configured I cannot address, although I can answer some questions. My machine is a CentOS 8.5 machine running strongswan 5.9.4-2 installed off the epel repo.</p>
<p>My local subnet at home is 192.168.0.0/17 and I use iptables to MASQ outbound traffic from my home network over my cable internet connection. The remote network is 192.168.227.0/24. We are using IKEv1 with a pre-shared key AES256, SHA1, DH2.</p>
<p>My symptom is I seem to connect but none of my traffic appears to get routed. My firewall is configured to allow traffic to pass. I have a logging rule in the chain which will log to syslog any rejected traffic, and I'm not seeing anything. ifconfig shows packets going out over the ipsec0 interface, so it appears when I try to ping, the traffic is not rejected but is transmitted.</p>
<p>I'm a bit out of my depth here. I've worked with PPTP and OpenVPN before, but Strongswan is a bit convoluted. </p>
<p>Any suggestions on where to look next would be appreciated. I'm out of ideas here. My only other alternative is to use a Cisco AnyConnect client from a Windows box (which I absolutely despise). I prefer to get this CentOS box up to give me greater flexibility.</p>
<p>Thank you,</p>
<p>Vinny</p>
<p>My ipsec.conf file:</p>
<pre>
config setup

conn %default
    ikelifetime=28800s
    rekeymargin=3600s
    keyingtries=%forever
    keyexchange=ikev1
    aggressive=no
    authby=psk
    dpdaction=restart
    dpddelay=30
    ike=aes256-sha1-modp1024
    esp=aes256-sha1
</pre>
<p class="default-style">My swanctl.conf file:</p>
<pre>
connections {
    linktowork {
        remote_addrs = W.X.Y.Z
        local_addrs = %defaultroute
        children {
            remotesite {
                start_action = trap
                local_ts = 192.168.0.0/17
                remote_ts = 192.168.227.0/24
                esp_proposals = aes256-sha1
            }
        }
        version = 1
        proposals = aes256-sha1-modp1024
        local-0 {
            auth = psk
            id = A.B.C.D
        }
        remote-0 {
            auth = psk
            id = %any
        }
    }
}
secrets {
    ike-%any%any {
        secret = "SanitizedForYourProtection"
        id-0 = %any
        id-1 = %any
    }
    ike-A-B-C-DW-X-Y-Z {
        secret = "SanitizedForYourProtection"
        id-0 = A.B.C.D
        id-1 = W.X.Y.Z
    }
}
</pre>
<pre>
[root@MyRouter strongswan]# strongswan start
Starting strongSwan 5.9.4 IPsec [starter]...

[root@MyRouter strongswan]# swanctl --load-conns
loaded connection 'linktowork'
successfully loaded 1 connections, 0 unloaded

[root@MyRouter strongswan]# strongswan up linktowork
initiating Main Mode IKE_SA linktowork[18] to W.X.Y.Z
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 0.0.0.0[500] to W.X.Y.Z[500] (180 bytes)
received packet: from W.X.Y.Z[500] to A.B.C.D[500] (160 bytes)
parsed ID_PROT response 0 [ SA V V V V ]
received XAuth vendor ID
received DPD vendor ID
received FRAGMENTATION vendor ID
received NAT-T (RFC 3947) vendor ID
selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from A.B.C.D[500] to W.X.Y.Z[500] (244 bytes)
received packet: from W.X.Y.Z[500] to A.B.C.D[500] (244 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
faking NAT situation to enforce UDP encapsulation
generating ID_PROT request 0 [ ID HASH ]
sending packet: from A.B.C.D[4500] to W.X.Y.Z[4500] (76 bytes)
received packet: from W.X.Y.Z[4500] to A.B.C.D[4500] (76 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA linktowork[18] established between A.B.C.D[A.B.C.D]...W.X.Y.Z[W.X.Y.Z]
scheduling rekeying in 13395s
maximum IKE_SA lifetime 14835s
generating QUICK_MODE request 3163481014 [ HASH SA No ID ID ]
sending packet: from A.B.C.D[4500] to W.X.Y.Z[4500] (188 bytes)
received packet: from W.X.Y.Z[4500] to A.B.C.D[4500] (188 bytes)
parsed QUICK_MODE response 3163481014 [ HASH SA No ID ID ]
selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
CHILD_SA linktowork{2} established with SPIs 12e384e3_i c502865c_o and TS 192.168.0.0/17 === 192.168.227.0/24
connection 'linktowork' established successfully

[root@MyRouter strongswan]# strongswan status
Routed Connections:
 linktowork{1}:  ROUTED, TUNNEL, reqid 1
 linktowork{1}:   192.168.0.0/17 === 192.168.227.0/24
Security Associations (1 up, 0 connecting):
 linktowork[18]: ESTABLISHED 2 minutes ago, A.B.C.D[A.B.C.D]...W.X.Y.Z[W.X.Y.Z]
 linktowork{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 12e384e3_i c502865c_o
 linktowork{2}:   192.168.0.0/17 === 192.168.227.0/24
</pre>
<pre>
[root@MyRouter strongswan]# ip route show table 220
192.168.227.0/24 dev ipsec0 proto static src 192.168.127.254

[root@MyRouter strongswan]# ping 192.168.227.27
PING 192.168.227.27 (192.168.227.27) 56(84) bytes of data.
^C
--- 192.168.227.27 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4071ms

[root@MyRouter strongswan]# ifconfig ipsec0
ipsec0: flags=4305&lt;UP,POINTOPOINT,RUNNING,NOARP,MULTICAST&gt;  mtu 1400
        inet6 fe80::ad6a:4199:5123:6d81  prefixlen 64  scopeid 0x20&lt;link&gt;
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 15  bytes 1228 (1.1 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
</pre>
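<p>As an added diagnostic example (editor's code, not from the post or from strongSwan), the checker below runs the cross-checks a practitioner would make against the outputs above: that the table 220 route's destination and source address fall inside the installed CHILD_SA traffic selectors, that the ping target is inside remote_ts, and, on the assumption that a child with no if_id or mark settings in swanctl.conf is policy-based, that the route does not send traffic out of a tunnel-style device (ipsec0/vti/xfrm) that those policies are not bound to. The sample strings are constructed copies of the post's output.</p>

```python
"""Cross-check the CHILD_SA traffic selectors against the table 220 route.
Added example (editor's, not from the post or strongSwan); samples are constructed copies."""
import ipaddress
import re

# Constructed from the post: the installed CHILD_SA line of `strongswan status`.
STATUS_LINE = " linktowork{2}:  192.168.0.0/17 === 192.168.227.0/24"
# Constructed from the post: the only line of `ip route show table 220`.
ROUTE_LINE = "192.168.227.0/24 dev ipsec0 proto static src 192.168.127.254"
# Child settings as they appear in the post's swanctl.conf (no if_id/mark keys).
CHILD_CFG = {"local_ts": "192.168.0.0/17", "remote_ts": "192.168.227.0/24"}
PING_DST = "192.168.227.27"

# Assumption: device names like these are route-based tunnel devices (XFRM/VTI).
TUNNEL_IF = re.compile(r"^(ipsec|vti|xfrm)\d+$")
# swanctl child keys that bind the installed XFRM policies to such a device.
BINDING_KEYS = ("if_id_in", "if_id_out", "mark_in", "mark_out")


def parse_ts(line):
    """Extract (local_ts, remote_ts) from an 'A === B' status line."""
    m = re.search(r"(\S+) === (\S+)", line)
    return ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2))


def parse_route(line):
    """Extract (destination, device, source address) from an ip-route line."""
    m = re.match(r"(\S+) dev (\S+) .*\bsrc (\S+)", line)
    return (ipaddress.ip_network(m.group(1)), m.group(2),
            ipaddress.ip_address(m.group(3)))


def check_tunnel(status_line, route_line, child_cfg, ping_dst):
    """Return a list of findings; an empty list means the pieces line up."""
    findings = []
    local_ts, remote_ts = parse_ts(status_line)
    dst_net, dev, src = parse_route(route_line)
    if dst_net != remote_ts:
        findings.append(f"route {dst_net} does not match remote_ts {remote_ts}")
    if src not in local_ts:
        findings.append(f"route src {src} is outside local_ts {local_ts}")
    if ipaddress.ip_address(ping_dst) not in remote_ts:
        findings.append(f"{ping_dst} is outside remote_ts {remote_ts}")
    if TUNNEL_IF.match(dev) and not any(k in child_cfg for k in BINDING_KEYS):
        findings.append(f"route uses tunnel device {dev} but the child sets no "
                        "if_id/mark, so the installed policies are not bound to it")
    return findings


if __name__ == "__main__":
    print(check_tunnel(STATUS_LINE, ROUTE_LINE, CHILD_CFG, PING_DST))
```

Run against the post's values it reports only the ipsec0 mismatch; the selectors and the route's source address themselves line up, which narrows the investigation to where the route sends the packets.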
</body>
</html>