[strongSwan] Site-to-site VPN traffic is being blocked

Justin Michael Schwartzbeck justinmschw at gmail.com
Thu Oct 30 16:34:10 CET 2014


Hi,

I am trying to set up a site-to-site VPN. Endpoint 1 is the strongSwan
server that I am trying to set up to connect to endpoint 2 over a
site-to-site VPN. Endpoint 1's IP is 10.0.2.227 here and endpoint 2's is
10.0.2.210. I am currently able to connect endpoint 1 to endpoint 2
over the site-to-site VPN successfully; however, traffic does not appear to be
getting forwarded. Here is my connection in ipsec.conf for endpoint 1:

conn net-net
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    mobike=no
    left=10.0.2.227
    leftcert=server.crt.pem
    leftid=%any
    leftsubnet=10.0.2.128/25
    leftfirewall=yes
    right=10.0.2.210
    rightid=%any
    leftauth=rsa
    rightauth=rsa
    rightsubnet=192.168.1.0/24
    rekey=no
    reauth=no
    dpddelay=10
    dpdtimeout=30
    dpdaction=clear
    auto=add


When I connect I get the following output:

initiating IKE_SA net-net[4] to 10.0.2.210
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.0.2.227[500] to 10.0.2.210[500] (708 bytes)
received packet: from 10.0.2.210[500] to 10.0.2.227[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group MODP_2048, it requested MODP_1024
initiating IKE_SA net-net[4] to 10.0.2.210
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.0.2.227[500] to 10.0.2.210[500] (580 bytes)
received packet: from 10.0.2.210[500] to 10.0.2.227[500] (377 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
received cert request for "C=US, ST=California, L=AnyTown, O=mycompany, OU=NET, CN=mycompany"
received 1 cert requests for an unknown ca
sending cert request for "C=US, ST=California, L=AnyTown, O=mycompany, OU=NET, CN=mycompany"
authentication of 'CN=sts-endpoint-1.mycompany.com, O=mycompany' (myself) with RSA signature successful
sending end entity cert "CN=sts-endpoint-1.mycompany.com, O=mycompany"
establishing CHILD_SA net-net
generating IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH SA TSi TSr N(EAP_ONLY) ]
sending packet: from 10.0.2.227[500] to 10.0.2.210[500] (1204 bytes)
received packet: from 10.0.2.210[500] to 10.0.2.227[500] (1340 bytes)
parsed IKE_AUTH response 1 [ V IDr CERT AUTH SA TSi TSr N(SET_WINSIZE) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
received end entity cert "CN=sts-endpoint-2.mycompany.com, O=mycompany"
  using certificate "CN=sts-endpoint-2.mycompany.com, O=mycompany"
  using trusted ca certificate "C=US, ST=California, L=AnyTown, O=mycompany, OU=NET, CN=mycompany"
checking certificate status of "CN=sts-endpoint-2.mycompany.com, O=mycompany"
certificate status is not available
  reached self-signed root ca with a path length of 0
authentication of 'CN=sts-endpoint-2.mycompany.com, O=mycompany' with RSA signature successful
IKE_SA net-net[4] established between 10.0.2.227[CN=sts-endpoint-1.mycompany.com, O=mycompany]...10.0.2.210[CN=sts-endpoint-2.mycompany.com, O=mycompany]
received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
CHILD_SA net-net{4} established with SPIs ce060f84_i 67e92e0f_o and TS 10.0.2.128/25 === 192.168.1.0/24
connection 'net-net' established successfully

Here is my ip xfrm policy output:

src 192.168.1.0/24 dst 10.0.2.128/25
    dir fwd priority 2879 ptype main
    tmpl src 10.0.2.210 dst 10.0.2.227
        proto esp reqid 4 mode tunnel
src 192.168.1.0/24 dst 10.0.2.128/25
    dir in priority 2879 ptype main
    tmpl src 10.0.2.210 dst 10.0.2.227
        proto esp reqid 4 mode tunnel
src 10.0.2.128/25 dst 192.168.1.0/24
    dir out priority 2879 ptype main
    tmpl src 10.0.2.227 dst 10.0.2.210
        proto esp reqid 4 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 4 priority 0 ptype main
src ::/0 dst ::/0
    dir 3 priority 0 ptype main
src ::/0 dst ::/0
    dir 4 priority 0 ptype main
src ::/0 dst ::/0
    dir 3 priority 0 ptype main
src ::/0 dst ::/0
    dir 4 priority 0 ptype main

Basically I am trying to access an internal webserver (with IP
192.168.1.100) on endpoint 2's network from endpoint 1. If I try to access
(e.g. ping or wget) this server from endpoint 1, it times out. Likewise, if
I try to ping the endpoint 1 machine from the internal webserver, it also times
out. The really weird thing is that when I take pcaps of the traffic, it
looks like the traffic is being routed, but for some reason it isn't being
passed back to the application. For example, if I ping
192.168.1.100 from endpoint 1, I am able to see the ping response in the
tcpdump (though not the request), but the actual ping command doesn't get
any data back. This makes me think that a firewall rule is dropping the
packets or something. Same behavior when pinging/pcaping from 192.168.1.100
to endpoint 1, with the exception that I am able to see the requests as
well as the responses on that machine. Can someone help to point me in the
right direction? I tried an iptables -F on endpoint 1 but that didn't
change anything.

Thanks,
-Justin
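The log above shows the IKE_SA and CHILD_SA negotiating cleanly, and a reply that tcpdump shows already decrypted on the gateway has been through ESP processing; whatever drops it runs after capture: the inbound xfrm policy lookup, netfilter's INPUT chain, or reverse-path filtering. The following is an added, offline diagnostic example written for this page; it is not the poster's code and not part of strongSwan. It parses a constructed sample modelled on the `ip xfrm policy` output above, plus hypothetical `iptables -S` and `sysctl` output (the interface names and chain policies are assumptions), and flags the three usual local-drop causes.

```python
"""Offline checks for "CHILD_SA is up but traffic never reaches the socket".
Added example for this page; not the poster's code and not strongSwan's."""
import ipaddress
import re

# Constructed sample modelled on the post's `ip xfrm policy` output. The
# catch-all socket policies at the end carry no template and are skipped.
XFRM_POLICY_SAMPLE = """\
src 192.168.1.0/24 dst 10.0.2.128/25
    dir fwd priority 2879 ptype main
    tmpl src 10.0.2.210 dst 10.0.2.227
        proto esp reqid 4 mode tunnel
src 192.168.1.0/24 dst 10.0.2.128/25
    dir in priority 2879 ptype main
    tmpl src 10.0.2.210 dst 10.0.2.227
        proto esp reqid 4 mode tunnel
src 10.0.2.128/25 dst 192.168.1.0/24
    dir out priority 2879 ptype main
    tmpl src 10.0.2.227 dst 10.0.2.210
        proto esp reqid 4 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 3 priority 0 ptype main
src ::/0 dst ::/0
    dir 4 priority 0 ptype main
"""

# Hypothetical `iptables -S` output after `iptables -F`: rules are gone, but
# the chain policies set with -P survive a flush.
IPTABLES_S_SAMPLE = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
"""

# Hypothetical `sysctl -a` excerpt; the interface names are assumptions.
SYSCTL_SAMPLE = """\
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
"""


def parse_xfrm_policies(text):
    """Parse `ip xfrm policy` output into dicts: src/dst networks, dir, and
    the ESP template endpoints (None for template-less socket policies)."""
    policies, cur = [], None
    for line in text.splitlines():
        m = re.match(r"^src (\S+) dst (\S+)", line)
        if m:
            cur = {"src": ipaddress.ip_network(m.group(1)),
                   "dst": ipaddress.ip_network(m.group(2)),
                   "dir": None, "tmpl": None}
            policies.append(cur)
            continue
        m = re.match(r"^\s+dir (\S+)", line)
        if m and cur is not None:
            cur["dir"] = m.group(1)
            continue
        m = re.match(r"^\s+tmpl src (\S+) dst (\S+)", line)
        if m and cur is not None:
            cur["tmpl"] = (m.group(1), m.group(2))
    return policies


def policy_coverage(policies, src_ip, dst_ip):
    """Map direction -> (tunnel src, tunnel dst) for each tunnel policy whose
    selector matches src_ip -> dst_ip. The gateway needs 'out' to encrypt what
    it sends, 'in' for decrypted traffic addressed to itself, and 'fwd' for
    decrypted traffic it routes on to hosts behind it."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    covered = {}
    for p in policies:
        if p["tmpl"] is None or p["dir"] not in ("in", "fwd", "out"):
            continue
        if src in p["src"] and dst in p["dst"]:
            covered[p["dir"]] = p["tmpl"]
    return covered


def missing_for_gateway_host(policies, gateway_ip, remote_ip):
    """Directions a gateway-originated flow lacks: the request needs 'out',
    the reply needs 'in'. An empty list means the xfrm side is complete and
    the drop is elsewhere (netfilter, rp_filter)."""
    req = policy_coverage(policies, gateway_ip, remote_ip)
    rep = policy_coverage(policies, remote_ip, gateway_ip)
    return [d for d, have in (("out", req), ("in", rep)) if d not in have]


def drop_policy_chains(iptables_s_output):
    """Chains whose default policy is DROP. `iptables -F` removes rules only;
    a DROP policy on INPUT still discards the decrypted reply."""
    return re.findall(r"^-P (\S+) DROP$", iptables_s_output, re.M)


def strict_rp_filter(sysctl_output):
    """Interfaces with strict reverse-path filtering. The kernel applies
    max(conf.all, conf.<iface>), so all=1 makes every interface strict, and a
    decrypted packet whose source is not routed back out its ingress
    interface is dropped without a log line."""
    return re.findall(r"^net\.ipv4\.conf\.(\S+)\.rp_filter = 1$",
                      sysctl_output, re.M)


if __name__ == "__main__":
    pols = parse_xfrm_policies(XFRM_POLICY_SAMPLE)
    print("missing xfrm policies:",
          missing_for_gateway_host(pols, "10.0.2.227", "192.168.1.100"))
    print("DROP chains:", drop_policy_chains(IPTABLES_S_SAMPLE))
    print("strict rp_filter:", strict_rp_filter(SYSCTL_SAMPLE))
```

On a real gateway, feed the functions the live output of `ip xfrm policy`, `iptables -S` and `sysctl -a | grep rp_filter`; for the post's policies the xfrm side comes back complete for 10.0.2.227 <-> 192.168.1.100, which leaves the netfilter chain policies and rp_filter as the things to check next. Two security notes on the configuration and log as shown, independent of the forwarding problem: the peer rejected MODP_2048 and the exchange proceeded with MODP_1024 (1024-bit DH), which endpoint 1's proposal evidently still allowed; and `rightid=%any` with `rightauth=rsa` accepts any certificate chaining to the trusted CA, not sts-endpoint-2 specifically, so pinning rightid to the peer's subject DN is the usual hardening.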