[strongSwan] The magical strongswan issue :( CLOUD -> Home and back

Miroslav Svoboda goodmirek at goodmirek.cz
Thu Apr 30 07:40:53 CEST 2015


Hello,

Please let me add one more idea - have you allowed IPv4 routing (packet
forwarding) in the kernel?
Enterprise Linux:
[centos at swan2 ~]$ cat /etc/sysctl.conf 
# Enable routing
net.ipv4.ip_forward=1
# Do not send ICMP redirects, needed when the VPN node is not the default gateway
# of the subnet, e.g. AWS VPC environment
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.eth0.send_redirects=0
net.ipv4.conf.eth0.accept_redirects=0

BR,
Miroslav

On Thursday, April 30, 2015 at 12:18:54 AM UTC+2, Noel Kuntze wrote:
>
>
>
> Hello Florian,
>
> Check your iptables rules to see if forwarding is allowed.
> Also, do not use ifconfig or route. Use iproute2 (ip address, ip link,
> ip route, ...).
>
> Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 29.04.2015 at 18:17, florian.rommel at datalounges.com wrote:
> > Hi all... I have a somewhat peculiar problem.
> >
> > I have 2 ubuntu machines, one VM in the cloud (openstack) and one at home
> > (real machine)
> >
> > I have strongSwan configured and running.. the tunnel gets established and
> > shows all good to go as shown here:
> >
> > Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-49-generic,
> > x86_64):
> >   uptime: 18 minutes, since Apr 29 18:46:30 2015
> >   malloc: sbrk 2568192, mmap 0, used 357408, free 2210784
> >   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> > scheduled: 4
> >   loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random
> > nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl
> > xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default
> > stroke updown eap-identity eap-mschapv2 addrblock
> > Listening IP addresses:
> >   X.X.X.243
> >   10.0.1.200
> > Connections:
> >           DL:  X.X.X.243...Y.Y.Y.23  IKEv1
> >           DL:   local:  [X.X.X.243] uses pre-shared key authentication
> >           DL:   remote: [10.1.0.15] uses pre-shared key authentication
> >           DL:   child:  10.0.1.0/24 === 10.1.0.0/24 TUNNEL
> > Routed Connections:
> >           DL{1}:  ROUTED, TUNNEL
> >           DL{1}:   10.0.1.0/24 === 10.1.0.0/24
> > Security Associations (1 up, 0 connecting):
> >           DL[2]: ESTABLISHED 4 minutes ago,
> > X.X.X.243[X.X.X.243]...Y.Y.Y.23[10.1.0.15]
> >           DL[2]: IKEv1 SPIs: d72df1afe7128b38_i e7b692b6c6ecc9d6_r*,
> > pre-shared key reauthentication in 7 hours
> >           DL[2]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> >           DL{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c29e6c6b_i c7ad645a_o
> >           DL{1}:  3DES_CBC/HMAC_MD5_96, 7286 bytes_i (9 pkts, 260s ago),
> > 2696 bytes_o (9 pkts, 260s ago), rekeying in 50 minutes
> >           DL{1}:   10.0.1.0/24 === 10.1.0.0/24
> >
> > Now, the interesting part is that on the gateway on the RIGHT side
> > (10.1.0.15), I can ping ANY machine on the LEFT side (10.0.1.0/24) with no
> > problem.
> > BUT from any machine on the LEFT SIDE I cannot ping anything on the RIGHT
> > SIDE, and from any OTHER machine on the RIGHT side, besides the gateway, I
> > cannot ping the LEFT side.   This seems VERY VERY confusing.. and looks to
> > be a multi part.. but.. I am stuck.
> >
> > TCPDUMP on the LEFT side with destination 10.1.0.18 on the right side:
> >  sudo tcpdump -v -i em1 -n dst net 10.1.0.0/24
> > tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 65535
> > bytes
> > 19:09:45.556977 IP (tos 0x0, ttl 63, id 10792, offset 0, flags [none],
> > proto ICMP (1), length 84)
> >     X.X.X.243 > 10.1.0.18: ICMP echo request, id 13637, seq 0, length 64
> > 19:09:46.535900 IP (tos 0x0, ttl 63, id 61548, offset 0, flags [none],
> > proto ICMP (1), length 84)
> >     X.X.X.243 > 10.1.0.18: ICMP echo request, id 13637, seq 1, length 64
> > 19:09:47.536998 IP (tos 0x0, ttl 63, id 11984, offset 0, flags [none],
> > proto ICMP (1), length 84)
> >     X.X.X.243 > 10.1.0.18: ICMP echo request, id 13637, seq 2, length 64
> >
> > On the right side nothing ever shows up.
> >
> > There are IPTables rules on the LEFT side that NAT, since it's also a
> > gateway but...should that matter? What else can I set and where?? Here is
> > the ipsec.conf file still from the LEFT side (same on the RIGHT just
> > reversed)
> >
> > config setup
> >
> > conn %default
> >     ikelifetime=8h
> >     keylife=1h
> >     rekeymargin=3m
> >     keyingtries=%forever
> >     keyexchange=ikev1
> >     authby=psk
> >     ike=3des-sha1-modp1024
> >     esp=3des-md5-modp1536
> >
> > conn DL
> >     auto=route
> >     left=X.X.X.243
> >     leftsubnet=10.0.1.0/24
> >     leftid=X.X.X.243
> >     leftfirewall=yes
> >     right=Y.Y.Y.23
> >     rightsubnet=10.1.0.0/24
> >     rightid=10.1.0.15
> >     keyexchange=ikev1
> >     ike=3des-sha1-modp1024
> >     esp=3des-md5-modp1536
> >
> > Routing table on the LEFT side:
> >
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > default         noname.gateway  0.0.0.0         UG    0      0        0 em1
> > 10.0.1.0        *               255.255.255.0   U     0      0        0 em2
> > 10.1.0.0        10.0.1.200      255.255.255.0   UG    0      0        0 em2
> > X.X.X.0         *               255.255.248.0   U     0      0        0 em1
> >
> > ANY help would be greatly appreciated.. if it's something to do with
> > IPTABLES? or routing??
> >
> > Thanks already..
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users
>
>
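Added example, not from the thread and not strongSwan's own code: a POSIX sh script that runs the checks the two replies ask for (net.ipv4.ip_forward, FORWARD rules) against sysctl and iptables-save output, plus the one check the question's "IPTables rules on the LEFT side that NAT" calls for. leftfirewall=yes makes the updown script insert FORWARD accept rules for the two subnets, but it does not touch the nat table: a MASQUERADE rule in POSTROUTING that is not exempted for IPsec traffic rewrites the source of LAN-to-LAN packets to the public address, so they no longer match the 10.0.1.0/24 === 10.1.0.0/24 policy and go out em1 in the clear. The same coverage rule is why a ping sent from the gateway itself with the public address as source, as in the tcpdump above, cannot be tunnelled (ping -I 10.0.1.200 would be). The subnets are the thread's; the interface name em1, the 198.51.100.0/24 public range and the iptables-save samples are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from strongSwan. Offline checks for
# kernel forwarding, FORWARD rules, and a nat POSTROUTING masquerade that would
# rewrite tunnel traffic. Each check reads text on stdin, so it can be fed live
# `sysctl net.ipv4.ip_forward` / `iptables-save` output or the constructed
# samples below. Subnets are from the thread's ipsec.conf; em1 and the
# 198.51.100.0/24 public range are assumptions.

LEFT_SUBNET=10.0.1.0/24
RIGHT_SUBNET=10.1.0.0/24

# 0 if a "net.ipv4.ip_forward = 1" line is present (sysctl -a or sysctl.conf style).
forwarding_enabled() {
  grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$'
}

# 0 if iptables-save output lets tunnel traffic through FORWARD both ways: a
# default ACCEPT policy, or the LEFT<->RIGHT accept pair the updown script adds.
forward_allowed() {
  awk -v l="$LEFT_SUBNET" -v r="$RIGHT_SUBNET" '
    /^\*/ { table = $0 }
    table == "*filter" && /^:FORWARD ACCEPT/ { pol = 1 }
    table == "*filter" && /^-A FORWARD / && /-j ACCEPT$/ {
      if (index($0, "-s " l " -d " r) > 0) lr = 1
      if (index($0, "-s " r " -d " l) > 0) rl = 1
    }
    END { exit (pol || (lr && rl)) ? 0 : 1 }'
}

# 0 (true) if a MASQUERADE/SNAT rule in nat POSTROUTING rewrites packets bound
# for RIGHT_SUBNET: no IPsec exemption ahead of it, no "! -d RIGHT", no --pol none.
nat_rewrites_tunnel() {
  awk -v r="$RIGHT_SUBNET" '
    /^\*/ { table = $0 }
    table == "*nat" && /^-A POSTROUTING / {
      if ($0 ~ /--pol ipsec/ && $0 ~ /-j ACCEPT$/) exempt = 1
      if ($0 ~ /-j (MASQUERADE|SNAT)/ && !exempt && $0 !~ /--pol none/ && index($0, "! -d " r) == 0) bad = 1
    }
    END { exit (bad ? 0 : 1) }'
}

# The exemption to insert ahead of the masquerade rule (iptables-save syntax).
nat_exemption_rule() {
  printf '%s -s %s -d %s -m policy --dir out --pol ipsec -j ACCEPT\n' \
    '-A POSTROUTING' "$LEFT_SUBNET" "$RIGHT_SUBNET"
}

# Policy coverage: the child SA only tunnels packets whose source is in
# LEFT_SUBNET and destination in RIGHT_SUBNET, so a ping the gateway sends with
# its public address as source never matches it.
ip2int() {
  set -- $(printf '%s\n' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
in_subnet() {  # in_subnet IP CIDR
  net=${2%/*}; bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}
policy_covers() { in_subnet "$1" "$LEFT_SUBNET" && in_subnet "$2" "$RIGHT_SUBNET"; }

# Run all checks; returns the number of failing ones.
# Live: check_gateway "$(sysctl net.ipv4.ip_forward)" "$(iptables-save)"
check_gateway() {
  fails=0
  if printf '%s\n' "$1" | forwarding_enabled; then echo "ip_forward: ok"; else echo "ip_forward: OFF"; fails=$((fails + 1)); fi
  if printf '%s\n' "$2" | forward_allowed; then echo "FORWARD: ok"; else echo "FORWARD: blocks tunnel"; fails=$((fails + 1)); fi
  if printf '%s\n' "$2" | nat_rewrites_tunnel; then
    echo "NAT: masquerades tunnel traffic; insert before the MASQUERADE rule:"
    nat_exemption_rule; fails=$((fails + 1))
  else echo "NAT: ok"; fi
  return $fails
}

# Constructed samples (not captured from the hosts in the thread).
SYSCTL_ON='net.ipv4.ip_forward = 1'
RULES_BAD='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.1.0/24 -o em1 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -s 10.0.1.0/24 -d 10.1.0.0/24 -j ACCEPT
-A FORWARD -s 10.1.0.0/24 -d 10.0.1.0/24 -j ACCEPT
COMMIT'
# Same rules with the exemption inserted in front of the MASQUERADE line.
RULES_FIXED=$(printf '%s\n' "$RULES_BAD" | awk -v x="$(nat_exemption_rule)" '/-j MASQUERADE/ { print x } { print }')

check_gateway "$SYSCTL_ON" "$RULES_BAD" || echo "failing checks: $?"
```

The exemption the script prints is the usual fix for a masquerading gateway; writing the MASQUERADE rule itself with `! -d 10.1.0.0/24` is the other common form, and the check accepts either.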