[strongSwan] Site To Site works only in one direction
Tim Soderstrom
strongswan at moocowproductions.org
Wed Jan 6 06:20:07 CET 2016
I have a new site to site setup where I can access things from one side
of the tunnel, but not the other. I think the issue is because one of
the servers is behind a NAT and the other isn't, but StrongSwan appears
to be detecting that situation and using UDP. In doing tcpdumps, I can
see traffic (e.g. ICMP pings) hit the VPN server on the non-working
side, and it even looks like it tries to send it on its way, but I never
get responses from the server initiating the pings.
I've tried a ton of different things. The odd part is I have another
site to site using the same config that works without an issue with the
only change being that site-to-site has VPN servers which have directly
attached public IPs (no NATing). Given that the NAT issue is the only
different I can find, I suspect that has something to do with it. But
the data I get from tcpdumps and iptables packet logging doesn't really
indicate that is what is going on (as far as I'm able to tell).
In my case, my 172.21 side can connect to my 172.18 side, but not the
other way around.
Here's a sample:
tcpdump (on the VPN server):
05:10:29.424285 IP 172.18.0.141 > 172.21.0.171: ICMP echo request, id
11595, seq 1, length 64
05:10:29.462392 IP 172.21.0.171 > 172.18.0.141: ICMP echo reply, id
11595, seq 1, length 64
iptables logs:
Jan 6 05:11:09 vpn kernel: FORWARD ICMP: IN=eth1 OUT=eth0
MAC=fa:16:3e:02:47:d8:fa:16:3e:fd:a6:f2:08:00 SRC=172.18.0.141
DST=172.21.0.171 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=56433 DF PROTO=ICMP
TYPE=8 CODE=0 ID=11636 SEQ=1
Jan 6 05:11:09 vpn kernel: POSTROUTING ICMP: IN= OUT=eth0
SRC=172.18.0.141 DST=172.21.0.171 LEN=84 TOS=0x00 PREC=0x00 TTL=63
ID=56433 DF PROTO=ICMP TYPE=8 CODE=0 ID=11636 SEQ=1
Jan 6 05:11:09 vpn kernel: FORWARD ICMP: IN=eth0 OUT=eth1
MAC=fa:16:3e:99:7d:68:fa:16:3e:bf:18:16:08:00 SRC=172.21.0.171
DST=172.18.0.141 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=27258 PROTO=ICMP
TYPE=0 CODE=0 ID=11636 SEQ=1
The above was from a ping on a server on the 172.18 side to a server on
the 172.21 side. On the host it never gets a reply, but I can see the
ICMP packets go to each host back and forth. It looks like the VPN
server on the 172.18 isn't properly forwarding it.
I have routes setup on servers on both sides as follows:
On 172.21 side:
route add -net 172.18.0.0/16 gw 172.21.0.127
On 172.18 side:
route add -net 172.21.0.0/16 gw 172.18.0.144
The iptables on both sides look like:
172.21 side:
iptables -t nat -A POSTROUTING -o eth2 -m policy --pol none --dir out -j
SNAT --to-source 172.21.0.127
172.18 side:
iptables -t nat -A POSTROUTING -o eth1 -m policy --pol none --dir out -j
SNAT --to-source 172.18.0.144
Here are the ipsec.conf's:
172.21 side:
version 2
conn %default
ikelifetime=60m
lifetime=12h
leftfirewall=yes
left=%any
leftid=<REDACTED>
leftcert=<REDACTED>
leftsubnet=0.0.0.0/0
leftdns=172.21.0.2
dpdaction=hold
conn Site-To-Site-x509
keyexchange=ikev2
leftid=<REDACTED>
right=<REDACTED, Public Address of Server Behind NAT>
rightid=<REDACTED>
rightsubnet=172.18.0.0/16
auto=start
dpdaction=restart
closeaction=restart
keyingtries=%forever
reauth=no
forceencaps=yes
171.18 side:
version 2
conn %default
ikelifetime=60m
lifetime=12h
leftfirewall=yes
left=%any
leftid=<REDACTED>
leftcert=<REDACTED>
leftsubnet=172.18.0.0/16
leftdns=172.18.0.144
dpdaction=hold
conn TeamSnap-OSI-Site-To-Site-x509
keyexchange=ikev2
leftid=<REDACTED>
right=<public IP of server with a direct public IP attached to it>
rightid=<REDACTED>
rightsubnet=<REDACTED>
auto=start
dpdaction=restart
closeaction=restart
keyingtries=%forever
reauth=no
Welcome to any thoughts folks might have!
More information about the Users
mailing list