[strongSwan] Site To Site works only in one direction

Tim Soderstrom strongswan at moocowproductions.org
Wed Jan 6 22:37:29 CET 2016 

Solved. Issue was related to ip filtering happening above our test VM 
unbeknownst to us. Once that was lifted, requests worked from both sides.

On 01/05/2016 11:20 PM, Tim Soderstrom wrote:
> I have a new site to site setup where I can access things from one 
> side of the tunnel, but not the other. I think the issue is because 
> one of the servers is behind a NAT and the other isn't, but StrongSwan 
> appears to be detecting that situation and using UDP. In doing 
> tcpdumps, I can see traffic (e.g. ICMP pings) hit the VPN server on 
> the non-working side, and it even looks like it tries to send it on 
> its way, but I never get responses from the server initiating the pings.
>
> I've tried a ton of different things. The odd part is I have another 
> site to site using the same config that works without an issue with 
> the only change being that site-to-site has VPN servers which have 
> directly attached public IPs (no NATing). Given that the NAT issue is 
> the only different I can find, I suspect that has something to do with 
> it. But the data I get from tcpdumps and iptables packet logging 
> doesn't really indicate that is what is going on (as far as I'm able 
> to tell).
>
> In my case, my 172.21 side can connect to my 172.18 side, but not the 
> other way around.
>
> Here's a sample:
>
> tcpdump (on the VPN server):
> 05:10:29.424285 IP 172.18.0.141 > 172.21.0.171: ICMP echo request, id 
> 11595, seq 1, length 64
> 05:10:29.462392 IP 172.21.0.171 > 172.18.0.141: ICMP echo reply, id 
> 11595, seq 1, length 64
>
> iptables logs:
> Jan  6 05:11:09 vpn kernel: FORWARD ICMP: IN=eth1 OUT=eth0 
> MAC=fa:16:3e:02:47:d8:fa:16:3e:fd:a6:f2:08:00 SRC=172.18.0.141 
> DST=172.21.0.171 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=56433 DF 
> PROTO=ICMP TYPE=8 CODE=0 ID=11636 SEQ=1
> Jan  6 05:11:09 vpn kernel: POSTROUTING ICMP: IN= OUT=eth0 
> SRC=172.18.0.141 DST=172.21.0.171 LEN=84 TOS=0x00 PREC=0x00 TTL=63 
> ID=56433 DF PROTO=ICMP TYPE=8 CODE=0 ID=11636 SEQ=1
> Jan  6 05:11:09 vpn kernel: FORWARD ICMP: IN=eth0 OUT=eth1 
> MAC=fa:16:3e:99:7d:68:fa:16:3e:bf:18:16:08:00 SRC=172.21.0.171 
> DST=172.18.0.141 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=27258 PROTO=ICMP 
> TYPE=0 CODE=0 ID=11636 SEQ=1
>
> The above was from a ping on a server on the 172.18 side to a server 
> on the 172.21 side. On the host it never gets a reply, but I can see 
> the ICMP packets go to each host back and forth. It looks like the VPN 
> server on the 172.18 isn't properly forwarding it.
>
> I have routes setup on servers on both sides as follows:
> On 172.21 side:
> route add -net 172.18.0.0/16 gw 172.21.0.127
> On 172.18 side:
> route add -net 172.21.0.0/16 gw 172.18.0.144
>
> The iptables on both sides look like:
>
> 172.21 side:
> iptables -t nat -A POSTROUTING -o eth2 -m policy --pol none --dir out 
> -j SNAT --to-source 172.21.0.127
>
> 172.18 side:
> iptables -t nat -A POSTROUTING -o eth1 -m policy --pol none --dir out 
> -j SNAT --to-source 172.18.0.144
>
> Here are the ipsec.conf's:
>
> 172.21 side:
> version 2
>
> conn %default
>     ikelifetime=60m
>     lifetime=12h
>     leftfirewall=yes
>     left=%any
>     leftid=<REDACTED>
>     leftcert=<REDACTED>
>     leftsubnet=0.0.0.0/0
>     leftdns=172.21.0.2
>     dpdaction=hold
>
> conn Site-To-Site-x509
>     keyexchange=ikev2
>     leftid=<REDACTED>
>     right=<REDACTED, Public Address of Server Behind NAT>
>     rightid=<REDACTED>
>     rightsubnet=172.18.0.0/16
>     auto=start
>     dpdaction=restart
>     closeaction=restart
>     keyingtries=%forever
>     reauth=no
>     forceencaps=yes
>
> 171.18 side:
> version 2
>
> conn %default
>     ikelifetime=60m
>     lifetime=12h
>     leftfirewall=yes
>     left=%any
>     leftid=<REDACTED>
>     leftcert=<REDACTED>
>     leftsubnet=172.18.0.0/16
>     leftdns=172.18.0.144
>     dpdaction=hold
>
> conn Site-To-Site-x509
>     keyexchange=ikev2
>     leftid=<REDACTED>
>     right=<public IP of server with a direct public IP attached to it>
>     rightid=<REDACTED>
>     rightsubnet=<REDACTED>
>     auto=start
>     dpdaction=restart
>     closeaction=restart
>     keyingtries=%forever
>     reauth=no
>
>
>
> Welcome to any thoughts folks might have!
>
>
>
>

More information about the Users mailing list