[strongSwan] returning traffic from VPN issue
Kylián Martin
kylianm at plzen.eu
Tue Nov 7 13:27:56 CET 2017
Hi everyone,
could you please help me with the following trouble?
I am tring to set up the ikev2 vpn access to our backup testing environment. Clients are mostly Windows 10.
Client connects sucessfully and i can see tcpdumped traffic coming from VPN client to the destination hosts (on the backend router). Trouble is the returning traffic.
Traffic reach the strongswan machine a from there it is not directed back to VPN client.
Here is my config:
Ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
# strictcrlpolicy=yes
charondebug="cfg 2"
uniqueids = no
include /var/lib/strongswan/ipsec.conf.inc
conn %default
# More advanced ciphers. Uncomment if you need it.
# Default ciphers will works on most platforms.
# ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
# esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-$
dpdaction=clear
dpddelay=35s
dpdtimeout=2000s
keyexchange=ikev2
auto=add
rekey=no
reauth=no
fragmentation=yes
#compress=yes
leftfirewall=yes
leftcert=restorevpn.sitmp.cz.crt # Filename of certificate located at /etc/ipsec.d/certs/
leftsendcert=always
left=%any
leftsubnet=10.168.0.0/16,10.31.0.0/16,10.27.250.0/24,10.0.0.0/24
eap_identity=%identity
rightsourceip=192.168.255.0/24
# rightdns=192.168.4.20, 192.168.4.19
# Windows and BlackBerry clients usually goes here
conn ikev2-mschapv2
rightauth=eap-mschapv2
# Apple clients usually goes here
conn ikev2-mschapv2-apple
rightauth=eap-mschapv2
leftid=restorevpn.sitmp.cz
ipsec statusall
Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.9.0-4-amd64, x86_64):
uptime: 17 minutes, since Nov 07 12:54:20 2017
malloc: sbrk 1622016, mmap 0, used 569712, free 1052304
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
loaded plugins: charon aesni aes rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity
Virtual IP pools (size/online/offline):
192.168.255.0/24: 254/1/0
Listening IP addresses:
192.168.232.52
10.0.0.9
Connections:
ikev2-mschapv2: %any...%any IKEv2, dpddelay=35s
ikev2-mschapv2: local: [C=CZ, ST=CZ, L=Plzen, O=SITmP, OU=UI, CN=restorevpn.sitmp.cz] uses public key authentication
ikev2-mschapv2: cert: "C=CZ, ST=CZ, L=Plzen, O=SITmP, OU=UI, CN=restorevpn.sitmp.cz"
ikev2-mschapv2: remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
ikev2-mschapv2: child: 10.168.0.0/16 10.31.0.0/16 10.27.250.0/24 10.0.0.0/24 === dynamic TUNNEL, dpdaction=clear
ikev2-mschapv2-apple: %any...%any IKEv2, dpddelay=35s
ikev2-mschapv2-apple: local: [restorevpn.sitmp.cz] uses public key authentication
ikev2-mschapv2-apple: cert: "C=CZ, ST=CZ, L=Plzen, O=SITmP, OU=UI, CN=restorevpn.sitmp.cz"
ikev2-mschapv2-apple: remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
ikev2-mschapv2-apple: child: 10.168.0.0/16 10.31.0.0/16 10.27.250.0/24 10.0.0.0/24 === dynamic TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
ikev2-mschapv2[1]: ESTABLISHED 46 seconds ago, 192.168.232.52[C=CZ, ST=CZ, L=Plzen, O=SITmP, OU=UI, CN=restorevpn.sitmp.cz]...192.168.230.113[192.168.230.113]
ikev2-mschapv2[1]: Remote EAP identity: restore
ikev2-mschapv2[1]: IKEv2 SPIs: fde8e302521f4bc2_i 30fbd7b751e7e593_r*, rekeying disabled
ikev2-mschapv2[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
ikev2-mschapv2{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cec4490e_i a3b87770_o
ikev2-mschapv2{1}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
ikev2-mschapv2{1}: 10.0.0.0/24 10.27.250.0/24 10.31.0.0/16 10.168.0.0/16 === 192.168.255.1/32
ip r
default via 192.168.232.1 dev eth0 onlink
10.0.0.0/8 dev eth1 proto kernel scope link src 10.0.0.9
10.27.250.0/24 via 10.0.0.10 dev eth1
10.31.0.0/16 via 10.0.0.10 dev eth1
10.168.0.0/16 via 10.0.0.10 dev eth1
192.168.232.0/24 dev eth0 proto kernel scope link src 192.168.232.52
ip r list table 220
192.168.255.1 via 192.168.232.1 dev eth0 proto static src 10.0.0.9
ip -s xfrm policy
src 192.168.255.1/32 dst 10.168.0.0/16 uid 0
dir fwd action allow index 154 priority 187712 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-11-07 13:11:22 use -
tmpl src 192.168.230.113 dst 192.168.232.52
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.255.1/32 dst 10.168.0.0/16 uid 0
dir in action allow index 144 priority 187712 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-11-07 13:11:22 use -
tmpl src 192.168.230.113 dst 192.168.232.52
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.168.0.0/16 dst 192.168.255.1/32 uid 0
dir out action allow index 137 priority 187712 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-11-07 13:11:22 use -
tmpl src 192.168.232.52 dst 192.168.230.113
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.255.1/32 dst 10.31.0.0/16 uid 0
dir fwd action allow index 130 priority 187712 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-11-07 13:11:22 use -
tmpl src 192.168.230.113 dst 192.168.232.52
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.255.1/32 dst 10.31.0.0/16 uid 0
dir in action allow index 120 priority 187712 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-11-07 13:11:22 use -
tmpl src 192.168.230.113 dst 192.168.232.52
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.31.0.0/16 dst 192.168.255.1/32 uid 0
dir out action allow index 113 priority 187712 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-11-07 13:11:22 use -
tmpl src 192.168.232.52 dst 192.168.230.113
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.255.1/32 dst 10.27.250.0/24 uid 0
dir fwd action allow index 106 priority 185664 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-11-07 13:11:22 use -
tmpl src 192.168.230.113 dst 192.168.232.52
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.255.1/32 dst 10.27.250.0/24 uid 0
dir in action allow index 96 priority 185664 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-11-07 13:11:22 use -
tmpl src 192.168.230.113 dst 192.168.232.52
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.27.250.0/24 dst 192.168.255.1/32 uid 0
dir out action allow index 89 priority 185664 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-11-07 13:11:22 use -
tmpl src 192.168.232.52 dst 192.168.230.113
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.255.1/32 dst 10.0.0.0/24 uid 0
dir fwd action allow index 82 priority 185664 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-11-07 13:11:22 use -
tmpl src 192.168.230.113 dst 192.168.232.52
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.255.1/32 dst 10.0.0.0/24 uid 0
dir in action allow index 72 priority 185664 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-11-07 13:11:22 use -
tmpl src 192.168.230.113 dst 192.168.232.52
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.0.0.0/24 dst 192.168.255.1/32 uid 0
dir out action allow index 65 priority 185664 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-11-07 13:11:22 use -
tmpl src 192.168.232.52 dst 192.168.230.113
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket in action allow index 59 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-11-07 12:54:21 use 2017-11-07 13:15:27
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket out action allow index 52 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-11-07 12:54:21 use 2017-11-07 13:15:27
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket in action allow index 43 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-11-07 12:54:21 use 2017-11-07 13:11:22
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket out action allow index 36 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-11-07 12:54:21 use 2017-11-07 13:11:22
src ::/0 dst ::/0 uid 0
socket in action allow index 27 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-11-07 12:54:21 use -
src ::/0 dst ::/0 uid 0
socket out action allow index 20 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-11-07 12:54:21 use -
src ::/0 dst ::/0 uid 0
socket in action allow index 11 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-11-07 12:54:21 use -
src ::/0 dst ::/0 uid 0
socket out action allow index 4 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-11-07 12:54:21 use -
Split tunneling is configured on client by powershell "Add-VpnConnectionRoute profilename prefix". Client has the route and as i say above - trafice reaches the destination and return traffic reaches the vpn server.
Am I missing anything? Should here be any NAT?
I am totally desperate.
Thank you
Ing. Martin Kylián
specialista pro správu sítě a bezpečnost
E kylianm at plzen.eu
T +420 378 035 108
M +420 777 247 298
W www.sitmp.cz
Správa informačních technologií města Plzně
Dominikánská 4, 301 00 Plzeň
More information about the Users
mailing list