[strongSwan] returning traffic from VPN issue

Kylián Martin kylianm at plzen.eu
Tue Nov 7 13:27:56 CET 2017


Hi everyone,
could you please help me with the following trouble?
I am trying to set up IKEv2 VPN access to our backup testing environment. Clients are mostly Windows 10.

Client connects successfully and I can see tcpdumped traffic coming from the VPN client to the destination hosts (on the backend router). The trouble is the returning traffic.
Traffic reaches the strongSwan machine and from there it is not directed back to the VPN client.

Here is my config:

ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration

config setup
        # strictcrlpolicy=yes
        charondebug="cfg 2"
        uniqueids = no


include /var/lib/strongswan/ipsec.conf.inc

conn %default
        # More advanced ciphers. Uncomment if you need them.
        # The default ciphers will work on most platforms.
        # ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
        # esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-$

        dpdaction=clear
        dpddelay=35s
        dpdtimeout=2000s

        keyexchange=ikev2
        auto=add
        rekey=no
        reauth=no
        fragmentation=yes
        #compress=yes

        leftfirewall=yes
        leftcert=restorevpn.sitmp.cz.crt # filename of the certificate located in /etc/ipsec.d/certs/
        leftsendcert=always
        left=%any
        leftsubnet=10.168.0.0/16,10.31.0.0/16,10.27.250.0/24,10.0.0.0/24

        eap_identity=%identity
        rightsourceip=192.168.255.0/24
        # rightdns=192.168.4.20, 192.168.4.19

# Windows and BlackBerry clients usually go here
conn ikev2-mschapv2
        rightauth=eap-mschapv2

# Apple clients usually go here
conn ikev2-mschapv2-apple
        rightauth=eap-mschapv2
        leftid=restorevpn.sitmp.cz

ipsec statusall
Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.9.0-4-amd64, x86_64):
  uptime: 17 minutes, since Nov 07 12:54:20 2017
  malloc: sbrk 1622016, mmap 0, used 569712, free 1052304
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon aesni aes rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity
Virtual IP pools (size/online/offline):
  192.168.255.0/24: 254/1/0
Listening IP addresses:
  192.168.232.52
  10.0.0.9
Connections:
ikev2-mschapv2:  %any...%any  IKEv2, dpddelay=35s
ikev2-mschapv2:   local:  [C=CZ, ST=CZ, L=Plzen, O=SITmP, OU=UI, CN=restorevpn.sitmp.cz] uses public key authentication
ikev2-mschapv2:    cert:  "C=CZ, ST=CZ, L=Plzen, O=SITmP, OU=UI, CN=restorevpn.sitmp.cz"
ikev2-mschapv2:   remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
ikev2-mschapv2:   child:  10.168.0.0/16 10.31.0.0/16 10.27.250.0/24 10.0.0.0/24 === dynamic TUNNEL, dpdaction=clear
ikev2-mschapv2-apple:  %any...%any  IKEv2, dpddelay=35s
ikev2-mschapv2-apple:   local:  [restorevpn.sitmp.cz] uses public key authentication
ikev2-mschapv2-apple:    cert:  "C=CZ, ST=CZ, L=Plzen, O=SITmP, OU=UI, CN=restorevpn.sitmp.cz"
ikev2-mschapv2-apple:   remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
ikev2-mschapv2-apple:   child:  10.168.0.0/16 10.31.0.0/16 10.27.250.0/24 10.0.0.0/24 === dynamic TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
ikev2-mschapv2[1]: ESTABLISHED 46 seconds ago, 192.168.232.52[C=CZ, ST=CZ, L=Plzen, O=SITmP, OU=UI, CN=restorevpn.sitmp.cz]...192.168.230.113[192.168.230.113]
ikev2-mschapv2[1]: Remote EAP identity: restore
ikev2-mschapv2[1]: IKEv2 SPIs: fde8e302521f4bc2_i 30fbd7b751e7e593_r*, rekeying disabled
ikev2-mschapv2[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
ikev2-mschapv2{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cec4490e_i a3b87770_o
ikev2-mschapv2{1}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
ikev2-mschapv2{1}:   10.0.0.0/24 10.27.250.0/24 10.31.0.0/16 10.168.0.0/16 === 192.168.255.1/32

ip r
default via 192.168.232.1 dev eth0 onlink
10.0.0.0/8 dev eth1 proto kernel scope link src 10.0.0.9
10.27.250.0/24 via 10.0.0.10 dev eth1
10.31.0.0/16 via 10.0.0.10 dev eth1
10.168.0.0/16 via 10.0.0.10 dev eth1
192.168.232.0/24 dev eth0 proto kernel scope link src 192.168.232.52

ip r list table 220
192.168.255.1 via 192.168.232.1 dev eth0 proto static src 10.0.0.9

ip -s xfrm policy
src 192.168.255.1/32 dst 10.168.0.0/16 uid 0
        dir fwd action allow index 154 priority 187712 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-11-07 13:11:22 use -
        tmpl src 192.168.230.113 dst 192.168.232.52
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.255.1/32 dst 10.168.0.0/16 uid 0
        dir in action allow index 144 priority 187712 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-11-07 13:11:22 use -
        tmpl src 192.168.230.113 dst 192.168.232.52
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.168.0.0/16 dst 192.168.255.1/32 uid 0
        dir out action allow index 137 priority 187712 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-11-07 13:11:22 use -
        tmpl src 192.168.232.52 dst 192.168.230.113
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.255.1/32 dst 10.31.0.0/16 uid 0
        dir fwd action allow index 130 priority 187712 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-11-07 13:11:22 use -
        tmpl src 192.168.230.113 dst 192.168.232.52
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.255.1/32 dst 10.31.0.0/16 uid 0
        dir in action allow index 120 priority 187712 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-11-07 13:11:22 use -
        tmpl src 192.168.230.113 dst 192.168.232.52
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.31.0.0/16 dst 192.168.255.1/32 uid 0
        dir out action allow index 113 priority 187712 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-11-07 13:11:22 use -
        tmpl src 192.168.232.52 dst 192.168.230.113
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.255.1/32 dst 10.27.250.0/24 uid 0
        dir fwd action allow index 106 priority 185664 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-11-07 13:11:22 use -
        tmpl src 192.168.230.113 dst 192.168.232.52
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.255.1/32 dst 10.27.250.0/24 uid 0
        dir in action allow index 96 priority 185664 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-11-07 13:11:22 use -
        tmpl src 192.168.230.113 dst 192.168.232.52
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.27.250.0/24 dst 192.168.255.1/32 uid 0
        dir out action allow index 89 priority 185664 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-11-07 13:11:22 use -
        tmpl src 192.168.232.52 dst 192.168.230.113
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.255.1/32 dst 10.0.0.0/24 uid 0
        dir fwd action allow index 82 priority 185664 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-11-07 13:11:22 use -
        tmpl src 192.168.230.113 dst 192.168.232.52
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.255.1/32 dst 10.0.0.0/24 uid 0
        dir in action allow index 72 priority 185664 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-11-07 13:11:22 use -
        tmpl src 192.168.230.113 dst 192.168.232.52
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.0.0.0/24 dst 192.168.255.1/32 uid 0
        dir out action allow index 65 priority 185664 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-11-07 13:11:22 use -
        tmpl src 192.168.232.52 dst 192.168.230.113
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
        socket in action allow index 59 priority 0 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-11-07 12:54:21 use 2017-11-07 13:15:27
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
        socket out action allow index 52 priority 0 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-11-07 12:54:21 use 2017-11-07 13:15:27
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
        socket in action allow index 43 priority 0 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-11-07 12:54:21 use 2017-11-07 13:11:22
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
        socket out action allow index 36 priority 0 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-11-07 12:54:21 use 2017-11-07 13:11:22
src ::/0 dst ::/0 uid 0
        socket in action allow index 27 priority 0 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-11-07 12:54:21 use -
src ::/0 dst ::/0 uid 0
        socket out action allow index 20 priority 0 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-11-07 12:54:21 use -
src ::/0 dst ::/0 uid 0
        socket in action allow index 11 priority 0 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-11-07 12:54:21 use -
src ::/0 dst ::/0 uid 0
        socket out action allow index 4 priority 0 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-11-07 12:54:21 use -

Split tunneling is configured on the client by PowerShell "Add-VpnConnectionRoute profilename prefix". The client has the route and, as I say above, traffic reaches the destination and return traffic reaches the VPN server.

Am I missing anything? Should there be any NAT?

I am totally desperate.
Thank you


Ing. Martin Kylián
Network Administration and Security Specialist

E kylianm at plzen.eu
T +420 378 035 108
M +420 777 247 298
W www.sitmp.cz

Správa informačních technologií města Plzně
Dominikánská 4, 301 00  Plzeň
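Editor's note (added example; this is not part of Martin's message and not strongSwan's own code). The replies arrive on eth1 and have to be forwarded by the strongSwan host, matched against the `dir out` xfrm policies listed above (src 10.x.x.x, dst 192.168.255.1/32) and only then ESP-encapsulated towards 192.168.230.113. The kernel consults the `dir out` policy while forwarding a packet, so after reproducing the problem it is worth re-running `ip -s xfrm policy`: if the `dir in`/`dir fwd` policies for the client now carry a use time while the corresponding `dir out` policies still show `use -`, the replies are being dropped before the forwarding step, and net.ipv4.ip_forward and the FORWARD rules that the updown script installs for leftfirewall=yes are the first things to check, before suspecting the SA or adding NAT. The script below, which I wrote for this note, parses `ip -s xfrm policy` output to list policies the kernel has never matched, flags the negotiated IKE proposal (the statusall output shows 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, which the Windows built-in client proposes by default and which the server accepts because no explicit ike= line is set; an ike= line without 3des and modp1024, or the NegotiateDH2048_AES256 registry setting on the clients, tightens this) and, with --live, runs the host-side checks. The file name vpn-reply-check.sh, the /proc paths, the interface name eth1 and the sample data (trimmed from the output in the post, with one use time added so the two cases differ) are my assumptions; the live mode needs a Linux host with awk, ip, iptables and the ipsec command.

```shell
#!/bin/sh
# vpn-reply-check.sh: reply-path diagnostics for a strongSwan road-warrior
# gateway. Editor's example, not from the original post or from strongSwan.

# unused_policies DIR
#   Reads `ip -s xfrm policy` output on stdin and prints "SRC DST" for every
#   policy of direction DIR (in|out|fwd) whose "use" timestamp is "-", i.e.
#   a policy the kernel has never matched against a packet.
unused_policies() {
  awk -v want="$1" '
    /^src /                       { src = $2; dst = $4 }
    $1 == "dir" && $2 == want     { inpol = 1; next }
    $1 == "dir" || $1 == "socket" { inpol = 0 }
    inpol && $1 == "add" && $4 == "use" && $5 == "-" { print src, dst }
  '
}

# weak_ike_proposals
#   Reads `ipsec statusall` output on stdin and prints each negotiated IKE
#   proposal that still uses 3DES, MD5 or a 1024/768-bit MODP group.
weak_ike_proposals() {
  grep 'IKE proposal:' | grep -E '3DES|MD5|MODP_1024|MODP_768' || true
}

# live_checks
#   Host-side checks for the reply path: forwarding enabled, rp_filter mode
#   (printed for reference), the FORWARD rules leftfirewall=yes installs,
#   never-matched out policies and weak IKE proposals. Run as root.
live_checks() {
  echo "net.ipv4.ip_forward = $(cat /proc/sys/net/ipv4/ip_forward)"
  echo "rp_filter all/eth1  = $(cat /proc/sys/net/ipv4/conf/all/rp_filter)/$(cat /proc/sys/net/ipv4/conf/eth1/rp_filter)"
  echo "--- FORWARD rules matching IPsec policy (updown script) ---"
  iptables -S FORWARD | grep -- '-m policy' || echo "(none: updown/leftfirewall rules missing?)"
  echo "--- out policies the kernel has never matched ---"
  ip -s xfrm policy | unused_policies out
  echo "--- negotiated IKE proposals worth tightening ---"
  ipsec statusall | weak_ike_proposals
}

# Constructed sample (assumption): trimmed from the post's `ip -s xfrm policy`
# output; the fwd policy was given a use time so the two cases differ.
SAMPLE_XFRM_POLICY=$(cat <<'EOF'
src 192.168.255.1/32 dst 10.168.0.0/16 uid 0
        dir fwd action allow index 154 priority 187712 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-11-07 13:11:22 use 2017-11-07 13:12:01
        tmpl src 192.168.230.113 dst 192.168.232.52
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
src 10.168.0.0/16 dst 192.168.255.1/32 uid 0
        dir out action allow index 137 priority 187712 ptype main share any flag  (0x00000000)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-11-07 13:11:22 use -
        tmpl src 192.168.232.52 dst 192.168.230.113
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
        socket in action allow index 59 priority 0 ptype main share any flag  (0x00000000)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-11-07 12:54:21 use 2017-11-07 13:15:27
EOF
)

# Constructed sample (assumption): the SA lines from the post's `ipsec statusall`.
SAMPLE_STATUS=$(cat <<'EOF'
ikev2-mschapv2[1]: ESTABLISHED 46 seconds ago, 192.168.232.52[CN=restorevpn.sitmp.cz]...192.168.230.113[192.168.230.113]
ikev2-mschapv2[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
ikev2-mschapv2{1}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
EOF
)

# Usage: sh vpn-reply-check.sh --live   (on the gateway, as root)
#        sh vpn-reply-check.sh          (runs against the constructed samples)
case "${1:-}" in
  --live) live_checks ;;
  *)
    echo "never-matched out policies in sample:"
    printf '%s\n' "$SAMPLE_XFRM_POLICY" | unused_policies out
    echo "weak IKE proposals in sample:"
    printf '%s\n' "$SAMPLE_STATUS" | weak_ike_proposals
    ;;
esac
```

Against the sample the script reports the out policy 10.168.0.0/16 -> 192.168.255.1/32 as never matched and the 3DES/MODP_1024 IKE proposal; on the gateway, `--live` gives the forwarding flag, the updown FORWARD rules and the real counters in one place, which is enough to tell a forwarding problem from an IPsec one.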
