[strongSwan] IPSec Tunnel Up, No Traffic Passed to End Destination

Cruz Tovar ctovar at redskytech.com
Fri Jan 5 19:09:37 CET 2018


Below is a network diagram of StrongSwan box configured in Amazon Web Services with tunnel to a Cisco ASA.

The tunnel between the StrongSwan box and the Cisco device is working properly; phase 1 and phase 2 have completed.

The issue is that the traffic destined to the StrongSwan box should then be passed to the 'Test Server' box (172.31.12.176).

I am able to see the ICMP packets sent from the 192.168.20.0/24 network hit the StrongSwan box, but this traffic is not passed along to the Test Server.

I have enabled forward client traffic and included forward rules for traffic sourced from the 192.168.20.0/24 subnet to be forwarded to 172.31.12.176.

Does someone have any insight into what I may have configured incorrectly?

|TEST SERVER (172.31.12.176)| ========== Eth1 172.31.12.187 -- |STRONGSWAN SERVER| -- Eth0 172.31.10.126 (EIP x.x.x.209) ========== Outside Interface x.x.x.143 -- |CISCO ASA| -- 192.168.20.0/24 Subnet to other hosts

StrongSwan Server has two Interfaces: Eth0 and Eth1.

     Eth0 has an EIP associated to it (x.x.x.209)

     Eth1 has an IP of 172.31.12.187 that I believe should pass traffic to the Test Server

Test Server has an IP address of 172.31.12.176

Cisco ASA has an outside interface of x.x.x.143 and communicates to the subnet 192.168.20.0/24.





CONFIGS & OUTPUT IP/ROUTE DETAILS

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no
        charondebug="ike 2, knl 2, cfg 2, dmn 2, esp 2, net 2, chd 2"

conn RedSkyPIX-CHI
        type = tunnel
        authby = psk
        auto = start
        keyexchange = ikev1
        ike = aes128-sha1-modp1024
        esp = aes128-sha1
        ikelifetime = 28800s
        keylife = 3600s
        aggressive = no
        left = 172.31.10.126
        leftsubnet = 172.31.12.0/24
        leftid = x.x.x.209
        leftfirewall = yes
        right = x.x.x.143
        rightsubnet= 192.168.20.0/24
        rightid = x.x.x.143
        rightfirewall = yes

# The following are enabled
sysctl net.ipv4.ip_forward=1
sysctl net.ipv6.conf.all.forwarding=1

# ip route show
172.31.12.0/24 dev eth1  proto kernel  scope link  src 172.31.12.187
172.31.10.0/24 dev eth0  proto kernel  scope link  src 172.31.10.126
169.254.0.0/16 dev eth0  scope link  metric 1002
169.254.0.0/16 dev eth1  scope link  metric 1003
default via 172.31.10.1 dev eth0







# ip -s xfrm state
src 172.31.10.126 dst x.x.x.143
        proto esp spi 0xae1ca856(2921113686) reqid 1(0x00000001) mode tunnel
        replay-window 32 seq 0x00000000 flag 20 (0x00100000)
        auth hmac(sha1) 0x6008d28b0f40c2eb8fa884730aa41fa9da85dcac (160 bits)
        enc cbc(aes) 0xdcfd69f529f3529a026aa2ddefce61bc (128 bits)
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 3055(sec), hard 3600(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2018-01-04 14:22:14 use -
        stats:
          replay-window 0 replay 0 failed 0
src x.x.x.143 dst 172.31.10.126
        proto esp spi 0xc3a540f4(3282387188) reqid 1(0x00000001) mode tunnel
        replay-window 32 seq 0x00000000 flag 20 (0x00100000)
        auth hmac(sha1) 0x840c9d785e7bb09cd5b868ff13295f558191b3e5 (160 bits)
        enc cbc(aes) 0xade0f2bfc266c8fcce9267f2270fcfe1 (128 bits)
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 2940(sec), hard 3600(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          2160(bytes), 36(packets)
          add 2018-01-04 14:22:14 use 2018-01-04 14:22:19
        stats:
          replay-window 0 replay 0 failed 0







# ip -s xfrm state
src 172.31.10.126 dst x.x.x.143
        proto esp spi 0xae1ca856(2921113686) reqid 1(0x00000001) mode tunnel
        replay-window 32 seq 0x00000000 flag 20 (0x00100000)
        auth hmac(sha1) 0x6008d28b0f40c2eb8fa884730aa41fa9da85dcac (160 bits)
        enc cbc(aes) 0xdcfd69f529f3529a026aa2ddefce61bc (128 bits)
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 3055(sec), hard 3600(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2018-01-04 14:22:14 use -
        stats:
          replay-window 0 replay 0 failed 0
src x.x.x.143 dst 172.31.10.126
        proto esp spi 0xc3a540f4(3282387188) reqid 1(0x00000001) mode tunnel
        replay-window 32 seq 0x00000000 flag 20 (0x00100000)
        auth hmac(sha1) 0x840c9d785e7bb09cd5b868ff13295f558191b3e5 (160 bits)
        enc cbc(aes) 0xade0f2bfc266c8fcce9267f2270fcfe1 (128 bits)
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 2940(sec), hard 3600(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          2520(bytes), 42(packets)
          add 2018-01-04 14:22:14 use 2018-01-04 14:22:19
        stats:
          replay-window 0 replay 0 failed 0





# ip -s xfrm policy
src 192.168.20.0/24 dst 172.31.12.176/32 uid 0
        dir fwd action allow index 1986 priority 2851 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2018-01-04 14:22:14 use 2018-01-04 14:24:09
        tmpl src x.x.x.143 dst 172.31.10.126
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.20.0/24 dst 172.31.12.176/32 uid 0
        dir in action allow index 1976 priority 2851 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2018-01-04 14:22:14 use -
        tmpl src x.x.x.143 dst 172.31.10.126
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 172.31.12.176/32 dst 192.168.20.0/24 uid 0
        dir out action allow index 1969 priority 2851 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2018-01-04 14:22:14 use -
        tmpl src 172.31.10.126 dst x.x.x.143
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
        dir 3 action allow index 1963 priority 0 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2018-01-04 14:22:11 use 2018-01-04 14:24:09
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
        dir 4 action allow index 1956 priority 0 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2018-01-04 14:22:11 use 2018-01-04 14:23:58
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
        dir 3 action allow index 1947 priority 0 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2018-01-04 14:22:11 use 2018-01-04 14:22:14
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
        dir 4 action allow index 1940 priority 0 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2018-01-04 14:22:11 use 2018-01-04 14:22:14
src ::/0 dst ::/0 uid 0
        dir 3 action allow index 1931 priority 0 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2018-01-04 14:22:11 use -
src ::/0 dst ::/0 uid 0
        dir 4 action allow index 1924 priority 0 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2018-01-04 14:22:11 use -
src ::/0 dst ::/0 uid 0
        dir 3 action allow index 1915 priority 0 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2018-01-04 14:22:11 use -
src ::/0 dst ::/0 uid 0
        dir 4 action allow index 1908 priority 0 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2018-01-04 14:22:11 use -





# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:500 dpt:500
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:4500 dpt:4500
LOGDROP    all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
LOGDROP    all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  192.168.20.0/24      172.31.12.176       policy match dir in pol ipsec reqid 1 proto 50
ACCEPT     all  --  172.31.12.176        192.168.20.0/24     policy match dir out pol ipsec reqid 1 proto 50
LOGDROP    all  --  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:500 dpt:500
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:4500 dpt:4500

Chain LOGDROP (3 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4
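The two `ip -s xfrm state` snapshots and the `ip -s xfrm policy` output above already narrow the problem: between the snapshots the inbound SA (`src x.x.x.143 dst 172.31.10.126`) grows from 36 to 42 packets while the outbound SA stays at 0 bytes, and only the `fwd` policy carries a `use` timestamp (the `out` policy was never used). Decrypted packets are therefore being forwarded toward the test server, but nothing is coming back to be encrypted, which points at the return path (the test server's and VPC route for 192.168.20.0/24 via 172.31.12.187, and on AWS the source/destination check on that ENI) rather than at the tunnel or the FORWARD chain. The following is an added diagnostic script, not part of the original post or of strongSwan; it parses excerpts of the post's own output (embedded below as constructed sample text, with the keys omitted) and reports that asymmetry so the check can be repeated after each change.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class SaCounters:
    src: str
    dst: str
    spi: str
    bytes: int = 0
    packets: int = 0

@dataclass
class PolicyUse:
    src: str
    dst: str
    direction: str = ""
    last_use: Optional[str] = None   # None when the kernel prints "use -"

def parse_xfrm_state(text: str) -> List[SaCounters]:
    """Parse `ip -s xfrm state` output into per-SA byte/packet counters."""
    sas: List[SaCounters] = []
    cur: Optional[SaCounters] = None
    for line in text.splitlines():
        m = re.match(r"^src (\S+) dst (\S+)", line)
        if m:
            cur = SaCounters(m.group(1), m.group(2), spi="")
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = re.search(r"proto esp spi (0x[0-9a-f]+)", line)
        if m:
            cur.spi = m.group(1)
            continue
        # "lifetime current:" is followed by "<n>(bytes), <n>(packets)"
        m = re.match(r"^\s*(\d+)\(bytes\), (\d+)\(packets\)", line)
        if m:
            cur.bytes, cur.packets = int(m.group(1)), int(m.group(2))
    return sas

def parse_xfrm_policy(text: str) -> List[PolicyUse]:
    """Parse `ip -s xfrm policy` output: selector, direction and last-use time."""
    pols: List[PolicyUse] = []
    cur: Optional[PolicyUse] = None
    for line in text.splitlines():
        m = re.match(r"^src (\S+) dst (\S+)", line)   # "tmpl src" lines are indented, so not matched
        if m:
            cur = PolicyUse(m.group(1), m.group(2))
            pols.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"^\s*dir (\S+) action", line)
        if m:
            cur.direction = m.group(1)
            continue
        m = re.match(r"^\s*add \S+ \S+ use (.+)$", line)
        if m:
            use = m.group(1).strip()
            cur.last_use = None if use == "-" else use
    return pols

def diagnose(state_before: str, state_after: str, policy_text: str, local_ip: str) -> Dict[str, object]:
    """Compare two state snapshots and the policy usage; flag a one-way flow."""
    before = {s.spi: s for s in parse_xfrm_state(state_before)}
    findings: Dict[str, object] = {}
    for sa in parse_xfrm_state(state_after):
        direction = "inbound" if sa.dst == local_ip else "outbound"
        prev = before.get(sa.spi)
        findings[direction + "_packet_delta"] = sa.packets - (prev.packets if prev else 0)
    used = sorted({p.direction for p in parse_xfrm_policy(policy_text)
                   if p.direction in ("in", "out", "fwd") and p.last_use is not None})
    findings["policies_used"] = used
    # Decrypted traffic forwarded, but the out policy never matched and the
    # outbound SA never grew: the reply never reaches this box.
    findings["return_path_suspect"] = (
        findings.get("outbound_packet_delta", 0) == 0 and "fwd" in used and "out" not in used)
    return findings

# Constructed sample input: trimmed from the post's output, keys removed.
STATE_T0 = """src 172.31.10.126 dst x.x.x.143
        proto esp spi 0xae1ca856(2921113686) reqid 1(0x00000001) mode tunnel
        lifetime current:
          0(bytes), 0(packets)
          add 2018-01-04 14:22:14 use -
src x.x.x.143 dst 172.31.10.126
        proto esp spi 0xc3a540f4(3282387188) reqid 1(0x00000001) mode tunnel
        lifetime current:
          2160(bytes), 36(packets)
          add 2018-01-04 14:22:14 use 2018-01-04 14:22:19
"""
STATE_T1 = STATE_T0.replace("2160(bytes), 36(packets)", "2520(bytes), 42(packets)")
POLICY = """src 192.168.20.0/24 dst 172.31.12.176/32 uid 0
        dir fwd action allow index 1986 priority 2851 ptype main share any flag  (0x00000000)
        lifetime current:
          0(bytes), 0(packets)
          add 2018-01-04 14:22:14 use 2018-01-04 14:24:09
        tmpl src x.x.x.143 dst 172.31.10.126
src 192.168.20.0/24 dst 172.31.12.176/32 uid 0
        dir in action allow index 1976 priority 2851 ptype main share any flag  (0x00000000)
          add 2018-01-04 14:22:14 use -
src 172.31.12.176/32 dst 192.168.20.0/24 uid 0
        dir out action allow index 1969 priority 2851 ptype main share any flag  (0x00000000)
          add 2018-01-04 14:22:14 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
        dir 3 action allow index 1963 priority 0 ptype main share any flag  (0x00000000)
          add 2018-01-04 14:22:11 use 2018-01-04 14:24:09
"""

if __name__ == "__main__":
    for key, value in diagnose(STATE_T0, STATE_T1, POLICY, "172.31.10.126").items():
        print(f"{key}: {value}")
```

On a live box the same function can be fed `subprocess.check_output(["ip", "-s", "xfrm", "state"])` taken a few pings apart; if `return_path_suspect` stays true after the route on the test server and the VPC route table both point 192.168.20.0/24 at 172.31.12.187, the remaining thing to verify is the ENI source/destination check, since a box that forwards packets it did not originate is dropped by that check by default.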

