[strongSwan] IPSec Tunnel Up, No Traffic Passed to End Destination
Cruz Tovar
ctovar at redskytech.com
Fri Jan 5 19:09:37 CET 2018
Below is a network diagram of StrongSwan box configured in Amazon Web Services with tunnel to a Cisco ASA.
The tunnel between the StrongSwan box and the Cisco device is working properly; phase 1 and phase 2 have completed.
The issue is that the traffic destined to the StrongSwan box should then be passed to the 'Test Server' box (172.31.12.176).
I am able to see the ICMP packets sent from the 192.168.20.0/24 network hit the StrongSwan box, but this traffic is not passed along to the Test Server.
I have enabled forward client traffic and included forward rules for traffic sourced from the 192.168.20.0/24 subnet to be forwarded to 172.31.12.176.
Does someone have any insight into what I may have configured incorrectly?
|TEST SERVER (172.31.12.176)| ========== Eth1 172.31.12.187 -- |STRONGSWAN SERVER| -- Eth0 172.31.10.126 (EIP x.x.x.209) ========== Outside Interface x.x.x.143 -- |CISCO ASA| -- 192.168.20.0/24 Subnet to other hosts
StrongSwan Server has two Interfaces: Eth0 and Eth1.
Eth0 has an EIP associated to it (x.x.x.209)
Eth1 has an IP of 172.31.12.187 that I believe should pass traffic to the Test Server
Test Server has an IP address of 172.31.12.176
Cisco ASA has an outside interface of x.x.x.143 and communicates to the subnet 192.168.20.0/24.
CONFIGS & OUTPUT IP/ROUTE DETAILS
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
    # strictcrlpolicy=yes
    # uniqueids = no
    charondebug="ike 2, knl 2, cfg 2, dmn 2, esp 2, net 2, chd 2"

conn RedSkyPIX-CHI
    type = tunnel
    authby = psk
    auto = start
    keyexchange = ikev1
    ike = aes128-sha1-modp1024
    esp = aes128-sha1
    ikelifetime = 28800s
    keylife = 3600s
    aggressive = no
    left = 172.31.10.126
    leftsubnet = 172.31.12.0/24
    leftid = x.x.x.209
    leftfirewall = yes
    right = x.x.x.143
    rightsubnet = 192.168.20.0/24
    rightid = x.x.x.143
    rightfirewall = yes
# The following are enabled
sysctl net.ipv4.ip_forward=1
sysctl net.ipv6.conf.all.forwarding=1
# ip route show
172.31.12.0/24 dev eth1 proto kernel scope link src 172.31.12.187
172.31.10.0/24 dev eth0 proto kernel scope link src 172.31.10.126
169.254.0.0/16 dev eth0 scope link metric 1002
169.254.0.0/16 dev eth1 scope link metric 1003
default via 172.31.10.1 dev eth0
# ip -s xfrm state
src 172.31.10.126 dst x.x.x.143
proto esp spi 0xae1ca856(2921113686) reqid 1(0x00000001) mode tunnel
replay-window 32 seq 0x00000000 flag 20 (0x00100000)
auth hmac(sha1) 0x6008d28b0f40c2eb8fa884730aa41fa9da85dcac (160 bits)
enc cbc(aes) 0xdcfd69f529f3529a026aa2ddefce61bc (128 bits)
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 3055(sec), hard 3600(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2018-01-04 14:22:14 use -
stats:
replay-window 0 replay 0 failed 0
src x.x.x.143 dst 172.31.10.126
proto esp spi 0xc3a540f4(3282387188) reqid 1(0x00000001) mode tunnel
replay-window 32 seq 0x00000000 flag 20 (0x00100000)
auth hmac(sha1) 0x840c9d785e7bb09cd5b868ff13295f558191b3e5 (160 bits)
enc cbc(aes) 0xade0f2bfc266c8fcce9267f2270fcfe1 (128 bits)
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 2940(sec), hard 3600(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
2160(bytes), 36(packets)
add 2018-01-04 14:22:14 use 2018-01-04 14:22:19
stats:
replay-window 0 replay 0 failed 0
# ip -s xfrm state
src 172.31.10.126 dst x.x.x.143
proto esp spi 0xae1ca856(2921113686) reqid 1(0x00000001) mode tunnel
replay-window 32 seq 0x00000000 flag 20 (0x00100000)
auth hmac(sha1) 0x6008d28b0f40c2eb8fa884730aa41fa9da85dcac (160 bits)
enc cbc(aes) 0xdcfd69f529f3529a026aa2ddefce61bc (128 bits)
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 3055(sec), hard 3600(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2018-01-04 14:22:14 use -
stats:
replay-window 0 replay 0 failed 0
src x.x.x.143 dst 172.31.10.126
proto esp spi 0xc3a540f4(3282387188) reqid 1(0x00000001) mode tunnel
replay-window 32 seq 0x00000000 flag 20 (0x00100000)
auth hmac(sha1) 0x840c9d785e7bb09cd5b868ff13295f558191b3e5 (160 bits)
enc cbc(aes) 0xade0f2bfc266c8fcce9267f2270fcfe1 (128 bits)
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 2940(sec), hard 3600(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
2520(bytes), 42(packets)
add 2018-01-04 14:22:14 use 2018-01-04 14:22:19
stats:
replay-window 0 replay 0 failed 0
# ip -s xfrm policy
src 192.168.20.0/24 dst 172.31.12.176/32 uid 0
dir fwd action allow index 1986 priority 2851 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2018-01-04 14:22:14 use 2018-01-04 14:24:09
tmpl src x.x.x.143 dst 172.31.10.126
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.20.0/24 dst 172.31.12.176/32 uid 0
dir in action allow index 1976 priority 2851 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2018-01-04 14:22:14 use -
tmpl src x.x.x.143 dst 172.31.10.126
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 172.31.12.176/32 dst 192.168.20.0/24 uid 0
dir out action allow index 1969 priority 2851 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2018-01-04 14:22:14 use -
tmpl src 172.31.10.126 dst x.x.x.143
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
dir 3 action allow index 1963 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2018-01-04 14:22:11 use 2018-01-04 14:24:09
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
dir 4 action allow index 1956 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2018-01-04 14:22:11 use 2018-01-04 14:23:58
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
dir 3 action allow index 1947 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2018-01-04 14:22:11 use 2018-01-04 14:22:14
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
dir 4 action allow index 1940 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2018-01-04 14:22:11 use 2018-01-04 14:22:14
src ::/0 dst ::/0 uid 0
dir 3 action allow index 1931 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2018-01-04 14:22:11 use -
src ::/0 dst ::/0 uid 0
dir 4 action allow index 1924 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2018-01-04 14:22:11 use -
src ::/0 dst ::/0 uid 0
dir 3 action allow index 1915 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2018-01-04 14:22:11 use -
src ::/0 dst ::/0 uid 0
dir 4 action allow index 1908 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2018-01-04 14:22:11 use -
# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:4500 dpt:4500
LOGDROP all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
LOGDROP all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.20.0/24 172.31.12.176 policy match dir in pol ipsec reqid 1 proto 50
ACCEPT all -- 172.31.12.176 192.168.20.0/24 policy match dir out pol ipsec reqid 1 proto 50
LOGDROP all -- 0.0.0.0/0 0.0.0.0/0
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:4500 dpt:4500
Chain LOGDROP (3 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
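As an added diagnostic example (not part of the post above, and not strongSwan's own tooling): a small Python script that reads two `ip -s xfrm state` snapshots like the ones in the post and flags the pattern they show, inbound SA packet counters rising while the outbound SA never leaves zero, meaning decrypted packets arrive but no reply is ever encrypted back towards the peer. It also checks whether the installed policy selector (172.31.12.176/32) is narrower than the configured leftsubnet (172.31.12.0/24). The sample snapshot text is constructed from the post's output and trimmed to the lines the parser reads.

```python
import ipaddress
import re

# Constructed sample: two `ip -s xfrm state` snapshots from the post, trimmed to the
# "src ... dst ..." SA header and the "lifetime current" packet counter lines.
SNAP_EARLY = """\
src 172.31.10.126 dst x.x.x.143
lifetime current:
0(bytes), 0(packets)
src x.x.x.143 dst 172.31.10.126
lifetime current:
2160(bytes), 36(packets)
"""
# Second snapshot a little later: only the inbound SA counter has moved.
SNAP_LATE = SNAP_EARLY.replace("2160(bytes), 36(packets)", "2520(bytes), 42(packets)")

SA_RE = re.compile(r"^src (\S+) dst (\S+)$")
PKT_RE = re.compile(r"(\d+)\(bytes\), (\d+)\(packets\)")


def parse_xfrm_state(text):
    """Map (src, dst) of every SA in the dump to its current packet counter."""
    counters, current = {}, None
    for line in text.splitlines():
        m = SA_RE.match(line.strip())
        if m:
            current = (m.group(1), m.group(2))
            continue
        m = PKT_RE.search(line)
        if m and current:
            counters[current] = int(m.group(2))
    return counters


def one_way_tunnel(early, late, local):
    """True when inbound SAs (dst == local) kept counting between the two
    snapshots while outbound SAs (src == local) did not move at all: the peer's
    traffic is being decrypted, but nothing is ever encrypted back to it."""
    a, b = parse_xfrm_state(early), parse_xfrm_state(late)
    rx = sum(b[k] - a.get(k, 0) for k in b if k[1] == local)
    tx = sum(b[k] - a.get(k, 0) for k in b if k[0] == local)
    return rx > 0 and tx == 0


def selector_narrowed(configured_subnet, policy_selector):
    """True when the installed xfrm policy covers only a strict subset of the
    configured leftsubnet, i.e. the peer narrowed the traffic selector."""
    conf = ipaddress.ip_network(configured_subnet)
    pol = ipaddress.ip_network(policy_selector)
    return pol != conf and pol.subnet_of(conf)
```

On a live box, feed the real output of `ip -s xfrm state` taken a few seconds apart and the `src`/`dst` selectors from `ip xfrm policy`; a True from both checks points at the return path rather than at the tunnel itself.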