[strongSwan] IPSec Tunnel Up, No Traffic Passed to End Destination

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Jan 11 12:55:27 CET 2018


Disable the source check in the VPC for the strongSwan server in the VPC.
Check if forwarding is enabled in sysctl globally for IPv4, too.
> sysctl net.ipv6.conf.all.forwarding=1
That is IPv6 only. You're tunneling IPv4 packets though.

BTW, your cipher suite sucks. Use something better and use auto = route. Better yet, use a configuration from the UsableExamples page on the wiki.

GZ, you just leaked the keys of your SAs via the output of `ip xfrm state`.


The output of `iptables -L` is useless. Provide the output of `iptables-save` instead.
Generally, adhere to what the HelpRequests page says.

Kind regards

Noel

On 05.01.2018 19:09, Cruz Tovar wrote:
>
> Below is a network diagram of the StrongSwan box configured in Amazon Web Services with a tunnel to a Cisco ASA.
>
> The tunnel between the StrongSwan box and the Cisco device is working properly; phase 1 and phase 2 have completed.
>
> The issue is that the traffic destined to the StrongSwan box should then be passed to the 'Test Server' box (172.31.12.176).
>
> I am able to see the ICMP packets sent from the 192.168.20.0/24 network hit the StrongSwan box, but this traffic is not passed along to the Test Server.
>
> I have enabled forward client traffic and included forward rules for traffic sourced from the 192.168.20.0/24 subnet to be forwarded to 172.31.12.176.
>
> Does someone have any insight into what I may have configured incorrectly?
>
> |TEST SERVER (172.31.12.176)| ========== Eth1 172.31.12.187 -- |STRONGSWAN SERVER| -- Eth0 172.31.10.126 (EIP x.x.x.209) ========== Outside Interface x.x.x.143 -- |CISCO ASA| -- 192.168.20.0/24 Subnet to other hosts
>
> StrongSwan Server has two Interfaces: Eth0 and Eth1.
>
>      Eth0 has an EIP associated to it (x.x.x.209)
>      Eth1 has an IP of 172.31.12.187 that I believe should pass traffic to the Test Server
>
> Test Server has an IP address of 172.31.12.176
>
> Cisco ASA has an outside interface of x.x.x.143 and communicates to the subnet 192.168.20.0/24.
>
> CONFIGS & OUTPUT IP/ROUTE DETAILS
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
>         # strictcrlpolicy=yes
>         # uniqueids = no
>         charondebug="ike 2, knl 2, cfg 2, dmn 2, esp 2, net 2, chd 2"
>
> conn RedSkyPIX-CHI
>         type = tunnel
>         authby = psk
>         auto = start
>         keyexchange = ikev1
>         ike = aes128-sha1-modp1024
>         esp = aes128-sha1
>         ikelifetime = 28800s
>         keylife = 3600s
>         aggressive = no
>         left = 172.31.10.126
>         leftsubnet = 172.31.12.0/24
>         leftid = x.x.x.209
>         leftfirewall = yes
>         right = x.x.x.143
>         rightsubnet = 192.168.20.0/24
>         rightid = x.x.x.143
>         rightfirewall = yes
>
> # The following are enabled
> sysctl net.ipv4.ip_forward=1
> sysctl net.ipv6.conf.all.forwarding=1
>
> # ip route show
> 172.31.12.0/24 dev eth1  proto kernel  scope link  src 172.31.12.187
> 172.31.10.0/24 dev eth0  proto kernel  scope link  src 172.31.10.126
> 169.254.0.0/16 dev eth0  scope link  metric 1002
> 169.254.0.0/16 dev eth1  scope link  metric 1003
> default via 172.31.10.1 dev eth0
>
> # ip -s xfrm state
> src 172.31.10.126 dst x.x.x.143
>         proto esp spi 0xae1ca856(2921113686) reqid 1(0x00000001) mode tunnel
>         replay-window 32 seq 0x00000000 flag 20 (0x00100000)
>         auth hmac(sha1) 0x6008d28b0f40c2eb8fa884730aa41fa9da85dcac (160 bits)
>         enc cbc(aes) 0xdcfd69f529f3529a026aa2ddefce61bc (128 bits)
>         encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
>         lifetime config:
>           limit: soft (INF)(bytes), hard (INF)(bytes)
>           limit: soft (INF)(packets), hard (INF)(packets)
>           expire add: soft 3055(sec), hard 3600(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-01-04 14:22:14 use -
>         stats:
>           replay-window 0 replay 0 failed 0
> src x.x.x.143 dst 172.31.10.126
>         proto esp spi 0xc3a540f4(3282387188) reqid 1(0x00000001) mode tunnel
>         replay-window 32 seq 0x00000000 flag 20 (0x00100000)
>         auth hmac(sha1) 0x840c9d785e7bb09cd5b868ff13295f558191b3e5 (160 bits)
>         enc cbc(aes) 0xade0f2bfc266c8fcce9267f2270fcfe1 (128 bits)
>         encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
>         lifetime config:
>           limit: soft (INF)(bytes), hard (INF)(bytes)
>           limit: soft (INF)(packets), hard (INF)(packets)
>           expire add: soft 2940(sec), hard 3600(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           2160(bytes), 36(packets)
>           add 2018-01-04 14:22:14 use 2018-01-04 14:22:19
>         stats:
>           replay-window 0 replay 0 failed 0
>
> # ip -s xfrm state
> src 172.31.10.126 dst x.x.x.143
>         proto esp spi 0xae1ca856(2921113686) reqid 1(0x00000001) mode tunnel
>         replay-window 32 seq 0x00000000 flag 20 (0x00100000)
>         auth hmac(sha1) 0x6008d28b0f40c2eb8fa884730aa41fa9da85dcac (160 bits)
>         enc cbc(aes) 0xdcfd69f529f3529a026aa2ddefce61bc (128 bits)
>         encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
>         lifetime config:
>           limit: soft (INF)(bytes), hard (INF)(bytes)
>           limit: soft (INF)(packets), hard (INF)(packets)
>           expire add: soft 3055(sec), hard 3600(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-01-04 14:22:14 use -
>         stats:
>           replay-window 0 replay 0 failed 0
> src x.x.x.143 dst 172.31.10.126
>         proto esp spi 0xc3a540f4(3282387188) reqid 1(0x00000001) mode tunnel
>         replay-window 32 seq 0x00000000 flag 20 (0x00100000)
>         auth hmac(sha1) 0x840c9d785e7bb09cd5b868ff13295f558191b3e5 (160 bits)
>         enc cbc(aes) 0xade0f2bfc266c8fcce9267f2270fcfe1 (128 bits)
>         encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
>         lifetime config:
>           limit: soft (INF)(bytes), hard (INF)(bytes)
>           limit: soft (INF)(packets), hard (INF)(packets)
>           expire add: soft 2940(sec), hard 3600(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           2520(bytes), 42(packets)
>           add 2018-01-04 14:22:14 use 2018-01-04 14:22:19
>         stats:
>           replay-window 0 replay 0 failed 0
>
> # ip -s xfrm policy
> src 192.168.20.0/24 dst 172.31.12.176/32 uid 0
>         dir fwd action allow index 1986 priority 2851 ptype main share any flag  (0x00000000)
>         lifetime config:
>           limit: soft (INF)(bytes), hard (INF)(bytes)
>           limit: soft (INF)(packets), hard (INF)(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-01-04 14:22:14 use 2018-01-04 14:24:09
>         tmpl src x.x.x.143 dst 172.31.10.126
>                 proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
>                 level required share any
>                 enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 192.168.20.0/24 dst 172.31.12.176/32 uid 0
>         dir in action allow index 1976 priority 2851 ptype main share any flag  (0x00000000)
>         lifetime config:
>           limit: soft (INF)(bytes), hard (INF)(bytes)
>           limit: soft (INF)(packets), hard (INF)(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-01-04 14:22:14 use -
>         tmpl src x.x.x.143 dst 172.31.10.126
>                 proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
>                 level required share any
>                 enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 172.31.12.176/32 dst 192.168.20.0/24 uid 0
>         dir out action allow index 1969 priority 2851 ptype main share any flag  (0x00000000)
>         lifetime config:
>           limit: soft (INF)(bytes), hard (INF)(bytes)
>           limit: soft (INF)(packets), hard (INF)(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-01-04 14:22:14 use -
>         tmpl src 172.31.10.126 dst x.x.x.143
>                 proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
>                 level required share any
>                 enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>         dir 3 action allow index 1963 priority 0 ptype main share any flag  (0x00000000)
>         lifetime config:
>           limit: soft 0(bytes), hard 0(bytes)
>           limit: soft 0(packets), hard 0(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-01-04 14:22:11 use 2018-01-04 14:24:09
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>         dir 4 action allow index 1956 priority 0 ptype main share any flag  (0x00000000)
>         lifetime config:
>           limit: soft 0(bytes), hard 0(bytes)
>           limit: soft 0(packets), hard 0(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-01-04 14:22:11 use 2018-01-04 14:23:58
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>         dir 3 action allow index 1947 priority 0 ptype main share any flag  (0x00000000)
>         lifetime config:
>           limit: soft 0(bytes), hard 0(bytes)
>           limit: soft 0(packets), hard 0(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-01-04 14:22:11 use 2018-01-04 14:22:14
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>         dir 4 action allow index 1940 priority 0 ptype main share any flag  (0x00000000)
>         lifetime config:
>           limit: soft 0(bytes), hard 0(bytes)
>           limit: soft 0(packets), hard 0(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-01-04 14:22:11 use 2018-01-04 14:22:14
> src ::/0 dst ::/0 uid 0
>         dir 3 action allow index 1931 priority 0 ptype main share any flag  (0x00000000)
>         lifetime config:
>           limit: soft 0(bytes), hard 0(bytes)
>           limit: soft 0(packets), hard 0(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-01-04 14:22:11 use -
> src ::/0 dst ::/0 uid 0
>         dir 4 action allow index 1924 priority 0 ptype main share any flag  (0x00000000)
>         lifetime config:
>           limit: soft 0(bytes), hard 0(bytes)
>           limit: soft 0(packets), hard 0(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-01-04 14:22:11 use -
> src ::/0 dst ::/0 uid 0
>         dir 3 action allow index 1915 priority 0 ptype main share any flag  (0x00000000)
>         lifetime config:
>           limit: soft 0(bytes), hard 0(bytes)
>           limit: soft 0(packets), hard 0(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-01-04 14:22:11 use -
> src ::/0 dst ::/0 uid 0
>         dir 4 action allow index 1908 priority 0 ptype main share any flag  (0x00000000)
>         lifetime config:
>           limit: soft 0(bytes), hard 0(bytes)
>           limit: soft 0(packets), hard 0(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-01-04 14:22:11 use -
>
> # iptables -L -n
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:500 dpt:500
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:4500 dpt:4500
> LOGDROP    all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
> REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
> LOGDROP    all  --  0.0.0.0/0            0.0.0.0/0
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  192.168.20.0/24      172.31.12.176       policy match dir in pol ipsec reqid 1 proto 50
> ACCEPT     all  --  172.31.12.176        192.168.20.0/24     policy match dir out pol ipsec reqid 1 proto 50
> LOGDROP    all  --  0.0.0.0/0            0.0.0.0/0
> REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:500 dpt:500
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:4500 dpt:4500
>
> Chain LOGDROP (3 references)
> target     prot opt source               destination
> LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4
>
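Two of the points raised in the reply above lend themselves to a small pre-posting check. The following is an added example and not code from this thread or from the strongSwan project: it redacts the SA key material that `ip xfrm state` prints on its `auth`/`enc` lines (the part that was leaked here) while keeping SPIs, reqids and counters, and it checks that the IPv4 forwarding knob, not just the IPv6 one, is actually on. The sample `ip xfrm state` and `sysctl` text embedded in the script is constructed; the addresses and key bytes in it are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from strongSwan: helpers for
# sanitising strongSwan diagnostics before posting them to a public list.
# The sample inputs below are constructed; addresses and key bytes are
# placeholders, not values from the original post.

# Redact SA key material from `ip xfrm state` output. Only the hex operand on
# auth/enc/aead lines is replaced; SPIs, reqids, addresses and counters stay,
# because those are what the list needs in order to debug the tunnel.
redact_xfrm_keys() {
    sed -E '/^[[:space:]]*(auth|auth-trunc|enc|aead)[[:space:]]/ s/0x[0-9a-fA-F]+/0x<redacted>/g'
}

# Exit 0 if sysctl-style output on stdin shows IPv4 forwarding enabled.
# net.ipv6.conf.all.forwarding does nothing for IPv4 packets, which is the
# point made in the reply above.
ipv4_forwarding_enabled() {
    grep -Eq '^net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$'
}

# Constructed sample resembling `ip -s xfrm state` for one SA (placeholder values).
SAMPLE_STATE='src 10.0.0.1 dst 203.0.113.5
        proto esp spi 0x0000abcd(43981) reqid 1(0x00000001) mode tunnel
        replay-window 32 seq 0x00000000 flag 20 (0x00100000)
        auth hmac(sha1) 0x0123456789abcdef0123456789abcdef01234567 (160 bits)
        enc cbc(aes) 0x00112233445566778899aabbccddeeff (128 bits)
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0'

# Constructed sample resembling `sysctl -a | grep forward` on a host where only
# the IPv6 knob was switched on.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 1'

# Demo: print the redacted SA and report the forwarding state.
printf '%s\n' "$SAMPLE_STATE" | redact_xfrm_keys
if printf '%s\n' "$SAMPLE_SYSCTL" | ipv4_forwarding_enabled; then
    echo 'IPv4 forwarding: enabled'
else
    echo 'IPv4 forwarding: DISABLED (net.ipv6.conf.all.forwarding does not cover IPv4)'
fi
```

On a live host the same functions are used as filters, e.g. `ip -s xfrm state | redact_xfrm_keys` and `sysctl net.ipv4.ip_forward | ipv4_forwarding_enabled`. The `sed` address restricts the substitution to lines that begin with an algorithm keyword, so the `spi 0x...` and `seq 0x...` values on neighbouring lines, which are harmless and useful for debugging, are left untouched.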