[strongSwan] IPSec Tunnel Up, No Traffic Passed to End Destination
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Jan 11 12:55:27 CET 2018
Disable the source check in the VPC for the strongSwan server in the VPC.
Check if forwarding is enabled in sysctl globally for IPv4, too.
> sysctl net.ipv6.conf.all.forwarding=1
That is IPv6 only. You're tunneling IPv4 packets though.
BTW, your cipher suite sucks. Use something better and use auto = route. Better yet, use a configuration from the UsableExamples page on the wiki.
GZ, you just leaked the keys of your SAs via the output of `ip xfrm state`.
The output of `iptables -L` is useless. Provide the output of `iptables-save` instead.
Generally, adhere to what the HelpRequests page says.
Kind regards
Noel
On 05.01.2018 19:09, Cruz Tovar wrote:
>
> Below is a network diagram of the StrongSwan box configured in Amazon Web Services with a tunnel to a Cisco ASA.
>
> The tunnel between the StrongSwan box and the Cisco device is working properly; phase 1 and phase 2 have completed.
>
> The issue is that the traffic destined to the StrongSwan box should then be passed to the 'Test Server' box (172.31.12.176).
>
> I am able to see the ICMP packets sent from the 192.168.20.0/24 network hit the StrongSwan box, but this traffic is not passed along to the Test Server.
>
> I have enabled forward client traffic and included forward rules for traffic sourced from the 192.168.20.0/24 subnet to be forwarded to 172.31.12.176.
>
> Does someone have any insight into what I may have configured incorrectly?
>
> |TEST SERVER (172.31.12.176)| ========== Eth1 172.31.12.187 -- |STRONGSWAN SERVER| -- Eth0 172.31.10.126 (EIP x.x.x.209) ========== Outside Interface x.x.x.143 -- |CISCO ASA| -- 192.168.20.0/24 Subnet to other hosts
>
> StrongSwan Server has two Interfaces: Eth0 and Eth1.
> Eth0 has an EIP associated to it (x.x.x.209).
> Eth1 has an IP of 172.31.12.187 that I believe should pass traffic to the Test Server.
>
> Test Server has an IP address of 172.31.12.176.
>
> Cisco ASA has an outside interface of x.x.x.143 and communicates to the subnet 192.168.20.0/24.
>
> CONFIGS & OUTPUT IP/ROUTE DETAILS
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
>     # strictcrlpolicy=yes
>     # uniqueids = no
>     charondebug="ike 2, knl 2, cfg 2, dmn 2, esp 2, net 2, chd 2"
>
> conn RedSkyPIX-CHI
>     type = tunnel
>     authby = psk
>     auto = start
>     keyexchange = ikev1
>     ike = aes128-sha1-modp1024
>     esp = aes128-sha1
>     ikelifetime = 28800s
>     keylife = 3600s
>     aggressive = no
>     left = 172.31.10.126
>     leftsubnet = 172.31.12.0/24
>     leftid = x.x.x.209
>     leftfirewall = yes
>     right = x.x.x.143
>     rightsubnet = 192.168.20.0/24
>     rightid = x.x.x.143
>     rightfirewall = yes
>
> # The following are enabled
> sysctl net.ipv4.ip_forward=1
> sysctl net.ipv6.conf.all.forwarding=1
>
>
> # ip route show
> 172.31.12.0/24 dev eth1 proto kernel scope link src 172.31.12.187
> 172.31.10.0/24 dev eth0 proto kernel scope link src 172.31.10.126
> 169.254.0.0/16 dev eth0 scope link metric 1002
> 169.254.0.0/16 dev eth1 scope link metric 1003
> default via 172.31.10.1 dev eth0
>
>
> # ip -s xfrm state
> src 172.31.10.126 dst x.x.x.143
>     proto esp spi 0xae1ca856(2921113686) reqid 1(0x00000001) mode tunnel
>     replay-window 32 seq 0x00000000 flag 20 (0x00100000)
>     auth hmac(sha1) 0x6008d28b0f40c2eb8fa884730aa41fa9da85dcac (160 bits)
>     enc cbc(aes) 0xdcfd69f529f3529a026aa2ddefce61bc (128 bits)
>     encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
>     lifetime config:
>       limit: soft (INF)(bytes), hard (INF)(bytes)
>       limit: soft (INF)(packets), hard (INF)(packets)
>       expire add: soft 3055(sec), hard 3600(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-01-04 14:22:14 use -
>     stats:
>       replay-window 0 replay 0 failed 0
> src x.x.x.143 dst 172.31.10.126
>     proto esp spi 0xc3a540f4(3282387188) reqid 1(0x00000001) mode tunnel
>     replay-window 32 seq 0x00000000 flag 20 (0x00100000)
>     auth hmac(sha1) 0x840c9d785e7bb09cd5b868ff13295f558191b3e5 (160 bits)
>     enc cbc(aes) 0xade0f2bfc266c8fcce9267f2270fcfe1 (128 bits)
>     encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
>     lifetime config:
>       limit: soft (INF)(bytes), hard (INF)(bytes)
>       limit: soft (INF)(packets), hard (INF)(packets)
>       expire add: soft 2940(sec), hard 3600(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       2160(bytes), 36(packets)
>       add 2018-01-04 14:22:14 use 2018-01-04 14:22:19
>     stats:
>       replay-window 0 replay 0 failed 0
>
> # ip -s xfrm state
> src 172.31.10.126 dst x.x.x.143
>     proto esp spi 0xae1ca856(2921113686) reqid 1(0x00000001) mode tunnel
>     replay-window 32 seq 0x00000000 flag 20 (0x00100000)
>     auth hmac(sha1) 0x6008d28b0f40c2eb8fa884730aa41fa9da85dcac (160 bits)
>     enc cbc(aes) 0xdcfd69f529f3529a026aa2ddefce61bc (128 bits)
>     encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
>     lifetime config:
>       limit: soft (INF)(bytes), hard (INF)(bytes)
>       limit: soft (INF)(packets), hard (INF)(packets)
>       expire add: soft 3055(sec), hard 3600(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-01-04 14:22:14 use -
>     stats:
>       replay-window 0 replay 0 failed 0
> src x.x.x.143 dst 172.31.10.126
>     proto esp spi 0xc3a540f4(3282387188) reqid 1(0x00000001) mode tunnel
>     replay-window 32 seq 0x00000000 flag 20 (0x00100000)
>     auth hmac(sha1) 0x840c9d785e7bb09cd5b868ff13295f558191b3e5 (160 bits)
>     enc cbc(aes) 0xade0f2bfc266c8fcce9267f2270fcfe1 (128 bits)
>     encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
>     lifetime config:
>       limit: soft (INF)(bytes), hard (INF)(bytes)
>       limit: soft (INF)(packets), hard (INF)(packets)
>       expire add: soft 2940(sec), hard 3600(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       2520(bytes), 42(packets)
>       add 2018-01-04 14:22:14 use 2018-01-04 14:22:19
>     stats:
>       replay-window 0 replay 0 failed 0
>
>
> # ip -s xfrm policy
> src 192.168.20.0/24 dst 172.31.12.176/32 uid 0
>     dir fwd action allow index 1986 priority 2851 ptype main share any flag (0x00000000)
>     lifetime config:
>       limit: soft (INF)(bytes), hard (INF)(bytes)
>       limit: soft (INF)(packets), hard (INF)(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-01-04 14:22:14 use 2018-01-04 14:24:09
>     tmpl src x.x.x.143 dst 172.31.10.126
>       proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
>       level required share any
>       enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 192.168.20.0/24 dst 172.31.12.176/32 uid 0
>     dir in action allow index 1976 priority 2851 ptype main share any flag (0x00000000)
>     lifetime config:
>       limit: soft (INF)(bytes), hard (INF)(bytes)
>       limit: soft (INF)(packets), hard (INF)(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-01-04 14:22:14 use -
>     tmpl src x.x.x.143 dst 172.31.10.126
>       proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
>       level required share any
>       enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 172.31.12.176/32 dst 192.168.20.0/24 uid 0
>     dir out action allow index 1969 priority 2851 ptype main share any flag (0x00000000)
>     lifetime config:
>       limit: soft (INF)(bytes), hard (INF)(bytes)
>       limit: soft (INF)(packets), hard (INF)(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-01-04 14:22:14 use -
>     tmpl src 172.31.10.126 dst x.x.x.143
>       proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
>       level required share any
>       enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>     dir 3 action allow index 1963 priority 0 ptype main share any flag (0x00000000)
>     lifetime config:
>       limit: soft 0(bytes), hard 0(bytes)
>       limit: soft 0(packets), hard 0(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-01-04 14:22:11 use 2018-01-04 14:24:09
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>     dir 4 action allow index 1956 priority 0 ptype main share any flag (0x00000000)
>     lifetime config:
>       limit: soft 0(bytes), hard 0(bytes)
>       limit: soft 0(packets), hard 0(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-01-04 14:22:11 use 2018-01-04 14:23:58
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>     dir 3 action allow index 1947 priority 0 ptype main share any flag (0x00000000)
>     lifetime config:
>       limit: soft 0(bytes), hard 0(bytes)
>       limit: soft 0(packets), hard 0(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-01-04 14:22:11 use 2018-01-04 14:22:14
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>     dir 4 action allow index 1940 priority 0 ptype main share any flag (0x00000000)
>     lifetime config:
>       limit: soft 0(bytes), hard 0(bytes)
>       limit: soft 0(packets), hard 0(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-01-04 14:22:11 use 2018-01-04 14:22:14
> src ::/0 dst ::/0 uid 0
>     dir 3 action allow index 1931 priority 0 ptype main share any flag (0x00000000)
>     lifetime config:
>       limit: soft 0(bytes), hard 0(bytes)
>       limit: soft 0(packets), hard 0(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-01-04 14:22:11 use -
> src ::/0 dst ::/0 uid 0
>     dir 4 action allow index 1924 priority 0 ptype main share any flag (0x00000000)
>     lifetime config:
>       limit: soft 0(bytes), hard 0(bytes)
>       limit: soft 0(packets), hard 0(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-01-04 14:22:11 use -
> src ::/0 dst ::/0 uid 0
>     dir 3 action allow index 1915 priority 0 ptype main share any flag (0x00000000)
>     lifetime config:
>       limit: soft 0(bytes), hard 0(bytes)
>       limit: soft 0(packets), hard 0(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-01-04 14:22:11 use -
> src ::/0 dst ::/0 uid 0
>     dir 4 action allow index 1908 priority 0 ptype main share any flag (0x00000000)
>     lifetime config:
>       limit: soft 0(bytes), hard 0(bytes)
>       limit: soft 0(packets), hard 0(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-01-04 14:22:11 use -
>
>
> # iptables -L -n
> Chain INPUT (policy ACCEPT)
> target     prot opt source       destination
> ACCEPT     all  --  0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
> ACCEPT     icmp --  0.0.0.0/0    0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0    0.0.0.0/0
> ACCEPT     tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:22
> ACCEPT     udp  --  0.0.0.0/0    0.0.0.0/0    udp spt:500 dpt:500
> ACCEPT     udp  --  0.0.0.0/0    0.0.0.0/0    udp spt:4500 dpt:4500
> LOGDROP    all  --  0.0.0.0/0    0.0.0.0/0
> ACCEPT     ah   --  0.0.0.0/0    0.0.0.0/0
> ACCEPT     esp  --  0.0.0.0/0    0.0.0.0/0
> REJECT     all  --  0.0.0.0/0    0.0.0.0/0    reject-with icmp-host-prohibited
> LOGDROP    all  --  0.0.0.0/0    0.0.0.0/0
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source          destination
> ACCEPT     all  --  192.168.20.0/24 172.31.12.176   policy match dir in pol ipsec reqid 1 proto 50
> ACCEPT     all  --  172.31.12.176   192.168.20.0/24 policy match dir out pol ipsec reqid 1 proto 50
> LOGDROP    all  --  0.0.0.0/0       0.0.0.0/0
> REJECT     all  --  0.0.0.0/0       0.0.0.0/0       reject-with icmp-host-prohibited
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source       destination
> ACCEPT     esp  --  0.0.0.0/0    0.0.0.0/0
> ACCEPT     ah   --  0.0.0.0/0    0.0.0.0/0
> ACCEPT     udp  --  0.0.0.0/0    0.0.0.0/0    udp spt:500 dpt:500
> ACCEPT     udp  --  0.0.0.0/0    0.0.0.0/0    udp spt:4500 dpt:4500
>
> Chain LOGDROP (3 references)
> target     prot opt source       destination
> LOG        all  --  0.0.0.0/0    0.0.0.0/0    LOG flags 0 level 4
>
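Two small shell helpers for the two practical points in Noel's reply: redacting SA key material from `ip xfrm state` output before it is posted anywhere, and checking that the forwarding sysctl for the address family actually being tunneled (IPv4 here) is on, rather than only the IPv6 one. This is an added example, not code from the thread or from strongSwan; the function names are mine, the sample SA and sysctl lines are constructed (made-up addresses and keys), and the sysctl parser assumes the usual `key = value` output format.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread). Two helpers:
#   sanitize_xfrm_state  - redact SA keys from `ip [-s] xfrm state` output
#   forwarding_verdict   - check the forwarding sysctl for a given address family

# Reads `ip [-s] xfrm state` output on stdin, writes it to stdout with the key
# bytes on auth/auth-trunc/enc/aead lines replaced by <REDACTED>. The algorithm
# name and the "(N bits)" suffix are kept, since those are what helps debugging;
# the SPI line is untouched because an SPI is not secret.
sanitize_xfrm_state() {
    sed -E 's/^([[:space:]]*(auth|auth-trunc|enc|aead)[[:space:]]+[^[:space:]]+[[:space:]]+)0x[0-9A-Fa-f]+/\1<REDACTED>/'
}

# Usage: forwarding_verdict <ipv4|ipv6>  < sysctl_output
# sysctl_output lines are assumed to look like "net.ipv4.ip_forward = 1"
# (the format `sysctl -a` and `sysctl <key>` print on Linux).
# Prints "ok" (exit 0), "disabled" or "missing" (exit 1) for the requested family.
forwarding_verdict() {
    family="$1"
    case "$family" in
        ipv4) key='net.ipv4.ip_forward' ;;
        ipv6) key='net.ipv6.conf.all.forwarding' ;;
        *) echo "unknown family: $family" >&2; return 2 ;;
    esac
    value=$(awk -v k="$key" '$1 == k && $2 == "=" { print $3 }')
    case "$value" in
        1)  echo "ok"; return 0 ;;
        "") echo "missing"; return 1 ;;
        *)  echo "disabled"; return 1 ;;
    esac
}

# Constructed sample SA, shaped like the `ip -s xfrm state` output in the
# thread. Addresses and key bytes are made up.
SAMPLE_XFRM='src 10.0.0.1 dst 198.51.100.2
    proto esp spi 0x0000abcd(43981) reqid 1(0x00000001) mode tunnel
    replay-window 32 seq 0x00000000 flag 20 (0x00100000)
    auth hmac(sha1) 0x00112233445566778899aabbccddeeff00112233 (160 bits)
    enc cbc(aes) 0x00112233445566778899aabbccddeeff (128 bits)'

# Constructed sysctl output showing the mistake the reply warns about:
# IPv6 forwarding on, IPv4 forwarding (the family being tunneled) off.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 1'

# Demo. On a real host you would run:  ip -s xfrm state | sanitize_xfrm_state
printf '%s\n' "$SAMPLE_XFRM" | sanitize_xfrm_state
printf 'ipv4 forwarding: '; printf '%s\n' "$SAMPLE_SYSCTL" | forwarding_verdict ipv4 || :
printf 'ipv6 forwarding: '; printf '%s\n' "$SAMPLE_SYSCTL" | forwarding_verdict ipv6
```

Pipe the real `ip -s xfrm state` through `sanitize_xfrm_state` before pasting it into a list post or ticket; the redacted output still shows SPIs, algorithms, key lengths, lifetimes and packet counters, which is everything needed to debug a tunnel. For the sysctl check, feed it `sysctl net.ipv4.ip_forward net.ipv6.conf.all.forwarding` and ask for the family whose packets actually traverse the tunnel.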