[strongSwan] VPN routing help

Matt Frederick matt at mpirik.com
Tue Nov 26 16:46:09 CET 2019


Hi, I'm looking for some help with a VPN I have set up. This VPN connects
two AWS VPCs, and is a learning opportunity for me, in preparation for a
larger project next year.

In this case, I have 4 computers, two being strongSwan boxes, with two
client machines. The layout is as follows:

172.16.20.24 <=> 172.16.20.13 <=> 172.31.26.241 <=> 172.31.18.117

where 172.16.20.13 and 172.31.26.241 are strongswan boxes, with an IPSec
tunnel between them. 172.16.20.24 and 172.16.20.13 can ping each other, and
172.31.26.241 and 172.31.18.117 can ping each other.

172.16.20.24 attempts to ping 172.31.18.117 over the tunnel.

Currently, routing between the VPCs is limited to the strongswan boxes, to
ensure that the client traffic traverses the tunnel.

For this test, client machines are statically routing the target machine to
the VPN machines, and when I ping from 18.117 to 20.24, I see the packet
(twice in tcpdump) at 26.241, but it does not see traffic on the VPN, nor
on the receiving side.

thanks in advance, m

All seems well, and the tunnels come up (conn ec2test2):

Connections:
    ec2test2:  172.31.26.241...172.16.20.13  IKEv2
    ec2test2:   local:  [172.31.26.241] uses pre-shared key authentication
    ec2test2:   remote: [172.16.20.13] uses pre-shared key authentication
    ec2test2:   child:  172.31.18.117/32 === 172.16.20.24/32 TUNNEL
Security Associations (1 up, 0 connecting):
    ec2test2[8]: ESTABLISHED 23 seconds ago, 172.31.26.241[172.31.26.241]...172.16.20.13[172.16.20.13]
    ec2test2[8]: IKEv2 SPIs: e048424b128299d7_i* 5790cae7fadc96ff_r, pre-shared key reauthentication in 7 hours
    ec2test2[8]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
    ec2test2{73}:  INSTALLED, TUNNEL, reqid 12, ESP in UDP SPIs: c1ce842f_i cc636877_o
    ec2test2{73}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 43 minutes
    ec2test2{73}:   172.31.18.117/32 === 172.16.20.24/32

ipsec.conf:
conn ec2test2
        right=172.16.20.13
        left=172.31.26.241
        leftfirewall=yes
        rightsubnet=172.16.20.24/32
        leftsubnet=172.31.18.117/32
        rightfirewall=yes
        ike=aes256-sha1-modp1536!
        keyexchange=ikev2
        ikelifetime=28800s
        esp=aes256-sha1-modp1536!
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        compress=no
        authby=secret
        mark=%unique
        auto=start
        keyingtries=%forever
        forceencaps=yes
        mobike=no


firewall rules seem ok (they are added by strongswan):
[root@ip-172-31-26-241 ec2-user]# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -s 172.16.20.24/32 -d 172.31.18.117/32 -i eth0 -m policy --dir in --pol ipsec --reqid 12 --proto esp -j ACCEPT
-A FORWARD -s 172.31.18.117/32 -d 172.16.20.24/32 -o eth0 -m policy --dir out --pol ipsec --reqid 12 --proto esp -j ACCEPT

[root@ip-172-31-26-241 ec2-user]# ip xfrm pol
src 172.31.18.117/32 dst 172.16.20.24/32
dir out priority 367231 ptype main
mark 0xc/0xffffffff
tmpl src 172.31.26.241 dst 172.16.20.13
proto esp spi 0xcc636877 reqid 12 mode tunnel
src 172.16.20.24/32 dst 172.31.18.117/32
dir fwd priority 367231 ptype main
mark 0xc/0xffffffff
tmpl src 172.16.20.13 dst 172.31.26.241
proto esp reqid 12 mode tunnel
src 172.16.20.24/32 dst 172.31.18.117/32
dir in priority 367231 ptype main
mark 0xc/0xffffffff
tmpl src 172.16.20.13 dst 172.31.26.241
proto esp reqid 12 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main

[root@ip-172-31-26-241 ec2-user]# ip xfrm state
src 172.31.26.241 dst 172.16.20.13
proto esp spi 0xcc636877 reqid 12 mode tunnel
replay-window 0 flag af-unspec
mark 0xc/0xffffffff
auth-trunc hmac(sha1) 0xf323a6acb5a1517bba18285fa54a3d51e237a4de 96
enc cbc(aes) 0xccb4bea13f0bf1a8fa24dac0de7dd73751005dc85a271a3f484bae125475808e
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 172.16.20.13 dst 172.31.26.241
proto esp spi 0xc1ce842f reqid 12 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0xa6e93c716c71a248b716bcdf5c9d0bbf2266d40f 96
enc cbc(aes) 0xffbeff56638b45c0d94bd33b1dfe9ded84aad68866bf1d44e9f01dc2eecf0660
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000

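The xfrm policies in the listing above carry mark 0xc/0xffffffff, which is what mark=%unique produces, and the kernel consults a marked policy only for packets whose fwmark matches it. The script below is an added example, not code from the post or from strongSwan: it parses the ip xfrm pol and iptables -S listings as posted and replays the kernel's outbound policy lookup for a plaintext packet from 172.31.18.117 to 172.16.20.24, first with the posted filter rules and then with a constructed mangle PREROUTING rule that stamps the mark (IPTABLES_WITH_MARK). That rule, and the assumption that a MARK target is the only way the packet acquires a fwmark, are not from the post.

```python
"""Emulate the kernel's XFRM policy lookup for a forwarded plaintext packet.
Added example, not from the post or strongSwan. Linux selects a policy only
if (packet fwmark & policy mask) == policy mark, so a policy carrying
mark 0xc/0xffffffff never matches a packet whose fwmark is 0."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Copied from the post: `ip xfrm pol` on 172.31.26.241 (out policy and one
# socket policy; the in/fwd policies carry the same mark).
XFRM_POLICY_OUTPUT = """\
src 172.31.18.117/32 dst 172.16.20.24/32
dir out priority 367231 ptype main
mark 0xc/0xffffffff
tmpl src 172.31.26.241 dst 172.16.20.13
proto esp spi 0xcc636877 reqid 12 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
"""

# Copied from the post: `iptables -S` on the same host (filter table only).
IPTABLES_OUTPUT = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -s 172.16.20.24/32 -d 172.31.18.117/32 -i eth0 -m policy --dir in --pol ipsec --reqid 12 --proto esp -j ACCEPT
-A FORWARD -s 172.31.18.117/32 -d 172.16.20.24/32 -o eth0 -m policy --dir out --pol ipsec --reqid 12 --proto esp -j ACCEPT
"""

# Constructed for contrast, not from the post: a mangle PREROUTING rule that
# stamps the expected mark onto the client traffic before the xfrm lookup.
IPTABLES_WITH_MARK = IPTABLES_OUTPUT + (
    "-A PREROUTING -s 172.31.18.117/32 -d 172.16.20.24/32"
    " -j MARK --set-xmark 0xc/0xffffffff\n")

_SEL = re.compile(r"^src (\S+) dst (\S+)$")
_DIR = re.compile(r"^(dir|socket) (in|out|fwd) priority (\d+)")
_MARK = re.compile(r"^mark (0x[0-9a-fA-F]+)/(0x[0-9a-fA-F]+)$")
_TMPL = re.compile(r"^tmpl src (\S+) dst (\S+)$")
_MARK_RULE = re.compile(r"-j MARK --set-x?mark (0x[0-9a-fA-F]+|\d+)")

@dataclass
class XfrmPolicy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str = ""   # in / out / fwd, or socket-in / socket-out
    priority: int = 0     # lower number wins
    mark: int = 0         # packet must satisfy (fwmark & mask) == mark
    mask: int = 0
    tmpl: Optional[Tuple[str, str]] = None   # (tunnel src, tunnel dst)

def parse_xfrm_policy(text: str) -> List[XfrmPolicy]:
    """Parse `ip xfrm policy` output; each `src ... dst ...` line starts a policy."""
    policies: List[XfrmPolicy] = []
    cur: Optional[XfrmPolicy] = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := _SEL.match(line):
            cur = XfrmPolicy(ipaddress.ip_network(m[1]), ipaddress.ip_network(m[2]))
            policies.append(cur)
        elif cur is None:
            continue
        elif m := _DIR.match(line):
            cur.direction = m[2] if m[1] == "dir" else "socket-" + m[2]
            cur.priority = int(m[3])
        elif m := _MARK.match(line):
            cur.mark, cur.mask = int(m[1], 16), int(m[2], 16)
        elif m := _TMPL.match(line):
            cur.tmpl = (m[1], m[2])
    return policies

def lookup(policies, direction, src, dst, fwmark=0) -> Optional[XfrmPolicy]:
    """Best-priority policy in `direction` covering src->dst under this fwmark."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies if p.direction == direction
            and s in p.src and d in p.dst and (fwmark & p.mask) == p.mark]
    return min(hits, key=lambda p: p.priority) if hits else None

def marks_set_by_iptables(text: str) -> Set[int]:
    """Mark values that some listed rule stamps on packets (-j MARK)."""
    return {int(m[1], 0) for m in _MARK_RULE.finditer(text)}

def diagnose(xfrm_text, iptables_text, src, dst) -> dict:
    """Will a plaintext src->dst packet forwarded by this host enter the tunnel?"""
    policies = parse_xfrm_policy(xfrm_text)
    # Try every fwmark the packet can carry: 0, plus whatever a rule may stamp.
    for fwmark in [0] + sorted(marks_set_by_iptables(iptables_text)):
        if (hit := lookup(policies, "out", src, dst, fwmark)) is not None:
            return {"ipsec_applied": True, "fwmark": fwmark, "policy": hit}
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    required = sorted({p.mark for p in policies if p.direction == "out"
                       and p.mask and s in p.src and d in p.dst})
    return {"ipsec_applied": False, "required_marks": required}

if __name__ == "__main__":
    for rules in (IPTABLES_OUTPUT, IPTABLES_WITH_MARK):
        print(diagnose(XFRM_POLICY_OUTPUT, rules, "172.31.18.117", "172.16.20.24"))
```

With the posted rules the lookup finds no policy for the unmarked packet and reports that mark 0xc would have been needed; with the constructed MARK rule the same packet selects the tunnel policy towards 172.16.20.13. The check only knows about marks set by an iptables MARK target; a mark applied by another mechanism (for example an XFRM or VTI interface) would not be visible to it.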