[strongSwan] VPN routing help

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Nov 27 08:43:52 CET 2019


Hello Matt,

>     ec2test2{73}:   172.31.18.117/32 === 172.16.20.24/32
Your TS only allows traffic between the IPs on the two hosts. To allow traffic between other subnets, they need to be included in the TS.

Also, please use the exact commands as shown on the HelpRequests[1] page to get useful debugging data.
iptables -L or -S isn't useful.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
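Added example (not part of this thread and not strongSwan's own code): a small Python script that applies the traffic-selector rule from the reply to the conn quoted below. It parses the child line of `ipsec statusall` and the `leftsubnet`/`rightsubnet` keys of the conn block, then reports which inner src/dst pairs the `/32` selectors cover. The widened `/16` and `/24` selectors in `WIDENED_CONF`, and the extra client address `172.31.18.200`, are assumed values for illustration only.

```python
import ipaddress
import re

# Constructed sample input: the child SA line as quoted in the thread.
STATUSALL_CHILD_LINE = "    ec2test2{73}:   172.31.18.117/32 === 172.16.20.24/32"

# Constructed sample: the selector-relevant keys of the conn block quoted in the thread.
IPSEC_CONF = """\
conn ec2test2
        right=172.16.20.13
        left=172.31.26.241
        leftsubnet=172.31.18.117/32
        rightsubnet=172.16.20.24/32
"""

# Assumed (not from the thread): the same conn with whole subnets as selectors.
WIDENED_CONF = """\
conn ec2test2
        right=172.16.20.13
        left=172.31.26.241
        leftsubnet=172.31.0.0/16
        rightsubnet=172.16.20.0/24
"""


def _networks(spec):
    """Turn a comma- or space-separated subnet list into ip_network objects."""
    return [ipaddress.ip_network(s, strict=False)
            for s in re.split(r"[\s,]+", spec.strip()) if s]


def parse_child_ts(line):
    """Extract (left_ts, right_ts) from an `ipsec statusall` child line of the
    form '<conn>{n}:   LEFT_TS === RIGHT_TS'."""
    m = re.search(r"^\s*\S+\{\d+\}:\s+(.+?)\s+===\s+(.+?)\s*$", line)
    if not m:
        raise ValueError("not a child traffic-selector line: %r" % line)
    return _networks(m.group(1)), _networks(m.group(2))


def parse_conn_subnets(conf_text, conn_name):
    """Read the left/right selectors of one conn block. When leftsubnet or
    rightsubnet is absent, ipsec.conf defaults it to the left/right address."""
    keys, in_conn = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            in_conn = line.split(None, 1)[1] == conn_name
            continue
        if in_conn and "=" in line and not line.startswith("#"):
            k, v = line.split("=", 1)
            keys[k.strip()] = v.strip()
    if "left" not in keys or "right" not in keys:
        raise ValueError("conn %s not found or missing left/right" % conn_name)
    return (_networks(keys.get("leftsubnet", keys["left"])),
            _networks(keys.get("rightsubnet", keys["right"])))


def ts_allows(left_ts, right_ts, src, dst):
    """Return 'out' if src->dst is covered left-to-right, 'in' if covered
    right-to-left, or None when no selector pair matches: such a packet is
    never sent through, forwarded over, or accepted from the tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(s in n for n in left_ts) and any(d in n for n in right_ts):
        return "out"
    if any(s in n for n in right_ts) and any(d in n for n in left_ts):
        return "in"
    return None


def verdicts(conf_text, conn_name, pairs):
    """Map each (src, dst) pair to its verdict under the conn's selectors."""
    left_ts, right_ts = parse_conn_subnets(conf_text, conn_name)
    return {(s, d): ts_allows(left_ts, right_ts, s, d) for s, d in pairs}


PAIRS = [
    ("172.31.18.117", "172.16.20.24"),  # the two hosts named in the TS
    ("172.16.20.24", "172.31.18.117"),  # reply direction
    ("172.31.26.241", "172.16.20.24"),  # the gateway's own address, outside the TS
    ("172.31.18.200", "172.16.20.24"),  # assumed second client in the left VPC
]

if __name__ == "__main__":
    left_ts, right_ts = parse_child_ts(STATUSALL_CHILD_LINE)
    print("installed child TS:", left_ts, "===", right_ts)
    for name, conf in (("quoted /32 conn", IPSEC_CONF), ("widened conn", WIDENED_CONF)):
        print("\n" + name)
        for (s, d), v in verdicts(conf, "ec2test2", PAIRS).items():
            print("  %-14s -> %-14s %s" % (s, d, v or "NOT COVERED"))
```

Pairs reported as NOT COVERED are the ones to compare against the `ip xfrm policy` output: the kernel only applies the ESP template to inner packets whose src/dst fall inside a policy's selector pair, so a host or subnet that is missing from `leftsubnet`/`rightsubnet` has no policy and its traffic is routed in the clear (or dropped by the forward rules) rather than tunnelled.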

On 26.11.19 at 16:46, Matt Frederick wrote:
> 
> Hi, I'm looking for some help with a VPN I have set up. This VPN connects two AWS VPCs, and is a learning opportunity for me, in preparation for a larger project next year.
> 
> In this case, I have 4 computers, two being strongswan boxes, with two client machines. The layout is such:
> 
> 172.16.20.24 <=> 172.16.20.13 <=> 172.31.26.241 <=> 172.31.18.117
> 
> where 172.16.20.13 and 172.31.26.241 are strongswan boxes, with an IPSec tunnel between them. 172.16.20.24 and 172.16.20.13 can ping each other, and 172.31.26.241 and 172.31.18.117 can ping each other.
> 
> 172.16.20.24 attempts to ping 172.31.18.117 over the tunnel.
> 
> Currently, routing between the VPCs is limited to the strongswan boxes, to ensure that the client traffic traverses the tunnel.
> 
> For this test, client machines are statically routing the target machine to the VPN machines, and when I ping from 18.117 to 20.24, I see the packet (twice in tcpdump) at 26.241, but it does not see traffic on the VPN, nor on the receiving side.
> 
> thanks in advance, m
> 
> All seems well, and the tunnels come up (conn ec2test2):
> 
> Connections:
>     ec2test2:  172.31.26.241...172.16.20.13  IKEv2
>     ec2test2:   local:  [172.31.26.241] uses pre-shared key authentication
>     ec2test2:   remote: [172.16.20.13] uses pre-shared key authentication
>     ec2test2:   child:  172.31.18.117/32 === 172.16.20.24/32 TUNNEL
> Security Associations (1 up, 0 connecting):
>     ec2test2[8]: ESTABLISHED 23 seconds ago, 172.31.26.241[172.31.26.241]...172.16.20.13[172.16.20.13]
>     ec2test2[8]: IKEv2 SPIs: e048424b128299d7_i* 5790cae7fadc96ff_r, pre-shared key reauthentication in 7 hours
>     ec2test2[8]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
>     ec2test2{73}:  INSTALLED, TUNNEL, reqid 12, ESP in UDP SPIs: c1ce842f_i cc636877_o
>     ec2test2{73}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 43 minutes
>     ec2test2{73}:   172.31.18.117/32 === 172.16.20.24/32
> 
> ipsec.conf:
> conn ec2test2
>         right=172.16.20.13
>         left=172.31.26.241
>         leftfirewall=yes
>         rightsubnet=172.16.20.24/32
>         leftsubnet=172.31.18.117/32
>         rightfirewall=yes
>         ike=aes256-sha1-modp1536!
>         keyexchange=ikev2
>         ikelifetime=28800s
>         esp=aes256-sha1-modp1536!
>         keylife=3600s
>         rekeymargin=540s
>         type=tunnel
>         compress=no
>         authby=secret
>         mark=%unique
>         auto=start
>         keyingtries=%forever
>         forceencaps=yes
>         mobike=no
> 
> 
> firewall rules seem ok (they are added by strongswan):
> [root at ip-172-31-26-241 ec2-user]# iptables -S
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
> -A FORWARD -s 172.16.20.24/32 -d 172.31.18.117/32 -i eth0 -m policy --dir in --pol ipsec --reqid 12 --proto esp -j ACCEPT
> -A FORWARD -s 172.31.18.117/32 -d 172.16.20.24/32 -o eth0 -m policy --dir out --pol ipsec --reqid 12 --proto esp -j ACCEPT
> 
> [root at ip-172-31-26-241 ec2-user]# ip xfrm pol
> src 172.31.18.117/32 dst 172.16.20.24/32
> dir out priority 367231 ptype main
> mark 0xc/0xffffffff
> tmpl src 172.31.26.241 dst 172.16.20.13
> proto esp spi 0xcc636877 reqid 12 mode tunnel
> src 172.16.20.24/32 dst 172.31.18.117/32
> dir fwd priority 367231 ptype main
> mark 0xc/0xffffffff
> tmpl src 172.16.20.13 dst 172.31.26.241
> proto esp reqid 12 mode tunnel
> src 172.16.20.24/32 dst 172.31.18.117/32
> dir in priority 367231 ptype main
> mark 0xc/0xffffffff
> tmpl src 172.16.20.13 dst 172.31.26.241
> proto esp reqid 12 mode tunnel
> src 0.0.0.0/0 dst 0.0.0.0/0
> socket in priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
> socket out priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
> socket in priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
> socket out priority 0 ptype main
> src ::/0 dst ::/0
> socket in priority 0 ptype main
> src ::/0 dst ::/0
> socket out priority 0 ptype main
> src ::/0 dst ::/0
> socket in priority 0 ptype main
> src ::/0 dst ::/0
> socket out priority 0 ptype main
> 
> [root at ip-172-31-26-241 ec2-user]# ip xfrm state
> src 172.31.26.241 dst 172.16.20.13
> proto esp spi 0xcc636877 reqid 12 mode tunnel
> replay-window 0 flag af-unspec
> mark 0xc/0xffffffff
> auth-trunc hmac(sha1) 0xf323a6acb5a1517bba18285fa54a3d51e237a4de 96
> enc cbc(aes) 0xccb4bea13f0bf1a8fa24dac0de7dd73751005dc85a271a3f484bae125475808e
> encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
> anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
> src 172.16.20.13 dst 172.31.26.241
> proto esp spi 0xc1ce842f reqid 12 mode tunnel
> replay-window 32 flag af-unspec
> auth-trunc hmac(sha1) 0xa6e93c716c71a248b716bcdf5c9d0bbf2266d40f 96
> enc cbc(aes) 0xffbeff56638b45c0d94bd33b1dfe9ded84aad68866bf1d44e9f01dc2eecf0660
> encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
> anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
> 
> 
> 
