[strongSwan] VPN routing help

Matt Frederick matt at mpirik.com
Wed Nov 27 12:32:47 CET 2019


Hello, thanks for your reply. My apologies, please see firewall config
below. Regarding the TS, it does define the two hosts I would like to
connect over VPN. Currently I'm not trying to add networks; simply ping
172.16.20.24 from 172.31.18.117. I appreciate your help, matt

# Generated by iptables-save v1.4.21 on Wed Nov 27 11:22:57 2019
*filter
:INPUT ACCEPT [2199:206359]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2080:231588]
-A FORWARD -s 172.16.20.24/32 -d 172.31.18.117/32 -i eth0 -m policy --dir in --pol ipsec --reqid 14 --proto esp -j ACCEPT
-A FORWARD -s 172.31.18.117/32 -d 172.16.20.24/32 -o eth0 -m policy --dir out --pol ipsec --reqid 14 --proto esp -j ACCEPT
COMMIT


[root at ip-172-31-26-241 ec2-user]# ip xfrm pol
src 172.31.18.117/32 dst 172.16.20.24/32
    dir out priority 367231 ptype main
    mark 0xe/0xffffffff
    tmpl src 172.31.26.241 dst 172.16.20.13
        proto esp spi 0xc41b426a reqid 14 mode tunnel
src 172.16.20.24/32 dst 172.31.18.117/32
    dir fwd priority 367231 ptype main
    mark 0xe/0xffffffff
    tmpl src 172.16.20.13 dst 172.31.26.241
        proto esp reqid 14 mode tunnel
src 172.16.20.24/32 dst 172.31.18.117/32
    dir in priority 367231 ptype main
    mark 0xe/0xffffffff
    tmpl src 172.16.20.13 dst 172.31.26.241
        proto esp reqid 14 mode tunnel


Security Associations (1 up, 0 connecting):
    ec2test2[10]: ESTABLISHED 5 hours ago, 172.31.26.241[172.31.26.241]...172.16.20.13[172.16.20.13]
    ec2test2[10]: IKEv2 SPIs: 17e28b4e6d4717f3_i* d5c2d25c083280be_r, pre-shared key reauthentication in 2 hours
    ec2test2[10]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
    ec2test2{101}:  INSTALLED, TUNNEL, reqid 14, ESP in UDP SPIs: ccf32809_i c41b426a_o
    ec2test2{101}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, rekeying in 4 minutes
    ec2test2{101}:   172.31.18.117/32 === 172.16.20.24/32



On Wed, Nov 27, 2019 at 1:43 AM Noel Kuntze
<noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:

> Hello Matt,
>
> >     ec2test2{73}:   172.31.18.117/32 === 172.16.20.24/32
> Your TS only allows traffic between the IPs on the two hosts. To allow
> traffic between other subnets, they need to be included in the TS.
>
> Also, please use the exact commands as shown on the HelpRequests[1] page
> to get useful debugging data.
> iptables -L or -S isn't useful.
>
> Kind regards
>
> Noel
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
>
> Am 26.11.19 um 16:46 schrieb Matt Frederick:
> >
> > Hi, I'm looking for some help with a VPN I have set up. This VPN
> connects two AWS VPCs, and is a learning opportunity for me, in preparation
> for a larger project next year.
> >
> > In this case, I have 4 computers, two being strongswan boxes, with two
> client machines. The layout is as follows:
> >
> > 172.16.20.24 <=> 172.16.20.13 <=> 172.31.26.241 <=> 172.31.18.117
> >
> > where 172.16.20.13 and 172.31.26.241 are strongswan boxes, with an IPSec
> tunnel between them. 172.16.20.24 and 172.16.20.13 can ping each other, and
> 172.31.26.241 and 172.31.18.117 can ping each other.
> >
> > 172.16.20.24 attempts to ping 172.31.18.117 over the tunnel.
> >
> > Currently, routing between the VPCs is limited to the strongswan boxes,
> to ensure that the client traffic traverses the tunnel.
> >
> > For this test, client machines are statically routing the target machine
> to the VPN machines, and when I ping from 18.117 to 20.24, I see the packet
> (twice in tcpdump) at 26.241, but it does not see traffic on the VPN, nor
> on the receiving side.
> >
> > thanks in advance, m
> >
> > All seems well, and the tunnels come up (conn ec2test2):
> >
> > Connections:
> >     ec2test2:  172.31.26.241...172.16.20.13  IKEv2
> >     ec2test2:   local:  [172.31.26.241] uses pre-shared key authentication
> >     ec2test2:   remote: [172.16.20.13] uses pre-shared key authentication
> >     ec2test2:   child:  172.31.18.117/32 === 172.16.20.24/32 TUNNEL
> > Security Associations (1 up, 0 connecting):
> >     ec2test2[8]: ESTABLISHED 23 seconds ago, 172.31.26.241[172.31.26.241]...172.16.20.13[172.16.20.13]
> >     ec2test2[8]: IKEv2 SPIs: e048424b128299d7_i* 5790cae7fadc96ff_r, pre-shared key reauthentication in 7 hours
> >     ec2test2[8]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
> >     ec2test2{73}:  INSTALLED, TUNNEL, reqid 12, ESP in UDP SPIs: c1ce842f_i cc636877_o
> >     ec2test2{73}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 43 minutes
> >     ec2test2{73}:   172.31.18.117/32 === 172.16.20.24/32
> >
> > ipsec.conf:
> > conn ec2test2
> >         right=172.16.20.13
> >         left=172.31.26.241
> >         leftfirewall=yes
> >         rightsubnet=172.16.20.24/32
> >         leftsubnet=172.31.18.117/32
> >         rightfirewall=yes
> >         ike=aes256-sha1-modp1536!
> >         keyexchange=ikev2
> >         ikelifetime=28800s
> >         esp=aes256-sha1-modp1536!
> >         keylife=3600s
> >         rekeymargin=540s
> >         type=tunnel
> >         compress=no
> >         authby=secret
> >         mark=%unique
> >         auto=start
> >         keyingtries=%forever
> >         forceencaps=yes
> >         mobike=no
> >
> >
> > firewall rules seem ok (they are added by strongswan):
> > [root at ip-172-31-26-241 ec2-user]# iptables -S
> > -P INPUT ACCEPT
> > -P FORWARD ACCEPT
> > -P OUTPUT ACCEPT
> > -A FORWARD -s 172.16.20.24/32 -d 172.31.18.117/32 -i eth0 -m policy --dir in --pol ipsec --reqid 12 --proto esp -j ACCEPT
> > -A FORWARD -s 172.31.18.117/32 -d 172.16.20.24/32 -o eth0 -m policy --dir out --pol ipsec --reqid 12 --proto esp -j ACCEPT
> >
> > [root at ip-172-31-26-241 ec2-user]# ip xfrm pol
> > src 172.31.18.117/32 dst 172.16.20.24/32
> >     dir out priority 367231 ptype main
> >     mark 0xc/0xffffffff
> >     tmpl src 172.31.26.241 dst 172.16.20.13
> >         proto esp spi 0xcc636877 reqid 12 mode tunnel
> > src 172.16.20.24/32 dst 172.31.18.117/32
> >     dir fwd priority 367231 ptype main
> >     mark 0xc/0xffffffff
> >     tmpl src 172.16.20.13 dst 172.31.26.241
> >         proto esp reqid 12 mode tunnel
> > src 172.16.20.24/32 dst 172.31.18.117/32
> >     dir in priority 367231 ptype main
> >     mark 0xc/0xffffffff
> >     tmpl src 172.16.20.13 dst 172.31.26.241
> >         proto esp reqid 12 mode tunnel
> > src 0.0.0.0/0 dst 0.0.0.0/0
> >     socket in priority 0 ptype main
> > src 0.0.0.0/0 dst 0.0.0.0/0
> >     socket out priority 0 ptype main
> > src 0.0.0.0/0 dst 0.0.0.0/0
> >     socket in priority 0 ptype main
> > src 0.0.0.0/0 dst 0.0.0.0/0
> >     socket out priority 0 ptype main
> > src ::/0 dst ::/0
> >     socket in priority 0 ptype main
> > src ::/0 dst ::/0
> >     socket out priority 0 ptype main
> > src ::/0 dst ::/0
> >     socket in priority 0 ptype main
> > src ::/0 dst ::/0
> >     socket out priority 0 ptype main
> >
> > [root at ip-172-31-26-241 ec2-user]# ip xfrm state
> > src 172.31.26.241 dst 172.16.20.13
> >     proto esp spi 0xcc636877 reqid 12 mode tunnel
> >     replay-window 0 flag af-unspec
> >     mark 0xc/0xffffffff
> >     auth-trunc hmac(sha1) 0xf323a6acb5a1517bba18285fa54a3d51e237a4de 96
> >     enc cbc(aes) 0xccb4bea13f0bf1a8fa24dac0de7dd73751005dc85a271a3f484bae125475808e
> >     encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
> >     anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
> > src 172.16.20.13 dst 172.31.26.241
> >     proto esp spi 0xc1ce842f reqid 12 mode tunnel
> >     replay-window 32 flag af-unspec
> >     auth-trunc hmac(sha1) 0xa6e93c716c71a248b716bcdf5c9d0bbf2266d40f 96
> >     enc cbc(aes) 0xffbeff56638b45c0d94bd33b1dfe9ded84aad68866bf1d44e9f01dc2eecf0660
> >     encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
> >     anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
> >
> >
> >
> > *Confidentiality and Privacy Notice: *Information transmitted by this
> email is proprietary to [m]pirik and is intended for use only by the
> individual or entity to which it is addressed, and may contain information
> that is private, privileged, confidential or exempt from disclosure under
> applicable law. All personal messages express views solely of the sender,
> are not to be attributed to [m]pirik, and may not be copied or distributed
> without this disclaimer. If you are not the intended recipient or it
> appears that this mail has been forwarded to you without proper authority,
> you are notified that any use or dissemination of this information in any
> manner is strictly prohibited. In such cases, please delete this mail from
> your records.
> >
>
>

-- 

Matthew Frederick

matt at mpirik.com

W +414.220.4384

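One check worth running on the gateway when a flow matches the traffic selector but never enters the tunnel: the xfrm policies Matt posted carry a mark (0xc in the first mail, 0xe after the rekey; with mark=%unique strongSwan assigns each CHILD_SA its own mark), and the kernel only applies a marked policy to a packet whose fwmark, after masking, equals the policy's mark value. The following is an added example, not code from the thread or from strongSwan: a small Python checker that parses `ip xfrm policy` output in the shape shown above and reports, for a given src/dst/direction/fwmark, which policy would match or why none does. The SAMPLE_XFRM_POLICY text is constructed to mirror the reply's output; the function names are mine.

```python
"""Check which Linux xfrm policy a plaintext flow would hit.

Parses the text printed by `ip xfrm policy` and answers: for a packet
src -> dst in a given direction carrying a given fwmark, which policy
matches, and if none, whether the selector or the mark is the reason.
"""
import ipaddress
import re

# Constructed sample: the three tunnel policies from the reply (mark 0xe,
# reqid 14) plus one of the catch-all socket policies `ip xfrm policy`
# also prints. Not a live capture.
SAMPLE_XFRM_POLICY = """\
src 172.31.18.117/32 dst 172.16.20.24/32
    dir out priority 367231 ptype main
    mark 0xe/0xffffffff
    tmpl src 172.31.26.241 dst 172.16.20.13
        proto esp spi 0xc41b426a reqid 14 mode tunnel
src 172.16.20.24/32 dst 172.31.18.117/32
    dir fwd priority 367231 ptype main
    mark 0xe/0xffffffff
    tmpl src 172.16.20.13 dst 172.31.26.241
        proto esp reqid 14 mode tunnel
src 172.16.20.24/32 dst 172.31.18.117/32
    dir in priority 367231 ptype main
    mark 0xe/0xffffffff
    tmpl src 172.16.20.13 dst 172.31.26.241
        proto esp reqid 14 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
"""


def parse_policies(text):
    """Turn `ip xfrm policy` output into a list of dicts, one per policy."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"src (\S+) dst (\S+)$", line)
        if m:  # a new policy starts with its selector
            cur = {"src": ipaddress.ip_network(m.group(1)),
                   "dst": ipaddress.ip_network(m.group(2)),
                   "dir": None, "priority": None,
                   "mark": (0, 0),  # (value, mask); 0/0 means unmarked
                   "reqid": None, "mode": None}
            policies.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"(dir|socket) (\w+) priority (\d+)", line)
        if m:
            kind, d, prio = m.groups()
            cur["dir"] = d if kind == "dir" else "socket " + d
            cur["priority"] = int(prio)
            continue
        m = re.match(r"mark (0x[0-9a-fA-F]+)/(0x[0-9a-fA-F]+)", line)
        if m:
            cur["mark"] = (int(m.group(1), 16), int(m.group(2), 16))
            continue
        m = re.search(r"proto \w+ .*?reqid (\d+) mode (\w+)", line)
        if m:  # template line: reqid ties the policy to its SA
            cur["reqid"], cur["mode"] = int(m.group(1)), m.group(2)
    return policies


def match_policy(policies, src, dst, direction, mark=0):
    """Policy the kernel would pick: the selector must cover src/dst for
    this direction and (mark & mask) == value. Lowest priority number wins.
    Socket policies have their own direction names and never match here."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies
            if p["dir"] == direction
            and src in p["src"] and dst in p["dst"]
            and (mark & p["mark"][1]) == p["mark"][0]]
    return min(hits, key=lambda p: p["priority"]) if hits else None


def diagnose(text, src, dst, direction, mark=0):
    """Human-readable verdict for one flow."""
    policies = parse_policies(text)
    hit = match_policy(policies, src, dst, direction, mark)
    if hit:
        return (f"match: dir {hit['dir']} reqid {hit['reqid']} "
                f"mode {hit['mode']} mark {hit['mark'][0]:#x}")
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    by_selector = [p for p in policies
                   if p["dir"] == direction and s in p["src"] and d in p["dst"]]
    if by_selector:  # selector fits, so the mark is what kept it out
        p = by_selector[0]
        return (f"no match: selector fits reqid {p['reqid']} but policy needs "
                f"mark {p['mark'][0]:#x}/{p['mark'][1]:#x}, packet has {mark:#x}")
    return "no match: no policy selector covers this src/dst in this direction"


if __name__ == "__main__":
    # The ping from the thread with the mark the policy expects, the same
    # ping unmarked, and a host the /32 traffic selector does not cover.
    for args in (("172.31.18.117", "172.16.20.24", "out", 0xe),
                 ("172.31.18.117", "172.16.20.24", "out", 0),
                 ("172.31.18.200", "172.16.20.24", "out", 0xe)):
        print(args, "->", diagnose(SAMPLE_XFRM_POLICY, *args))
```

On a live gateway, feed the real output in with `parse_policies(subprocess.check_output(["ip", "xfrm", "policy"], text=True))` and pass the fwmark your netfilter rules set (0 if none). A flow that fails on the mark line is the case a per-CHILD_SA mark creates: the plaintext packet must be marked before the policy lookup or it falls through to ordinary routing, and tcpdump then shows it leaving in the clear rather than as ESP.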
