[strongSwan] VPN routing help

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Nov 27 13:26:09 CET 2019


Remove mark=%unique from your config.

On 27.11.19 at 13:15, Matt Frederick wrote:
> After pinging, there appears no change in iptables. That made me want to confirm that packets are arriving, which tcpdump did. -m
> 
> [root at ip-172-31-26-241 ec2-user]# iptables-save -c
> # Generated by iptables-save v1.4.21 on Wed Nov 27 12:13:18 2019
> *filter
> :INPUT ACCEPT [550:43431]
> :FORWARD ACCEPT [6:504]
> :OUTPUT ACCEPT [398:49293]
> [0:0] -A FORWARD -s 172.16.20.24/32 -d 172.31.18.117/32 -i eth0 -m policy --dir in --pol ipsec --reqid 15 --proto esp -j ACCEPT
> [0:0] -A FORWARD -s 172.31.18.117/32 -d 172.16.20.24/32 -o eth0 -m policy --dir out --pol ipsec --reqid 15 --proto esp -j ACCEPT
> COMMIT
> # Completed on Wed Nov 27 12:13:18 2019
> 
> [root at ip-172-31-26-241 ec2-user]# tcpdump icmp
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 12:13:40.530495 IP ip-172-31-18-117.us-east-2.compute.internal > ip-172-16-20-24.us-east-2.compute.internal: ICMP echo request, id 24471, seq 26, length 64
> 12:13:40.530539 IP ip-172-31-18-117.us-east-2.compute.internal > ip-172-16-20-24.us-east-2.compute.internal: ICMP echo request, id 24471, seq 26, length 64
> 
> 
> On Wed, Nov 27, 2019 at 6:11 AM Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
> 
>     Okay. After pinging, what's the output of `iptables-save -c`?
> 
>     On 27.11.19 at 13:03, Matt Frederick wrote:
>     > Hi - yes, I've reviewed that, and have disabled source checking on the VPN machines (and on all machines now, as a troubleshooting effort). thanks, matt
>     >
>     > On Wed, Nov 27, 2019 at 5:58 AM Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
>     >
>     >     Hello Matt,
>     >
>     >     Make sure you read and apply the information about cloud platforms[1] on the wiki.
>     >     If you don't apply the necessary settings, your use case will not work.
>     >
>     >     Kind regards
>     >
>     >     Noel
>     >
>     >     [1] https://wiki.strongswan.org/projects/strongswan/wiki/CloudPlatforms
>     >
>     >     On 27.11.19 at 12:55, Matt Frederick wrote:
>     >     > Hi Noel - Sorry again, you should find the requested output below, including sysctl, which are both '1'. I don't see routes in 220, but I'm not sure that routes are absolutely required there when using policy-based routing. thanks again, matt
>     >     >
>     >     > [root at ip-172-31-26-241 ec2-user]# ip address
>     >     > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>     >     >     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     >     >     inet 127.0.0.1/8 scope host lo
>     >     >        valid_lft forever preferred_lft forever
>     >     >     inet6 ::1/128 scope host
>     >     >        valid_lft forever preferred_lft forever
>     >     > 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
>     >     >     link/ether 06:c6:4f:70:11:96 brd ff:ff:ff:ff:ff:ff
>     >     >     inet 172.31.26.241/20 brd 172.31.31.255 scope global dynamic eth0
>     >     >        valid_lft 3175sec preferred_lft 3175sec
>     >     >     inet6 fe80::4c6:4fff:fe70:1196/64 scope link
>     >     >        valid_lft forever preferred_lft forever
>     >     >
>     >     > [root at ip-172-31-26-241 ec2-user]# ip rule
>     >     > 0:from all lookup local
>     >     > 220:from all lookup 220
>     >     > 32766:from all lookup main
>     >     > 32767:from all lookup default
>     >     >
>     >     > [root at ip-172-31-26-241 ec2-user]# ip route show table all
>     >     > default via 172.31.16.1 dev eth0
>     >     > 169.254.169.254 dev eth0
>     >     > 172.31.16.0/20 dev eth0 proto kernel scope link src 172.31.26.241
>     >     > broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
>     >     > local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
>     >     > local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
>     >     > broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
>     >     > broadcast 172.31.16.0 dev eth0 table local proto kernel scope link src 172.31.26.241
>     >     > local 172.31.26.241 dev eth0 table local proto kernel scope host src 172.31.26.241
>     >     > broadcast 172.31.31.255 dev eth0 table local proto kernel scope link src 172.31.26.241
>     >     > unreachable ::/96 dev lo metric 1024 error -113 pref medium
>     >     > unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113 pref medium
>     >     > unreachable 2002:a00::/24 dev lo metric 1024 error -113 pref medium
>     >     > unreachable 2002:7f00::/24 dev lo metric 1024 error -113 pref medium
>     >     > unreachable 2002:a9fe::/32 dev lo metric 1024 error -113 pref medium
>     >     > unreachable 2002:ac10::/28 dev lo metric 1024 error -113 pref medium
>     >     > unreachable 2002:c0a8::/32 dev lo metric 1024 error -113 pref medium
>     >     > unreachable 2002:e000::/19 dev lo metric 1024 error -113 pref medium
>     >     > unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113 pref medium
>     >     > fe80::/64 dev eth0 proto kernel metric 256 pref medium
>     >     > local ::1 dev lo table local proto kernel metric 0 pref medium
>     >     > local fe80::4c6:4fff:fe70:1196 dev eth0 table local proto kernel metric 0 pref medium
>     >     > ff00::/8 dev eth0 table local metric 256 pref medium
>     >     >
>     >     > [root at ip-172-31-26-241 ec2-user]# sysctl net.ipv4.ip_forward
>     >     > net.ipv4.ip_forward = 1
>     >     > [root at ip-172-31-26-241 ec2-user]# sysctl net.ipv4.conf.eth0.forwarding
>     >     > net.ipv4.conf.eth0.forwarding = 1
>     >     >
>     >     >
>     >     > [root at ip-172-31-26-241 ec2-user]# ipsec statusall
>     >     > Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.14.154-128.181.amzn2.x86_64, x86_64):
>     >     >   uptime: 44 hours, since Nov 25 14:59:23 2019
>     >     >   malloc: sbrk 2011136, mmap 0, used 1176864, free 834272
>     >     >   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
>     >     >   loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
>     >     > Listening IP addresses:
>     >     >   172.31.26.241
>     >     > Connections:
>     >     >     ec2test2:  172.31.26.241...172.16.20.13  IKEv2
>     >     >     ec2test2:   local:  [172.31.26.241] uses pre-shared key authentication
>     >     >     ec2test2:   remote: [172.16.20.13] uses pre-shared key authentication
>     >     >     ec2test2:   child:  172.31.18.117/32 === 172.16.20.24/32 TUNNEL
>     >     > Security Associations (1 up, 0 connecting):
>     >     >     ec2test2[11]: ESTABLISHED 7 seconds ago, 172.31.26.241[172.31.26.241]...172.16.20.13[172.16.20.13]
>     >     >     ec2test2[11]: IKEv2 SPIs: c4285827f6b01567_i* 9bcdcf09c27084f4_r, pre-shared key reauthentication in 7 hours
>     >     >     ec2test2[11]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
>     >     >     ec2test2{103}:  INSTALLED, TUNNEL, reqid 15, ESP in UDP SPIs: c46e6396_i cf7f1d99_o
>     >     >     ec2test2{103}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 41 minutes
>     >     >     ec2test2{103}:   172.31.18.117/32 === 172.16.20.24/32
>     >     >
>     >     >
>     >     > conn ec2test2
>     >     >         right=172.16.20.13
>     >     >         left=172.31.26.241
>     >     >         leftfirewall=yes
>     >     >         rightsubnet=172.16.20.24/32
>     >     >         leftsubnet=172.31.18.117/32
>     >     >         rightfirewall=yes
>     >     >         ike=aes256-sha1-modp1536!
>     >     >         keyexchange=ikev2
>     >     >         ikelifetime=28800s
>     >     >         esp=aes256-sha1-modp1536!
>     >     >         keylife=3600s
>     >     >         rekeymargin=540s
>     >     >         type=tunnel
>     >     >         compress=no
>     >     >         authby=secret
>     >     >         mark=%unique
>     >     >         auto=start
>     >     >         keyingtries=%forever
>     >     >         forceencaps=yes
>     >     >         mobike=no
>     >     >
>     >     >
>     >     >
>     >     > On Wed, Nov 27, 2019 at 5:39 AM Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
>     >     >
>     >     >     Hello Matt,
>     >     >
>     >     >     That's still lacking the output of `ip address`, `ip rule` and `ip route show table all`.
>     >     >     Anyway, make sure forwarding is enabled on both hosts via `sysctl net.ipv4.ip_forward`
>     >     >     and for the interfaces involved `sysctl net.ipv4.conf.<interface>.forwarding`.
>     >     >     The values have to be set to 1.
>     >     >
>     >     >     Kind regards
>     >     >
>     >     >     Noel
>     >     >
>     >     >     On 27.11.19 at 12:32, Matt Frederick wrote:
>     >     >     > Hello, thanks for your reply. My apologies, please see firewall config below. Regarding the TS, it does define the two hosts I would like to connect over VPN. Currently I'm not trying to add networks; simply ping 172.16.20.24 from 172.31.18.117. I appreciate your help, matt
>     >     >     >
>     >     >     > # Generated by iptables-save v1.4.21 on Wed Nov 27 11:22:57 2019
>     >     >     > *filter
>     >     >     > :INPUT ACCEPT [2199:206359]
>     >     >     > :FORWARD ACCEPT [0:0]
>     >     >     > :OUTPUT ACCEPT [2080:231588]
>     >     >     > -A FORWARD -s 172.16.20.24/32 -d 172.31.18.117/32 -i eth0 -m policy --dir in --pol ipsec --reqid 14 --proto esp -j ACCEPT
>     >     >     > -A FORWARD -s 172.31.18.117/32 -d 172.16.20.24/32 -o eth0 -m policy --dir out --pol ipsec --reqid 14 --proto esp -j ACCEPT
>     >     >     > COMMIT
>     >     >     >
>     >     >     >
>     >     >     > [root at ip-172-31-26-241 ec2-user]# ip xfrm pol
>     >     >     > src 172.31.18.117/32 dst 172.16.20.24/32
>     >     >     >         dir out priority 367231 ptype main
>     >     >     >         mark 0xe/0xffffffff
>     >     >     >         tmpl src 172.31.26.241 dst 172.16.20.13
>     >     >     >                 proto esp spi 0xc41b426a reqid 14 mode tunnel
>     >     >     > src 172.16.20.24/32 dst 172.31.18.117/32
>     >     >     >         dir fwd priority 367231 ptype main
>     >     >     >         mark 0xe/0xffffffff
>     >     >     >         tmpl src 172.16.20.13 dst 172.31.26.241
>     >     >     >                 proto esp reqid 14 mode tunnel
>     >     >     > src 172.16.20.24/32 dst 172.31.18.117/32
>     >     >     >         dir in priority 367231 ptype main
>     >     >     >         mark 0xe/0xffffffff
>     >     >     >         tmpl src 172.16.20.13 dst 172.31.26.241
>     >     >     >                 proto esp reqid 14 mode tunnel
>     >     >     >
>     >     >     > Security Associations (1 up, 0 connecting):
>     >     >     >     ec2test2[10]: ESTABLISHED 5 hours ago, 172.31.26.241[172.31.26.241]...172.16.20.13[172.16.20.13]
>     >     >     >     ec2test2[10]: IKEv2 SPIs: 17e28b4e6d4717f3_i* d5c2d25c083280be_r, pre-shared key reauthentication in 2 hours
>     >     >     >     ec2test2[10]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
>     >     >     >     ec2test2{101}:  INSTALLED, TUNNEL, reqid 14, ESP in UDP SPIs: ccf32809_i c41b426a_o
>     >     >     >     ec2test2{101}:  AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, rekeying in 4 minutes
>     >     >     >     ec2test2{101}:   172.31.18.117/32 === 172.16.20.24/32
>     >     >     >
>     >     >     >
>     >     >     >
>     >     >     > On Wed, Nov 27, 2019 at 1:43 AM Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
>     >     >     >
>     >     >     >     Hello Matt,
>     >     >     >
>     >     >     >     >     ec2test2{73}:   172.31.18.117/32 === 172.16.20.24/32
>     >     >     >     Your TS only allows traffic between the IPs on the two hosts. To allow traffic between other subnets, they need to be included in the TS.
>     >     >     >
>     >     >     >     Also, please use the exact commands as shown on the HelpRequests[1] page to get useful debugging data.
>     >     >     >     iptables -L or -S isn't useful.
>     >     >     >
>     >     >     >     Kind regards
>     >     >     >
>     >     >     >     Noel
>     >     >     >
>     >     >     >     [1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
>     >     >     >
>     >     >     >     On 26.11.19 at 16:46, Matt Frederick wrote:
>     >     >     >     >
>     >     >     >     > Hi, I'm looking for some help with a VPN I have set up. This VPN connects two AWS VPCs, and is a learning opportunity for me, in preparation for a larger project next year.
>     >     >     >     >
>     >     >     >     > In this case, I have 4 computers, two being strongswan boxes, with two client machines. The layout is such:
>     >     >     >     >
>     >     >     >     > 172.16.20.24 <=> 172.16.20.13 <=> 172.31.26.241 <=> 172.31.18.117
>     >     >     >     >
>     >     >     >     > where 172.16.20.13 and 172.31.26.241 are strongswan boxes, with an IPSec tunnel between them. 172.16.20.24 and 172.16.20.13 can ping each other, and 172.31.26.241 and 172.31.18.117 can ping each other.
>     >     >     >     >
>     >     >     >     > 172.16.20.24 attempts to ping 172.31.18.117 over the tunnel.
>     >     >     >     >
>     >     >     >     > Currently, routing between the VPCs is limited to the strongswan boxes, to ensure that the client traffic traverses the tunnel.
>     >     >     >     >
>     >     >     >     > For this test, client machines are statically routing the target machine to the VPN machines, and when I ping from 18.117 to 20.24, I see the packet (twice in tcpdump) at 26.241, but it does not see traffic on the VPN, nor on the receiving side.
>     >     >     >     >
>     >     >     >     > thanks in advance, m
>     >     >     >     >
>     >     >     >     > All seems well, and the tunnels come up (conn ec2test2):
>     >     >     >     >
>     >     >     >     > Connections:
>     >     >     >     >     ec2test2:  172.31.26.241...172.16.20.13  IKEv2
>     >     >     >     >     ec2test2:   local:  [172.31.26.241] uses pre-shared key authentication
>     >     >     >     >     ec2test2:   remote: [172.16.20.13] uses pre-shared key authentication
>     >     >     >     >     ec2test2:   child:  172.31.18.117/32 === 172.16.20.24/32 TUNNEL
>     >     >     >     > Security Associations (1 up, 0 connecting):
>     >     >     >     >     ec2test2[8]: ESTABLISHED 23 seconds ago, 172.31.26.241[172.31.26.241]...172.16.20.13[172.16.20.13]
>     >     >     >     >     ec2test2[8]: IKEv2 SPIs: e048424b128299d7_i* 5790cae7fadc96ff_r, pre-shared key reauthentication in 7 hours
>     >     >     >     >     ec2test2[8]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
>     >     >     >     >     ec2test2{73}:  INSTALLED, TUNNEL, reqid 12, ESP in UDP SPIs: c1ce842f_i cc636877_o
>     >     >     >     >     ec2test2{73}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 43 minutes
>     >     >     >     >     ec2test2{73}:   172.31.18.117/32 === 172.16.20.24/32
>     >     >     >     >
>     >     >     >     > ipsec.conf:
>     >     >     >     > conn ec2test2
>     >     >     >     >         right=172.16.20.13
>     >     >     >     >         left=172.31.26.241
>     >     >     >     >         leftfirewall=yes
>     >     >     >     >         rightsubnet=172.16.20.24/32
>     >     >     >     >         leftsubnet=172.31.18.117/32
>     >     >     >     >         rightfirewall=yes
>     >     >     >     >         ike=aes256-sha1-modp1536!
>     >     >     >     >         keyexchange=ikev2
>     >     >     >     >         ikelifetime=28800s
>     >     >     >     >         esp=aes256-sha1-modp1536!
>     >     >     >     >         keylife=3600s
>     >     >     >     >         rekeymargin=540s
>     >     >     >     >         type=tunnel
>     >     >     >     >         compress=no
>     >     >     >     >         authby=secret
>     >     >     >     >         mark=%unique
>     >     >     >     >         auto=start
>     >     >     >     >         keyingtries=%forever
>     >     >     >     >         forceencaps=yes
>     >     >     >     >         mobike=no
>     >     >     >     >
>     >     >     >     >
>     >     >     >     > firewall rules seem ok (they are added by strongswan):
>     >     >     >     > [root at ip-172-31-26-241 ec2-user]# iptables -S
>     >     >     >     > -P INPUT ACCEPT
>     >     >     >     > -P FORWARD ACCEPT
>     >     >     >     > -P OUTPUT ACCEPT
>     >     >     >     > -A FORWARD -s 172.16.20.24/32 -d 172.31.18.117/32 -i eth0 -m policy --dir in --pol ipsec --reqid 12 --proto esp -j ACCEPT
>     >     >     >     > -A FORWARD -s 172.31.18.117/32 -d 172.16.20.24/32 -o eth0 -m policy --dir out --pol ipsec --reqid 12 --proto esp -j ACCEPT
>     >     >     >     >
>     >     >     >     > [root at ip-172-31-26-241 ec2-user]# ip xfrm pol
>     >     >     >     > src 172.31.18.117/32 dst 172.16.20.24/32
>     >     >     >     >         dir out priority 367231 ptype main
>     >     >     >     >         mark 0xc/0xffffffff
>     >     >     >     >         tmpl src 172.31.26.241 dst 172.16.20.13
>     >     >     >     >                 proto esp spi 0xcc636877 reqid 12 mode tunnel
>     >     >     >     > src 172.16.20.24/32 dst 172.31.18.117/32
>     >     >     >     >         dir fwd priority 367231 ptype main
>     >     >     >     >         mark 0xc/0xffffffff
>     >     >     >     >         tmpl src 172.16.20.13 dst 172.31.26.241
>     >     >     >     >                 proto esp reqid 12 mode tunnel
>     >     >     >     > src 172.16.20.24/32 dst 172.31.18.117/32
>     >     >     >     >         dir in priority 367231 ptype main
>     >     >     >     >         mark 0xc/0xffffffff
>     >     >     >     >         tmpl src 172.16.20.13 dst 172.31.26.241
>     >     >     >     >                 proto esp reqid 12 mode tunnel
>     >     >     >     > src 0.0.0.0/0 dst 0.0.0.0/0
>     >     >     >     >         socket in priority 0 ptype main
>     >     >     >     > src 0.0.0.0/0 dst 0.0.0.0/0
>     >     >     >     >         socket out priority 0 ptype main
>     >     >     >     > src 0.0.0.0/0 dst 0.0.0.0/0
>     >     >     >     >         socket in priority 0 ptype main
>     >     >     >     > src 0.0.0.0/0 dst 0.0.0.0/0
>     >     >     >     >         socket out priority 0 ptype main
>     >     >     >     > src ::/0 dst ::/0
>     >     >     >     >         socket in priority 0 ptype main
>     >     >     >     > src ::/0 dst ::/0
>     >     >     >     >         socket out priority 0 ptype main
>     >     >     >     > src ::/0 dst ::/0
>     >     >     >     >         socket in priority 0 ptype main
>     >     >     >     > src ::/0 dst ::/0
>     >     >     >     >         socket out priority 0 ptype main
>     >     >     >     >
>     >     >     >     > [root at ip-172-31-26-241 ec2-user]# ip xfrm state
>     >     >     >     > src 172.31.26.241 dst 172.16.20.13
>     >     >     >     > proto esp spi 0xcc636877 reqid 12 mode tunnel
>     >     >     >     > replay-window 0 flag af-unspec
>     >     >     >     > mark 0xc/0xffffffff
>     >     >     >     > auth-trunc hmac(sha1) 0xf323a6acb5a1517bba18285fa54a3d51e237a4de 96
>     >     >     >     > enc cbc(aes) 0xccb4bea13f0bf1a8fa24dac0de7dd73751005dc85a271a3f484bae125475808e
>     >     >     >     > encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
>     >     >     >     > anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
>     >     >     >     > src 172.16.20.13 dst 172.31.26.241
>     >     >     >     > proto esp spi 0xc1ce842f reqid 12 mode tunnel
>     >     >     >     > replay-window 32 flag af-unspec
>     >     >     >     > auth-trunc hmac(sha1) 0xa6e93c716c71a248b716bcdf5c9d0bbf2266d40f 96
>     >     >     >     > enc cbc(aes) 0xffbeff56638b45c0d94bd33b1dfe9ded84aad68866bf1d44e9f01dc2eecf0660
>     >     >     >     > encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
>     >     >     >     > anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
>     >     >     >     >
>     >     >     >
>     >     >
>     >
> 
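Noel's one-line answer rests on how the Linux kernel matches xfrm policies. With mark=%unique, strongSwan installs every policy with a mark (0xe/0xffffffff and 0xc/0xffffffff in the `ip xfrm pol` output quoted above), and a policy only applies to packets whose own fwmark matches that value under the mask. A ping forwarded from the client carries mark 0 unless a mangle rule or a VTI/XFRM interface sets one, so it misses the `out` policy and is routed in the clear. That is consistent with what the thread shows: the `-m policy` counters in `iptables-save -c` stay at [0:0], and tcpdump on the gateway sees the plaintext ICMP echo request rather than ESP. The script below is an added example, not code from the thread or from the strongSwan project; it parses constructed copies of the `ip xfrm pol` and `iptables-save -c` outputs above and reports whether an unmarked forwarded packet would be tunnelled, before and after the mark is removed. The helper names (`parse_xfrm_policies`, `diagnose`, `idle_policy_rules`) and the sample texts are the example's own.

```python
"""Added example: why unmarked forwarded traffic misses marked xfrm policies.

The sample texts are constructed from the outputs quoted in the thread; the
helper names are this example's own, not strongSwan's.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample: policies as installed with mark=%unique (mark 0xe on each).
XFRM_POLICY_MARKED = """\
src 172.31.18.117/32 dst 172.16.20.24/32
    dir out priority 367231 ptype main
    mark 0xe/0xffffffff
    tmpl src 172.31.26.241 dst 172.16.20.13
        proto esp spi 0xc41b426a reqid 14 mode tunnel
src 172.16.20.24/32 dst 172.31.18.117/32
    dir fwd priority 367231 ptype main
    mark 0xe/0xffffffff
    tmpl src 172.16.20.13 dst 172.31.26.241
        proto esp reqid 14 mode tunnel
src 172.16.20.24/32 dst 172.31.18.117/32
    dir in priority 367231 ptype main
    mark 0xe/0xffffffff
    tmpl src 172.16.20.13 dst 172.31.26.241
        proto esp reqid 14 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
"""

# Constructed sample: the out policy after mark=%unique is removed (no mark line).
XFRM_POLICY_UNMARKED = """\
src 172.31.18.117/32 dst 172.16.20.24/32
    dir out priority 367231 ptype main
    tmpl src 172.31.26.241 dst 172.16.20.13
        proto esp spi 0xc41b426a reqid 14 mode tunnel
"""

# Constructed sample: the policy-match rules from iptables-save -c, counters still zero.
IPTABLES_SAVE = """\
[0:0] -A FORWARD -s 172.16.20.24/32 -d 172.31.18.117/32 -i eth0 -m policy --dir in --pol ipsec --reqid 15 --proto esp -j ACCEPT
[0:0] -A FORWARD -s 172.31.18.117/32 -d 172.16.20.24/32 -o eth0 -m policy --dir out --pol ipsec --reqid 15 --proto esp -j ACCEPT
"""


@dataclass
class XfrmPolicy:
    src: str
    dst: str
    direction: str = ""      # "in", "out", "fwd", "socket in" or "socket out"
    mark: int = 0            # mark value a packet must carry under `mask`;
    mask: int = 0            # mask 0 means the policy ignores the mark
    reqid: Optional[int] = None


def parse_xfrm_policies(text: str) -> List[XfrmPolicy]:
    """Parse `ip xfrm policy` output; each record starts with a 'src ... dst ...' line."""
    policies: List[XfrmPolicy] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("src "):
            m = re.match(r"src (\S+) dst (\S+)", line)
            policies.append(XfrmPolicy(src=m.group(1), dst=m.group(2)))
        elif not policies:
            continue
        elif line.startswith("dir "):
            policies[-1].direction = line.split()[1]
        elif line.startswith("socket "):
            policies[-1].direction = "socket " + line.split()[1]
        elif line.startswith("mark "):
            value, mask = line.split()[1].split("/")
            policies[-1].mark, policies[-1].mask = int(value, 16), int(mask, 16)
        elif line.startswith("proto "):
            m = re.search(r"reqid (\d+)", line)
            if m:
                policies[-1].reqid = int(m.group(1))
    return policies


def covers(policy: XfrmPolicy, src: str, dst: str) -> bool:
    return (ip_address(src) in ip_network(policy.src, strict=False)
            and ip_address(dst) in ip_network(policy.dst, strict=False))


def mark_matches(policy: XfrmPolicy, pkt_mark: int) -> bool:
    """Kernel rule: the policy applies only if (pkt_mark & mask) == (mark & mask)."""
    return (pkt_mark & policy.mask) == (policy.mark & policy.mask)


def diagnose(policies: List[XfrmPolicy], src: str, dst: str,
             pkt_mark: int = 0) -> Tuple[bool, List[str]]:
    """Return (tunnelled, messages) for a forwarded packet src->dst carrying pkt_mark."""
    messages: List[str] = []
    outbound = [p for p in policies if p.direction == "out" and covers(p, src, dst)]
    if not outbound:
        messages.append(f"no out policy covers {src} -> {dst}: check leftsubnet/rightsubnet")
        return False, messages
    tunnelled = False
    for p in outbound:
        if mark_matches(p, pkt_mark):
            tunnelled = True
            messages.append(f"out policy reqid {p.reqid} matches a packet with mark 0x{pkt_mark:x}")
        else:
            messages.append(f"out policy reqid {p.reqid} requires mark 0x{p.mark:x}/0x{p.mask:x} "
                            f"but the packet carries 0x{pkt_mark:x}: it is routed in the clear")
    return tunnelled, messages


def idle_policy_rules(iptables_save_text: str) -> List[int]:
    """Return reqids of '-m policy' rules whose packet counter in iptables-save -c is still 0."""
    rule = re.compile(r"^\[(\d+):\d+\] -A \S+ .*-m policy .*--reqid (\d+)")
    return [int(m.group(2)) for m in (rule.match(l.strip()) for l in iptables_save_text.splitlines())
            if m and int(m.group(1)) == 0]


if __name__ == "__main__":
    marked = parse_xfrm_policies(XFRM_POLICY_MARKED)
    for msg in diagnose(marked, "172.31.18.117", "172.16.20.24")[1]:
        print(msg)
    print("policy rules never hit (reqid):", idle_policy_rules(IPTABLES_SAVE))
    print("tunnelled after removing mark=%unique:",
          diagnose(parse_xfrm_policies(XFRM_POLICY_UNMARKED), "172.31.18.117", "172.16.20.24")[0])
```

Run against the marked policies, `diagnose` reports that the `out` policy requires mark 0xe while the client's packet carries 0, and `idle_policy_rules` lists reqid 15 twice because neither `-m policy` rule has matched a packet; with the unmarked policy the same packet is tunnelled. Marks are only useful when something on the host actually sets them (an iptables/nftables mangle rule or a route-based setup with a VTI/XFRM interface), which is why removing mark=%unique is the right fix for a plain policy-based tunnel.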
