[strongSwan] Problem with tunnel half-working

Bertucci Roberto Roberto.Bertucci at itdsolutions.it
Thu Oct 31 14:06:28 CET 2019


Thank you for your answer; here is the requested output.

# Generated by iptables-save v1.8.3 on Thu Oct 31 13:05:37 2019
*nat
:PREROUTING ACCEPT [4751:549595]
:INPUT ACCEPT [2337:146691]
:OUTPUT ACCEPT [156:11302]
:POSTROUTING ACCEPT [29:2308]
-A POSTROUTING -o ens3 -j MASQUERADE
COMMIT
# Completed on Thu Oct 31 13:05:37 2019
# Generated by iptables-save v1.8.3 on Thu Oct 31 13:05:37 2019
*filter
:INPUT ACCEPT [2260:129224]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [111797:10736526]
-A INPUT -i lo -j ACCEPT
-A INPUT -i ens4 -j ACCEPT
-A INPUT -i ens3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ens4 -o ens3 -j ACCEPT
-A FORWARD -i ens3 -o ens4 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Oct 31 13:05:37 2019



On 31/10/19, 13:35, "Noel Kuntze" <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:

    Hello Roberto,
    
    Please provide the output of `iptables-save`.
    
    Kind regards
    
    Noel
    
    On 30.10.19 at 23:46, Bertucci Roberto wrote:
    > Hello, I have a problem with an s2s VPN between StrongSwan and Cisco ASA.
    >
    > Site A is the one with StrongSwan server and Site B is the one with ASA.
    >
    > Site A is Ubuntu 19.10
    >
    > IPsec tunnel comes up and stays up nicely.
    >
    > Site A internal network is 10.0.1.0/24 – external network is 10.0.0.0/24 and the gateway router NATs with YYY.YYY.YYY.YYY address.
    >
    > Site B internal network is 192.168.0.0/23
    >
    > This ping works:
    >
    > 192.168.1.XXX -> 10.0.1.YYYY
    >
    > This ping does not work:
    >
    > 10.0.1.YYYY -> 192.168.1.XXX
    >
    > If I try a traceroute from 10.0.1 to 192.168.1, it seems that packets are routed through internet connection and not through tunnel.
    >
    > These are configuration and system status of StrongSwan server.
    >
    > ==== sysctl.conf ====
    > net.ipv4.ip_forward=1
    > net.ipv4.conf.all.accept_redirects =0
    > net.ipv4.conf.all.send_redirects =0
    >
    > ==== strongswan.conf ====
    > charon {
    >        load_modular = yes
    >        #install_routes = no
    >        plugins {
    >              include strongswan.d/charon/*.conf
    >        }
    > }
    >
    > ==== ipsec.conf ====
    > config setup
    >         #charondebug="all 2"
    >         charondebug="cfg 2"
    >         uniqueids=yes
    >         strictcrlpolicy=no
    >
    > conn %default
    >         ikelifetime=1440m
    >         keylife=60m
    >         rekeymargin=3m
    >         keyingtries=1
    >         keyexchange=ikev1
    >         authby=secret
    >
    > conn spc-to-varazze
    >        left=10.0.0.100
    >        #leftfirewall=yes
    >        leftsubnet=10.0.1.0/24
    >        right=XXX.XXX.XXX.XXX
    >        rightsubnet=192.168.0.0/23
    >        auto=start
    >        ike=aes256-sha1-modp1024
    >        esp=aes256-sha1-modp1024
    >
    > ==== xfrm status ====
    > root@router:/etc# ip -s xfrm state
    > src 10.0.0.100 dst XXX.XXX.XXX.XXX
    >        proto esp spi 0x6a05615e(1778737502) reqid 1(0x00000001) mode tunnel
    >        replay-window 0 seq 0x00000000 flag af-unspec (0x00100000)
    >        auth-trunc hmac(sha1) 0x687fd2cdd4dcf0bf14ef6c1655fb04af70010257 (160 bits) 96
    >        enc cbc(aes) 0x270e6c31e071a3771eb0508e1805fd0e (128 bits)
    >        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    >        anti-replay context: seq 0x0, oseq 0x529, bitmap 0x00000000
    >        lifetime config:
    >          limit: soft (INF)(bytes), hard (INF)(bytes)
    >          limit: soft (INF)(packets), hard (INF)(packets)
    >          expire add: soft 3414(sec), hard 3600(sec)
    >          expire use: soft 0(sec), hard 0(sec)
    >        lifetime current:
    >          79260(bytes), 1321(packets)
    >          add 2019-10-30 22:15:10 use 2019-10-30 22:15:15
    >        stats:
    >          replay-window 0 replay 0 failed 0
    > src XXX.XXX.XXX.XXX dst 10.0.0.100
    >        proto esp spi 0xcf6665c0(3479594432) reqid 1(0x00000001) mode tunnel
    >        replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
    >        auth-trunc hmac(sha1) 0xa9c698de75653b442199eed162b8f653bbe159ca (160 bits) 96
    >        enc cbc(aes) 0xfd9ef251dcaff2853e89cac211b53d19 (128 bits)
    >        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    >        anti-replay context: seq 0x529, oseq 0x0, bitmap 0xffffffff
    >        lifetime config:
    >          limit: soft (INF)(bytes), hard (INF)(bytes)
    >          limit: soft (INF)(packets), hard (INF)(packets)
    >          expire add: soft 3407(sec), hard 3600(sec)
    >          expire use: soft 0(sec), hard 0(sec)
    >        lifetime current:
    >          79260(bytes), 1321(packets)
    >          add 2019-10-30 22:15:10 use 2019-10-30 22:15:15
    >        stats:
    >          replay-window 0 replay 0 failed 0
    >
    > ==== iptables and ufw status ====
    > root@router:/etc# iptables -L
    > Chain INPUT (policy ACCEPT)
    > target     prot opt source               destination
    > ACCEPT     all  --  anywhere             anywhere
    > ACCEPT     all  --  anywhere             anywhere
    > ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    >
    > Chain FORWARD (policy ACCEPT)
    > target     prot opt source               destination
    > ACCEPT     all  --  anywhere             anywhere
    > ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    >
    > Chain OUTPUT (policy ACCEPT)
    > target     prot opt source               destination
    > root@router:/etc# ufw status
    > Status: inactive
    > r
    >
    > I’ve done a lot of searches but none of the answers I found was useful.
    >
    > Any help/suggestion will be welcome.
    >
    > RB
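
A check that can be run on the `iptables-save` output posted at the top of this message (added example, not part of the thread): on Linux the nat POSTROUTING chain is traversed before the IPsec (xfrm) policy lookup, so a source-NAT rule reached there rewrites the packet's source address before it is compared with the tunnel's traffic selectors. The helper names and the `EXEMPTED_NAT` variant are constructed for illustration.

```python
import shlex
import sys

# *nat table copied from the iptables-save output in the message above.
POSTED_NAT = """\
*nat
:PREROUTING ACCEPT [4751:549595]
:POSTROUTING ACCEPT [29:2308]
-A POSTROUTING -o ens3 -j MASQUERADE
COMMIT
"""

# Constructed variant: the same table with an IPsec exemption placed first.
EXEMPTED_NAT = POSTED_NAT.replace(
    "-A POSTROUTING -o ens3",
    "-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT\n"
    "-A POSTROUTING -o ens3",
)


def _opt(args, flag):
    """Value following `flag` in a rule's argument list, or None."""
    return args[args.index(flag) + 1] if flag in args[:-1] else None


def unexempted_nat_rules(dump, chain="POSTROUTING"):
    """Source-NAT rules in `chain` that IPsec-bound packets can still hit.

    Simplifications (assumptions of this example): user-defined chains are
    not followed, and any `--pol ipsec --dir out -j ACCEPT` rule is treated
    as a full exemption even when it is narrowed by -s/-d.
    """
    table, exempted, hits = None, False, []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):          # table header such as "*nat"
            table = line[1:]
        if table != "nat" or not line.startswith(f"-A {chain} "):
            continue
        args = shlex.split(line)
        target, pol = _opt(args, "-j"), _opt(args, "--pol")
        if target == "ACCEPT" and pol == "ipsec" and _opt(args, "--dir") == "out":
            exempted = True               # later NAT rules never see IPsec traffic
        elif target in ("MASQUERADE", "SNAT") and pol != "none" and not exempted:
            hits.append(line)
    return hits


if __name__ == "__main__":
    dump = POSTED_NAT if sys.stdin.isatty() else sys.stdin.read()
    for rule in unexempted_nat_rules(dump):
        print("NAT applied before IPsec policy lookup:", rule)
```

Piping live `iptables-save` output into the script checks the running ruleset instead of the embedded copy.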
    
    


