[strongSwan] Help with apparent routing failure on AWS

Doug Bell bdbell at gmail.com
Thu Sep 19 22:54:59 CEST 2019


I have created an AWS instance running StrongSwan on Ubuntu to facilitate
an IPSec tunnel back to an OPNSense firewall.

AWS StrongSwan:
Internal IP: 172.31.255.19
External IP: 54.149.10.176
Internal Network: 172.31.255.0/24
(I am also trying to use / route another AWS subnet of 172.31.32.0/20)

OPNsense firewall:
External IP: 112.199.95.138
Internal Network: 192.168.11.0/24

I can get the tunnel to come up in what appears to be a correct fashion,
but I cannot get any pings to go across the tunnel, regardless of source or
destination.  From another machine on the same subnet I added a proper
route and security group and I was able to see the ICMP echo requests come
in on the VPN gateway, but looking at 'tcpdump esp' the traffic does not
appear to be going over the tunnel..

20:32:14.436042 IP 172.31.255.138 > 192.168.11.221: ICMP echo request, id
26635, seq 1, length 64
20:32:14.436077 IP 172.31.255.138 > 192.168.11.221: ICMP echo request, id
26635, seq 1, length 64
20:32:15.449498 IP 172.31.255.138 > 192.168.11.221: ICMP echo request, id
26635, seq 2, length 64

I am not running any IP masquerading as I need the hosts on the different
endpoints able to recognize the proper source IPs.

Thank you for your assistance.


Here are some diagnostics:

--ipsec.conf--
config setup
# strictcrlpolicy=yes
# uniqueids = no
    #charonstart=yes

# Add connections here.
conn sts-base
    fragmentation=yes
    dpdaction=restart
    keyingtries=%forever
    leftid=172.31.255.19
    leftsubnet=172.31.255.0/32,172.31.32.0/20
    leftauth=psk
    rightauth=psk

conn office-netcube
    also=sts-base
    mobike=no
    keyexchange=ikev2
    ike=aes128-sha256-modp3072
    esp=aes128-sha256-modp3072
    right=112.199.95.138
    rightsubnet=192.168.11.0/24
    installpolicy=yes
    type=tunnel
    auto=start
--end configuration--


# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-1050-aws,
x86_64):
  uptime: 2 minutes, since Sep 19 19:44:35 2019
  malloc: sbrk 2568192, mmap 0, used 643504, free 1924688
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 4
  loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce
x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey
sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink
resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic
counters
Listening IP addresses:
  172.31.255.19
Connections:
office-netcube:  %any...112.199.95.138  IKEv2, dpddelay=30s
office-netcube:   local:  [172.31.255.19] uses pre-shared key authentication
office-netcube:   remote: [112.199.95.138] uses pre-shared key
authentication
office-netcube:   child:  172.31.255.0/32 172.31.32.0/20 ===
192.168.11.0/24 TUNNEL,
dpdaction=restart
Routed Connections:
office-netcube{2}:  ROUTED, TUNNEL, reqid 1
office-netcube{2}:   172.31.32.0/20 172.31.255.0/32 === 192.168.11.0/24
Security Associations (1 up, 0 connecting):
office-netcube[1]: ESTABLISHED 2 minutes ago,
172.31.255.19[172.31.255.19]...112.199.95.138[112.199.95.138]
office-netcube[1]: IKEv2 SPIs: c2c2cd729e85a9f2_i* 92478c72f25bd4a8_r,
pre-shared key reauthentication in 2 hours
office-netcube[1]: IKE proposal:
AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
office-netcube{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c319f8bf_i
ce60b044_o
office-netcube{1}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
rekeying in 40 minutes
office-netcube{1}:   172.31.32.0/20 172.31.255.0/32 === 192.168.11.0/24

# ip addr list
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group
default qlen 1000
    link/ether 06:07:f8:50:8b:96 brd ff:ff:ff:ff:ff:ff
    inet 172.31.255.19/24 brd 172.31.255.255 scope global dynamic ens5
       valid_lft 3340sec preferred_lft 3340sec
    inet6 fe80::407:f8ff:fe50:8b96/64 scope link
       valid_lft forever preferred_lft forever

# ip route show table all
default via 172.31.255.1 dev ens5 proto dhcp src 172.31.255.19 metric 100
172.31.255.0/24 dev ens5 proto kernel scope link src 172.31.255.19
172.31.255.1 dev ens5 proto dhcp scope link src 172.31.255.19 metric 100
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src
127.0.0.1
broadcast 172.31.255.0 dev ens5 table local proto kernel scope link src
172.31.255.19
local 172.31.255.19 dev ens5 table local proto kernel scope host src
172.31.255.19
broadcast 172.31.255.255 dev ens5 table local proto kernel scope link src
172.31.255.19
local ::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev ens5 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local fe80::407:f8ff:fe50:8b96 dev ens5 table local proto kernel metric 0
pref medium
ff00::/8 dev ens5 table local metric 256 pref medium

# ip xfrm policy show
src 172.31.255.0/32 dst 192.168.11.0/24
dir out priority 371327
tmpl src 172.31.255.19 dst 112.199.95.138
proto esp spi 0xce60b044 reqid 1 mode tunnel
src 192.168.11.0/24 dst 172.31.255.0/32
dir fwd priority 371327
tmpl src 112.199.95.138 dst 172.31.255.19
proto esp reqid 1 mode tunnel
src 192.168.11.0/24 dst 172.31.255.0/32
dir in priority 371327
tmpl src 112.199.95.138 dst 172.31.255.19
proto esp reqid 1 mode tunnel
src 172.31.32.0/20 dst 192.168.11.0/24
dir out priority 377471
tmpl src 172.31.255.19 dst 112.199.95.138
proto esp spi 0xce60b044 reqid 1 mode tunnel
src 192.168.11.0/24 dst 172.31.32.0/20
dir fwd priority 377471
tmpl src 112.199.95.138 dst 172.31.255.19
proto esp reqid 1 mode tunnel
src 192.168.11.0/24 dst 172.31.32.0/20
dir in priority 377471
tmpl src 112.199.95.138 dst 172.31.255.19
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0

# iptables-save
# Generated by iptables-save v1.6.1 on Thu Sep 19 20:44:46 2019
*filter
:INPUT ACCEPT [2151:364680]
:FORWARD ACCEPT [24:2016]
:OUTPUT ACCEPT [2132:344479]
COMMIT
# Completed on Thu Sep 19 20:44:46 2019

# ip rule
0: from all lookup local
220: from all lookup 220
32766: from all lookup main
32767: from all lookup default

# egrep -v "(^$|#)" /etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.ens5.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_mtu_probing = 1
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20190919/e47305ad/attachment.html>


More information about the Users mailing list