[strongSwan] Help with apparent routing failure on AWS

Doug Bell doug at firefamily.net
Tue Sep 24 19:42:12 CEST 2019


I see the following while performing a ping from 172.31.255.138 ->
192.168.11.2

# tcpdump -nnn udp and port 4500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens5, link-type EN10MB (Ethernet), capture size 262144 bytes
17:39:32.013973 IP 172.31.255.19.4500 > 112.199.95.138.4500: isakmp-nat-keep-alive
17:39:38.181171 IP 172.31.255.19.4500 > 112.199.95.138.4500: NONESP-encap: isakmp: child_sa  inf2[I]
17:39:38.371873 IP 112.199.95.138.4500 > 172.31.255.19.4500: NONESP-encap: isakmp: child_sa  inf2[R]
17:40:02.014470 IP 172.31.255.19.4500 > 112.199.95.138.4500: isakmp-nat-keep-alive
17:40:08.181036 IP 172.31.255.19.4500 > 112.199.95.138.4500: NONESP-encap: isakmp: child_sa  inf2[I]
17:40:08.381724 IP 112.199.95.138.4500 > 172.31.255.19.4500: NONESP-encap: isakmp: child_sa  inf2[R]


On Fri, Sep 20, 2019 at 5:16 AM Noel Kuntze
<noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:

> > office-netcube{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c319f8bf_i ce60b044_o
>
> Use `tcpdump -n udp and port 4500`
>
> Am 19.09.19 um 22:53 schrieb Doug Bell:
> > I have created an AWS instance running StrongSwan on Ubuntu to
> > facilitate an IPSec tunnel back to an OPNSense firewall.
> >
> > AWS StrongSwan:
> > Internal IP: 172.31.255.19
> > External IP: 54.149.10.176
> > Internal Network: 172.31.255.0/24
> > (I am also trying to use / route another AWS subnet of 172.31.32.0/20)
> >
> > OPNsense firewall:
> > External IP: 112.199.95.138
> > Internal Network: 192.168.11.0/24
> >
> > I can get the tunnel to come up in what appears to be a correct fashion,
> > but I cannot get any pings to go across the tunnel, regardless of source or
> > destination.  From another machine on the same subnet I added a proper
> > route and security group and I was able to see the ICMP echo requests come
> > in on the VPN gateway, but looking at 'tcpdump esp' the traffic does not
> > appear to be going over the tunnel.
> >
> > 20:32:14.436042 IP 172.31.255.138 > 192.168.11.221: ICMP echo request, id 26635, seq 1, length 64
> > 20:32:14.436077 IP 172.31.255.138 > 192.168.11.221: ICMP echo request, id 26635, seq 1, length 64
> > 20:32:15.449498 IP 172.31.255.138 > 192.168.11.221: ICMP echo request, id 26635, seq 2, length 64
> >
> > I am not running any IP masquerading as I need the hosts on the
> > different endpoints able to recognize the proper source IPs.
> >
> > Thank you for your assistance.
> >
> >
> > Here are some diagnostics:
> >
> > --ipsec.conf--
> > config setup
> > # strictcrlpolicy=yes
> > # uniqueids = no
> >     #charonstart=yes
> >
> > # Add connections here.
> > conn sts-base
> >     fragmentation=yes
> >     dpdaction=restart
> >     keyingtries=%forever
> >     leftid=172.31.255.19
> >     leftsubnet=172.31.255.0/32,172.31.32.0/20
> >     leftauth=psk
> >     rightauth=psk
> >
> > conn office-netcube
> >     also=sts-base
> >     mobike=no
> >     keyexchange=ikev2
> >     ike=aes128-sha256-modp3072
> >     esp=aes128-sha256-modp3072
> >     right=112.199.95.138
> >     rightsubnet=192.168.11.0/24
> >     installpolicy=yes
> >     type=tunnel
> >     auto=start
> > --end configuration--
> >
> >
> > # ipsec statusall
> > Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-1050-aws, x86_64):
> >   uptime: 2 minutes, since Sep 19 19:44:35 2019
> >   malloc: sbrk 2568192, mmap 0, used 643504, free 1924688
> >   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
> >   loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
> > Listening IP addresses:
> >   172.31.255.19
> > Connections:
> > office-netcube:  %any...112.199.95.138  IKEv2, dpddelay=30s
> > office-netcube:   local:  [172.31.255.19] uses pre-shared key authentication
> > office-netcube:   remote: [112.199.95.138] uses pre-shared key authentication
> > office-netcube:   child:  172.31.255.0/32 172.31.32.0/20 === 192.168.11.0/24 TUNNEL, dpdaction=restart
> > Routed Connections:
> > office-netcube{2}:  ROUTED, TUNNEL, reqid 1
> > office-netcube{2}:   172.31.32.0/20 172.31.255.0/32 === 192.168.11.0/24
> > Security Associations (1 up, 0 connecting):
> > office-netcube[1]: ESTABLISHED 2 minutes ago, 172.31.255.19[172.31.255.19]...112.199.95.138[112.199.95.138]
> > office-netcube[1]: IKEv2 SPIs: c2c2cd729e85a9f2_i* 92478c72f25bd4a8_r, pre-shared key reauthentication in 2 hours
> > office-netcube[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
> > office-netcube{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c319f8bf_i ce60b044_o
> > office-netcube{1}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 40 minutes
> > office-netcube{1}:   172.31.32.0/20 172.31.255.0/32 === 192.168.11.0/24
> >
> > # ip addr list
> > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
> >     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> >     inet 127.0.0.1/8 scope host lo
> >        valid_lft forever preferred_lft forever
> >     inet6 ::1/128 scope host
> >        valid_lft forever preferred_lft forever
> > 2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
> >     link/ether 06:07:f8:50:8b:96 brd ff:ff:ff:ff:ff:ff
> >     inet 172.31.255.19/24 brd 172.31.255.255 scope global dynamic ens5
> >        valid_lft 3340sec preferred_lft 3340sec
> >     inet6 fe80::407:f8ff:fe50:8b96/64 scope link
> >        valid_lft forever preferred_lft forever
> >
> > # ip route show table all
> > default via 172.31.255.1 dev ens5 proto dhcp src 172.31.255.19 metric 100
> > 172.31.255.0/24 dev ens5 proto kernel scope link src 172.31.255.19
> > 172.31.255.1 dev ens5 proto dhcp scope link src 172.31.255.19 metric 100
> > broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
> > local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
> > local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
> > broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
> > broadcast 172.31.255.0 dev ens5 table local proto kernel scope link src 172.31.255.19
> > local 172.31.255.19 dev ens5 table local proto kernel scope host src 172.31.255.19
> > broadcast 172.31.255.255 dev ens5 table local proto kernel scope link src 172.31.255.19
> > local ::1 dev lo proto kernel metric 256 pref medium
> > fe80::/64 dev ens5 proto kernel metric 256 pref medium
> > local ::1 dev lo table local proto kernel metric 0 pref medium
> > local fe80::407:f8ff:fe50:8b96 dev ens5 table local proto kernel metric 0 pref medium
> > ff00::/8 dev ens5 table local metric 256 pref medium
> >
> > # ip xfrm policy show
> > src 172.31.255.0/32 dst 192.168.11.0/24
> > dir out priority 371327
> > tmpl src 172.31.255.19 dst 112.199.95.138
> > proto esp spi 0xce60b044 reqid 1 mode tunnel
> > src 192.168.11.0/24 dst 172.31.255.0/32
> > dir fwd priority 371327
> > tmpl src 112.199.95.138 dst 172.31.255.19
> > proto esp reqid 1 mode tunnel
> > src 192.168.11.0/24 dst 172.31.255.0/32
> > dir in priority 371327
> > tmpl src 112.199.95.138 dst 172.31.255.19
> > proto esp reqid 1 mode tunnel
> > src 172.31.32.0/20 dst 192.168.11.0/24
> > dir out priority 377471
> > tmpl src 172.31.255.19 dst 112.199.95.138
> > proto esp spi 0xce60b044 reqid 1 mode tunnel
> > src 192.168.11.0/24 dst 172.31.32.0/20
> > dir fwd priority 377471
> > tmpl src 112.199.95.138 dst 172.31.255.19
> > proto esp reqid 1 mode tunnel
> > src 192.168.11.0/24 dst 172.31.32.0/20
> > dir in priority 377471
> > tmpl src 112.199.95.138 dst 172.31.255.19
> > proto esp reqid 1 mode tunnel
> > src 0.0.0.0/0 dst 0.0.0.0/0
> > socket in priority 0
> > src 0.0.0.0/0 dst 0.0.0.0/0
> > socket out priority 0
> > src 0.0.0.0/0 dst 0.0.0.0/0
> > socket in priority 0
> > src 0.0.0.0/0 dst 0.0.0.0/0
> > socket out priority 0
> > src ::/0 dst ::/0
> > socket in priority 0
> > src ::/0 dst ::/0
> > socket out priority 0
> > src ::/0 dst ::/0
> > socket in priority 0
> > src ::/0 dst ::/0
> > socket out priority 0
> >
> > # iptables-save
> > # Generated by iptables-save v1.6.1 on Thu Sep 19 20:44:46 2019
> > *filter
> > :INPUT ACCEPT [2151:364680]
> > :FORWARD ACCEPT [24:2016]
> > :OUTPUT ACCEPT [2132:344479]
> > COMMIT
> > # Completed on Thu Sep 19 20:44:46 2019
> >
> > # ip rule
> > 0: from all lookup local
> > 220: from all lookup 220
> > 32766: from all lookup main
> > 32767: from all lookup default
> >
> > # egrep -v "(^$|#)" /etc/sysctl.conf
> > net.ipv4.ip_forward=1
> > net.ipv4.conf.all.accept_redirects = 0
> > net.ipv4.conf.all.secure_redirects = 0
> > net.ipv4.conf.default.accept_redirects = 0
> > net.ipv4.conf.default.secure_redirects = 0
> > net.ipv4.conf.all.send_redirects = 0
> > net.ipv4.conf.default.send_redirects = 0
> > net.ipv4.conf.ens5.send_redirects = 0
> > net.ipv4.conf.all.accept_source_route = 0
> > net.ipv4.conf.all.log_martians = 1
> > net.ipv4.icmp_echo_ignore_broadcasts = 1
> > net.ipv4.conf.default.accept_source_route = 0
> > net.ipv4.icmp_ignore_bogus_error_responses = 1
> > net.ipv4.tcp_syncookies = 1
> > net.ipv4.conf.all.rp_filter = 1
> > net.ipv4.conf.default.rp_filter = 1
> > net.ipv4.tcp_mtu_probing = 1
> >
> > --
> > Doug Bell
>
>

-- 
Doug Bell
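The quickest way to tell whether a packet will be tunnelled is to match its source and destination against the installed xfrm policies, so here is an added example (not code from the thread or from strongSwan) that parses the `ip xfrm policy show` output posted above and looks up the best non-socket outbound policy for a given pair. Run against the posted selectors, 172.31.255.138 -> 192.168.11.2 matches no outbound policy, because `172.31.255.0/32` covers only the single address 172.31.255.0, which is consistent with the SA showing 0 bytes in either direction; the /24 variant at the end is an assumption about what `leftsubnet` was meant to be.

```python
import ipaddress
import re

# Constructed sample: the outbound entries and one socket entry from the posted
# `ip xfrm policy show`, with the mail client's "<http://...>" link noise removed.
XFRM_POLICY_OUTPUT = """\
src 172.31.255.0/32 dst 192.168.11.0/24
dir out priority 371327
tmpl src 172.31.255.19 dst 112.199.95.138
proto esp spi 0xce60b044 reqid 1 mode tunnel
src 172.31.32.0/20 dst 192.168.11.0/24
dir out priority 377471
tmpl src 172.31.255.19 dst 112.199.95.138
proto esp spi 0xce60b044 reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
"""

def parse_xfrm_policies(text):
    """Parse `ip xfrm policy show` output into dicts with src, dst, dir, priority, socket."""
    policies, cur = [], None
    for line in text.splitlines():
        m = re.match(r"src (\S+) dst (\S+)$", line)
        if m:  # a policy starts with its selector line (tmpl lines do not match: anchored at start)
            cur = {"src": ipaddress.ip_network(m.group(1), strict=False),
                   "dst": ipaddress.ip_network(m.group(2), strict=False)}
            policies.append(cur)
            continue
        m = re.match(r"(dir|socket) (in|out|fwd) priority (\d+)", line)
        if m and cur is not None:  # "socket" policies are per-socket bypasses (the IKE socket), not traffic selectors
            cur.update(dir=m.group(2), priority=int(m.group(3)), socket=m.group(1) == "socket")
    return policies

def check(src_ip, dst_ip, text=XFRM_POLICY_OUTPUT):
    """Selector (src, dst) of the outbound policy that would tunnel src->dst, or None if none applies."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = [p for p in parse_xfrm_policies(text) if p.get("dir") == "out"
            and not p.get("socket") and src in p["src"] and dst in p["dst"]]
    if not hits:
        return None
    best = min(hits, key=lambda p: p["priority"])  # in xfrm the lowest priority number wins
    return str(best["src"]), str(best["dst"])

if __name__ == "__main__":
    # The pinged pair from the thread matches nothing: the /32 selector covers only 172.31.255.0.
    print(check("172.31.255.138", "192.168.11.2"))   # None
    print(check("172.31.40.7", "192.168.11.2"))      # ('172.31.32.0/20', '192.168.11.0/24')
    # Assumption: leftsubnet was meant to be 172.31.255.0/24; with that selector the ping is tunnelled.
    fixed = XFRM_POLICY_OUTPUT.replace("172.31.255.0/32", "172.31.255.0/24")
    print(check("172.31.255.138", "192.168.11.2", fixed))  # ('172.31.255.0/24', '192.168.11.0/24')
```

Feed it the live output of `ip xfrm policy show` and the two addresses from the tcpdump line to confirm, before touching routing, whether the kernel has a policy for that flow at all.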