[strongSwan] Help with apparent routing failure on AWS
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Sep 25 04:56:18 CEST 2019
Then it doesn't go into the tunnel.
> office-netcube{1}: 172.31.32.0/20 172.31.255.0/32 === 192.168.11.0/24
Is that right? See the /32. Shouldn't that be a /24?
On 24.09.19 at 19:42, Doug Bell wrote:
> I see the following while performing a ping from 172.31.255.138 -> 192.168.11.2
>
> # tcpdump -nnn udp and port 4500
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on ens5, link-type EN10MB (Ethernet), capture size 262144 bytes
> 17:39:32.013973 IP 172.31.255.19.4500 > 112.199.95.138.4500: isakmp-nat-keep-alive
> 17:39:38.181171 IP 172.31.255.19.4500 > 112.199.95.138.4500: NONESP-encap: isakmp: child_sa inf2[I]
> 17:39:38.371873 IP 112.199.95.138.4500 > 172.31.255.19.4500: NONESP-encap: isakmp: child_sa inf2[R]
> 17:40:02.014470 IP 172.31.255.19.4500 > 112.199.95.138.4500: isakmp-nat-keep-alive
> 17:40:08.181036 IP 172.31.255.19.4500 > 112.199.95.138.4500: NONESP-encap: isakmp: child_sa inf2[I]
> 17:40:08.381724 IP 112.199.95.138.4500 > 172.31.255.19.4500: NONESP-encap: isakmp: child_sa inf2[R]
>
>
> On Fri, Sep 20, 2019 at 5:16 AM Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
>
> > office-netcube{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c319f8bf_i ce60b044_o
>
> Use `tcpdump -n udp and port 4500`
>
> On 19.09.19 at 22:53, Doug Bell wrote:
> > I have created an AWS instance running StrongSwan on Ubuntu to facilitate an IPSec tunnel back to an OPNSense firewall.
> >
> > AWS StrongSwan:
> > Internal IP: 172.31.255.19
> > External IP: 54.149.10.176
> > Internal Network: 172.31.255.0/24
> > (I am also trying to use / route another AWS subnet of 172.31.32.0/20)
> >
> > OPNsense firewall:
> > External IP: 112.199.95.138
> > Internal Network: 192.168.11.0/24
> >
> > I can get the tunnel to come up in what appears to be a correct fashion, but I cannot get any pings to go across the tunnel, regardless of source or destination. From another machine on the same subnet I added a proper route and security group and I was able to see the ICMP echo requests come in on the VPN gateway, but looking at 'tcpdump esp' the traffic does not appear to be going over the tunnel.
> >
> > 20:32:14.436042 IP 172.31.255.138 > 192.168.11.221: ICMP echo request, id 26635, seq 1, length 64
> > 20:32:14.436077 IP 172.31.255.138 > 192.168.11.221: ICMP echo request, id 26635, seq 1, length 64
> > 20:32:15.449498 IP 172.31.255.138 > 192.168.11.221: ICMP echo request, id 26635, seq 2, length 64
> >
> > I am not running any IP masquerading as I need the hosts on the different endpoints able to recognize the proper source IPs.
> >
> > Thank you for your assistance.
> >
> >
> > Here are some diagnostics:
> >
> > --ipsec.conf--
> > config setup
> > # strictcrlpolicy=yes
> > # uniqueids = no
> > #charonstart=yes
> >
> > # Add connections here.
> > conn sts-base
> > fragmentation=yes
> > dpdaction=restart
> > keyingtries=%forever
> > leftid=172.31.255.19
> > leftsubnet=172.31.255.0/32,172.31.32.0/20
> > leftauth=psk
> > rightauth=psk
> >
> > conn office-netcube
> > also=sts-base
> > mobike=no
> > keyexchange=ikev2
> > ike=aes128-sha256-modp3072
> > esp=aes128-sha256-modp3072
> > right=112.199.95.138
> > rightsubnet=192.168.11.0/24
> > installpolicy=yes
> > type=tunnel
> > auto=start
> > --end configuration--
> >
> >
> > # ipsec statusall
> > Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-1050-aws, x86_64):
> > uptime: 2 minutes, since Sep 19 19:44:35 2019
> > malloc: sbrk 2568192, mmap 0, used 643504, free 1924688
> > worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
> > loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
> > Listening IP addresses:
> > 172.31.255.19
> > Connections:
> > office-netcube: %any...112.199.95.138 IKEv2, dpddelay=30s
> > office-netcube: local: [172.31.255.19] uses pre-shared key authentication
> > office-netcube: remote: [112.199.95.138] uses pre-shared key authentication
> > office-netcube: child: 172.31.255.0/32 172.31.32.0/20 === 192.168.11.0/24 TUNNEL, dpdaction=restart
> > Routed Connections:
> > office-netcube{2}: ROUTED, TUNNEL, reqid 1
> > office-netcube{2}: 172.31.32.0/20 172.31.255.0/32 === 192.168.11.0/24
> > Security Associations (1 up, 0 connecting):
> > office-netcube[1]: ESTABLISHED 2 minutes ago, 172.31.255.19[172.31.255.19]...112.199.95.138[112.199.95.138]
> > office-netcube[1]: IKEv2 SPIs: c2c2cd729e85a9f2_i* 92478c72f25bd4a8_r, pre-shared key reauthentication in 2 hours
> > office-netcube[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
> > office-netcube{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c319f8bf_i ce60b044_o
> > office-netcube{1}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 40 minutes
> > office-netcube{1}: 172.31.32.0/20 172.31.255.0/32 === 192.168.11.0/24
> >
> > # ip addr list
> > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
> > link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> > inet 127.0.0.1/8 scope host lo
> > valid_lft forever preferred_lft forever
> > inet6 ::1/128 scope host
> > valid_lft forever preferred_lft forever
> > 2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
> > link/ether 06:07:f8:50:8b:96 brd ff:ff:ff:ff:ff:ff
> > inet 172.31.255.19/24 brd 172.31.255.255 scope global dynamic ens5
> > valid_lft 3340sec preferred_lft 3340sec
> > inet6 fe80::407:f8ff:fe50:8b96/64 scope link
> > valid_lft forever preferred_lft forever
> >
> > # ip route show table all
> > default via 172.31.255.1 dev ens5 proto dhcp src 172.31.255.19 metric 100
> > 172.31.255.0/24 dev ens5 proto kernel scope link src 172.31.255.19
> > 172.31.255.1 dev ens5 proto dhcp scope link src 172.31.255.19 metric 100
> > broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
> > local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
> > local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
> > broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
> > broadcast 172.31.255.0 dev ens5 table local proto kernel scope link src 172.31.255.19
> > local 172.31.255.19 dev ens5 table local proto kernel scope host src 172.31.255.19
> > broadcast 172.31.255.255 dev ens5 table local proto kernel scope link src 172.31.255.19
> > local ::1 dev lo proto kernel metric 256 pref medium
> > fe80::/64 dev ens5 proto kernel metric 256 pref medium
> > local ::1 dev lo table local proto kernel metric 0 pref medium
> > local fe80::407:f8ff:fe50:8b96 dev ens5 table local proto kernel metric 0 pref medium
> > ff00::/8 dev ens5 table local metric 256 pref medium
> >
> > # ip xfrm policy show
> > src 172.31.255.0/32 dst 192.168.11.0/24
> > dir out priority 371327
> > tmpl src 172.31.255.19 dst 112.199.95.138
> > proto esp spi 0xce60b044 reqid 1 mode tunnel
> > src 192.168.11.0/24 dst 172.31.255.0/32
> > dir fwd priority 371327
> > tmpl src 112.199.95.138 dst 172.31.255.19
> > proto esp reqid 1 mode tunnel
> > src 192.168.11.0/24 dst 172.31.255.0/32
> > dir in priority 371327
> > tmpl src 112.199.95.138 dst 172.31.255.19
> > proto esp reqid 1 mode tunnel
> > src 172.31.32.0/20 dst 192.168.11.0/24
> > dir out priority 377471
> > tmpl src 172.31.255.19 dst 112.199.95.138
> > proto esp spi 0xce60b044 reqid 1 mode tunnel
> > src 192.168.11.0/24 dst 172.31.32.0/20
> > dir fwd priority 377471
> > tmpl src 112.199.95.138 dst 172.31.255.19
> > proto esp reqid 1 mode tunnel
> > src 192.168.11.0/24 dst 172.31.32.0/20
> > dir in priority 377471
> > tmpl src 112.199.95.138 dst 172.31.255.19
> > proto esp reqid 1 mode tunnel
> > src 0.0.0.0/0 dst 0.0.0.0/0
> > socket in priority 0
> > src 0.0.0.0/0 dst 0.0.0.0/0
> > socket out priority 0
> > src 0.0.0.0/0 dst 0.0.0.0/0
> > socket in priority 0
> > src 0.0.0.0/0 dst 0.0.0.0/0
> > socket out priority 0
> > src ::/0 dst ::/0
> > socket in priority 0
> > src ::/0 dst ::/0
> > socket out priority 0
> > src ::/0 dst ::/0
> > socket in priority 0
> > src ::/0 dst ::/0
> > socket out priority 0
> >
> > # iptables-save
> > # Generated by iptables-save v1.6.1 on Thu Sep 19 20:44:46 2019
> > *filter
> > :INPUT ACCEPT [2151:364680]
> > :FORWARD ACCEPT [24:2016]
> > :OUTPUT ACCEPT [2132:344479]
> > COMMIT
> > # Completed on Thu Sep 19 20:44:46 2019
> >
> > # ip rule
> > 0: from all lookup local
> > 220: from all lookup 220
> > 32766: from all lookup main
> > 32767: from all lookup default
> >
> > # egrep -v "(^$|#)" /etc/sysctl.conf
> > net.ipv4.ip_forward=1
> > net.ipv4.conf.all.accept_redirects = 0
> > net.ipv4.conf.all.secure_redirects = 0
> > net.ipv4.conf.default.accept_redirects = 0
> > net.ipv4.conf.default.secure_redirects = 0
> > net.ipv4.conf.all.send_redirects = 0
> > net.ipv4.conf.default.send_redirects = 0
> > net.ipv4.conf.ens5.send_redirects = 0
> > net.ipv4.conf.all.accept_source_route = 0
> > net.ipv4.conf.all.log_martians = 1
> > net.ipv4.icmp_echo_ignore_broadcasts = 1
> > net.ipv4.conf.default.accept_source_route = 0
> > net.ipv4.icmp_ignore_bogus_error_responses = 1
> > net.ipv4.tcp_syncookies = 1
> > net.ipv4.conf.all.rp_filter = 1
> > net.ipv4.conf.default.rp_filter = 1
> > net.ipv4.tcp_mtu_probing = 1
> >
> > --
> > Doug Bell
>
>
>
> --
> Doug Bell
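The traffic-selector mismatch Noel points at (the /32 in leftsubnet, which makes the kernel's outbound policy select only the single address 172.31.255.0) can be checked mechanically against `ip xfrm policy show` output. The script below is an added example, not code from this thread or from strongSwan: it parses the `dir out` policies from a constructed copy of the poster's xfrm output and reports whether a given flow would be ESP-encapsulated or simply routed in cleartext. The flow 172.31.255.138 -> 192.168.11.2 is the ping from the thread; the second input substitutes /24 for /32 and is an assumption about what the policies would look like after correcting leftsubnet.

```python
import ipaddress
import re

# Constructed sample input: the IPv4 policies from the poster's `ip xfrm policy show`
# output as quoted in the thread (the leftsubnet typo 172.31.255.0/32 is preserved),
# laid out with the indentation iproute2 prints.
XFRM_POLICY_OUTPUT = """\
src 172.31.255.0/32 dst 192.168.11.0/24
\tdir out priority 371327
\ttmpl src 172.31.255.19 dst 112.199.95.138
\t\tproto esp spi 0xce60b044 reqid 1 mode tunnel
src 192.168.11.0/24 dst 172.31.255.0/32
\tdir fwd priority 371327
\ttmpl src 112.199.95.138 dst 172.31.255.19
\t\tproto esp reqid 1 mode tunnel
src 172.31.32.0/20 dst 192.168.11.0/24
\tdir out priority 377471
\ttmpl src 172.31.255.19 dst 112.199.95.138
\t\tproto esp spi 0xce60b044 reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
\tsocket out priority 0
"""

# Assumption: after changing leftsubnet to 172.31.255.0/24 the kernel installs the same
# policies with /24 in place of /32; modelled here by a plain text substitution.
FIXED_POLICY_OUTPUT = XFRM_POLICY_OUTPUT.replace("172.31.255.0/32", "172.31.255.0/24")

POLICY_RE = re.compile(r"^src (\S+) dst (\S+)$")          # selector line (column 0)
DIR_RE = re.compile(r"^\s*dir (\S+) priority (\d+)$")     # direction/priority line


def parse_xfrm_policies(text):
    """Return a list of {src, dst, dir, priority} for every policy with a 'dir' line.
    Socket policies ('socket in/out') never encapsulate traffic and are skipped."""
    policies = []
    selector = None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            selector = (ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2)))
            continue
        m = DIR_RE.match(line)
        if m and selector is not None:
            src, dst = selector
            policies.append({"src": src, "dst": dst, "dir": m.group(1), "priority": int(m.group(2))})
            selector = None
    return policies


def match_out_policy(policies, src_ip, dst_ip):
    """Return the 'out' policy that selects an src_ip -> dst_ip packet, or None.
    Among several matches the lowest priority value wins, as in the kernel SPD lookup."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    hits = [p for p in policies if p["dir"] == "out" and src in p["src"] and dst in p["dst"]]
    return min(hits, key=lambda p: p["priority"]) if hits else None


def explain_flow(policies, src_ip, dst_ip):
    """Human-readable verdict for one flow."""
    p = match_out_policy(policies, src_ip, dst_ip)
    if p is None:
        return (f"{src_ip} -> {dst_ip}: no 'dir out' policy selects it; the packet is "
                "routed in cleartext via the main table and never enters the tunnel")
    return (f"{src_ip} -> {dst_ip}: encapsulated by policy {p['src']} -> {p['dst']} "
            f"(priority {p['priority']})")


if __name__ == "__main__":
    for label, text in (("as posted", XFRM_POLICY_OUTPUT), ("leftsubnet corrected to /24", FIXED_POLICY_OUTPUT)):
        pols = parse_xfrm_policies(text)
        print(f"[{label}]")
        for src, dst in (("172.31.255.138", "192.168.11.2"), ("172.31.40.5", "192.168.11.2")):
            print("  " + explain_flow(pols, src, dst))
```

Run against the posted output, the host 172.31.255.138 matches no outbound policy while a host in 172.31.32.0/20 does, which is exactly the "0 bytes_o" picture in `ipsec statusall`; with /24 both flows are selected. The same check can be run on a live gateway by feeding it the real `ip xfrm policy show` output instead of the constructed string.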