
List:       strongswan-users
Subject:    [strongSwan] Site-to-site VPN traffic is being blocked
From:       Justin Michael Schwartzbeck <justinmschw () gmail ! com>
Date:       2014-10-30 15:34:10
Message-ID: CAGEc96=QcW9fps1oSQ2fHak=akzqcMy2yxCsmW-pGyrJF+sWPA () mail ! gmail ! com


Hi,

I am trying to set up a site-to-site VPN. Endpoint 1 is the strongSwan
server that I am trying to set up to connect to endpoint 2 with a
site-to-site VPN. Endpoint 1 IP is 10.0.2.227 here and endpoint 2 is
10.0.2.210. I am currently able to connect endpoint 1 to endpoint 2
over the site-to-site VPN successfully, however traffic does not appear to be
getting forwarded. Here is my connection in ipsec.conf for endpoint 1:

conn net-net
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    mobike=no
    left=10.0.2.227
    leftcert=server.crt.pem
    leftid=%any
    leftsubnet=10.0.2.128/25
    leftfirewall=yes
    right=10.0.2.210
    rightid=%any
    leftauth=rsa
    rightauth=rsa
    rightsubnet=192.168.1.0/24
    rekey=no
    reauth=no
    dpddelay=10
    dpdtimeout=30
    dpdaction=clear
    auto=add


When I connect I get the following output:

initiating IKE_SA net-net[4] to 10.0.2.210
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.0.2.227[500] to 10.0.2.210[500] (708 bytes)
received packet: from 10.0.2.210[500] to 10.0.2.227[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group MODP_2048, it requested MODP_1024
initiating IKE_SA net-net[4] to 10.0.2.210
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.0.2.227[500] to 10.0.2.210[500] (580 bytes)
received packet: from 10.0.2.210[500] to 10.0.2.227[500] (377 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP)
CERTREQ ]
received cert request for "C=US, ST=California, L=AnyTown, O=mycompany, OU=NET, CN=mycompany"
received 1 cert requests for an unknown ca
sending cert request for "C=US, ST=California, L=AnyTown, O=mycompany, OU=NET, CN=mycompany"
authentication of 'CN=sts-endpoint-1.mycompany.com, O=mycompany' (myself)
with RSA signature successful
sending end entity cert "CN=sts-endpoint-1.mycompany.com, O=mycompany"
establishing CHILD_SA net-net
generating IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH SA TSi TSr
N(EAP_ONLY) ]
sending packet: from 10.0.2.227[500] to 10.0.2.210[500] (1204 bytes)
received packet: from 10.0.2.210[500] to 10.0.2.227[500] (1340 bytes)
parsed IKE_AUTH response 1 [ V IDr CERT AUTH SA TSi TSr N(SET_WINSIZE)
N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
received end entity cert "CN=sts-endpoint-2.mycompany.com, O=mycompany"
  using certificate "CN=sts-endpoint-2.mycompany.com, O=mycompany"
  using trusted ca certificate "C=US, ST=California, L=AnyTown, O=mycompany, OU=NET, CN=mycompany"
checking certificate status of "CN=sts-endpoint-2.mycompany.com,
O=mycompany"
certificate status is not available
  reached self-signed root ca with a path length of 0
authentication of 'CN=sts-endpoint-2.mycompany.com, O=mycompany' with RSA
signature successful
IKE_SA net-net[4] established between 10.0.2.227[CN=sts-endpoint-1.mycompany.com, O=mycompany]...10.0.2.210[CN=sts-endpoint-2.mycompany.com, O=mycompany]
received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
CHILD_SA net-net{4} established with SPIs ce060f84_i 67e92e0f_o and TS 10.0.2.128/25 === 192.168.1.0/24
connection 'net-net' established successfully

Here is my ip xfrm policy output:

src 192.168.1.0/24 dst 10.0.2.128/25
    dir fwd priority 2879 ptype main
    tmpl src 10.0.2.210 dst 10.0.2.227
        proto esp reqid 4 mode tunnel
src 192.168.1.0/24 dst 10.0.2.128/25
    dir in priority 2879 ptype main
    tmpl src 10.0.2.210 dst 10.0.2.227
        proto esp reqid 4 mode tunnel
src 10.0.2.128/25 dst 192.168.1.0/24
    dir out priority 2879 ptype main
    tmpl src 10.0.2.227 dst 10.0.2.210
        proto esp reqid 4 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 4 priority 0 ptype main
src ::/0 dst ::/0
    dir 3 priority 0 ptype main
src ::/0 dst ::/0
    dir 4 priority 0 ptype main
src ::/0 dst ::/0
    dir 3 priority 0 ptype main
src ::/0 dst ::/0
    dir 4 priority 0 ptype main

Basically I am trying to access an internal webserver from endpoint 1 (with
IP 192.168.1.100) that is on endpoint 2's network. If I try to access (e.g.
ping or wget) this server from endpoint 1, then it times out. Likewise, if
I try to ping the endpoint 1 machine from the internal webserver, it also times
out. The really weird thing is that when I take pcaps of the traffic, it
looks like the traffic is being routed, but for some reason it isn't being
passed back to the application. For example, if I do a ping to
192.168.1.100 from endpoint 1, I am able to see the ping response in the
tcpdump (though not the request), but the actual ping command doesn't get
any data back. This makes me think that a firewall rule is dropping the
packets or something. Same behavior when pinging/pcaping on 192.168.1.100
to endpoint 1, with the exception that I am able to see the requests as
well as the responses on that machine. Can someone help to point me in the
right direction? I tried an iptables -F on endpoint 1 but that didn't
change anything.

Thanks,
-Justin
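
Added example (editor's code, not part of the original post and not strongSwan's own tooling): a small checker that reads the conn block and the `ip xfrm policy` dump from the message above and derives the three kernel policies (out, in, fwd) a tunnel-mode net-net connection is expected to install, then reports which of them are actually present with the right ESP template. It also confirms that the gateway's own address lies inside leftsubnet, since pings and wgets issued on the gateway itself are sourced from `left` and only enter the tunnel if that address matches the `out` selector. The sample conn (non-policy settings omitted) and the policy dump are constructed from the post; the function names are this example's own.

```python
"""Cross-check a strongSwan conn block against `ip xfrm policy` output."""
import ipaddress
import re

# Constructed from the post: the same conn (settings that do not affect the
# kernel policies omitted), the three tunnel policies and one socket policy.
SAMPLE_CONN = """\
conn net-net
    keyexchange=ikev2
    left=10.0.2.227
    leftsubnet=10.0.2.128/25
    right=10.0.2.210
    rightsubnet=192.168.1.0/24
    auto=add
"""

SAMPLE_XFRM_POLICY = """\
src 192.168.1.0/24 dst 10.0.2.128/25
    dir fwd priority 2879 ptype main
    tmpl src 10.0.2.210 dst 10.0.2.227
        proto esp reqid 4 mode tunnel
src 192.168.1.0/24 dst 10.0.2.128/25
    dir in priority 2879 ptype main
    tmpl src 10.0.2.210 dst 10.0.2.227
        proto esp reqid 4 mode tunnel
src 10.0.2.128/25 dst 192.168.1.0/24
    dir out priority 2879 ptype main
    tmpl src 10.0.2.227 dst 10.0.2.210
        proto esp reqid 4 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 3 priority 0 ptype main
"""


def parse_conn(text):
    """Return {key: value} for the key=value lines of a conn (ipsec.conf syntax)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("conn "):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def expected_policies(conf):
    """Policies a tunnel-mode net-net conn should install, keyed by
    (dir, selector src, selector dst) with the ESP template (outer src, outer dst).
    'out' covers leftsubnet -> rightsubnet; decrypted traffic from rightsubnet is
    matched by 'in' (delivered locally) or 'fwd' (routed on to another left host)."""
    ls, rs = conf["leftsubnet"], conf["rightsubnet"]
    left, right = conf["left"], conf["right"]
    return {
        ("out", ls, rs): (left, right),
        ("in", rs, ls): (right, left),
        ("fwd", rs, ls): (right, left),
    }


def parse_xfrm_policy(text):
    """Parse `ip xfrm policy` output into {(dir, src, dst): (tmpl src, tmpl dst)}.
    Entries without a tmpl line (the per-socket dir 3/4 policies) are skipped."""
    policies, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"^src (\S+) dst (\S+)", line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2), "dir": None}
            continue
        m = re.match(r"^\s+dir (\S+)", line)
        if m and cur is not None:
            cur["dir"] = m.group(1)
            continue
        m = re.match(r"^\s+tmpl src (\S+) dst (\S+)", line)
        if m and cur is not None and cur["dir"] is not None:
            policies[(cur["dir"], cur["src"], cur["dst"])] = (m.group(1), m.group(2))
    return policies


def check_policies(conn_text, xfrm_text):
    """Return (present, missing): expected selectors found / not found in the dump."""
    want = expected_policies(parse_conn(conn_text))
    have = parse_xfrm_policy(xfrm_text)
    present = sorted(sel for sel, tmpl in want.items() if have.get(sel) == tmpl)
    missing = sorted(sel for sel in want if sel not in present)
    return present, missing


def gateway_in_own_subnet(conf):
    """True if `left` falls inside leftsubnet; otherwise traffic originated on the
    gateway itself never matches the 'out' selector and bypasses the tunnel."""
    return ipaddress.ip_address(conf["left"]) in ipaddress.ip_network(
        conf["leftsubnet"], strict=False)
```

Run against the dump in the post, all three selectors come back present with the expected templates and 10.0.2.227 is inside 10.0.2.128/25, so the kernel policy layer agrees with the conn. What this checker cannot see are the places a decrypted packet can still be lost after xfrm: `ip -s xfrm state` (per-SA packet and error counters), the built-in chain policies (`iptables -F` deletes rules but leaves a DROP default policy on INPUT or FORWARD in force; `iptables -L -n` shows it), and `net.ipv4.conf.*.rp_filter`, since the decrypted packet from 192.168.1.100 goes through the normal input path once it leaves xfrm.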





_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
