Issue #3149

Cannot ping roadwarrior clients from VPN gateway

Added by Marc Fisher about 1 month ago. Updated about 1 month ago.

Status:
Closed
Priority:
Low
Assignee:
Category:
configuration
Affected version:
5.7.1
Resolution:
No change required

Description

Setup

One Windows 8 roadwarrior client

Problem

Traffic from the client to the internet is correctly routed through the gateway and the connection is stable.
However, pinging the client's (virtual) IP times out. Is this even supposed to work?
I tried turning off the client's firewall.

ping -W 3 -c 3 10.0.0.1

PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.

--- 10.0.0.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 48ms

ip route list table 220

10.0.0.1 via <gw_public_ip> dev eth0 proto static

ipsec.conf

config setup
    # strictcrlpolicy=yes
    uniqueids = no
    charondebug="ike 1, knl 1, cfg 0, net 1"

# Add connections here.

conn win7
    leftcert=xxxx_vpn_gateway_cert.pem
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=eap-tls
    rightsendcert=never
    rightsourceip=10.0.0.1/32
    eap_identity=%any
    keyexchange=ikev2
    compress=no
    auto=add
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no

ipsec.secrets

: RSA "xxx_vpn_gateway_key.pem"

ipsec statusall

Status of IKE charon daemon (strongSwan 5.7.1, Linux 5.0.0-23-generic, x86_64):
  uptime: 4 minutes, since Aug 15 17:08:23 2019
  malloc: sbrk 2351104, mmap 532480, used 1488064, free 863040
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke vici updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
Virtual IP pools (size/online/offline):
  10.0.0.1/32: 1/1/0
Listening IP addresses:
  <gw_public_ip>
  <gw_public_ipv6>
Connections:
        win7:  %any...%any  IKEv2, dpddelay=300s
        win7:   local:  [CN=<gw_public_domain>] uses public key authentication
        win7:    cert:  "CN=<gw_public_domain>" 
        win7:   remote: uses EAP_TLS authentication with EAP identity '%any'
        win7:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
        win7[1]: ESTABLISHED 3 minutes ago, <gw_public_ip>[CN=<gw_public_domain>]...<client_public_ip>[client_private_ip_nat]
        win7[1]: Remote EAP identity: ioudas
        win7[1]: IKEv2 SPIs: 388375664131d914_i e05b1efcef895dc6_r*, rekeying disabled
        win7[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
        win7{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c50bf09c_i 6eacd63c_o
        win7{1}:  AES_CBC_256/HMAC_SHA2_256_128, 149373 bytes_i (1281 pkts, 0s ago), 214919 bytes_o (1042 pkts, 0s ago), rekeying disabled
        win7{1}:   0.0.0.0/0 === 10.0.0.1/32

iptables-save

# Generated by iptables-save v1.6.1 on Thu Aug 15 17:19:46 2019
*filter
:INPUT ACCEPT [6328:1196124]
:FORWARD ACCEPT [7726:1747977]
:OUTPUT ACCEPT [5524:1843075]
COMMIT
# Completed on Thu Aug 15 17:19:46 2019
# Generated by iptables-save v1.6.1 on Thu Aug 15 17:19:46 2019
*nat
:PREROUTING ACCEPT [57337:4472853]
:INPUT ACCEPT [37929:2076008]
:OUTPUT ACCEPT [196:15404]
:POSTROUTING ACCEPT [133:11408]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Aug 15 17:19:46 2019

syslog

Aug 15 17:08:43 localhost charon: 08[NET] received packet: from <client_public_ip>[500] to <gw_public_ip>[500] (384 bytes)
Aug 15 17:08:43 localhost charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Aug 15 17:08:43 localhost charon: 08[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Aug 15 17:08:43 localhost charon: 08[IKE] received MS-Negotiation Discovery Capable vendor ID
Aug 15 17:08:43 localhost charon: 08[IKE] received Vid-Initial-Contact vendor ID
Aug 15 17:08:43 localhost charon: 08[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Aug 15 17:08:43 localhost charon: 08[IKE] <client_public_ip> is initiating an IKE_SA
Aug 15 17:08:43 localhost charon: 08[IKE] remote host is behind NAT
Aug 15 17:08:43 localhost charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Aug 15 17:08:43 localhost charon: 08[NET] sending packet: from <gw_public_ip>[500] to <client_public_ip>[500] (288 bytes)
Aug 15 17:08:43 localhost charon: 09[NET] received packet: from <client_public_ip>[1033] to <gw_public_ip>[4500] (588 bytes)
Aug 15 17:08:43 localhost charon: 09[ENC] parsed IKE_AUTH request 1 [ EF(1/3) ]
Aug 15 17:08:43 localhost charon: 09[ENC] received fragment #1 of 3, waiting for complete IKE message
Aug 15 17:08:43 localhost charon: 10[NET] received packet: from <client_public_ip>[1033] to <gw_public_ip>[4500] (588 bytes)
Aug 15 17:08:43 localhost charon: 10[ENC] parsed IKE_AUTH request 1 [ EF(2/3) ]
Aug 15 17:08:43 localhost charon: 10[ENC] received fragment #2 of 3, waiting for complete IKE message
Aug 15 17:08:43 localhost charon: 11[NET] received packet: from <client_public_ip>[1033] to <gw_public_ip>[4500] (348 bytes)
Aug 15 17:08:43 localhost charon: 11[ENC] parsed IKE_AUTH request 1 [ EF(3/3) ]
Aug 15 17:08:43 localhost charon: 11[ENC] received fragment #3 of 3, reassembled fragmented IKE message (1336 bytes)
Aug 15 17:08:43 localhost charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV) SA TSi TSr ]
Aug 15 17:08:43 localhost charon: 11[IKE] received cert request for "C=US, O=xxx, CN=xxx CA" 
Aug 15 17:08:43 localhost charon: 11[IKE] received 51 cert requests for an unknown ca
Aug 15 17:08:43 localhost charon: 11[IKE] initiating EAP_IDENTITY method (id 0x00)
Aug 15 17:08:43 localhost charon: 11[IKE] peer supports MOBIKE
Aug 15 17:08:43 localhost charon: 11[IKE] authentication of 'CN=eu.xxx.net' (myself) with RSA signature successful
Aug 15 17:08:43 localhost charon: 11[IKE] sending end entity cert "CN=eu.xxx.net" 
Aug 15 17:08:43 localhost charon: 11[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Aug 15 17:08:43 localhost charon: 11[ENC] splitting IKE message (1720 bytes) into 2 fragments
Aug 15 17:08:43 localhost charon: 11[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Aug 15 17:08:43 localhost charon: 11[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Aug 15 17:08:43 localhost charon: 11[NET] sending packet: from <gw_public_ip>[4500] to <client_public_ip>[1033] (1244 bytes)
Aug 15 17:08:43 localhost charon: 11[NET] sending packet: from <gw_public_ip>[4500] to <client_public_ip>[1033] (556 bytes)
Aug 15 17:08:43 localhost charon: 12[NET] received packet: from <client_public_ip>[1033] to <gw_public_ip>[4500] (104 bytes)
Aug 15 17:08:43 localhost charon: 12[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Aug 15 17:08:43 localhost charon: 12[IKE] received EAP identity 'xxx'
Aug 15 17:08:43 localhost charon: 12[IKE] initiating EAP_TLS method (id 0x24)
Aug 15 17:08:43 localhost charon: 12[ENC] generating IKE_AUTH response 2 [ EAP/REQ/TLS ]
Aug 15 17:08:43 localhost charon: 12[NET] sending packet: from <gw_public_ip>[4500] to <client_public_ip>[1033] (88 bytes)
Aug 15 17:08:43 localhost charon: 13[NET] received packet: from <client_public_ip>[1033] to <gw_public_ip>[4500] (248 bytes)
Aug 15 17:08:43 localhost charon: 13[ENC] parsed IKE_AUTH request 3 [ EAP/RES/TLS ]
Aug 15 17:08:43 localhost charon: 13[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Aug 15 17:08:43 localhost charon: 13[TLS] sending TLS server certificate 'CN=eu.xxx.net'
Aug 15 17:08:43 localhost charon: 13[TLS] sending TLS cert request for 'C=US, O=xxx, CN=xxx CA'
Aug 15 17:08:43 localhost charon: 13[ENC] generating IKE_AUTH response 3 [ EAP/REQ/TLS ]
Aug 15 17:08:43 localhost charon: 13[NET] sending packet: from <gw_public_ip>[4500] to <client_public_ip>[1033] (1112 bytes)
Aug 15 17:08:43 localhost charon: 14[NET] received packet: from <client_public_ip>[1033] to <gw_public_ip>[4500] (88 bytes)
Aug 15 17:08:43 localhost charon: 14[ENC] parsed IKE_AUTH request 4 [ EAP/RES/TLS ]
Aug 15 17:08:43 localhost charon: 14[ENC] generating IKE_AUTH response 4 [ EAP/REQ/TLS ]
Aug 15 17:08:43 localhost charon: 14[NET] sending packet: from <gw_public_ip>[4500] to <client_public_ip>[1033] (904 bytes)
Aug 15 17:08:43 localhost charon: 15[NET] received packet: from <client_public_ip>[1033] to <gw_public_ip>[4500] (588 bytes)
Aug 15 17:08:43 localhost charon: 15[ENC] parsed IKE_AUTH request 5 [ EF(1/3) ]
Aug 15 17:08:43 localhost charon: 15[ENC] received fragment #1 of 3, waiting for complete IKE message
Aug 15 17:08:43 localhost charon: 06[NET] received packet: from <client_public_ip>[1033] to <gw_public_ip>[4500] (588 bytes)
Aug 15 17:08:43 localhost charon: 06[ENC] parsed IKE_AUTH request 5 [ EF(2/3) ]
Aug 15 17:08:43 localhost charon: 06[ENC] received fragment #2 of 3, waiting for complete IKE message
Aug 15 17:08:43 localhost charon: 16[NET] received packet: from <client_public_ip>[1033] to <gw_public_ip>[4500] (316 bytes)
Aug 15 17:08:43 localhost charon: 16[ENC] parsed IKE_AUTH request 5 [ EF(3/3) ]
Aug 15 17:08:43 localhost charon: 16[ENC] received fragment #3 of 3, reassembled fragmented IKE message (1304 bytes)
Aug 15 17:08:43 localhost charon: 16[ENC] parsed IKE_AUTH request 5 [ EAP/RES/TLS ]
Aug 15 17:08:43 localhost charon: 16[TLS] received TLS peer certificate 'CN=xxx'
Aug 15 17:08:43 localhost charon: 16[ENC] generating IKE_AUTH response 5 [ EAP/REQ/TLS ]
Aug 15 17:08:43 localhost charon: 16[NET] sending packet: from <gw_public_ip>[4500] to <client_public_ip>[1033] (168 bytes)
Aug 15 17:08:43 localhost charon: 05[NET] received packet: from <client_public_ip>[1033] to <gw_public_ip>[4500] (88 bytes)
Aug 15 17:08:43 localhost charon: 05[ENC] parsed IKE_AUTH request 6 [ EAP/RES/TLS ]
Aug 15 17:08:43 localhost charon: 05[IKE] EAP method EAP_TLS succeeded, MSK established
Aug 15 17:08:43 localhost charon: 05[ENC] generating IKE_AUTH response 6 [ EAP/SUCC ]
Aug 15 17:08:43 localhost charon: 05[NET] sending packet: from <gw_public_ip>[4500] to <client_public_ip>[1033] (88 bytes)
Aug 15 17:08:43 localhost charon: 07[NET] received packet: from <client_public_ip>[1033] to <gw_public_ip>[4500] (136 bytes)
Aug 15 17:08:43 localhost charon: 07[ENC] parsed IKE_AUTH request 7 [ AUTH ]
Aug 15 17:08:43 localhost charon: 07[IKE] authentication of '192.168.72.149' with EAP successful
Aug 15 17:08:43 localhost charon: 07[IKE] authentication of 'CN=eu.xxx.net' (myself) with EAP
Aug 15 17:08:43 localhost charon: 07[IKE] IKE_SA win7[1] established between <gw_public_ip>[CN=eu.xxx.net]...<client_public_ip>[192.168.72.149]
Aug 15 17:08:43 localhost charon: 07[IKE] peer requested virtual IP %any
Aug 15 17:08:43 localhost charon: 07[IKE] assigning virtual IP 10.0.0.1 to peer 'xxx'
Aug 15 17:08:43 localhost charon: 07[IKE] CHILD_SA win7{1} established with SPIs c50bf09c_i 6eacd63c_o and TS 0.0.0.0/0 === 10.0.0.1/32
Aug 15 17:08:43 localhost charon: 07[ENC] generating IKE_AUTH response 7 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) ]
Aug 15 17:08:43 localhost charon: 07[NET] sending packet: from <gw_public_ip>[4500] to <client_public_ip>[1033] (296 bytes)

History

#1 Updated by Tobias Brunner about 1 month ago

  • Status changed from New to Feedback

However, pinging the client's (virtual) IP times out. Is this even supposed to work?

Not sure. Did you check if the ICMP requests arrive on the client (e.g. via Wireshark)? Could be that Windows just doesn't like responding.

#2 Updated by Noel Kuntze about 1 month ago

IIRC Windows can't communicate to the IKE peer's IP over the tunnel. Try pinging from a private IP address that Windows will try to reach over the tunnel (add one to, e.g., lo and use ping -I <address>).
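
A check for the question raised in #1 (do the echo requests even reach the client?) and for verifying the ping -I workaround in #2, added here and not part of the ticket or of strongSwan: it compares the CHILD_SA packet counters of two `ipsec statusall` snapshots taken immediately before and after the ping, so that "the gateway never encrypted the requests" (a source-address or table 220 problem) can be told apart from "the requests went out through the tunnel and the client never answered". The two snapshots are constructed samples modelled on the statusall output above; the SA name, SPIs and counter values are illustrative.

```python
import ipaddress
import re

# Constructed sample (not the ticket's own output): the CHILD_SA lines of two
# `ipsec statusall` snapshots, taken before and after `ping -c 3 10.0.0.1`.
BEFORE = """\
        win7{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c50bf09c_i 6eacd63c_o
        win7{1}:  AES_CBC_256/HMAC_SHA2_256_128, 149373 bytes_i (1281 pkts, 0s ago), 214919 bytes_o (1042 pkts, 0s ago), rekeying disabled
        win7{1}:   0.0.0.0/0 === 10.0.0.1/32
"""
AFTER = """\
        win7{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c50bf09c_i 6eacd63c_o
        win7{1}:  AES_CBC_256/HMAC_SHA2_256_128, 149373 bytes_i (1281 pkts, 5s ago), 215171 bytes_o (1045 pkts, 0s ago), rekeying disabled
        win7{1}:   0.0.0.0/0 === 10.0.0.1/32
"""

# "<conn>{<id>}: ... N bytes_i (P pkts, ...), M bytes_o (Q pkts, ...)"
COUNTERS = re.compile(r"^\s*(\S+\{\d+\}):.*?bytes_i \((\d+) pkts.*?bytes_o \((\d+) pkts")
# "<conn>{<id>}:   <local TS> === <remote TS>"
SELECTORS = re.compile(r"^\s*(\S+\{\d+\}):\s+(\S+) === (\S+)\s*$")


def parse_child_sas(snapshot):
    """Map each CHILD_SA name to its packet counters and traffic selectors."""
    sas = {}
    for line in snapshot.splitlines():
        m = COUNTERS.match(line)
        if m:
            sas.setdefault(m.group(1), {}).update(pkts_i=int(m.group(2)), pkts_o=int(m.group(3)))
            continue
        m = SELECTORS.match(line)
        if m:
            sas.setdefault(m.group(1), {}).update(local_ts=m.group(2), remote_ts=m.group(3))
    return sas


def diagnose(before, after, target, sent):
    """Classify a failed ping to `target` from the counter deltas of the CHILD_SA
    whose remote traffic selector covers it: were the `sent` echo requests
    encrypted at all, and did anything come back through the tunnel?"""
    old, new = parse_child_sas(before), parse_child_sas(after)
    for name, sa in new.items():
        if "remote_ts" in sa and ipaddress.ip_address(target) in ipaddress.ip_network(sa["remote_ts"], strict=False):
            prev = old.get(name, {"pkts_i": 0, "pkts_o": 0})  # a rekeyed SA starts from zero
            delta_o, delta_i = sa["pkts_o"] - prev["pkts_o"], sa["pkts_i"] - prev["pkts_i"]
            if delta_o < sent:
                return "not tunnelled: requests never matched the IPsec policy (check source address / table 220)"
            if delta_i == 0:
                return "tunnelled, no reply: requests were encrypted, the client did not answer"
            return "tunnelled, reply received"
    return "no CHILD_SA covers target"
```

Run it with the real snapshots captured around `ping -W 3 -c 3 10.0.0.1` and again around `ping -I <private_gw_ip> -c 3 10.0.0.1`; the first should report "tunnelled, no reply" and the second "reply received" if the workaround from #2 applies.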

#3 Updated by Marc Fisher about 1 month ago

Noel Kuntze wrote:

IIRC Windows can't communicate to the IKE peer's IP over the tunnel. Try pinging from a private IP address that Windows will try to reach over the tunnel.

Yes, this seems to be the case. Using another (private) IP for the gateway worked.

I tried to use split tunneling to make Windows understand that the GW's public IP is a "peer", but it also failed. Using a private IP is fine, though, for my scenario.

Thanks guys!

#4 Updated by Noel Kuntze about 1 month ago

  • Category set to configuration
  • Status changed from Feedback to Closed
  • Assignee set to Noel Kuntze
  • Resolution set to No change required
