Issue #3353

Amazon AWS connection using Strongswan

Added by Ramesh Subrahmaniam 5 months ago. Updated 5 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
-
Category:
configuration
Affected version:
5.8.2
Resolution:

Description

Hi

I am trying to set up an IPsec IKEv1 tunnel and I am having issues sending traffic.

(strongSwan 5.7.2, Linux 5.3.0-40-generic, x86_64):
uptime: 9 hours, since Mar 02 01:15:28 2020
malloc: sbrk 2703360, mmap 0, used 1208080, free 1495280
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 11
loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Listening IP addresses:
192.168.1.248
10.200.10.1
169.254.121.54
Connections:
Tunnel1: %any...18.216.86.166 IKEv1, dpddelay=10s
Tunnel1: local: [10.200.10.1] uses pre-shared key authentication
Tunnel1: remote: [18.216.86.166] uses pre-shared key authentication
Tunnel1: child: 0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart
Tunnel2: %any...18.224.216.0 IKEv1, dpddelay=10s
Tunnel2: local: [10.200.10.2] uses pre-shared key authentication
Tunnel2: remote: [18.224.216.0] uses pre-shared key authentication
Tunnel2: child: 0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart
Security Associations (2 up, 0 connecting):
Tunnel24: ESTABLISHED 2 hours ago, 192.168.1.248[10.200.10.2]...18.224.216.0[18.224.216.0]
Tunnel24: IKEv1 SPIs: e8ac8a187bb60a1a_i* 25fc8baec70ab970_r, pre-shared key reauthentication in 5 hours
Tunnel24: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Tunnel2{25}: REKEYED, TUNNEL, reqid 1, expires in 49 seconds
Tunnel2{25}: 0.0.0.0/0 === 0.0.0.0/0
Tunnel2{27}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c70ae4e7_i 096efe8f_o
Tunnel2{27}: AES_CBC_128/HMAC_SHA1_96/MODP_1024, 0 bytes_i, 0 bytes_o, rekeying in 33 minutes
Tunnel2{27}: 0.0.0.0/0 === 0.0.0.0/0
Tunnel13: ESTABLISHED 2 hours ago, 192.168.1.248[10.200.10.1]...18.216.86.166[18.216.86.166]
Tunnel13: IKEv1 SPIs: 415e1b3cd77a5e7a_i* 3fb95b3b7ae9e350_r, pre-shared key reauthentication in 5 hours
Tunnel13: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Tunnel1{26}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: cf6586ab_i cf8ec9a9_o
Tunnel1{26}: AES_CBC_128/HMAC_SHA1_96/MODP_1024, 0 bytes_i, 0 bytes_o (0 pkts, 61s ago), rekeying in 5 minutes
Tunnel1{26}: 0.0.0.0/0 === 0.0.0.0/0

I notice that the tunnels are up. Please let me know if they are not. I am not able to ping the AWS instances from the local network. I see something that I am worried about and I want to start looking somewhere.
ifconfig Tunnel1
Tunnel1: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 1419
inet 169.254.121.54 netmask 255.255.255.252 destination 169.254.121.53
inet6 fe80::5efe:ac8:a01 prefixlen 64 scopeid 0x20<link>
tunnel txqueuelen 1000 (IPIP Tunnel)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 1315 dropped 0 overruns 0 carrier 1315 collisions 0
^^^ ^^^
And then I did:
ip -s tunnel show Tunnel1
Tunnel1: ip/ip remote 18.216.86.166 local 10.200.10.1 ttl inherit key 100
RX: Packets Bytes Errors CsumErrs OutOfSeq Mcasts
0 0 0 0 0 0
TX: Packets Bytes Errors DeadLoop NoRoute NoBufs
0 0 1319 0 1319 0

^^
default via 192.168.1.1 dev enp3s0 metric 100
default via 10.200.10.1 dev br0 metric 101
10.200.10.0/24 via 10.200.10.1 dev br0 metric 100
10.200.10.1 via 192.168.1.248 dev enp3s0 metric 100
169.254.0.0/16 dev enp3s0 scope link metric 1000
169.254.121.52/30 dev Tunnel1 proto kernel scope link src 169.254.121.54
172.31.16.0/20 dev Tunnel1 scope link metric 100
192.168.1.0/24 via 192.168.1.248 dev enp3s0 metric 100

172.31.26.243 is the address that I am trying to ping.

What is the problem here? What does NoRoute indicate? No route to the destination, or something else?

Do you want to see anything else? Please help.

Thanks
Ramesh

Attachment: Logs (14.1 KB), Ramesh Subrahmaniam, 10.03.2020 05:25
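Added example, not part of this issue or of strongSwan itself: a small Python checker that parses excerpts of the ipsec statusall and ip -s tunnel show output quoted above and flags the two symptoms visible in them, CHILD_SAs that are INSTALLED but have moved 0 bytes in either direction, and tunnel interfaces whose TX NoRoute counter is non-zero. The NoRoute column of ip -s tunnel show is the interface's tx_carrier_errors counter, the same value ifconfig prints as "carrier" (1315 in the ifconfig output above, 1319 in the ip output taken slightly later); the kernel's tunnel transmit path increments it when the route lookup for the encapsulating outer packet (local 10.200.10.1 to remote 18.216.86.166 here) fails, so it says nothing about the inner destination 172.31.26.243. The Tunnel3 entries in the sample data are constructed to show an SA and interface that are not flagged; everything else is copied from the issue.

```python
"""Flag idle CHILD_SAs and tunnel interfaces with outer-route failures.

Added diagnostic example; it reads text captured from `ipsec statusall`
and `ip -s tunnel show` rather than talking to the daemon or the kernel.
"""
import re
from dataclasses import dataclass, field

# Excerpt copied from the issue, plus constructed Tunnel3 lines as a healthy control.
STATUSALL = """\
Tunnel2{25}: REKEYED, TUNNEL, reqid 1, expires in 49 seconds
Tunnel2{25}: 0.0.0.0/0 === 0.0.0.0/0
Tunnel2{27}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c70ae4e7_i 096efe8f_o
Tunnel2{27}: AES_CBC_128/HMAC_SHA1_96/MODP_1024, 0 bytes_i, 0 bytes_o, rekeying in 33 minutes
Tunnel2{27}: 0.0.0.0/0 === 0.0.0.0/0
Tunnel1{26}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: cf6586ab_i cf8ec9a9_o
Tunnel1{26}: AES_CBC_128/HMAC_SHA1_96/MODP_1024, 0 bytes_i, 0 bytes_o (0 pkts, 61s ago), rekeying in 5 minutes
Tunnel1{26}: 0.0.0.0/0 === 0.0.0.0/0
Tunnel3{30}: INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: 0a0b0c0d_i 01020304_o
Tunnel3{30}: AES_CBC_128/HMAC_SHA1_96/MODP_1024, 4120 bytes_i (40 pkts, 3s ago), 3880 bytes_o (40 pkts, 3s ago), rekeying in 40 minutes
Tunnel3{30}: 0.0.0.0/0 === 0.0.0.0/0
"""

# `ip -s tunnel show` as quoted in the issue; Tunnel3 block is constructed.
TUNNEL_STATS = """\
Tunnel1: ip/ip remote 18.216.86.166 local 10.200.10.1 ttl inherit key 100
RX: Packets Bytes Errors CsumErrs OutOfSeq Mcasts
0 0 0 0 0 0
TX: Packets Bytes Errors DeadLoop NoRoute NoBufs
0 0 1319 0 1319 0
Tunnel3: ip/ip remote 198.51.100.7 local 10.200.10.3 ttl inherit key 300
RX: Packets Bytes Errors CsumErrs OutOfSeq Mcasts
40 4120 0 0 0 0
TX: Packets Bytes Errors DeadLoop NoRoute NoBufs
40 3880 0 0 0 0
"""


@dataclass
class ChildSa:
    name: str       # connection name, e.g. "Tunnel1"
    uid: int        # CHILD_SA unique id, the number in braces
    state: str      # INSTALLED, REKEYED, ...
    bytes_in: int = 0
    bytes_out: int = 0


@dataclass
class TunnelStats:
    name: str
    mode: str       # "ip/ip", "ip/ip6", ... as printed by ip(8)
    remote: str
    local: str
    tx: dict = field(default_factory=dict)  # column name -> counter


# "Tunnel2{27}: INSTALLED, TUNNEL, ..." (first line of a CHILD_SA entry)
SA_HEADER = re.compile(r"^(?P<name>[^{\s]+)\{(?P<uid>\d+)\}: (?P<state>[A-Z]+),")
# "...: AES_CBC_128/..., 0 bytes_i, 0 bytes_o (0 pkts, 61s ago), ..." (traffic line)
SA_TRAFFIC = re.compile(
    r"^(?P<name>[^{\s]+)\{(?P<uid>\d+)\}: .*?(?P<bi>\d+) bytes_i(?: \([^)]*\))?, "
    r"(?P<bo>\d+) bytes_o"
)
# "Tunnel1: ip/ip remote 18.216.86.166 local 10.200.10.1 ..."
TUN_HEADER = re.compile(r"^(?P<name>\S+): (?P<mode>\S+) remote (?P<remote>\S+) local (?P<local>\S+)")


def parse_statusall(text):
    """Collect CHILD_SAs (keyed by name and unique id) with their byte counters."""
    sas = {}
    for line in text.splitlines():
        m = SA_HEADER.match(line)
        if m:
            key = (m["name"], int(m["uid"]))
            sas[key] = ChildSa(m["name"], int(m["uid"]), m["state"])
            continue
        m = SA_TRAFFIC.match(line)
        if m:
            sa = sas.get((m["name"], int(m["uid"])))
            if sa is not None:
                sa.bytes_in, sa.bytes_out = int(m["bi"]), int(m["bo"])
    return list(sas.values())


def parse_tunnel_stats(text):
    """Pair each 'TX:' header row with the numeric row that follows it."""
    tunnels, current = [], None
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        m = TUN_HEADER.match(lines[i])
        if m:
            current = TunnelStats(m["name"], m["mode"], m["remote"], m["local"])
            tunnels.append(current)
        elif lines[i].startswith("TX:") and current is not None and i + 1 < len(lines):
            cols = lines[i].split()[1:]
            vals = [int(v) for v in lines[i + 1].split()]
            current.tx = dict(zip(cols, vals))
            i += 1  # skip the numeric row we just consumed
        i += 1
    return tunnels


def diagnose(statusall, tunnel_stats):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    for sa in parse_statusall(statusall):
        if sa.state == "INSTALLED" and sa.bytes_in == 0 and sa.bytes_out == 0:
            findings.append(f"{sa.name}{{{sa.uid}}}: CHILD_SA is installed but has "
                            "carried no traffic in either direction")
    for t in parse_tunnel_stats(tunnel_stats):
        noroute = t.tx.get("NoRoute", 0)
        if noroute:
            # NoRoute == tx_carrier_errors: the outer (encapsulating) packet had no route.
            findings.append(f"{t.name} ({t.mode} {t.local}->{t.remote}): {noroute} of "
                            f"{t.tx.get('Errors', 0)} TX errors were NoRoute, i.e. the "
                            "kernel found no route for the outer packet toward the remote")
    return findings


if __name__ == "__main__":
    for finding in diagnose(STATUSALL, TUNNEL_STATS):
        print(finding)
```

On the data from this issue the checker reports both INSTALLED CHILD_SAs as idle and Tunnel1 as failing on the outer route; the constructed Tunnel3 produces no finding. Because the SAs are policy-based (0.0.0.0/0 === 0.0.0.0/0) while the counters come from a separate ip/ip interface, the two views have to be read together: an SA can be perfectly healthy at the IKE level and still never see a packet if the interface in front of it cannot transmit.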

History

#1 Updated by Noel Kuntze 5 months ago

  • Category set to configuration
  • Status changed from New to Feedback

Please follow the HelpRequests article.

#2 Updated by Edvinas Kaikaris 5 months ago

Noel Kuntze wrote:

Please follow the HelpRequests article.

Hello, I got the same problem.

#3 Updated by Ramesh Subrahmaniam 5 months ago

Hi Noel

Thanks for pointing me to the help pages. I did look through the documents, including Intro Strongswan, Forwarding and Split Tunneling etc., but I am failing to understand why I am not able to get the traffic through the tunnels. My issue is that after spending some time I have come to the conclusion that the tunnel is UP but I'm not able to pass traffic (including pings). The issue is at my end. I think the xfrm policies are not set up right? Any pointers for me to debug will help.

I have attached all the information that you require. If you require anything else please let me know and I'll be happy to provide. Here is the scenario which is not working:

AWS VPGW                       NAT/HOME RTR FORWARDS IPSEC (500, 4500)           Customer GW (Running Strongswan here)
========                       ======================================            =====================================
34.206.163.30 ---------------- 173.79.212.211 | NAT | 192.168.1.0/24 ----------- enp3s0 (192.168.1.248)
                                                                                 enp4s0 (10.200.10.0/24)

The tunnels are up between 34.206.163.30 and 192.168.1.248, and between 34.231.36.148 and 192.168.1.248.
I run a ping by doing: ping -I Tunnel1 10.0.1.159, where 10.0.1.159 is the IP of an instance that I have in AWS and am trying to reach.
Let me know what else I can provide.
Thanks
Ramesh

#4 Updated by Ramesh Subrahmaniam 5 months ago

Please close this issue. I got it to work.

Thanks
Ramesh

#5 Updated by Edvinas Kaikaris 5 months ago

Ramesh Subrahmaniam wrote:

Please close this issue. I got it to work.

Thanks
Ramesh

Hello,

Could you share your configuration? Thanks

#6 Updated by Ramesh Subrahmaniam 5 months ago

Edvinas Kaikaris wrote:

Ramesh Subrahmaniam wrote:

Please close this issue. I got it to work.

Thanks
Ramesh

Hello,

Could you share your configuration? Thanks

Hello Edvinas

Share your email with me and I'll help you as much as I can.

Thanks
Ramesh