Issue #3489

IPsec site-2-site problem in one way

Added by Javier Gonzalez about 2 months ago. Updated about 2 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
-
Category:
-
Affected version:
5.2.1
Resolution:

Description

Hi, I'm trying to configure a site-2-site VPN with strongSwan, like this:

config setup
        charondebug="all" 
        uniqueids=yes
        strictcrlpolicy=no

# connection to Arcanos
conn Cloud-to-Site
        type=tunnel
        authby=secret
        left=IP strongswan
        leftid=IP strongswan
        leftsubnet=lan strongswan
        leftauth=psk
        right=IP FG
        rightid=IP FW
        rightsubnet=lan FG
        rightauth=psk
        keyexchange=ikev2
        ike=3des-md5-modp1024
        esp=3des-md5
        keyingtries=0
        ikelifetime=28800s
        #rekeymargin=3600s
        lifetime=8h
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        auto=start

One site is a Debian host with strongSwan in the cloud and the other site is a Fortigate firewall.

When I configure it and the secret too, with ipsec statusall I see:

Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.16.0-11-amd64, x86_64):
  uptime: 2 hours, since Jun 22 14:24:11 2020
  malloc: sbrk 1744896, mmap 0, used 647008, free 1097888
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon test-vectors ldap pkcs11 aes rc2 sha1 sha2 md5 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default stroke updown
Listening IP addresses:
  IP StrongSwan
  Lan strongswan
Connections:
Cloud-to-Arcanos:  IP strongswan...IP FG  IKEv2, dpddelay=30s
Cloud-to-Arcanos:   local:  [IP strongswan] uses pre-shared key authentication
Cloud-to-Arcanos:   remote: [IP FG] uses pre-shared key authentication
Cloud-to-Arcanos:   child:  lan strongswan === Lan FG TUNNEL, dpdaction=restart
Security Associations (2 up, 0 connecting):
Cloud-to-Arcanos[2]: ESTABLISHED 2 hours ago, IP strongswan[IP strongswan]...IP FG[IP FG]
Cloud-to-Arcanos[2]: IKEv2 SPIs: 9f3893b9ab8401bb_i fb0c55639b9afc38_r*, pre-shared key reauthentication in 5 hours
Cloud-to-Arcanos[2]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Cloud-to-Arcanos{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: ca0bc4c8_i 87c514cd_o
Cloud-to-Arcanos{1}:  3DES_CBC/HMAC_MD5_96, 0 bytes_i, 0 bytes_o, rekeying in 6 hours
Cloud-to-Arcanos{1}:   LAN Strongswan === LAN FG
Cloud-to-Arcanos[1]: CONNECTING, IP strongswan[IP strongswan]...IP FG[IP FG]
Cloud-to-Arcanos[1]: IKEv2 SPIs: 8d0a6dfea955ba84_i* 15920d10d0634e9b_r
Cloud-to-Arcanos[1]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Cloud-to-Arcanos[1]: Tasks active: IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE

And when I execute ipsec up Cloud-to-Site:

generating CREATE_CHILD_SA request 318 [ SA No TSi TSr ]
sending packet: from IP Strongswan[4500] to IP FG[50190] (284 bytes)
received packet: from IP FG[50190] to IP Strongswan[4500] (164 bytes)
parsed CREATE_CHILD_SA response 318 [ SA No TSi TSr ]
unable to install policy Lan Strongswan === Lan FG out (mark 0/0x00000000) for reqid 54, the same policy for reqid 1 exists
unable to install policy LAN FG === Lan strongswan in (mark 0/0x00000000) for reqid 54, the same policy for reqid 1 exists
unable to install policy LAN FG === Lan Strongswan fwd (mark 0/0x00000000) for reqid 54, the same policy for reqid 1 exists
unable to install policy Lan Strongswan === LAN FG out (mark 0/0x00000000) for reqid 54, the same policy for reqid 1 exists
unable to install policy LAN FG === Lan Strongswan in (mark 0/0x00000000) for reqid 54, the same policy for reqid 1 exists
unable to install policy Lan FG === Lan strongswan fwd (mark 0/0x00000000) for reqid 54, the same policy for reqid 1 exists
unable to install IPsec policies (SPD) in kernel
failed to establish CHILD_SA, keeping IKE_SA
sending DELETE for ESP CHILD_SA with SPI c8144bfa
generating INFORMATIONAL request 319 [ D ]
sending packet: from IP Strongswan[4500] to IP FG[50190] (68 bytes)
received packet: from IP FG[50190] to IP Strongswan[4500] (68 bytes)
parsed INFORMATIONAL response 319 [ D ]
deleting policy Lan strongswan === LAn FG out failed, not found
deleting policy Lan FG === Lan strongswan in failed, not found
deleting policy Lan FG === Lan Strongswan fwd failed, not found
deleting policy Lan strongswan === Lan FG out failed, not found
deleting policy Lan FG === Lan strongswan in failed, not found
deleting policy Lan FG === Lan stronswan fwd failed, not found
establishing connection 'Cloud-to-Site' failed

In my iptables I have authorized everything from my IP FG, and in the NAT table:

MASQUERADE all -- LAN FG LAN Strongswan

From FG I can ping my strongSwan, but from strongSwan I cannot ping.

What am I doing wrong?
Thanks
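The statusall output above shows two IKE_SAs to the same peer (one ESTABLISHED, one CONNECTING), and the charon log shows the kernel refusing to install SPD policies for reqid 54 because reqid 1 already owns the same selectors. The following script, added here as an example and not part of strongSwan or the original post, parses both kinds of lines so the two symptoms can be spotted automatically; the sample text is copied from the issue with the redacted "IP ..." / "Lan ..." placeholders replaced by constructed RFC 5737 and RFC 1918 addresses.

```python
"""Flag duplicate IKE_SAs in `ipsec statusall` output and failed SPD policy
installs in the charon log.  Example code written for this page; the sample
lines below are constructed from the issue with placeholder addresses."""
import re
from collections import defaultdict

# Constructed sample: the same connection has SA [2] ESTABLISHED and SA [1]
# still CONNECTING, exactly the shape shown in the issue.
STATUSALL = """\
Cloud-to-Arcanos[2]: ESTABLISHED 2 hours ago, 198.51.100.10[198.51.100.10]...203.0.113.20[203.0.113.20]
Cloud-to-Arcanos[2]: IKEv2 SPIs: 9f3893b9ab8401bb_i fb0c55639b9afc38_r*, pre-shared key reauthentication in 5 hours
Cloud-to-Arcanos{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: ca0bc4c8_i 87c514cd_o
Cloud-to-Arcanos[1]: CONNECTING, 198.51.100.10[198.51.100.10]...203.0.113.20[203.0.113.20]
Cloud-to-Arcanos[1]: IKEv2 SPIs: 8d0a6dfea955ba84_i* 15920d10d0634e9b_r
"""

# Constructed sample of the charon lines logged by `ipsec up`.
CHARON_LOG = """\
unable to install policy 10.0.0.0/24 === 192.168.1.0/24 out (mark 0/0x00000000) for reqid 54, the same policy for reqid 1 exists
unable to install policy 192.168.1.0/24 === 10.0.0.0/24 in (mark 0/0x00000000) for reqid 54, the same policy for reqid 1 exists
unable to install policy 192.168.1.0/24 === 10.0.0.0/24 fwd (mark 0/0x00000000) for reqid 54, the same policy for reqid 1 exists
unable to install IPsec policies (SPD) in kernel
failed to establish CHILD_SA, keeping IKE_SA
"""

# "<conn>[<id>]: <STATE> ..., <local>[<local-id>]...<peer>[<peer-id>]"
IKE_SA_RE = re.compile(
    r"^(?P<conn>[\w-]+)\[(?P<id>\d+)\]: (?P<state>ESTABLISHED|CONNECTING)"
    r".*?\.\.\.(?P<peer>[\d.]+)\["
)
# "unable to install policy <src> === <dst> <dir> ... for reqid N, the same policy for reqid M exists"
POLICY_RE = re.compile(
    r"^unable to install policy (?P<src>\S+) === (?P<dst>\S+) (?P<dir>out|in|fwd) "
    r".*for reqid (?P<new>\d+), the same policy for reqid (?P<old>\d+) exists"
)


def duplicate_ike_sas(status_text):
    """Return {(conn, peer): [(sa_id, state), ...]} for peers that have more than one IKE_SA."""
    sas = defaultdict(list)
    for line in status_text.splitlines():
        m = IKE_SA_RE.match(line)
        if m:
            sas[(m["conn"], m["peer"])].append((int(m["id"]), m["state"]))
    return {k: v for k, v in sas.items() if len(v) > 1}


def policy_conflicts(log_text):
    """Return a list of (src, dst, direction, new_reqid, existing_reqid) for each failed install."""
    found = []
    for line in log_text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            found.append((m["src"], m["dst"], m["dir"], int(m["new"]), int(m["old"])))
    return found


def diagnose(status_text, log_text):
    """Human-readable findings combining both checks."""
    findings = []
    for (conn, peer), sas in duplicate_ike_sas(status_text).items():
        states = ", ".join(f"[{sa_id}] {state}" for sa_id, state in sorted(sas))
        findings.append(f"{conn}: {len(sas)} IKE_SAs to {peer} ({states}); "
                        "check for simultaneous initiation from both sides")
    for new, old in sorted({(new, old) for *_, new, old in policy_conflicts(log_text)}):
        findings.append(f"SPD conflict: reqid {new} could not install policies already owned by reqid {old}")
    return findings


if __name__ == "__main__":
    for f in diagnose(STATUSALL, CHARON_LOG):
        print(f)
```

Both findings point at the same root cause Tobias names in the first reply: two SAs for one peer and reqid allocation in 5.2.1; on a release from 5.3.0 onwards the duplicate negotiation is handled and the second finding should not appear.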

History

#1 Updated by Tobias Brunner about 2 months ago

  • Description updated (diff)
  • Status changed from New to Feedback

That version is 6 years old. Please use a newer release. (The particular reqid issue when negotiating duplicate SAs has been fixed with 5.3.0.)

If you later have problem with your NAT, see ForwardingAndSplitTunneling.

#2 Updated by Javier Gonzalez about 2 months ago

Hi Tobias, thanks for answering me.

Yes, I've tested with the 5.7.0 version and it works, but two questions:

I'm using Debian 8, so I can only install 5.2.1 with apt; could I install any newer version?

And with 5.7.0 ping works, but no service like SSH or HTTP in one direction.

Server strongSwan to FG can access everything in FG.
FG can only access ping on strongSwan.

In my iptables I have this:

-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:10400 -j ACCEPT
-A INPUT -s IP FG -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT

iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             policy match dir out pol ipsec
MASQUERADE  all  --  LAN FG      LAN Strongswan

Do I have to do anything else to be able to access all services from FG to strongSwan?

Thanks

#3 Updated by Tobias Brunner about 2 months ago

I'm using Debian 8, so I can only install 5.2.1 with apt; could I install any newer version?

Probably, but note that you shouldn't use Debian 8 anymore (even its long term support ends next week, see here).

Do I have to do anything else to be able to access all services from FG to strongSwan?

Maybe read ForwardingAndSplitTunneling and then debug where packets actually end up (using packet counters, captures etc.).

#4 Updated by Javier Gonzalez about 2 months ago

    I'm using Debian 8, so I can only install 5.2.1 with apt; could I install any newer version?

Probably, but note that you shouldn't use Debian 8 anymore (even its long term support ends next week, see here).

I know, but this machine has many things inside and I cannot change it now; I'll do it later.

    Do I have to do anything else to be able to access all services from FG to strongSwan?

Maybe read ForwardingAndSplitTunneling and then debug where packets actually end up (using packet counters, captures etc.).

Thanks, I needed to configure NAT rules, and now it works.

Thanks for all
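Tobias's advice in #3 is to find out where the packets actually end up. One thing worth checking against the INPUT chain posted in #2 is that traffic decrypted from the tunnel is evaluated with its inner source address (a host on the Fortigate's LAN), not the Fortigate's outer address, so `-A INPUT -s IP FG -j ACCEPT` does not match it, while `-A INPUT -p icmp -j ACCEPT` lets ping through; that alone would produce the "only ping works from FG" symptom. The script below, added here as an illustration and not taken from the issue or from strongSwan, walks that chain with a minimal rule evaluator and then adds an assumed rule using the iptables `policy` match (`-m policy --dir in --pol ipsec`, the same module the posted POSTROUTING chain already uses) scoped to the peer's LAN. Addresses are constructed placeholders: FG_PUBLIC stands in for "IP FG" and FG_LAN for "LAN FG".

```python
"""Evaluate decrypted tunnel packets against the INPUT chain from comment #2.
Example code written for this page; it is not part of strongSwan and does not
reproduce the issue author's final configuration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

FG_PUBLIC = ip_network("203.0.113.20/32")  # constructed stand-in for "IP FG"
FG_LAN = ip_network("192.168.1.0/24")      # constructed stand-in for "LAN FG"


@dataclass
class Packet:
    src: str
    proto: str             # "tcp", "udp" or "icmp"
    dport: int = 0
    iface: str = "eth0"
    state: str = "NEW"     # conntrack state of this packet
    ipsec: bool = False    # True if the packet was decapsulated from an IPsec SA


@dataclass
class Rule:
    """One iptables rule; None means the match is not used."""
    target: str
    src: object = None     # ip_network, like -s
    proto: str = None      # -p
    dport: range = None    # --dport (range covers x:y syntax)
    iface: str = None      # -i, with "tun+" style wildcards
    states: set = None     # -m state --state
    pol_ipsec: bool = None # -m policy --dir in --pol ipsec

    def _iface_ok(self, p):
        if self.iface is None:
            return True
        if self.iface.endswith("+"):
            return p.iface.startswith(self.iface[:-1])
        return p.iface == self.iface

    def matches(self, p):
        return all([
            self.src is None or ip_address(p.src) in self.src,
            self.proto is None or p.proto == self.proto,
            self.dport is None or p.dport in self.dport,
            self._iface_ok(p),
            self.states is None or p.state in self.states,
            self.pol_ipsec is None or p.ipsec == self.pol_ipsec,
        ])


def verdict(chain, policy, p):
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


# The INPUT chain exactly as posted in comment #2 (policy DROP).
INPUT_AS_POSTED = [
    Rule("ACCEPT", states={"RELATED", "ESTABLISHED"}),
    Rule("ACCEPT", proto="icmp"),
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", iface="eth0", states={"RELATED", "ESTABLISHED"}),
    Rule("ACCEPT", iface="eth0", proto="tcp", states={"NEW"}, dport=range(1194, 1195)),
    Rule("ACCEPT", iface="tun+"),
    Rule("ACCEPT", proto="udp", dport=range(10000, 10401)),
    Rule("ACCEPT", src=FG_PUBLIC),
]

# Assumed addition: accept only what was decrypted from the tunnel and comes from the peer's LAN.
INPUT_WITH_IPSEC_RULE = INPUT_AS_POSTED + [Rule("ACCEPT", src=FG_LAN, pol_ipsec=True)]


def check(chain):
    """Verdicts for an ICMP echo and a TCP/22 SYN from a host on the FG LAN, both decrypted from the tunnel."""
    ping = Packet(src="192.168.1.50", proto="icmp", ipsec=True)
    ssh = Packet(src="192.168.1.50", proto="tcp", dport=22, ipsec=True)
    return verdict(chain, "DROP", ping), verdict(chain, "DROP", ssh)


if __name__ == "__main__":
    print("as posted (ping, ssh):", check(INPUT_AS_POSTED))
    print("with ipsec rule (ping, ssh):", check(INPUT_WITH_IPSEC_RULE))
```

Running it gives ("ACCEPT", "DROP") for the posted chain and ("ACCEPT", "ACCEPT") once the policy-match rule is present. Scoping that rule to `-s LAN FG` together with `--pol ipsec` keeps the DROP policy meaningful: plaintext packets spoofing the FG LAN addresses on eth0 still fall through to DROP, because they never carried an IPsec policy.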

#5 Updated by Javier Gonzalez about 2 months ago

I've updated to version 5.7.4, and it installed with no issues.
But when I try to start a connection with ipsec up conn_name, it tells me:

no config name conn_name

And in /etc/ipsec.conf I have the connection.

With this version, is a link or include needed to use ipsec.conf?

Thanks

#6 Updated by Tobias Brunner about 2 months ago

But when I try to start a connection with ipsec up conn_name, it tells me:

no config name conn_name

And in /etc/ipsec.conf I have the connection.

Read the logs, maybe your config is invalid and is not loaded.
