Issue #3594

How to see the traffic at ESP in UDP SPIs and forwarding rule

Added by Dhody Rahmad Hidayat about 1 month ago. Updated about 1 month ago.

Status: Feedback
Priority: Normal
Category: configuration
Affected version: 5.7.2
Resolution:
Description

Hi, I'm new to this area. I tried to configure a strongSwan site-to-site tunnel between two CentOS 7 hosts (in different regions) on Google Cloud Platform (IKEv2). I've followed these guides:

1. https://blog.ruanbekker.com/blog/2018/02/11/setup-a-site-to-site-ipsec-vpn-with-strongswan-and-preshared-key-authentication/
2. https://www.tecmint.com/setup-ipsec-vpn-with-strongswan-on-centos-rhel-8/
3. https://medium.com/@georgeswizzalonge/how-to-setup-a-site-to-site-vpn-connection-with-strongswan-32d4ed034ae2

ipsec.conf on site A:

config setup
    charondebug="all"
    strictcrlpolicy=no
    uniqueids = yes

conn sg-to-jkt
    authby=secret
    left=%defaultroute
    leftid=35.247.152.222
    leftsubnet=10.148.0.30/24
    right=34.101.153.166
    rightsubnet=10.184.0.2/24
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start

ipsec.conf on site B:

config setup
    charondebug="all"
    strictcrlpolicy=no
    uniqueids = yes

conn jkt-to-sg
    authby=secret
    left=%defaultroute
    leftid=35.247.152.222
    leftsubnet=10.148.0.30/24
    right=34.101.153.166
    rightsubnet=10.184.0.2/24
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start

strongswan status on site A:
sg-to-jkt[1]: ESTABLISHED 62 seconds ago, 10.148.0.30[35.247.152.222]...34.101.153.166[34.101.153.166]
sg-to-jkt{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c8631a9d_i c183e820_o
sg-to-jkt{1}: 10.148.0.0/24 === 10.184.0.0/24

strongswan status on site B:
jkt-to-sg[3]: ESTABLISHED 120 seconds ago, 10.184.0.2[34.101.153.166]...35.247.152.222[35.247.152.222]
jkt-to-sg{2}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c183e820_i c8631a9d_o
jkt-to-sg{2}: 10.184.0.0/24 === 10.148.0.0/24

Ping and other traffic work fine.

My questions are:
1. Many instructions show a tunnel status with "ESP SPIs" and say the encrypted data can be checked with tcpdump. So how do I check the encrypted data when the status shows "ESP in UDP SPIs"? And how do I test whether the configuration is set up correctly?
2. I've followed the instructions about the forwarding rule. As far as I can tell from many questions, iptables -L returns some IPs in the forwarding rule, but mine does not. It just shows:

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
FORWARD_direct all -- anywhere anywhere
FORWARD_IN_ZONES_SOURCE all -- anywhere anywhere
FORWARD_IN_ZONES all -- anywhere anywhere
FORWARD_OUT_ZONES_SOURCE all -- anywhere anywhere
FORWARD_OUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibit

Did I miss something?

History

#1 Updated by Tobias Brunner about 1 month ago

  • Status changed from New to Feedback

I don't really understand the question, but maybe read FAQ and CorrectTrafficDump.

#2 Updated by Dhody Rahmad Hidayat about 1 month ago

Tobias Brunner wrote:

I don't really understand the question, but maybe read FAQ and CorrectTrafficDump.

Sorry for the bad questions. I tried to find the traffic of the encrypted packets, but I don't know what to dump. The status gives "INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs:". How can I dump ESP in UDP SPIs?

#3 Updated by Dhody Rahmad Hidayat about 1 month ago

Tobias Brunner wrote:

I don't really understand the question, but maybe read FAQ and CorrectTrafficDump.

I tried to ping site A from site B, while site B was running tcpdump -v src [private A]. It gave:

04:05:29.007316 IP (tos 0x0, ttl 64, id 23613, offset 0, flags [DF], proto ICMP (1), length 84)
    10.148.0.30 > instance-1-jkt.c.stickearn-clusteringlab.internal: ICMP echo request, id 3979, seq 34, length 64

Is it OK?

#4 Updated by Tobias Brunner about 1 month ago

Is it OK?

Depends on what you are looking for. I still don't understand what exactly you want to dump. The ESP packets (just use tcpdump)? Or the decrypted plaintext packets (read the FAQ and the other page)? Why the reference to the SPIs?

#5 Updated by Dhody Rahmad Hidayat about 1 month ago

Tobias Brunner wrote:

Is it OK?

Depends on what you are looking for. I still don't understand what exactly you want to dump. The ESP packets (just use tcpdump)? Or the decrypted plaintext packets (read the FAQ and the other page)? Why the reference to the SPIs?

I'm sorry, this is my first time working with networking. I usually look at the traffic to know whether my configuration works or not. I thought the SPIs affected how to dump the traffic (because in some instructions, strongSwan with ESP SPIs is just dumped with "tcpdump esp"). Based on the FAQ, I can't capture the traffic with Wireshark because I run the OS from a shell (with no interface). Thank you for the suggestion; is there any other way to make sure that my configuration works well, sir?

Oh, I found that the traffic can be checked using "tcpdump -i eth0 -n udp". I tried this while pinging from the other side and this is the output:

09:32:57.068830 IP 35.247.152.222.ipsec-nat-t > 10.184.0.2.ipsec-nat-t: UDP-encap: ESP, length 136

#6 Updated by Tobias Brunner about 1 month ago

Oh, I found that the traffic can be checked using "tcpdump -i eth0 -n udp". I tried this while pinging from the other side and this is the output:

09:32:57.068830 IP 35.247.152.222.ipsec-nat-t > 10.184.0.2.ipsec-nat-t: UDP-encap: ESP, length 136

You should probably also see a response. Anyway, to check if the tunnel works you can also check the traffic counters, see IntroductionTostrongSwan.
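As an added example (not from this issue or from strongSwan itself), the script below pulls the inbound/outbound SPIs from the site A status line quoted above and classifies UDP/4500 payloads the way tcpdump's "UDP-encap: ESP" line does, following RFC 3948: a single 0xFF byte is a NAT keepalive, four zero bytes are the non-ESP marker in front of an IKE message, and anything else starts with the ESP SPI and sequence number, which can then be matched against the installed SA. The packet bytes are constructed for the example, not captured from the reporter's hosts.

```python
import re
import struct

# Status line posted for site A in this issue: <spi>_i is the inbound SA, <spi>_o the outbound.
STATUS_LINE = "sg-to-jkt{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c8631a9d_i c183e820_o"

def parse_spis(status_line):
    """Return the inbound/outbound ESP SPIs (as ints) from a strongSwan status line."""
    m = re.search(r"ESP(?: in UDP)? SPIs: ([0-9a-f]{8})_i ([0-9a-f]{8})_o", status_line)
    if not m:
        raise ValueError("status line carries no ESP SPIs")
    return {"in": int(m.group(1), 16), "out": int(m.group(2), 16)}

def classify_udp4500(payload, spis):
    """Classify one UDP/4500 payload per RFC 3948 and match an ESP SPI to the installed SA."""
    if payload == b"\xff":
        return {"kind": "nat-keepalive"}          # one 0xFF byte keeps the NAT mapping alive
    if len(payload) < 8:
        return {"kind": "malformed"}
    spi, seq = struct.unpack("!II", payload[:8])  # ESP header: SPI, then sequence number
    if spi == 0:
        return {"kind": "ike"}                    # four zero bytes = non-ESP marker, IKE follows
    if spi == spis["in"]:
        direction = "inbound"
    elif spi == spis["out"]:
        direction = "outbound"
    else:
        direction = "unknown-sa"                  # stale SA, another tunnel, or stray traffic
    return {"kind": "esp", "spi": f"{spi:08x}", "seq": seq, "direction": direction}

def summarize(payloads, spis):
    """Count packets by kind/direction, a quick 'is the tunnel carrying traffic' check."""
    counts = {}
    for p in payloads:
        r = classify_udp4500(p, spis)
        key = r["kind"] if r["kind"] != "esp" else f"esp-{r['direction']}"
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed payloads (not real captures). Each ESP one is an 8-byte header plus 128 bytes of
# dummy ciphertext, matching the "ESP, length 136" tcpdump line quoted in the issue.
SPIS = parse_spis(STATUS_LINE)
KEEPALIVE = b"\xff"
IKE_MSG = b"\x00\x00\x00\x00" + bytes(28)
ESP_IN = bytes.fromhex("c8631a9d") + struct.pack("!I", 34) + bytes(128)
ESP_OUT = bytes.fromhex("c183e820") + struct.pack("!I", 35) + bytes(128)
ESP_FOREIGN = bytes.fromhex("11223344") + struct.pack("!I", 1) + bytes(128)

if __name__ == "__main__":
    print(summarize([KEEPALIVE, IKE_MSG, ESP_IN, ESP_OUT, ESP_FOREIGN], SPIS))
```

Seeing only "esp-inbound" counts while pinging from the far side means the peer's packets arrive but nothing is sent back, which is the missing response Tobias refers to.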
