I am trying to configure a Cisco CSR1000V on AWS to create an IPSec VPN with Strongswan 5.1.2 (on Ubuntu 14.04) on another AWS machine. I can establish the VPN from the Strongswan end and it appears to have correctly built the security associations, but no traffic is routed through in either direction. Possibly related is that I can't bring up the VPN from the Cisco end.
I have tried to base my configuration on http://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/117258-config-l2l.html#anc2 with changes for the specific IP addresses and networks. So I have
10.87.189.36 client
|
CSR 1000V: Eth0 10.87.50.122 (mapped to Elastic IP 54.154.54.AAA)
Eth1 10.87.189.50
|
|
Strongswan: 172.31.1.1 (mapped to Elastic IP 54.229.30.BBB)
|
Webserver 172.31.2.33
The aim is to be able to browse from the client to the webserver via the VPN. The client can connect to the external internet and this is routed via the CSR1000 (set up as described in https://rbgeek.wordpress.com/2014/09/15/cisco-csr1000v-router-as-nat-instance-on-aws/). I can also create a VPN between the Strongswan machine and another machine running Strongswan 4.5.2 locally and view the webserver as expected.
EC2's src/dest check is disabled on all the ethernet ports on the CSR and Strongswan machine.
The Strongswan configuration for the connection is
conn ciscotest
left=%defaultroute
leftid=54.229.30.BBB
leftsubnet=172.31.0.0/16
leftfirewall=no
right=54.154.54.AAA
rightid=%any
rightsubnet=10.87.189.0/24
auto=add
authby=secret
ike=aes256-sha1-modp1024
ikelifetime=8h
aggressive=no
esp=aes128-sha1
lifetime=1h
keyexchange=ikev2
Firewall and sysctl on the Strongswan machine
# iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 4 packets, 220 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 4 packets, 220 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 5 packets, 349 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * eth0 0.0.0.0/0 172.31.0.0/16 policy match dir out pol ipsec
5 349 MASQUERADE all -- * eth0 0.0.0.0/0 172.31.0.0/16
# sysctl -p
net.ipv4.ip_forward = 1
Configuration on the Cisco machine
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname ip-10-87-50-122
!
boot-start-marker
boot-end-marker
!
subscriber templating
!
multilink bundle-name authenticated
!
redundancy
!
crypto ikev2 proposal ikev2proposal
encryption aes-cbc-256
integrity sha1
group 2
!
crypto ikev2 policy ikev2policy
match fvrf any
proposal ikev2proposal
!
crypto ikev2 keyring keys
peer strongswan
address 54.229.30.BBB
pre-shared-key local ----------------
pre-shared-key remote ----------------
!
!
!
crypto ikev2 profile ikev2profile
match identity remote address 54.229.30.BBB 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local keys
!
crypto isakmp policy 10
authentication pre-share
group 2
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
!
crypto map cmap 10 ipsec-isakmp
set peer 54.229.30.BBB
set transform-set TS
set ikev2-profile ikev2profile
match address cryptoacl
!
interface GigabitEthernet1
ip address dhcp
ip nat outside
negotiation auto
crypto map cmap
!
interface GigabitEthernet2
ip address 10.87.189.50 255.255.255.0
ip nat inside
negotiation auto
!
virtual-service csr_mgmt
ip shared host-interface GigabitEthernet1
activate
!
ip nat inside source list NATList interface GigabitEthernet1 overload
ip forward-protocol nd
!
ip access-list extended NATList
permit ip 10.87.189.0 0.0.0.255 any
ip access-list extended cryptoacl
permit ip 10.87.189.0 0.0.0.255 172.31.2.0 0.0.0.255
permit ip 10.87.189.0 0.0.0.255 172.31.0.0 0.0.255.255
On establishing the connection from the Strongswan end:
# ipsec up ciscotest
initiating IKE_SA ciscotest[17] to 54.154.54.AAA
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 172.31.1.1[500] to 54.154.54.AAA[500] (1044 bytes)
received packet: from 54.154.54.AAA[500] to 172.31.1.1[500] (336 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) ]
received Cisco Delete Reason vendor ID
received unknown vendor ID: 46:4c:45:58:56:50:4e:2d:53:55:50:50:4f:52:54:45:44
local host is behind NAT, sending keep alives
remote host is behind NAT
authentication of '54.229.30.BBB' (myself) with pre-shared key
establishing CHILD_SA ciscotest
generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
sending packet: from 172.31.1.1[4500] to 54.154.54.AAA[4500] (332 bytes)
received packet: from 54.154.54.AAA[4500] to 172.31.1.1[4500] (252 bytes)
parsed IKE_AUTH response 1 [ V IDr AUTH SA TSi TSr N(SET_WINSIZE) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
authentication of '10.87.50.122' with pre-shared key successful
IKE_SA ciscotest[17] established between 172.31.1.1[54.229.30.BBB]...54.154.54.AAA[10.87.50.122]
scheduling reauthentication in 27954s
maximum IKE_SA lifetime 28494s
received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
connection 'ciscotest' established successfully
# ipsec status ciscotest
Security Associations (1 up, 0 connecting):
ciscotest[17]: ESTABLISHED 19 seconds ago, 172.31.1.1[54.229.30.BBB]...54.154.54.AAA[10.87.50.122]
ciscotest{15}: INSTALLED, TUNNEL, ESP in UDP SPIs: c42a57f8_i 1cc99de5_o
ciscotest{15}: 172.31.0.0/16 === 10.87.189.0/24
At the Cisco end
Syslog logging: enabled (0 messages dropped, 9 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: level debugging, 2479 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 2486 messages logged, xml disabled,
filtering disabled
Exception Logging: size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
No active filter modules.
Trap logging: level informational, 62 message lines logged
Logging Source-Interface: VRF Name:
Log Buffer (4096 bytes):
edur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Feb 18 15:41:34.873: Crypto mapdb : proxy_match
src addr : 10.87.189.0
dst addr : 172.31.0.0
protocol : 0
src port : 0
dst port : 0
*Feb 18 15:41:34.873: (ipsec_process_proposal)Map Accepted: cmap, 10
*Feb 18 15:41:34.873: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Callback received for the validate proposal - PASSED.
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):Get my authentication method
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):My authentication method is 'PSK'
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):Get peer's preshared key for 54.229.30.BBB
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):Generate my authentication data
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):Use preshared key for id 10.87.50.122, key len 5
*Feb 18 15:41:34.873: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Feb 18 15:41:34.873: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):Get my authentication method
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):My authentication method is 'PSK'
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):Generating IKE_AUTH message
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):Constructing IDr payload: '10.87.50.122' of type 'IPv4 address'
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA96 Don't use ESN
*Feb 18 15:41:34.874: IKEv2:(SESSION ID = 9,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDr AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Feb 18 15:41:34.874: IKEv2:(SESSION ID = 9,SA ID = 1):Sending Packet [To 54.229.30.BBB:4500/From 10.87.50.122:4500/VRF i0:f0]
Initiator SPI : D88218943FE3BDCA - Responder SPI : D5D0EFB19DDB3A57 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
*Feb 18 15:41:34.874: IKEv2:(SESSION ID = 9,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
*Feb 18 15:41:34.874: IKEv2:(SESSION ID = 9,SA ID = 1):Session with IKE ID PAIR (54.229.30.BBB, 10.87.50.122) is UP
*Feb 18 15:41:34.874: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
*Feb 18 15:41:34.874: IKEv2:(SESSION ID = 9,SA ID = 1):Load IPSEC key material
*Feb 18 15:41:34.874: IKEv2:(SA ID = 1):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
*Feb 18 15:41:34.874: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Feb 18 15:41:34.874: Crypto mapdb : proxy_match
src addr : 10.87.189.0
dst addr : 172.31.0.0
protocol : 256
src port : 0
dst port : 0
*Feb 18 15:41:34.874: IPSEC:(SESSION ID = 9) (crypto_ipsec_create_ipsec_sas) Map found cmap, 10
*Feb 18 15:41:34.874: IPSEC:(SESSION ID = 9) (create_sa) sa created,
(sa) sa_dest= 10.87.50.122, sa_proto= 50,
sa_spi= 0x1CC99DE5(482975205),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2017
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 10.87.50.122:0, remote= 54.229.30.BBB:0,
local_proxy= 10.87.189.0/255.255.255.0/256/0,
remote_proxy= 172.31.0.0/255.255.0.0/256/0
*Feb 18 15:41:34.874: IPSEC:(SESSION ID = 9) (create_sa) sa created,
(sa) sa_dest= 54.229.30.BBB, sa_proto= 50,
sa_spi= 0xC42A57F8(3291109368),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2018
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 10.87.50.122:0, remote= 54.229.30.BBB:0,
local_proxy= 10.87.189.0/255.255.255.0/256/0,
remote_proxy= 172.31.0.0/255.255.0.0/256/0
*Feb 18 15:41:35.064: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
*Feb 18 15:41:35.064: IKEv2:(SESSION ID = 9,SA ID = 1):Checking for duplicate IKEv2 SA
*Feb 18 15:41:35.064: IKEv2:(SESSION ID = 9,SA ID = 1):No duplicate IKEv2 SA found
*Feb 18 15:41:35.064: IKEv2:(SESSION ID = 9,SA ID = 1):Starting timer (8 sec) to delete negotiation context
The Cisco article above suggests that from the Cisco command line I should be able to do
ping 172.31.2.33 source gigabitethernet 2
to bring up the VPN from the Cisco end but this just states no response. I can ping between the client and Cisco machine in both directions and likewise between the Strongswan and web server in both directions. But no traffic appears to go over the VPN between them either then or once established from the Strongswan end as above.
Edit: some more diagnostics from the CSR1000
ip-10-87-50-122#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect
Interface: GigabitEthernet1
Session status: DOWN
Peer: 54.229.30.BBB port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit ip 10.87.189.0/255.255.255.0 172.31.2.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
Interface: GigabitEthernet1
Profile: ikev2profile
Uptime: 00:00:41
Session status: UP-ACTIVE
Peer: 54.229.30.BBB port 4500 fvrf: (none) ivrf: (none)
Phase1_id: 54.229.30.BBB
Desc: (none)
Session ID: 21
IKEv2 SA: local 10.87.50.122/4500 remote 54.229.30.BBB/4500 Active
Capabilities:N connid:2 lifetime:23:59:19
IPSEC FLOW: permit ip 10.87.189.0/255.255.255.0 172.31.0.0/255.255.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 310 drop 0 life (KB/Sec) 4608000/3558
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4608000/3558
#show crypto ipsec sa
interface: GigabitEthernet1
Crypto map tag: cmap, local addr 10.87.50.122
protected vrf: (none)
local ident (addr/mask/prot/port): (10.87.189.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.31.2.0/255.255.255.0/0/0)
current_peer 54.229.30.BBB port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.87.50.122, remote crypto endpt.: 54.229.30.BBB
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (10.87.189.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.31.0.0/255.255.0.0/0/0)
current_peer 54.229.30.BBB port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 310, #pkts decrypt: 310, #pkts verify: 310
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.87.50.122, remote crypto endpt.: 54.229.30.BBB
plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
current outbound spi: 0xC3012269(3271631465)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x1CB79056(481792086)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2019, flow_id: CSR:19, sibling_flags FFFFFFFF80000048, crypto map: cmap
sa timing: remaining key lifetime (k/sec): (4608000/3504)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xC3012269(3271631465)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2020, flow_id: CSR:20, sibling_flags FFFFFFFF80000048, crypto map: cmap
sa timing: remaining key lifetime (k/sec): (4608000/3504)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
#show crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
2 10.87.50.122/4500 54.229.30.BBB/4500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/126 sec
CE id: 1021, Session-id: 8
Status Description: Negotiation done
Local spi: DEB67BE7456C5407 Remote spi: 1C2A344A8A10262E
Local id: 10.87.50.122
Remote id: 54.229.30.BBB
Local req msg id: 0 Remote req msg id: 2
Local next msg id: 0 Remote next msg id: 2
Local req queued: 0 Remote req queued: 2
Local window: 5 Remote window: 1
DPD configured for 0 seconds, retry 0
Fragmentation not configured.
Extended Authentication not configured.
NAT-T is detected inside
Cisco Trust Security SGT is disabled
Initiator of SA : No
IPv6 Crypto IKEv2 SA
edit 2: ping example because it doesn't fit in the comments replying below.
ip-10-87-50-96#ping 172.31.1.1 source gigabitEthernet 2 repeat 2
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 172.31.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.87.189.59
..
Success rate is 0 percent (0/2)
The output is the same whether the VPN is uninitiated or has been initiated by Strongswan.
Best Answer
So the issue turned out to be the access control lists trying to apply NAT rather than routing to the VPN. Using
fixed it.
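An added example, not part of the question or the answer: a small Python model of the IOS inside-to-outside order of operations (the `ip nat inside source` translation runs before the crypto map on GigabitEthernet1 is checked), run against the NATList and cryptoacl posted above. It shows why the client-to-webserver flow leaves the router NATted and in the clear (matching the `#pkts encaps: 0` counters); the NATList with a leading `deny` for VPN-bound traffic is my assumed correction, since the answer does not show the lines it used.

```python
import ipaddress

def wildcard_to_net(addr, wildcard):
    """IOS 'address wildcard' pair -> IPv4Network (set wildcard bits are host bits)."""
    prefixlen = 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.IPv4Network(f"{addr}/{prefixlen}", strict=False)

def _take_addr(fields):
    # Consume one ACL address spec: 'any' or 'ADDR WILDCARD'.
    if fields[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), fields[1:]
    return wildcard_to_net(fields[0], fields[1]), fields[2:]

def parse_acl(text):
    """Parse extended-ACL 'permit|deny ip SRC DST' lines into (action, src, dst)."""
    entries = []
    for line in text.strip().splitlines():
        action, _proto, *fields = line.split()
        src, fields = _take_addr(fields)
        dst, _ = _take_addr(fields)
        entries.append((action, src, dst))
    return entries

def acl_permits(entries, src, dst):
    """IOS semantics: first matching entry wins, implicit deny at the end."""
    for action, s, d in entries:
        if src in s and dst in d:
            return action == "permit"
    return False

def outbound_disposition(nat_acl, crypto_acl, src, dst, outside_ip):
    """Inside-to-outside on IOS: NAT translates the packet before the crypto map
    on the outside interface is checked, so the crypto ACL sees the post-NAT source."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    post_nat_src = ipaddress.IPv4Address(outside_ip) if acl_permits(nat_acl, src, dst) else src
    return {"post_nat_src": str(post_nat_src),
            "encrypted": acl_permits(crypto_acl, post_nat_src, dst)}

# ACLs exactly as posted in the question.
NATLIST_AS_POSTED = "permit ip 10.87.189.0 0.0.0.255 any"
CRYPTOACL = """permit ip 10.87.189.0 0.0.0.255 172.31.2.0 0.0.0.255
permit ip 10.87.189.0 0.0.0.255 172.31.0.0 0.0.255.255"""
# Assumed correction (the answer does not show its lines): exempt VPN-bound
# traffic from NAT so it reaches the crypto map with its real source address.
NATLIST_ASSUMED_FIX = """deny ip 10.87.189.0 0.0.0.255 172.31.0.0 0.0.255.255
permit ip 10.87.189.0 0.0.0.255 any"""

def client_to_webserver(nat_acl_text):
    # The question's flow: client 10.87.189.36 -> webserver 172.31.2.33, Eth0 is 10.87.50.122.
    return outbound_disposition(parse_acl(nat_acl_text), parse_acl(CRYPTOACL),
                                "10.87.189.36", "172.31.2.33", "10.87.50.122")
```

With the posted NATList the packet leaves with source 10.87.50.122 and never matches cryptoacl; with the assumed deny in front of the permit it keeps its real source and is encrypted, while internet-bound traffic is still NATted.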