I have already searched for hours on this and many other sites and even though people have had similar issues, I haven't found one that can fix my problem.
I am trying to configure an IPsec tunnel from my computer to a virtual machine on a server using strongswan (by swanctl.conf). I have previously made the IPsec connection but from another device. I am using the same configuration (swanctl.conf)
but something else does not seem to fit. My machine (10.3.72.29) gets a virtual ip (172.13.14.2) and establishes a connection to the server's device (10.3.218.62) with its own virtual ip (192.168.122.2)
My current configuration:
My PC (Initiator) swanctl.conf:
connections {
ch_vti0 {
send_cert = always
encap = yes
vips = 0.0.0.0
remote_addrs = 10.3.218.62
local {
round = 1
id = 10.3.72.29
auth = psk
certs =
}
remote {
auth = psk
id = 10.3.218.62
certs =
}
children {
ch_vti0 {
mark_in = 42
mark_out = 42
remote_ts = 192.168.122.2/24
local_ts = dynamic
inactivity = 300s
mode = tunnel
esp_proposals = 3des-sha1-modp2048
updown = /usr/local/etc/swanctl/updown.sh 0
}
}
version = 1
proposals = des-md5-modp768, des-md5-modp1024, des-md5-modp1536
} }
secrets {
eap-xauth {
eap_id = test1
id = test1
secret = password
}
xauth-local {
id = test1
secret = password
}
ike-sec {
id = %any
secret = test
}
ike-local {
id = 10.3.72.29
secret = test
}
}
The server's virtual machine swanctl.conf:
connections {
ch_vti0 {
send_cert = always
encap = yes
pools = pools_users
#aggressive = yes
local {
round = 1
id = 10.3.218.62
auth = psk
certs =
}
remote {
auth = psk
id = %any
certs =
}
children {
ch_vti0 {
local_ts = 192.168.122.2/24
inactivity = 120s
mode = tunnel
esp_proposals = 3des-sha1-modp2048
updown = /usr/local/libexec/ipsec/_updown iptables
}
}
version = 0
proposals = des-md5-modp768, des-md5-modp1024, des-md5-modp1536
} }
pools {
pools_users {
addrs = 172.13.14.2/24
}
}
secrets {
eap-xauth {
eap_id = test1
id = test1
secret = password
}
xauth-local {
id = test1
secret = password
}
ike-sec {
id = %any
secret = test
}
ike-local {
id = 10.3.218.62
secret = test
}
}
If anyone is wondering the updown.sh script creates the vti0 interface and routes
Result from ipsec statusall on my PC:
Listening IP addresses:
10.3.72.29
fdc8:c2cb:4586:cc11::8f00:5a9
172.13.14.2
Connections:
ch_vti0: %any...10.3.218.62 IKEv1
ch_vti0: local: [10.3.72.29] uses pre-shared key authentication
ch_vti0: remote: [10.3.218.62] uses pre-shared key authentication
ch_vti0: child: dynamic === 192.168.122.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
ch_vti0[1]: ESTABLISHED 13 minutes ago, 10.3.72.29[10.3.72.29]...10.3.218.62[10.3.218.62]
ch_vti0[1]: IKEv1 SPIs: 7fa996a60f87e923_i* 4faa8dbdd74a5927_r, rekeying in 3 hours
ch_vti0[1]: IKE proposal: DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_768
ch_vti0{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c393a4bb_i c392a387_o
ch_vti0{1}: 3DES_CBC/HMAC_SHA1_96/MODP_2048, 65772 bytes_i (783 pkts, 0s ago), 0 bytes_o, rekeying in 42 minutes
ch_vti0{1}: 172.13.14.2/32 === 192.168.122.0/24
Server's device:
Listening IP addresses:
192.168.122.2
10.3.218.62
fdc8:c2cb:4586:cc12::e49c:faf8
Connections:
ch_vti0: %any...%any IKEv1/2
ch_vti0: local: [10.3.218.62] uses pre-shared key authentication
ch_vti0: remote: [%any] uses pre-shared key authentication
ch_vti0: child: 192.168.122.0/24 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
ch_vti0[1]: ESTABLISHED 14 minutes ago, 10.3.218.62[10.3.218.62]...10.3.72.29[10.3.72.29]
ch_vti0[1]: IKEv1 SPIs: 7fa996a60f87e923_i 4faa8dbdd74a5927_r*, rekeying in 3 hours
ch_vti0[1]: IKE proposal: DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_768
ch_vti0{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c392a387_i c393a4bb_o
ch_vti0{1}: 3DES_CBC/HMAC_SHA1_96/MODP_2048, 0 bytes_i, 68880 bytes_o (820 pkts, 0s ago), rekeying in 44 minutes
ch_vti0{1}: 192.168.122.0/24 === 172.13.14.2/32
Routes on my pc:
root@malz:/usr/local/etc/swanctl# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.3.127.1 0.0.0.0 UG 100 0 0 enp2s0
10.3.0.0 0.0.0.0 255.255.0.0 U 100 0 0 enp2s0
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 vti0
Routes on server's device:
root@server-automation-2:/etc/swanctl# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.3.127.1 0.0.0.0 UG 0 0 0 ens4
10.3.0.0 0.0.0.0 255.255.0.0 U 0 0 0 ens4
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 ens3
I have allowed the ports that IPsec uses(500,4500,4500/udp,500/udp), tried disabling the firewalls on both of them, Cleared the iptables and allowed everything:
iptables -F
iptables -I INPUT -j ACCEPT
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
I have also checked the sysctl parameters for droping packets (especially those about icmp requests)
If I try to catch the packets with tcpdump
I can see I do receive them from the server's device (ping icmp packets)
but my PC doesn't respond
If I try to send packets the server's device doesn't catch them and my PC's IPsec interface TX error packets increase.
From ifconfig:
vti0: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 1480
inet 172.13.14.2 netmask 255.255.255.255 destination 172.13.14.2
inet6 fe80::5efe:a03:481d prefixlen 64 scopeid 0x20<link>
tunnel txqueuelen 1000 (IPIP Tunnel)
RX packets 1063 bytes 89292 (89.2 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 57 dropped 0 overruns 0 carrier 57 collisions 0
In conclusion, I have set up the ipsec connection between the two machines but I can't figure out why one of them can't transmit packages and doesn't respond to the others pings.
I am fairly certain the cause of all this isn't the ipsec configuration, because I have already previously mentioned I have tested it before and it works with the exact same conf file (excluding changing ips)
If anyone can give me even a hint I would really appreciate it.
Best Answer
Steps of troubleshooting (from bottom to top):
Run the tcpdump. You should see clear and encrypted packets (ESP).
Check the ip connectivity between ends of the ipsec tunnel.
Check the routing. By default the strongswan install the additional routes into a separate routing table. Run
ip -4 r ls table 220
. Investigate the output. To check the actual routes use theip route get <dst>
command. Don't use theroute -n
command - it returns the uncompleted view.Check the output of
ip -s -s xfrm state list
andip -s -s -d xfrm policy list
. It shows the system SADB (Security Associations Data Base) and policy DB. Your vti interface has some carrier errors. Carrier error on the vti interface means:ip x p get ...
command.ip route get ...
command.ip x s ls
command.Check the firewall. The iptables command by default works with the
filter
table, but there are other tables (raw, nat, mangle). Better use theiptables-save -c
command to list the full rule set. After the changing of the nat rules clear the conntrack table with theconntrack -F
command. The ipsec traffic passes the firewall chains twice: one pass as encrypted, other pass as clear. So investigate the rules. Also you can insert theNFLOG
target rules to capture the traffic withtcpdump -ni nflog...
command.