I am attempting to set up an IPsec tunnel to an external service that we do not control. The tunnel appears to be up, but I am unable to ping the private IP address at all. I just receive "Destination host unreachable".
ifconfig
docker0 Link encap:Ethernet HWaddr 02:42:5d:6c:5b:ff
inet addr:172.17.0.1 Bcast:0.0.0.0 Mask:255.255.0.0
inet6 addr: fe80::42:5dff:fe6c:5bff/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:153830963 errors:0 dropped:0 overruns:0 frame:0
TX packets:157996702 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:10393890115 (10.3 GB) TX bytes:15013754691 (15.0 GB)
eth0 Link encap:Ethernet HWaddr 0c:c4:7a:7d:c2:ac
inet addr:129.111.191.242 Bcast:129.111.191.247 Mask:255.255.255.248
inet6 addr: fe80::ec4:7aff:fe7d:c2ac/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:131498746 errors:0 dropped:0 overruns:0 frame:0
TX packets:166120812 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:27289309652 (27.2 GB) TX bytes:163175029250 (163.1 GB)
Memory:fb200000-fb280000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:88829366 errors:0 dropped:0 overruns:0 frame:0
TX packets:88829366 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1816449755157 (1.8 TB) TX bytes:1816449755157 (1.8 TB)
veth1a733da Link encap:Ethernet HWaddr 52:e1:f1:58:ec:1d
inet6 addr: fe80::50e1:f1ff:fe58:ec1d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:204 errors:0 dropped:0 overruns:0 frame:0
TX packets:266 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1755510 (1.7 MB) TX bytes:33966 (33.9 KB)
+ A WHOLE WHACK OF OTHER DOCKER CONTAINERS
ipsec.conf
version 2.0 # conforms to second version of ipsec.conf specification
config setup
#plutodebug="dpd control"
plutostderrlog=/var/log/openswan.log
dumpdir=/var/run/pluto/
nat_traversal=no
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
oe=off
protostack=netkey
interfaces="%defaultroute"
conn easypay-ipsec-vpn
authby=secret
auto=start
ike=3des-sha1;modp1024
ikelifetime=86400s
phase2alg=3des-sha1;modp1024
salifetime=3600s
pfs=yes
left=129.111.191.242
leftsubnet=129.111.191.242/32
right=196.25.143.85
rightsubnet=192.168.200.125/32
ip xfrm policy
src 129.111.191.242/32 dst 192.168.200.125/32
dir out priority 2080
tmpl src 129.111.191.242 dst 196.25.143.85
proto esp reqid 16385 mode tunnel
src 192.168.200.125/32 dst 129.111.191.242/32
dir fwd priority 2080
tmpl src 196.25.143.85 dst 129.111.191.242
proto esp reqid 16385 mode tunnel
src 192.168.200.125/32 dst 129.111.191.242/32
dir in priority 2080
tmpl src 196.25.143.85 dst 129.111.191.242
proto esp reqid 16385 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
Checking IPSec is up
sudo /usr/sbin/ipsec auto --status | grep easypay
000 "easypay-ipsec-vpn": 129.111.191.242/32===129.111.191.242<129.111.191.242>...196.25.143.85<196.25.143.85>===192.168.200.125/32; erouted; eroute owner: #3
000 "easypay-ipsec-vpn": myip=unset; hisip=unset;
000 "easypay-ipsec-vpn": ike_life: 86400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "easypay-ipsec-vpn": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "easypay-ipsec-vpn": newest ISAKMP SA: #4; newest IPsec SA: #3;
000 "easypay-ipsec-vpn": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=-strict
000 "easypay-ipsec-vpn": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "easypay-ipsec-vpn": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000 "easypay-ipsec-vpn": ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000; pfsgroup=MODP1024(2); flags=-strict
000 "easypay-ipsec-vpn": ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
000 "easypay-ipsec-vpn": ESP algorithm newest: 3DES_000-HMAC_SHA1; pfsgroup=MODP1024
000 #4: "easypay-ipsec-vpn":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 84419s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #3: "easypay-ipsec-vpn":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1621s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #3: "easypay-ipsec-vpn" esp.7f654c9@196.25.143.85 esp.273d0069@129.111.191.242 tun.0@196.25.143.85 tun.0@129.111.191.242 ref=0 refhim=4294901761
000 #1: "easypay-ipsec-vpn":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 83601s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 129.111.191.241 0.0.0.0 UG 0 0 0 eth0
129.111.191.240 0.0.0.0 255.255.255.248 U 0 0 0 eth0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
172.18.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-c8dc65a94bb2
172.19.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-82217b810a12
172.20.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-7850aa98111b
172.21.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-b1a7c55d62b6
172.22.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-825780b49c2d
172.23.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-c54a8b4052f1
172.28.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-9403e62934e3
172.29.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-4b089299a6c4
172.30.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-c9e5b9d15f93
172.31.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-20e8b7596a16
192.168.0.0 0.0.0.0 255.255.240.0 U 0 0 0 br-69356c2ae863
192.168.16.0 0.0.0.0 255.255.240.0 U 0 0 0 br-fef7a8477c50
192.168.32.0 0.0.0.0 255.255.240.0 U 0 0 0 br-0f934a7b6bbc
192.168.48.0 0.0.0.0 255.255.240.0 U 0 0 0 br-f436be453bc0
192.168.64.0 0.0.0.0 255.255.240.0 U 0 0 0 br-f58d5b3092b2
192.168.80.0 0.0.0.0 255.255.240.0 U 0 0 0 br-861678c58b1d
192.168.96.0 0.0.0.0 255.255.240.0 U 0 0 0 br-0bea6a9a8ba3
192.168.128.0 0.0.0.0 255.255.240.0 U 0 0 0 br-38704ca6d035
192.168.144.0 0.0.0.0 255.255.240.0 U 0 0 0 br-dd2a427832dc
192.168.160.0 0.0.0.0 255.255.240.0 U 0 0 0 br-f402e867a089
192.168.176.0 0.0.0.0 255.255.240.0 U 0 0 0 br-55b8290a7912
192.168.192.0 0.0.0.0 255.255.240.0 U 0 0 0 br-aad43c0bdf40
192.168.208.0 0.0.0.0 255.255.240.0 U 0 0 0 br-22d7856d7bf3
192.168.224.0 0.0.0.0 255.255.240.0 U 0 0 0 br-f968a9b6da10
192.168.240.0 0.0.0.0 255.255.240.0 U 0 0 0 br-5ee84192e789
So it appears that the tunnel is up and running, but I cannot ping the IP address 192.168.200.125 from the server, nor can I traceroute to it. Any assistance would be greatly appreciated.
Thanks
Update 1
I've made a bit more progress.
sudo ip route get 192.168.200.125
The command above showed that a Docker network was somehow getting in the middle. I removed the Docker network, and now, instead of just receiving "Destination unreachable", it attempts to ping. Still no luck connecting to the IP, though. Docker might still be messing with the routing, but I'm not 100% sure.
Update 2
Restarting IPsec seems to resolve the problem.
Best Answer
I had the same problem with an IPsec tunnel (using Libreswan). Although the IPsec tunnel was established, I got the message "Destination host unreachable" when pinging the IPv4 address of the host on the other side.
In my case, because of a wrongly configured masquerade table, packets going to a private address were masqueraded with the global IPv4 address of the eth0 interface.
Therefore, I made the new masquerade rules below so that the source address of outgoing packets with a private destination address is not overwritten.
i.e.
The first rule returns packets whose destination address is in a private network. Those packets go into the IPsec tunnel without masquerade processing. The second rule is the normal masquerade. Only the remaining packets are masqueraded and go out to the Internet.
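The interaction the answer describes, modelled as a small simulation (added example, not code from the question or the answer): a nat POSTROUTING chain is walked for a packet, and the resulting source address is checked against the tunnel's "dir out" xfrm selector. The public IP 129.111.191.242 and the remote host 192.168.200.125 come from the question; the local LAN 192.168.1.0/24 and the LAN-to-remote selector are assumptions, since the poster's own leftsubnet is the public /32.

```python
import ipaddress

# Addresses quoted in the question.
PUBLIC_IP = "129.111.191.242"                     # egress IP of eth0
REMOTE_HOST = "192.168.200.125"                   # rightsubnet of the tunnel
# Assumed (not on the page): a private LAN behind the gateway that the
# tunnel should carry, as in the answer's scenario.
LAN = ipaddress.ip_network("192.168.1.0/24")
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed xfrm "dir out" selector for a LAN-to-remote tunnel: src LAN, dst remote/32.
XFRM_OUT = (LAN, ipaddress.ip_network(REMOTE_HOST + "/32"))


def postrouting(rules, src, dst):
    """Walk a minimal nat POSTROUTING chain and return the resulting source IP.

    Each rule is (dst_network_or_None, target): None matches every packet,
    RETURN leaves the chain without rewriting, MASQUERADE rewrites the
    source to the egress interface address (the answer's "global IPv4").
    """
    for match, target in rules:
        if match is not None and ipaddress.ip_address(dst) not in match:
            continue
        if target == "RETURN":
            return src
        if target == "MASQUERADE":
            return PUBLIC_IP
    return src


def matches_tunnel(src, dst):
    """True when the post-NAT packet still matches the tunnel's out selector."""
    return (ipaddress.ip_address(src) in XFRM_OUT[0]
            and ipaddress.ip_address(dst) in XFRM_OUT[1])


# Wrong chain: masquerade everything leaving eth0 (the answer's original mistake).
WRONG = [(None, "MASQUERADE")]
# Fixed chain: RETURN for private destinations first, then the normal masquerade,
# i.e. the answer's two rules (iptables: -t nat -A POSTROUTING -d <net> -j RETURN).
FIXED = [(n, "RETURN") for n in PRIVATE_RANGES] + [(None, "MASQUERADE")]


def check(rules, src="192.168.1.10", dst=REMOTE_HOST):
    """Return (source after NAT, whether the packet will still be tunnelled)."""
    new_src = postrouting(rules, src, dst)
    return new_src, matches_tunnel(new_src, dst)
```

With the wrong chain the LAN source becomes 129.111.191.242 and no longer matches the selector, so the packet leaves unencrypted; with the fixed chain tunnel traffic keeps its source while Internet-bound traffic is still masqueraded.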