On 18/11/2022 07:31, Kumar P S Udai wrote:

Dear Libre Team
I have been having a long-pending problem with a VPN I am trying to establish between two CentOS 8 machines. One is at the HO, establishing connections to three other branch offices. While all three are getting connected, at one branch office the public IP is not configured on the machine directly but on an external vendor's router. Initially I had trouble establishing a connection to this unit, but after a lot of reading and config changes the connection is now getting established; however, we cannot ping or reach each other. Attaching the config details FYI. Would appreciate any help from the community.


Thank you, Best wishes

Udai

----------------

ON MACHINE PLUTO

IP Configuration

2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
     link/ether 10:e7:c6:30:79:0e brd ff:ff:ff:ff:ff:ff
    inet 192.168.14.129/24 brd 192.168.14.255 scope global noprefixroute eno1
        valid_lft forever preferred_lft forever
     inet6 fe80::12e7:c6ff:fe30:790e/64 scope link noprefixroute
        valid_lft forever preferred_lft forever

3: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
     link/ether 68:05:ca:e9:bc:a2 brd ff:ff:ff:ff:ff:ff
    inet 10.10.128.100/24 brd 10.10.128.255 scope global noprefixroute enp1s0
        valid_lft forever preferred_lft forever
     inet6 fe80::6a05:caff:fee9:bca2/64 scope link noprefixroute
        valid_lft forever preferred_lft forever


conn PLSUBNET
also=PLUTO-EUROPA
leftsubnet=192.168.14.0/24
leftsourceip=192.168.14.129
rightsubnet=192.168.1.0/24
rightsourceip=192.168.1.1
auto=start
conn PLUTO-EUROPA
type=tunnel
left=%defaultroute
leftid=1.2.3.4  (This public IP is not configured on this machine PLUTO, but on an externally facing router)
right=9.8.7.6  (This public IP is directly configured on the EUROPA machine)
authby=secret
ikev2=insist
pfs=no
ike=aes256-sha2_512+sha2_256-dh21
esp=aes256-sha2_512+sha1+sha2_256;dh21
dpddelay=5
dpdtimeout=120
dpdaction=restart
encapsulation=yes


000 Connection list:
000
000 "PLSUBNET": 192.168.14.0/24===10.10.128.100[1.2.3.4]---10.10.128.1...9.8.7.6<9.8.7.6>===192.168.1.0/24; erouted; eroute owner: #45
000 "PLSUBNET":     oriented; my_ip=192.168.14.129; their_ip=192.168.1.1; my_updown=ipsec _updown;
000 "PLSUBNET":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "PLSUBNET":   our auth:secret, their auth:secret
000 "PLSUBNET":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "PLSUBNET":   sec_label:unset;
000 "PLSUBNET":   ike_life: 28800s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "PLSUBNET":   retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "PLSUBNET":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "PLSUBNET":   policy: IKEv2+PSK+ENCRYPT+TUNNEL+UP+IKE_FRAG_ALLOW+ESN_NO;
000 "PLSUBNET":   v2-auth-hash-policy: none;
000 "PLSUBNET":   conn_prio: 24,24; interface: enp1s0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "PLSUBNET":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "PLSUBNET":   our idtype: ID_IPV4_ADDR; our id=1.2.3.4; their idtype: ID_IPV4_ADDR; their id=9.8.7.6
000 "PLSUBNET":   dpd: action:restart; delay:5; timeout:120; nat-t: encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "PLSUBNET":   newest ISAKMP SA: #44; newest IPsec SA: #45; conn serial: $1;
000 "PLSUBNET":   IKE algorithms: AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-DH21
000 "PLSUBNET":   IKEv2 algorithm newest: AES_CBC_256-HMAC_SHA2_512-DH21
000 "PLSUBNET":   ESP algorithms: AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA1_96+HMAC_SHA2_256_128
000 "PLSUBNET":   ESP algorithm newest: AES_CBC_256-HMAC_SHA2_512_256; pfsgroup=<N/A>
000
000 Total IPsec connections: loaded 1, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #44: "PLSUBNET":4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EVENT_SA_REKEY in 9874s; newest ISAKMP; idle;
000 #45: "PLSUBNET":4500 STATE_V2_ESTABLISHED_CHILD_SA (IPsec SA established); EVENT_SA_REKEY in 10446s; newest IPSEC; eroute owner; isakmp#44; idle;
000 #45: "PLSUBNET" [email protected] [email protected] [email protected] [email protected] Traffic: ESPin=1KB ESPout=0B! ESPmax=0B



ON MACHINE EUROPA

IP Configuration

2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
     link/ether 10:e7:c6:30:78:e9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global noprefixroute eno1
        valid_lft forever preferred_lft forever
     inet6 fe80::12e7:c6ff:fe30:78e9/64 scope link
        valid_lft forever preferred_lft forever

3: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
     link/ether 00:1b:21:39:57:5f brd ff:ff:ff:ff:ff:ff
    inet 9.8.7.6/27 brd 9.8.7.255 scope global noprefixroute enp1s0
        valid_lft forever preferred_lft forever


conn PLUTOSUBNET
also=EUROPA-PLUTO
leftsubnet=192.168.14.0/24
leftsourceip=192.168.14.129
rightsubnet=192.168.1.0/24
rightsourceip=192.168.1.1
auto=start
conn EUROPA-PLUTO
type=tunnel
left=1.2.3.4
right=9.8.7.6
authby=secret
ikev2=insist
pfs=no
ike=aes256-sha2_512+sha2_256-dh21
esp=aes256-sha2_512+sha1+sha2_256;dh21
dpddelay=5
dpdtimeout=120
dpdaction=restart
encapsulation=yes


000 "PLUTOSUBNET": 192.168.1.0/24===9.8.7.6<9.8.7.6>...1.2.3.4<1.2.3.4>===192.168.14.0/24; erouted; eroute owner: #6276
000 "PLUTOSUBNET":     oriented; my_ip=192.168.1.1; their_ip=192.168.14.129; my_updown=ipsec _updown;
000 "PLUTOSUBNET":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "PLUTOSUBNET":   our auth:secret, their auth:secret
000 "PLUTOSUBNET":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "PLUTOSUBNET":   sec_label:unset;
000 "PLUTOSUBNET":   ike_life: 28800s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "PLUTOSUBNET":   retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "PLUTOSUBNET":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "PLUTOSUBNET":   policy: IKEv2+PSK+ENCRYPT+TUNNEL+UP+IKE_FRAG_ALLOW+ESN_NO;
000 "PLUTOSUBNET":   v2-auth-hash-policy: none;
000 "PLUTOSUBNET":   conn_prio: 24,24; interface: enp1s0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "PLUTOSUBNET":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "PLUTOSUBNET":   our idtype: ID_IPV4_ADDR; our id=9.8.7.6; their idtype: ID_IPV4_ADDR; their id=1.2.3.4
000 "PLUTOSUBNET":   dpd: action:restart; delay:5; timeout:120; nat-t: encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "PLUTOSUBNET":   newest ISAKMP SA: #6275; newest IPsec SA: #6276; conn serial: $4;
000 "PLUTOSUBNET":   IKE algorithms: AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-DH21
000 "PLUTOSUBNET":   IKEv2 algorithm newest: AES_CBC_256-HMAC_SHA2_512-DH21
000 "PLUTOSUBNET":   ESP algorithms: AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA1_96+HMAC_SHA2_256_128
000 "PLUTOSUBNET":   ESP algorithm newest: AES_CBC_256-HMAC_SHA2_512_256; pfsgroup=<N/A>
000
000 Total IPsec connections: loaded 3, active 3
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(3), half-open(0), open(0), authenticated(3), anonymous(0)
000 IPsec SAs: total(3), authenticated(3), anonymous(0)
000
000 #6275: "PLUTOSUBNET":4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EVENT_SA_REKEY in 8486s; newest ISAKMP; idle;
000 #6276: "PLUTOSUBNET":4500 STATE_V2_ESTABLISHED_CHILD_SA (IPsec SA established); EVENT_SA_REKEY in 8662s; newest IPSEC; eroute owner; isakmp#6275; idle;
000 #6276: "PLUTOSUBNET" [email protected] [email protected] [email protected] [email protected] Traffic: ESPin=0B ESPout=1KB! ESPmax=0B
000

What firewall rules have you put in place? See https://libreswan.org/wiki/FAQ#NAT_.2B_IPsec_is_not_working, but I don't know the firewall-cmd equivalent.

Btw, once you have switched to ikev2 your left/rightid can be anything you want as long as they agree. It is probably easier not to mess around with IP addresses and just set them to something like @EUROPA and @PLUTO. This is especially useful if you have a DDNS, but can also simplify a fixed-IP setup.

Nick
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
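
The two status dumps quoted above already narrow the problem down: PLUTO reports ESPin=1KB ESPout=0B and EUROPA reports ESPin=0B ESPout=1KB, so EUROPA's ESP is arriving at and being decrypted by PLUTO, while PLUTO never emits any ESP in return. The script below is an added example, not code from the thread or from Libreswan: it parses the per-SA "Traffic:" line of "ipsec status", converts the counters to bytes, and combines both peers' counters into a statement of where packets stop, which is the question Nick's firewall remark is driving at. The sample input is constructed from the quoted output; the esp.xxxxxxxx@address SPI tokens are placeholders because the list archive obfuscated the real ones, and the regular expression and the size suffixes it accepts (B, KB, MB, GB) are assumptions about the output format.

```python
import re
from typing import Dict, List, Tuple

# Byte multipliers for the size suffixes seen in the "Traffic:" line
# (assumed set; extend if your Libreswan build prints other suffixes).
SIZE_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# Per-SA traffic line of "ipsec status". Only the SA number, connection
# name and the two ESP counters are captured; any punctuation that
# follows a counter (the "!" in the quoted output) is ignored.
TRAFFIC_RE = re.compile(
    r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)".*?'
    r"Traffic: ESPin=(?P<espin>\d+[A-Z]+) ESPout=(?P<espout>\d+[A-Z]+)"
)

# Constructed sample input modelled on the two dumps in the thread.
# SPI tokens are placeholders; the Traffic: counters are the quoted ones.
PLUTO_STATUS = """\
000 #45: "PLSUBNET":4500 STATE_V2_ESTABLISHED_CHILD_SA (IPsec SA established); EVENT_SA_REKEY in 10446s; newest IPSEC; eroute owner; isakmp#44; idle;
000 #45: "PLSUBNET" esp.00000001@9.8.7.6 esp.00000002@10.10.128.100 Traffic: ESPin=1KB ESPout=0B! ESPmax=0B
"""
EUROPA_STATUS = """\
000 #6276: "PLUTOSUBNET":4500 STATE_V2_ESTABLISHED_CHILD_SA (IPsec SA established); EVENT_SA_REKEY in 8662s; newest IPSEC; eroute owner; isakmp#6275; idle;
000 #6276: "PLUTOSUBNET" esp.00000003@1.2.3.4 esp.00000004@9.8.7.6 Traffic: ESPin=0B ESPout=1KB! ESPmax=0B
"""


def to_bytes(size: str) -> int:
    """Convert a counter such as '1KB' or '0B' into a byte count."""
    m = re.fullmatch(r"(\d+)([A-Z]+)", size)
    if not m or m.group(2) not in SIZE_UNITS:
        raise ValueError(f"unrecognised size {size!r}")
    return int(m.group(1)) * SIZE_UNITS[m.group(2)]


def parse_traffic(status_text: str) -> Dict[str, Tuple[int, int]]:
    """Return {conn_name: (bytes_in, bytes_out)} for each child SA that has a Traffic: line."""
    counters: Dict[str, Tuple[int, int]] = {}
    for line in status_text.splitlines():
        m = TRAFFIC_RE.match(line)
        if m:
            counters[m.group("conn")] = (to_bytes(m.group("espin")), to_bytes(m.group("espout")))
    return counters


def classify(bytes_in: int, bytes_out: int) -> str:
    """Describe what one side of the tunnel has seen so far."""
    if bytes_in == 0 and bytes_out == 0:
        return "idle"
    if bytes_out == 0:
        return "receive-only"
    if bytes_in == 0:
        return "send-only"
    return "bidirectional"


def diagnose_pair(local: Tuple[int, int], remote: Tuple[int, int],
                  local_name: str, remote_name: str) -> List[str]:
    """Cross-check both peers' counters, one finding per direction.

    For direction src -> dst: if src never emitted ESP the problem is on
    src itself (routing, policy or local firewall on the reply path); if
    src emitted ESP but dst counted none, the packets are being dropped
    between the two hosts (NAT device or firewall in the path).
    """
    findings: List[str] = []
    for (src, src_name), (dst, dst_name) in (((local, local_name), (remote, remote_name)),
                                             ((remote, remote_name), (local, local_name))):
        src_out, dst_in = src[1], dst[0]
        if src_out == 0:
            findings.append(f"{src_name} emits no ESP: check routing, policy and the local firewall on {src_name}")
        elif dst_in == 0:
            findings.append(f"{src_name} sends ESP but {dst_name} receives none: the path between them drops it")
        else:
            findings.append(f"{src_name} -> {dst_name}: ESP delivered")
    return findings


def demo() -> List[str]:
    """Run the cross-check on the constructed PLUTO/EUROPA dumps."""
    pluto = parse_traffic(PLUTO_STATUS)["PLSUBNET"]
    europa = parse_traffic(EUROPA_STATUS)["PLUTOSUBNET"]
    return diagnose_pair(pluto, europa, "PLUTO", "EUROPA")


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run against the quoted dumps it reports that EUROPA -> PLUTO is delivered and that PLUTO emits no ESP at all, which puts the first place to look on PLUTO itself (the reply path from 192.168.14.0/24 into the tunnel and PLUTO's own firewall) rather than on the vendor router in front of it. Feed it the raw output of "ipsec status" from each side after a ping test to repeat the check.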
