Disable the source check in the VPC for the strongSwan server. Check if forwarding is enabled in sysctl globally for IPv4, too.

> sysctl net.ipv6.conf.all.forwarding=1

That is IPv6 only. You're tunneling IPv4 packets, though.
BTW, your cipher suite sucks. Use something better and use auto = route. Better yet, use a configuration from the UsableExamples page on the wiki.

GZ, you just leaked the keys of your SAs via the output of `ip xfrm state`.

The output of `iptables -L` is useless. Provide the output of `iptables-save` instead.

Generally, adhere to what the HelpRequests page says.

Kind regards

Noel

On 05.01.2018 19:09, Cruz Tovar wrote:
> Below is a network diagram of a StrongSwan box configured in Amazon Web Services with a tunnel to a Cisco ASA.
>
> The tunnel between the StrongSwan box and the Cisco device is working properly; phase 1 and phase 2 have completed.
>
> The issue is that the traffic destined to the StrongSwan box should then be passed to the 'Test Server' box (172.31.12.176).
>
> I am able to see the ICMP packets sent from the 192.168.20.0/24 network hit the StrongSwan box, but this traffic is not passed along to the Test Server.
>
> I have enabled forward client traffic and included forward rules for traffic sourced from the 192.168.20.0/24 subnet to be forwarded to 172.31.12.176.
>
> Does someone have any insight into what I may have configured incorrectly?
>
> |TEST SERVER (172.31.12.176)| ========== Eth1 172.31.12.187 -- |STRONGSWAN SERVER| -- Eth0 172.31.10.126 (EIP x.x.x.209) ========== Outside Interface x.x.x.143 -- |CISCO ASA| -- 192.168.20.0/24 Subnet to other hosts
>
> StrongSwan Server has two interfaces: Eth0 and Eth1.
> Eth0 has an EIP associated to it (x.x.x.209).
> Eth1 has an IP of 172.31.12.187 that I believe should pass traffic to the Test Server.
>
> Test Server has an IP address of 172.31.12.176.
>
> Cisco ASA has an outside interface of x.x.x.143 and communicates to the subnet 192.168.20.0/24.
>
> CONFIGS & OUTPUT IP/ROUTE DETAILS
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
>         # strictcrlpolicy=yes
>         # uniqueids = no
>         charondebug="ike 2, knl 2, cfg 2, dmn 2, esp 2, net 2, chd 2"
>
> conn RedSkyPIX-CHI
>         type = tunnel
>         authby = psk
>         auto = start
>         keyexchange = ikev1
>         ike = aes128-sha1-modp1024
>         esp = aes128-sha1
>         ikelifetime = 28800s
>         keylife = 3600s
>         aggressive = no
>         left = 172.31.10.126
>         leftsubnet = 172.31.12.0/24
>         leftid = x.x.x.209
>         leftfirewall = yes
>         right = x.x.x.143
>         rightsubnet = 192.168.20.0/24
>         rightid = x.x.x.143
>         rightfirewall = yes
>
> # The following are enabled
> sysctl net.ipv4.ip_forward=1
> sysctl net.ipv6.conf.all.forwarding=1
>
> # ip route show
> 172.31.12.0/24 dev eth1 proto kernel scope link src 172.31.12.187
> 172.31.10.0/24 dev eth0 proto kernel scope link src 172.31.10.126
> 169.254.0.0/16 dev eth0 scope link metric 1002
> 169.254.0.0/16 dev eth1 scope link metric 1003
> default via 172.31.10.1 dev eth0
>
> # ip -s xfrm state
> src 172.31.10.126 dst x.x.x.143
>         proto esp spi 0xae1ca856(2921113686) reqid 1(0x00000001) mode tunnel
>         replay-window 32 seq 0x00000000 flag 20 (0x00100000)
>         auth hmac(sha1) 0x6008d28b0f40c2eb8fa884730aa41fa9da85dcac (160 bits)
>         enc cbc(aes) 0xdcfd69f529f3529a026aa2ddefce61bc (128 bits)
>         encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
>         lifetime config:
>           limit: soft (INF)(bytes), hard (INF)(bytes)
>           limit: soft (INF)(packets), hard (INF)(packets)
>           expire add: soft 3055(sec), hard 3600(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-01-04 14:22:14 use -
>         stats:
>           replay-window 0 replay 0 failed 0
> src x.x.x.143 dst 172.31.10.126
>         proto esp spi 0xc3a540f4(3282387188) reqid 1(0x00000001) mode tunnel
>         replay-window 32 seq 0x00000000 flag 20 (0x00100000)
>         auth hmac(sha1) 0x840c9d785e7bb09cd5b868ff13295f558191b3e5 (160 bits)
>         enc cbc(aes) 0xade0f2bfc266c8fcce9267f2270fcfe1 (128 bits)
>         encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
>         lifetime config:
>           limit: soft (INF)(bytes), hard (INF)(bytes)
>           limit: soft (INF)(packets), hard (INF)(packets)
>           expire add: soft 2940(sec), hard 3600(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           2160(bytes), 36(packets)
>           add 2018-01-04 14:22:14 use 2018-01-04 14:22:19
>         stats:
>           replay-window 0 replay 0 failed 0
>
> # ip -s xfrm state
> src 172.31.10.126 dst x.x.x.143
>         proto esp spi 0xae1ca856(2921113686) reqid 1(0x00000001) mode tunnel
>         replay-window 32 seq 0x00000000 flag 20 (0x00100000)
>         auth hmac(sha1) 0x6008d28b0f40c2eb8fa884730aa41fa9da85dcac (160 bits)
>         enc cbc(aes) 0xdcfd69f529f3529a026aa2ddefce61bc (128 bits)
>         encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
>         lifetime config:
>           limit: soft (INF)(bytes), hard (INF)(bytes)
>           limit: soft (INF)(packets), hard (INF)(packets)
>           expire add: soft 3055(sec), hard 3600(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-01-04 14:22:14 use -
>         stats:
>           replay-window 0 replay 0 failed 0
> src x.x.x.143 dst 172.31.10.126
>         proto esp spi 0xc3a540f4(3282387188) reqid 1(0x00000001) mode tunnel
>         replay-window 32 seq 0x00000000 flag 20 (0x00100000)
>         auth hmac(sha1) 0x840c9d785e7bb09cd5b868ff13295f558191b3e5 (160 bits)
>         enc cbc(aes) 0xade0f2bfc266c8fcce9267f2270fcfe1 (128 bits)
>         encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
>         lifetime config:
>           limit: soft (INF)(bytes), hard (INF)(bytes)
>           limit: soft (INF)(packets), hard (INF)(packets)
>           expire add: soft 2940(sec), hard 3600(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           2520(bytes), 42(packets)
>           add 2018-01-04 14:22:14 use 2018-01-04 14:22:19
>         stats:
>           replay-window 0 replay 0 failed 0
>
> # ip -s xfrm policy
> src 192.168.20.0/24 dst 172.31.12.176/32 uid 0
>         dir fwd action allow index 1986 priority 2851 ptype main share any flag (0x00000000)
>         lifetime config:
>           limit: soft (INF)(bytes), hard (INF)(bytes)
>           limit: soft (INF)(packets), hard (INF)(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-01-04 14:22:14 use 2018-01-04 14:24:09
>         tmpl src x.x.x.143 dst 172.31.10.126
>                 proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
>                 level required share any
>                 enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 192.168.20.0/24 dst 172.31.12.176/32 uid 0
>         dir in action allow index 1976 priority 2851 ptype main share any flag (0x00000000)
>         lifetime config:
>           limit: soft (INF)(bytes), hard (INF)(bytes)
>           limit: soft (INF)(packets), hard (INF)(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-01-04 14:22:14 use -
>         tmpl src x.x.x.143 dst 172.31.10.126
>                 proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
>                 level required share any
>                 enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 172.31.12.176/32 dst 192.168.20.0/24 uid 0
>         dir out action allow index 1969 priority 2851 ptype main share any flag (0x00000000)
>         lifetime config:
>           limit: soft (INF)(bytes), hard (INF)(bytes)
>           limit: soft (INF)(packets), hard (INF)(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-01-04 14:22:14 use -
>         tmpl src 172.31.10.126 dst x.x.x.143
>                 proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
>                 level required share any
>                 enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>         dir 3 action allow index 1963 priority 0 ptype main share any flag (0x00000000)
>         lifetime config:
>           limit: soft 0(bytes), hard 0(bytes)
>           limit: soft 0(packets), hard 0(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-01-04 14:22:11 use 2018-01-04 14:24:09
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>         dir 4 action allow index 1956 priority 0 ptype main share any flag (0x00000000)
>         lifetime config:
>           limit: soft 0(bytes), hard 0(bytes)
>           limit: soft 0(packets), hard 0(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-01-04 14:22:11 use 2018-01-04 14:23:58
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>         dir 3 action allow index 1947 priority 0 ptype main share any flag (0x00000000)
>         lifetime config:
>           limit: soft 0(bytes), hard 0(bytes)
>           limit: soft 0(packets), hard 0(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-01-04 14:22:11 use 2018-01-04 14:22:14
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>         dir 4 action allow index 1940 priority 0 ptype main share any flag (0x00000000)
>         lifetime config:
>           limit: soft 0(bytes), hard 0(bytes)
>           limit: soft 0(packets), hard 0(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-01-04 14:22:11 use 2018-01-04 14:22:14
> src ::/0 dst ::/0 uid 0
>         dir 3 action allow index 1931 priority 0 ptype main share any flag (0x00000000)
>         lifetime config:
>           limit: soft 0(bytes), hard 0(bytes)
>           limit: soft 0(packets), hard 0(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-01-04 14:22:11 use -
> src ::/0 dst ::/0 uid 0
>         dir 4 action allow index 1924 priority 0 ptype main share any flag (0x00000000)
>         lifetime config:
>           limit: soft 0(bytes), hard 0(bytes)
>           limit: soft 0(packets), hard 0(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-01-04 14:22:11 use -
> src ::/0 dst ::/0 uid 0
>         dir 3 action allow index 1915 priority 0 ptype main share any flag (0x00000000)
>         lifetime config:
>           limit: soft 0(bytes), hard 0(bytes)
>           limit: soft 0(packets), hard 0(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-01-04 14:22:11 use -
> src ::/0 dst ::/0 uid 0
>         dir 4 action allow index 1908 priority 0 ptype main share any flag (0x00000000)
>         lifetime config:
>           limit: soft 0(bytes), hard 0(bytes)
>           limit: soft 0(packets), hard 0(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-01-04 14:22:11 use -
>
> # iptables -L -n
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:500 dpt:500
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:4500 dpt:4500
> LOGDROP    all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
> REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
> LOGDROP    all  --  0.0.0.0/0            0.0.0.0/0
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  192.168.20.0/24      172.31.12.176        policy match dir in pol ipsec reqid 1 proto 50
> ACCEPT     all  --  172.31.12.176        192.168.20.0/24      policy match dir out pol ipsec reqid 1 proto 50
> LOGDROP    all  --  0.0.0.0/0            0.0.0.0/0
> REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:500 dpt:500
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:4500 dpt:4500
>
> Chain LOGDROP (3 references)
> target     prot opt source               destination
> LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
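The points in the reply above, as a small POSIX sh helper script. This is an added example and is not code from either poster or from the strongSwan project: it redacts the SA key material before `ip xfrm state` output is posted anywhere, checks the IPv4 forwarding knob rather than the IPv6 one, shows the real AWS CLI calls that turn off the EC2 source/destination check, collects `iptables-save` instead of `iptables -L`, and writes the thread's conn with `auto = route` and a stronger proposal. The function names, the `RUN_REPORT` variable and the `aes256-sha256-modp2048` proposal are assumptions; the proposal only works if the ASA crypto map offers the same algorithms, and the file paths are the Linux defaults.

```shell
#!/bin/sh
# Added example, not code from the original thread. Helpers for the points
# raised in the reply: redact SA keys before posting `ip xfrm state`, check
# the IPv4 (not IPv6) forwarding knob, disable the EC2 source/dest check,
# collect `iptables-save` instead of `iptables -L`, and write a conn with
# auto=route and a stronger proposal. Function names are assumptions.
set -eu

# 1. Strip key material from `ip xfrm state` output. The hex after
#    "auth <alg>" / "enc <alg>" / "aead <alg>" is the live ESP key of that SA;
#    together with a capture of the ESP traffic it decrypts the tunnel.
#    SPIs, addresses and counters are kept, since those are what helps debugging.
redact_xfrm_state() {
    sed -E 's/^([[:space:]]*(auth|enc|aead)[[:space:]]+[^[:space:]]+[[:space:]]+)0x[0-9a-fA-F]+/\1<redacted>/'
}

# 2. The posted sysctl enables net.ipv6.conf.all.forwarding; tunnelled IPv4
#    packets need net.ipv4.ip_forward=1. The optional path argument lets the
#    check run against a saved copy of the file instead of the live kernel.
ipv4_forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# 3. EC2 discards packets an instance forwards with a source or destination
#    address that is not its own unless the source/destination check is off.
#    Both commands are real AWS CLI calls; the instance-level call covers the
#    primary ENI only, so a secondary interface such as eth1 needs the
#    network-interface variant with its eni id.
disable_source_dest_check() {
    [ $# -eq 1 ] || { echo "usage: disable_source_dest_check <instance-id>" >&2; return 2; }
    aws ec2 modify-instance-attribute --instance-id "$1" --no-source-dest-check
    # aws ec2 modify-network-interface-attribute --network-interface-id <eni-id> --no-source-dest-check
}

# 4. What the list asks for: the full ruleset rather than the `-L` summary,
#    plus kernel SA and policy state with the keys removed. Run as root.
collect_report() {
    echo "## sysctl"
    sysctl net.ipv4.ip_forward
    echo "## ip -s xfrm state (keys redacted)"
    ip -s xfrm state | redact_xfrm_state
    echo "## ip -s xfrm policy"
    ip -s xfrm policy
    echo "## iptables-save"
    iptables-save
}

# 5. The conn from the thread with the two requested changes: auto=route
#    installs the policies at start and brings the SA up on demand, and the
#    strict (!) proposal replaces aes128-sha1-modp1024. Assumption: the ASA
#    side offers AES-256, SHA-256 and DH group 14 for phase 1 and phase 2.
write_conn_example() {
    cat > "$1" <<'EOF'
conn RedSkyPIX-CHI
        type = tunnel
        authby = psk
        auto = route
        keyexchange = ikev1
        ike = aes256-sha256-modp2048!
        esp = aes256-sha256-modp2048!
        ikelifetime = 28800s
        keylife = 3600s
        aggressive = no
        left = 172.31.10.126
        leftsubnet = 172.31.12.0/24
        leftid = x.x.x.209
        leftfirewall = yes
        right = x.x.x.143
        rightsubnet = 192.168.20.0/24
        rightid = x.x.x.143
        rightfirewall = yes
EOF
}

# RUN_REPORT=1 sh strongswan-report.sh > report.txt   (as root, then post report.txt)
if [ "${RUN_REPORT:-0}" = 1 ]; then
    collect_report
fi
```

The redaction keeps SPIs, reqids, counters and the espinudp line, which is what someone reading the report needs to tie `xfrm state` to `xfrm policy` and to the `policy match ... reqid 1` FORWARD rules; only the hex keys go. `ipv4_forwarding_enabled` reads `/proc/sys/net/ipv4/ip_forward` directly, so it also works on a saved sysctl dump from the instance.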
