Hello Matt,

That's still lacking the output of `ip address`, `ip rule` and `ip route show table all`. Anyway, make sure forwarding is enabled on both hosts via `sysctl net.ipv4.ip_forward` and for the interfaces involved `sysctl net.ipv4.conf.<interface>.forwarding`. The values have to be set to 1.
Kind regards
Noel

On 27.11.19 at 12:32, Matt Frederick wrote:
> Hello, thanks for your reply. My apologies, please see firewall config below.
> Regarding the TS, it does define the two hosts I would like to connect over
> VPN. Currently I'm not trying to add networks; simply ping 172.16.20.24 from
> 172.31.18.117. I appreciate your help, matt
>
> # Generated by iptables-save v1.4.21 on Wed Nov 27 11:22:57 2019
> *filter
> :INPUT ACCEPT [2199:206359]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [2080:231588]
> -A FORWARD -s 172.16.20.24/32 -d 172.31.18.117/32 -i eth0 -m policy --dir in --pol ipsec --reqid 14 --proto esp -j ACCEPT
> -A FORWARD -s 172.31.18.117/32 -d 172.16.20.24/32 -o eth0 -m policy --dir out --pol ipsec --reqid 14 --proto esp -j ACCEPT
> COMMIT
>
> [root@ip-172-31-26-241 ec2-user]# ip xfrm pol
> src 172.31.18.117/32 dst 172.16.20.24/32
>         dir out priority 367231 ptype main
>         mark 0xe/0xffffffff
>         tmpl src 172.31.26.241 dst 172.16.20.13
>                 proto esp spi 0xc41b426a reqid 14 mode tunnel
> src 172.16.20.24/32 dst 172.31.18.117/32
>         dir fwd priority 367231 ptype main
>         mark 0xe/0xffffffff
>         tmpl src 172.16.20.13 dst 172.31.26.241
>                 proto esp reqid 14 mode tunnel
> src 172.16.20.24/32 dst 172.31.18.117/32
>         dir in priority 367231 ptype main
>         mark 0xe/0xffffffff
>         tmpl src 172.16.20.13 dst 172.31.26.241
>                 proto esp reqid 14 mode tunnel
>
> Security Associations (1 up, 0 connecting):
>     ec2test2[10]: ESTABLISHED 5 hours ago, 172.31.26.241[172.31.26.241]...172.16.20.13[172.16.20.13]
>     ec2test2[10]: IKEv2 SPIs: 17e28b4e6d4717f3_i* d5c2d25c083280be_r, pre-shared key reauthentication in 2 hours
>     ec2test2[10]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
>     ec2test2{101}: INSTALLED, TUNNEL, reqid 14, ESP in UDP SPIs: ccf32809_i c41b426a_o
>     ec2test2{101}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, rekeying in 4 minutes
>     ec2test2{101}: 172.31.18.117/32 === 172.16.20.24/32
>
> On Wed, Nov 27, 2019 at 1:43 AM Noel Kuntze <[email protected]> wrote:
>
> > Hello Matt,
> >
> > > ec2test2{73}: 172.31.18.117/32 === 172.16.20.24/32
> >
> > Your TS only allows traffic between the IPs on the two hosts. To allow
> > traffic between other subnets, they need to be included in the TS.
> >
> > Also, please use the exact commands as shown on the HelpRequests[1] page
> > to get useful debugging data.
> > iptables -L or -S isn't useful.
> >
> > Kind regards
> >
> > Noel
> >
> > [1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
> >
> > On 26.11.19 at 16:46, Matt Frederick wrote:
> > > Hi, I'm looking for some help with a VPN I have set up. This VPN
> > > connects two AWS VPCs, and is a learning opportunity for me, in preparation
> > > for a larger project next year.
> > >
> > > In this case, I have 4 computers, two being strongswan boxes, with two
> > > client machines. The layout is such:
> > >
> > > 172.16.20.24 <=> 172.16.20.13 <=> 172.31.26.241 <=> 172.31.18.117
> > >
> > > where 172.16.20.13 and 172.31.26.241 are strongswan boxes, with an
> > > IPSec tunnel between them. 172.16.20.24 and 172.16.20.13 can ping each other,
> > > and 172.31.26.241 and 172.31.18.117 can ping each other.
> > >
> > > 172.16.20.24 attempts to ping 172.31.18.117 over the tunnel.
> > >
> > > Currently, routing between the VPCs is limited to the strongswan boxes,
> > > to ensure that the client traffic traverses the tunnel.
> > >
> > > For this test, client machines are statically routing the target
> > > machine to the VPN machines, and when I ping from 18.117 to 20.24, I see the
> > > packet (twice in tcpdump) at 26.241, but it does not see traffic on the VPN,
> > > nor on the receiving side.
> > >
> > > thanks in advance, m
> > >
> > > All seems well, and the tunnels come up (conn ec2test2):
> > >
> > > Connections:
> > >     ec2test2:  172.31.26.241...172.16.20.13  IKEv2
> > >     ec2test2:   local:  [172.31.26.241] uses pre-shared key authentication
> > >     ec2test2:   remote: [172.16.20.13] uses pre-shared key authentication
> > >     ec2test2:   child:  172.31.18.117/32 === 172.16.20.24/32 TUNNEL
> > > Security Associations (1 up, 0 connecting):
> > >     ec2test2[8]: ESTABLISHED 23 seconds ago, 172.31.26.241[172.31.26.241]...172.16.20.13[172.16.20.13]
> > >     ec2test2[8]: IKEv2 SPIs: e048424b128299d7_i* 5790cae7fadc96ff_r, pre-shared key reauthentication in 7 hours
> > >     ec2test2[8]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
> > >     ec2test2{73}: INSTALLED, TUNNEL, reqid 12, ESP in UDP SPIs: c1ce842f_i cc636877_o
> > >     ec2test2{73}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 43 minutes
> > >     ec2test2{73}: 172.31.18.117/32 === 172.16.20.24/32
> > >
> > > ipsec.conf:
> > > conn ec2test2
> > >     right=172.16.20.13
> > >     left=172.31.26.241
> > >     leftfirewall=yes
> > >     rightsubnet=172.16.20.24/32
> > >     leftsubnet=172.31.18.117/32
> > >     rightfirewall=yes
> > >     ike=aes256-sha1-modp1536!
> > >     keyexchange=ikev2
> > >     ikelifetime=28800s
> > >     esp=aes256-sha1-modp1536!
> > >     keylife=3600s
> > >     rekeymargin=540s
> > >     type=tunnel
> > >     compress=no
> > >     authby=secret
> > >     mark=%unique
> > >     auto=start
> > >     keyingtries=%forever
> > >     forceencaps=yes
> > >     mobike=no
> > >
> > > Firewall rules seem ok (they are added by strongswan):
> > > [root@ip-172-31-26-241 ec2-user]# iptables -S
> > > -P INPUT ACCEPT
> > > -P FORWARD ACCEPT
> > > -P OUTPUT ACCEPT
> > > -A FORWARD -s 172.16.20.24/32 -d 172.31.18.117/32 -i eth0 -m policy --dir in --pol ipsec --reqid 12 --proto esp -j ACCEPT
> > > -A FORWARD -s 172.31.18.117/32 -d 172.16.20.24/32 -o eth0 -m policy --dir out --pol ipsec --reqid 12 --proto esp -j ACCEPT
> > >
> > > [root@ip-172-31-26-241 ec2-user]# ip xfrm pol
> > > src 172.31.18.117/32 dst 172.16.20.24/32
> > >         dir out priority 367231 ptype main
> > >         mark 0xc/0xffffffff
> > >         tmpl src 172.31.26.241 dst 172.16.20.13
> > >                 proto esp spi 0xcc636877 reqid 12 mode tunnel
> > > src 172.16.20.24/32 dst 172.31.18.117/32
> > >         dir fwd priority 367231 ptype main
> > >         mark 0xc/0xffffffff
> > >         tmpl src 172.16.20.13 dst 172.31.26.241
> > >                 proto esp reqid 12 mode tunnel
> > > src 172.16.20.24/32 dst 172.31.18.117/32
> > >         dir in priority 367231 ptype main
> > >         mark 0xc/0xffffffff
> > >         tmpl src 172.16.20.13 dst 172.31.26.241
> > >                 proto esp reqid 12 mode tunnel
> > > src 0.0.0.0/0 dst 0.0.0.0/0
> > >         socket in priority 0 ptype main
> > > src 0.0.0.0/0 dst 0.0.0.0/0
> > >         socket out priority 0 ptype main
> > > src 0.0.0.0/0 dst 0.0.0.0/0
> > >         socket in priority 0 ptype main
> > > src 0.0.0.0/0 dst 0.0.0.0/0
> > >         socket out priority 0 ptype main
> > > src ::/0 dst ::/0
> > >         socket in priority 0 ptype main
> > > src ::/0 dst ::/0
> > >         socket out priority 0 ptype main
> > > src ::/0 dst ::/0
> > >         socket in priority 0 ptype main
> > > src ::/0 dst ::/0
> > >         socket out priority 0 ptype main
> > >
> > > [root@ip-172-31-26-241 ec2-user]# ip xfrm state
> > > src 172.31.26.241 dst 172.16.20.13
> > >         proto esp spi 0xcc636877 reqid 12 mode tunnel
> > >         replay-window 0 flag af-unspec
> > >         mark 0xc/0xffffffff
> > >         auth-trunc hmac(sha1) 0xf323a6acb5a1517bba18285fa54a3d51e237a4de 96
> > >         enc cbc(aes) 0xccb4bea13f0bf1a8fa24dac0de7dd73751005dc85a271a3f484bae125475808e
> > >         encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
> > >         anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
> > > src 172.16.20.13 dst 172.31.26.241
> > >         proto esp spi 0xc1ce842f reqid 12 mode tunnel
> > >         replay-window 32 flag af-unspec
> > >         auth-trunc hmac(sha1) 0xa6e93c716c71a248b716bcdf5c9d0bbf2266d40f 96
> > >         enc cbc(aes) 0xffbeff56638b45c0d94bd33b1dfe9ded84aad68866bf1d44e9f01dc2eecf0660
> > >         encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
> > >         anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
> > >
> > > *Confidentiality and Privacy Notice:* Information transmitted by this
> > > email is proprietary to [m]pirik and is intended for use only by the
> > > individual or entity to which it is addressed, and may contain information
> > > that is private, privileged, confidential or exempt from disclosure under
> > > applicable law. All personal messages express views solely of the sender, are
> > > not to be attributed to [m]pirik, and may not be copied or distributed
> > > without this disclaimer. If you are not the intended recipient or it appears
> > > that this mail has been forwarded to you without proper authority, you are
> > > notified that any use or dissemination of this information in any manner is
> > > strictly prohibited. In such cases, please delete this mail from your records.
> > >
> > > --
> > > Matthew Frederick
> > > [email protected]
> > > W +414.220.4384
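Noel's earlier reply points at the TS (only the two /32 hosts are covered) and the thread cross-checks `ip xfrm policy` against the iptables policy-match rules by reqid. As an added example, not code from the thread or from strongSwan, the Python below parses the `ip xfrm policy` and iptables-save output Matt posted (embedded as a constructed sample) and reports, for a given plaintext flow, whether out/fwd/in policies cover it, whether the firewall rules reference the same reqid, and whether the out policy carries a mark; all function and field names are my own.

```python
import ipaddress
import re

# Constructed sample: the `ip xfrm policy` and iptables-save output quoted in the thread (reqid 14 run).
XFRM_POLICY = """\
src 172.31.18.117/32 dst 172.16.20.24/32
        dir out priority 367231 ptype main
        mark 0xe/0xffffffff
        tmpl src 172.31.26.241 dst 172.16.20.13
                proto esp spi 0xc41b426a reqid 14 mode tunnel
src 172.16.20.24/32 dst 172.31.18.117/32
        dir fwd priority 367231 ptype main
        mark 0xe/0xffffffff
        tmpl src 172.16.20.13 dst 172.31.26.241
                proto esp reqid 14 mode tunnel
src 172.16.20.24/32 dst 172.31.18.117/32
        dir in priority 367231 ptype main
        mark 0xe/0xffffffff
        tmpl src 172.16.20.13 dst 172.31.26.241
                proto esp reqid 14 mode tunnel
"""
IPTABLES_SAVE = """\
-A FORWARD -s 172.16.20.24/32 -d 172.31.18.117/32 -i eth0 -m policy --dir in --pol ipsec --reqid 14 --proto esp -j ACCEPT
-A FORWARD -s 172.31.18.117/32 -d 172.16.20.24/32 -o eth0 -m policy --dir out --pol ipsec --reqid 14 --proto esp -j ACCEPT
"""

def parse_xfrm_policies(text):
    """Turn `ip xfrm policy` output into records with src, dst, dir, mark and reqid."""
    policies = []
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"src (\S+) dst (\S+)$", line):  # a selector line opens a record
            policies.append({"src": ipaddress.ip_network(m[1]), "dst": ipaddress.ip_network(m[2]),
                             "dir": None, "mark": None, "reqid": None})
        elif line.startswith("dir "):  # per-socket policies have no dir line and keep dir=None
            policies[-1]["dir"] = line.split()[1]
        elif line.startswith("mark "):
            policies[-1]["mark"] = line.split()[1]
        elif m := re.search(r"reqid (\d+)", line):
            policies[-1]["reqid"] = int(m[1])
    return policies

def check_flow(policies, iptables_save, src, dst):
    """Checks for a plaintext flow src -> dst that this gateway should tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    def covering(direction, a, b):  # policies of that direction whose selector contains a -> b
        return [p for p in policies if p["dir"] == direction and a in p["src"] and b in p["dst"]]
    out, back = covering("out", s, d), covering("fwd", d, s) + covering("in", d, s)
    allowed = {int(r) for r in re.findall(r"--reqid (\d+)", iptables_save)}
    return {"out_policy": bool(out), "return_policy": {p["dir"] for p in back} == {"fwd", "in"},
            "reqid_in_iptables": {p["reqid"] for p in out + back} <= allowed,
            "out_policy_marked": any(p["mark"] is not None for p in out)}  # only matches fwmarked packets
```

Running `check_flow` for 172.31.18.117 -> 172.16.20.24 reports every check true, while any other host pair on either side returns no covering policy, which is the TS point Noel raised.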
