I've muddled up my configuration.
I've set up a site-to-site VPN between an AWS Ubuntu VM running strongSwan and another site.
The VPN tunnel is working, but any time I try to route traffic through the tunnel from the other site, no response comes back through the tunnel. Requests can also reach the AWS site through the internet; I had to allow this so that I could buy some time to fix the configuration properly.
I know the iptables configuration is messed up, but I am unsure what to clean up.
AWS Ubuntu Strongswan ipsec.conf:
config setup
    strictcrlpolicy=no
    uniqueids=no
    charondebug="ike4, knl4, cfg 2"

conn awsUbuntu-otherSide
    auto=add
    keyexchange=ikev1
    ike=aes256-sha256-modp1024
    esp=aes256-sha256
    leftid=2.2.2.200
    leftsubnet=2.2.2.200/32
    left=192.168.2.205
    leftsourceip=2.2.2.200
    leftfirewall=yes
    leftauth=psk
    right=1.1.1.50
    rightid=1.1.1.50
    rightsubnet=1.1.1.52/32
    rightauth=psk
    ikelifetime=86400s
    keylife=3600s
    rekeymargin=540s
    keyingtries=1
    authby=secret
    mobike=no
    dpdaction=restart
AWS Ubuntu iptables:
# Generated by iptables-save v1.6.0 on Fri May 4 13:15:58 2018
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [92:10960]
-A INPUT -i lo -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6000 -j ACCEPT
-A INPUT -s 1.1.1.48/29 -j ACCEPT
-A INPUT -p tcp -m policy --dir in --pol ipsec -m tcp --dport 6000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3002 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3014 -j ACCEPT
-A FORWARD -s 1.1.1.52/32 -d 2.2.2.200/32 -i eth0 -m policy --dir in --pol ipsec --reqid 102 --proto esp -j ACCEPT
-A FORWARD -s 2.2.2.200/32 -d 1.1.1.52/32 -o eth0 -m policy --dir out --pol ipsec --reqid 102 --proto esp -j ACCEPT
-A FORWARD -s 1.1.1.52/32 -d 2.2.2.200/32 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 2.2.2.200/32 -d 1.1.1.52/32 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 1.1.1.50/32 -d 2.2.2.200/32 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 2.2.2.200/32 -d 1.1.1.50/32 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 1.1.1.50/32 -d 2.2.2.200/32 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 2.2.2.200/32 -d 1.1.1.50/32 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -p esp -j ACCEPT
-A OUTPUT -o eth0 -p ah -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 6000 -j ACCEPT
-A OUTPUT -d 1.1.1.48/29 -j ACCEPT
-A OUTPUT -p tcp -m policy --dir out --pol ipsec -m tcp --sport 6000 -j ACCEPT
COMMIT
# Completed on Fri May 4 13:15:58 2018
# Generated by iptables-save v1.6.0 on Fri May 4 13:15:58 2018
*nat
:PREROUTING ACCEPT [15231:920394]
:INPUT ACCEPT [368:21952]
:OUTPUT ACCEPT [56:5926]
:POSTROUTING ACCEPT [56:5926]
COMMIT
# Completed on Fri May 4 13:15:58 2018
I've allowed strongSwan to modify the firewall configuration, but what I think I am missing is a proper NAT rule to ensure that responses to tunnel traffic go back out through the tunnel. Please can someone tell me what I am doing wrong?
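As an added example (not part of the question or of any reply on this page): a small Python script that parses iptables-save output and reports rules that can never match, either an exact duplicate of an earlier rule or a rule shadowed by an earlier, broader terminating rule in the same chain. The sample dump is constructed from a subset of the rules quoted above; the script makes no claim about which rules strongSwan's updown script installed. Run it over `iptables-save` output from the VM to see whether the `-m policy --pol ipsec` rules are reachable at all or whether a plain port rule ahead of them already accepts the traffic.

```python
"""Audit an iptables-save dump for duplicate and shadowed rules."""
import shlex
from collections import defaultdict

# Targets that stop rule evaluation in the current chain.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}

# Constructed sample built from a subset of the rules in the question.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6000 -j ACCEPT
-A INPUT -s 1.1.1.48/29 -j ACCEPT
-A INPUT -p tcp -m policy --dir in --pol ipsec -m tcp --dport 6000 -j ACCEPT
-A FORWARD -s 1.1.1.52/32 -d 2.2.2.200/32 -i eth0 -m policy --dir in --pol ipsec --reqid 102 --proto esp -j ACCEPT
-A FORWARD -s 1.1.1.52/32 -d 2.2.2.200/32 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 1.1.1.50/32 -d 2.2.2.200/32 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 1.1.1.50/32 -d 2.2.2.200/32 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
COMMIT
"""


def parse_rule(line):
    """Turn one '-A CHAIN ...' line into (chain, matches, target).

    matches is a frozenset of (option, values) pairs, so two rules can be
    compared for equality and for "no more specific than" via subset tests.
    A '!' before an option is folded into the option name.
    """
    tokens = shlex.split(line)
    if tokens[:1] != ["-A"]:
        raise ValueError(f"not an append rule: {line!r}")
    chain = tokens[1]
    matches, target, negate = set(), None, False
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            negate = True
            i += 1
            continue
        if not tok.startswith("-"):
            raise ValueError(f"unexpected token {tok!r} in {line!r}")
        # An option's values run up to the next option (or a '!').
        j = i + 1
        while j < len(tokens) and not tokens[j].startswith("-") and tokens[j] != "!":
            j += 1
        values = tuple(tokens[i + 1:j])
        if tok in ("-j", "--jump"):
            target = values[0]
        else:
            matches.add((("!" if negate else "") + tok, values))
        negate = False
        i = j
    return chain, frozenset(matches), target


def parse_dump(text):
    """Yield (table, line_no, parsed_rule) for every -A line in the dump."""
    table = None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            yield table, no, parse_rule(line)


def audit(text):
    """Return (kind, chain, earlier_line, later_line) for dead rules.

    A later rule is dead when an earlier rule in the same chain has a
    terminating target and its match set is a subset of the later rule's:
    every packet the later rule could match was already decided. Equal match
    sets with the same target are reported as "duplicate", otherwise as
    "shadowed". Comparison is literal: no CIDR containment is computed, so
    '-s 1.1.1.48/29' is not treated as covering '-s 1.1.1.50/32'.
    """
    seen = defaultdict(list)  # (table, chain) -> [(line_no, matches, target)]
    findings = []
    for table, no, (chain, matches, target) in parse_dump(text):
        for e_no, e_matches, e_target in seen[(table, chain)]:
            if e_target not in TERMINATING:
                continue
            if e_matches == matches and e_target == target:
                findings.append(("duplicate", chain, e_no, no))
                break
            if e_matches <= matches:
                findings.append(("shadowed", chain, e_no, no))
                break
        seen[(table, chain)].append((no, matches, target))
    return findings


if __name__ == "__main__":
    for kind, chain, earlier, later in audit(SAMPLE_DUMP):
        print(f"{kind}: {chain} line {later} never matches because of line {earlier}")
```

On the sample this reports the ipsec-only port 6000 rule as shadowed by the unrestricted port 6000 rule before it, and the repeated FORWARD rule as a duplicate. The subset test is deliberately conservative: it only ever flags a rule whose every match option also appears on an earlier terminating rule, so a clean report does not prove the ruleset is tight, but every finding is a rule that cannot fire.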
ipsec auto status and ip xfrm policy and route -n. Does your site-to-site tunnel use existing internal networks on both ends? ip xfrm policy should show in/fwd/out rules for your tunnel ends. Also watch out that your internal networks are not in the denied private ranges of strongSwan.