
I've muddled up my configuration.

I've set up a site-to-site VPN between an AWS Ubuntu VM running strongSwan and another site.

The VPN tunnel is working, but any time I try to route traffic through the tunnel from the other site, no response comes back through the tunnel. Requests can also reach the AWS site through the internet; I had to allow this so that I could buy some time to fix the configuration properly.

I know the iptables configuration is messed up but I am unsure what to clean up.

AWS Ubuntu strongSwan ipsec.conf:

    config setup
        strictcrlpolicy=no
        uniqueids=no
        charondebug="ike 4, knl 4, cfg 2"

    conn awsUbuntu-otherSide
        auto=add
        keyexchange=ikev1
        ike=aes256-sha256-modp1024
        esp=aes256-sha256
        leftid=2.2.2.200
        leftsubnet=2.2.2.200/32
        left=192.168.2.205
        leftsourceip=2.2.2.200
        leftfirewall=yes
        leftauth=psk
        right=1.1.1.50
        rightid=1.1.1.50
        rightsubnet=1.1.1.52/32
        rightauth=psk
        ikelifetime=86400s
        keylife=3600s
        rekeymargin=540s
        keyingtries=1
        authby=secret
        mobike=no
        dpdaction=restart


AWS Ubuntu iptables (iptables-save):

    # Generated by iptables-save v1.6.0 on Fri May  4 13:15:58 2018
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [92:10960]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p esp -j ACCEPT
    -A INPUT -p ah -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i eth0 -p udp -m udp --sport 500 --dport 500 -j ACCEPT
    -A INPUT -i eth0 -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 6000 -j ACCEPT
    -A INPUT -s 1.1.1.48/29 -j ACCEPT
    -A INPUT -p tcp -m policy --dir in --pol ipsec -m tcp --dport 6000 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 3002 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 3014 -j ACCEPT
    -A FORWARD -s 1.1.1.52/32 -d 2.2.2.200/32 -i eth0 -m policy --dir in --pol ipsec --reqid 102 --proto esp -j ACCEPT
    -A FORWARD -s 2.2.2.200/32 -d 1.1.1.52/32 -o eth0 -m policy --dir out --pol ipsec --reqid 102 --proto esp -j ACCEPT
    -A FORWARD -s 1.1.1.52/32 -d 2.2.2.200/32 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
    -A FORWARD -s 2.2.2.200/32 -d 1.1.1.52/32 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
    -A FORWARD -s 1.1.1.50/32 -d 2.2.2.200/32 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
    -A FORWARD -s 2.2.2.200/32 -d 1.1.1.50/32 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
    -A FORWARD -s 1.1.1.50/32 -d 2.2.2.200/32 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
    -A FORWARD -s 2.2.2.200/32 -d 1.1.1.50/32 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -o eth0 -p esp -j ACCEPT
    -A OUTPUT -o eth0 -p ah -j ACCEPT
    -A OUTPUT -o eth0 -p udp -m udp --sport 500 --dport 500 -j ACCEPT
    -A OUTPUT -o eth0 -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --sport 6000 -j ACCEPT
    -A OUTPUT -d 1.1.1.48/29 -j ACCEPT
    -A OUTPUT -p tcp -m policy --dir out --pol ipsec -m tcp --sport 6000 -j ACCEPT
    COMMIT
    # Completed on Fri May  4 13:15:58 2018
    # Generated by iptables-save v1.6.0 on Fri May  4 13:15:58 2018
    *nat
    :PREROUTING ACCEPT [15231:920394]
    :INPUT ACCEPT [368:21952]
    :OUTPUT ACCEPT [56:5926]
    :POSTROUTING ACCEPT [56:5926]
    COMMIT
    # Completed on Fri May  4 13:15:58 2018

I've allowed strongSwan to modify the firewall configuration, but what I think I am missing is a proper NAT rule to ensure that responses to tunnel traffic go back out through the tunnel. Can someone please tell me what I am doing wrong?
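The question asks what to clean up in the iptables dump. As an added example, not code from the original post or from the strongSwan project, here is a small Python checker that parses the posted conn and iptables-save dump (abridged copies are embedded below as constructed sample input) and reports the things a reviewer would look at first: ACCEPT rules for the remote network that lack -m policy --pol ipsec and therefore also admit the same traffic in the clear, FORWARD rules naming the gateway's own /32 (host-terminated traffic traverses INPUT/OUTPUT, never FORWARD), selector pairs pinned to more than one --reqid, and verbatim duplicate rules. The function names and finding categories are this example's own.

```python
# Added example (not from the original post or from strongSwan): cross-check an
# iptables-save dump against the strongSwan conn it is meant to protect. Both
# inputs below are constructed here, abridged from the question above.
import ipaddress
import shlex
from collections import Counter, defaultdict

IPSEC_CONF = """\
conn awsUbuntu-otherSide
 leftsubnet=2.2.2.200/32
 right=1.1.1.50
 rightsubnet=1.1.1.52/32
"""

IPTABLES_SAVE = """\
*filter
-A INPUT -s 1.1.1.48/29 -j ACCEPT
-A INPUT -p tcp -m policy --dir in --pol ipsec -m tcp --dport 6000 -j ACCEPT
-A FORWARD -s 1.1.1.52/32 -d 2.2.2.200/32 -i eth0 -m policy --dir in --pol ipsec --reqid 102 --proto esp -j ACCEPT
-A FORWARD -s 2.2.2.200/32 -d 1.1.1.52/32 -o eth0 -m policy --dir out --pol ipsec --reqid 102 --proto esp -j ACCEPT
-A FORWARD -s 1.1.1.52/32 -d 2.2.2.200/32 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 2.2.2.200/32 -d 1.1.1.52/32 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 1.1.1.50/32 -d 2.2.2.200/32 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 2.2.2.200/32 -d 1.1.1.50/32 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 1.1.1.50/32 -d 2.2.2.200/32 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 2.2.2.200/32 -d 1.1.1.50/32 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A OUTPUT -d 1.1.1.48/29 -j ACCEPT
COMMIT
"""


def parse_conn(text):
    """Key=value settings of the 'conn' section of an ipsec.conf fragment."""
    conn = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("conn "):
            conn["name"] = line.split(None, 1)[1]
        elif "=" in line:
            key, value = line.split("=", 1)
            conn[key.strip()] = value.strip()
    return conn


def parse_rules(text):
    """The '-A' lines of an iptables-save dump as dicts (table, chain, selectors)."""
    rules, table = [], None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A"):
            tok = shlex.split(line)
            rule = {"table": table, "chain": tok[1], "line": line, "src": None,
                    "dst": None, "target": None, "policy": False, "reqid": None}
            for i, t in enumerate(tok[:-1]):
                if t in ("-s", "-d"):
                    rule["src" if t == "-s" else "dst"] = ipaddress.ip_network(tok[i + 1], strict=False)
                elif t == "-j":
                    rule["target"] = tok[i + 1]
                elif t == "-m" and tok[i + 1] == "policy":
                    rule["policy"] = True  # '-m policy --pol ipsec' is present
                elif t == "--reqid":
                    rule["reqid"] = tok[i + 1]
            rules.append(rule)
    return rules


def lint(conn, rules):
    """Findings keyed by category; each entry is an offending rule or a summary."""
    local = ipaddress.ip_network(conn["leftsubnet"], strict=False)
    remote = ipaddress.ip_network(conn["rightsubnet"], strict=False)
    found, reqids = defaultdict(list), defaultdict(set)

    def touches(net, rule):
        return any(x is not None and x.overlaps(net) for x in (rule["src"], rule["dst"]))

    for r in (r for r in rules if r["table"] == "filter"):
        # An ACCEPT for the remote network without '-m policy --pol ipsec' also
        # accepts the same packets when they arrive or leave in the clear.
        if (r["chain"] in ("INPUT", "OUTPUT") and r["target"] == "ACCEPT"
                and not r["policy"] and touches(remote, r)):
            found["cleartext_bypass"].append(r["line"])
        # A FORWARD rule for a /32 that is this host's own address never matches:
        # host-terminated traffic traverses INPUT/OUTPUT, not FORWARD.
        if r["chain"] == "FORWARD" and local.prefixlen == 32 and touches(local, r):
            found["forward_for_local_host"].append(r["line"])
        if r["policy"] and r["reqid"]:
            reqids[(r["chain"], str(r["src"]), str(r["dst"]))].add(r["reqid"])
    # '--reqid' pins a rule to one SA; after a rekey or restart the old ones are dead.
    for (chain, src, dst), ids in sorted(reqids.items()):
        if len(ids) > 1:
            found["stale_reqid"].append(f"{chain} {src} -> {dst}: reqids {sorted(ids)}")
    # Verbatim duplicates, typically left behind by repeated updown-script runs.
    found["duplicate"] = [l for l, n in Counter(r["line"] for r in rules).items() if n > 1]
    return dict(found)


if __name__ == "__main__":
    for category, items in lint(parse_conn(IPSEC_CONF), parse_rules(IPTABLES_SAVE)).items():
        print(category, *items, sep="\n    ")
```

Feed it a live iptables-save dump and the conn block from /etc/ipsec.conf to run it against a real host. The cleartext_bypass finding is the security-relevant one: with "-A INPUT -s 1.1.1.48/29 -j ACCEPT" and "-A OUTPUT -d 1.1.1.48/29 -j ACCEPT" in place, the policy-matched rules are never the reason traffic gets through, and the peer network stays reachable outside the tunnel, which is the state the question describes. Whether the FORWARD rules can match at all depends on whether 2.2.2.200 is actually configured on the instance (ip addr); an AWS public or Elastic IP normally is not, it is translated at the VPC edge. On the host, ip xfrm policy should show src 2.2.2.200/32 dst 1.1.1.52/32 dir out, and ip route show table 220 the source-address route strongSwan installs for leftsourceip. No POSTROUTING NAT is needed for replies to take the tunnel with policy-based IPsec; what is needed is that the reply's source address fall inside leftsubnet so the outbound xfrm policy matches it.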

  • You need to look at the output of commands like ipsec auto status and ip xfrm policy
    – Gerrit
    Commented May 23, 2018 at 14:02
  • Ok. Any ideas what I should be looking out for?
    – Unpossible
    Commented May 23, 2018 at 14:18
  • Check for routing details. Also with route -n. Does your site-to-site tunnel use existing internal networks on both ends? ip xfrm policy should show in/fwd/out rules for your tunnel ends. Also watch out that your internal networks are not in the denied private ranges of strongswan.
    – Gerrit
    Commented May 23, 2018 at 14:58
