
Traffic not tunneled/forwarded using StrongSwan


Description

I am new to strongSwan and I would like to set up strongSwan in a road warrior configuration.

My moon network is an AWS VPC with CIDR block 172.31.0.0/16. Inside that network, my VPN gateway is an EC2 instance located in a public subnet with a public IP X.X.X.X.

On the moon network I have an HTTP server with IP 172.31.X.X listening for requests on port 80.

My carol host is also an EC2 instance, located in another VPC with CIDR 10.0.0.0/16. The carol host is also in a public subnet with a public IP Y.Y.Y.Y.

I would like my carol host to submit HTTP requests to my HTTP server in the moon network.

I can load and initiate; the logs show successful messages on both server and client.

Nevertheless, when I run curl 172.31.X.X from the carol host, the command hangs. I tried to capture packets on the carol host with tcpdump, but absolutely nothing shows up. So I guess no traffic egresses from the carol host (the same thing happens when using ping -I).

Issue

Why does the traffic not seem to egress the client (carol host)?

How can I verify that strongSwan can forward/tunnel the traffic from the carol host to the HTTP server?

Technical configuration

machine

EC2 instances (managed by Cloud9) running Amazon Linux 2. Security Groups have been checked and the ingress rules are permissive enough.

StrongSwan

strongSwan version 5.9.5 on both client and server, installed from source using

./configure --prefix=/usr --sysconfdir=/etc
make
sudo make install

carol configuration

connections {
    home {
        remote_addrs = X.X.X.X
        local {
            auth = pubkey
            certs = carolCert.pem
            id = [email protected]
        }
        remote {
            auth = pubkey
            id = moon.strongswan.org
        }
        children {
            home {
                remote_ts = 172.31.0.0/16
                start_action = start
            }
        }
    }
}

moon configuration

connections {
    rw {
        local {
            auth = pubkey
            certs = moonCert.pem
            id = moon.strongswan.org
        }
        remote {
            auth = pubkey
        }
        children {
            rw {
                local_ts  = 172.31.0.0/16
                remote_ts = 10.0.0.0/16
            }
        }
    }
}

Output of sudo swanctl --initiate --child home from carol:

[IKE] establishing CHILD_SA home{3}
[ENC] generating CREATE_CHILD_SA request 3 [ SA No TSi TSr ]
[NET] sending packet: from 10.0.22.27[4500] to X.X.X.X[4500] (304 bytes)
[NET] received packet: from X.X.X.X[4500] to  10.0.22.27[4500] (192 bytes)
[ENC] parsed CREATE_CHILD_SA response 3 [ SA No TSi TSr ]
[CFG] selected proposal: ESP:AES_GCM_16_128
[IKE] CHILD_SA home{3} established with SPIs z9777de6_i z67c5f90_o and TS 10.0.22.27/32 === 172.31.0.0/16
initiate completed successfully

IP table on carol host:

Admin:~/environment $ sudo ip route show table 220
172.31.0.0/16 via 10.0.16.1 dev eth0 proto static src 10.0.22.27
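One way to answer the second question offline is to check a candidate flow against the traffic selectors the CHILD_SA was actually established with (the `TS ... === ...` part of the initiate output). Note that the local selector came out as 10.0.22.27/32: carol's child has no local_ts, so it defaults to carol's own address, and moon's remote_ts of 10.0.0.0/16 is narrowed to that. The following is an added example, not code from the poster or from strongSwan; the log line is copied from the output above and the flows are constructed.

```python
import ipaddress

# Constructed sample: the CHILD_SA line from the swanctl initiate output above
CHILD_SA_LINE = ("[IKE] CHILD_SA home{3} established with SPIs z9777de6_i z67c5f90_o "
                 "and TS 10.0.22.27/32 === 172.31.0.0/16")


def parse_traffic_selectors(line):
    """Split a 'TS <local...> === <remote...>' log line into two network lists.

    strongSwan prints several selectors on one side separated by spaces.
    """
    if " TS " not in line or " === " not in line:
        raise ValueError("line carries no traffic selectors")
    ts_part = line.split(" TS ", 1)[1]
    local_str, remote_str = ts_part.split(" === ", 1)
    local_ts = [ipaddress.ip_network(n) for n in local_str.split()]
    remote_ts = [ipaddress.ip_network(n) for n in remote_str.split()]
    return local_ts, remote_ts


def flow_is_protected(local_ts, remote_ts, src, dst):
    """True if a packet from src to dst matches the CHILD_SA's selectors.

    Only matching packets are wrapped in ESP by the kernel's XFRM policy;
    a packet with another source address, or a destination outside
    remote_ts, follows normal routing and never enters the tunnel.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    return any(src in n for n in local_ts) and any(dst in n for n in remote_ts)


def check_flows(line, flows):
    """Return {(src, dst): bool} for each (src, dst) flow against the SA in line."""
    local_ts, remote_ts = parse_traffic_selectors(line)
    return {(s, d): flow_is_protected(local_ts, remote_ts, s, d) for s, d in flows}


if __name__ == "__main__":
    # Constructed flows: curl from carol's primary address, ping -I from a
    # second address on carol, and a destination outside the moon VPC.
    results = check_flows(CHILD_SA_LINE, [
        ("10.0.22.27", "172.31.5.10"),
        ("10.0.30.5", "172.31.5.10"),
        ("10.0.22.27", "172.32.0.1"),
    ])
    for (src, dst), ok in results.items():
        print(f"{src} -> {dst}: {'tunneled' if ok else 'NOT covered by CHILD_SA'}")
```

On the host itself, `sudo ip xfrm policy` shows the same selectors as installed kernel policies, and a flow that matches them leaves eth0 as ESP (or UDP/4500 when NAT-T is in use), so capture with `tcpdump -ni eth0 esp or udp port 4500` rather than filtering on the inner 172.31.x.x address.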