No Route To Host With StrongSwan Tunnel Interface

I'm using Ubuntu 20.04 with strongSwan 5.8.2. Configured using the Route-Based VPN instructions.

The site-to-site tunnel establishes and is stable; however, I can't route traffic over it. When I try to ping, ssh, curl I get a "No route to host" error. I can see the traffic in a tcpdump over my VTI interface.

I created my tunnel using the above instructions:

ip tunnel add vti0 local 10.50.1.25 remote 100.100.100.100 mode vti key 50
sysctl -w net.ipv4.conf.vti0.disable_policy=1
ip link set vti0 up
ip route add 10.0.0.0/12 dev vti0

Additionally, I disabled install_routes in the charon config.

Routing outside of the VTI0 interface works fine.

Other details/output:

$ ssh [email protected]
ssh: connect to host 10.1.2.3 port 22: No route to host

$ ip route list
default via 10.50.1.1 dev ens5 proto dhcp src 10.50.1.25 metric 50
10.0.0.0/12 dev vti0 scope link
10.50.1.0/20 dev ens5 proto kernel scope link src 10.50.1.25
10.50.1.1 dev ens5 proto dhcp scope link src 10.50.1.25 metric 50

$ ip route get 10.1.2.3
10.1.2.3 dev vti0 src 10.50.1.25 uid 0
    cache

$ ip link
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether AB:AB:AB:AB:AB:AB brd ff:ff:ff:ff:ff:ff
6: vti0@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1436 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/ipip 10.50.1.25 peer 100.100.100.100

Additional output for ipsec status and iptables:

$ ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.2, Linux 5.15.0-1022-aws, x86_64):
  uptime: 29 seconds, since Oct 20 14:17:36 2022
  malloc: sbrk 2568192, mmap 0, used 786720, free 1781472
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Listening IP addresses:
  10.50.1.1
Connections:
near-to-far:  %any...100.100.100.100  IKEv1, dpddelay=30s
near-to-far:   local:  [50.50.50.50] uses pre-shared key authentication
near-to-far:   remote: [100.100.100.100] uses pre-shared key authentication
near-to-far:   child:  0.0.0.0/32 === 10.0.0.0/12 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
near-to-far[1]: ESTABLISHED 29 seconds ago, 10.50.1.1[50.50.50.50]...100.100.100.100[100.100.100.100]
near-to-far[1]: IKEv1 SPIs: c371e91e6240fdd9_i* 7ce8c9676a22e5d5_r, pre-shared key reauthentication in 23 hours
near-to-far[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
near-to-far{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1e35cb4_i 11cb0bbe_o
near-to-far{1}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 41 minutes
near-to-far{1}:   0.0.0.0/32 === 10.0.0.0/12

$ iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             ip-10-0-0-0.us-west-2.compute.internal/12

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

$ iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  anywhere             anywhere             to:50.50.50.50
ACCEPT     all  --  ip-10-50-1-0.us-west-2.compute.internal/20  anywhere             policy match dir out pol ipsec
MASQUERADE  all  --  ip-10-0-0-0.us-west-2.compute.internal/12  ip-10-50-1-0.us-west-2.compute.internal/23
I think you need to provide more information e.g. about the negotiated IPsec SAs (e.g. status output of strongSwan), the firewall rules (e.g.. `iptables-save`) etc.
Carlo Mencarelli:
I included the output from `iptables` and `ipsec statusall`. If there's something more needed, glad to add it.
First, your local traffic selector, `0.0.0.0/32`, is wrong. It should probably be `0.0.0.0/0` (or a more specific subnet you want to tunnel). Second, that `SNAT` rule could also be a problem (unless the goal is to actually NAT traffic before tunneling it).
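An added offline check (not from the question, and not strongSwan's own tooling) that reproduces the diagnosis above: it parses the installed child SA selectors from the question's `ipsec statusall` output and the source address from `ip route get`, then reports when the flow falls outside every policy, which leaves the VTI with no SA to carry the packet. The `snat_to` argument is a constructed way to model the POSTROUTING SNAT rule; it assumes that rewrite happens before the VTI's policy lookup.

```python
import ipaddress
import re

# Constructed excerpts of the question's `ipsec statusall` and
# `ip route get 10.1.2.3` output (only the lines this check needs).
STATUS_OUTPUT = """\
near-to-far{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1e35cb4_i 11cb0bbe_o
near-to-far{1}:   0.0.0.0/32 === 10.0.0.0/12
"""
ROUTE_GET_OUTPUT = "10.1.2.3 dev vti0 src 10.50.1.25 uid 0\n    cache\n"

# Installed child SA selectors look like "conn{1}:   LOCAL_TS === REMOTE_TS";
# the "child:" lines under Connections are configuration, not installed SAs.
TS_RE = re.compile(r"^\S+\{\d+\}:\s+(\S+) === (\S+)\s*$", re.MULTILINE)
ROUTE_RE = re.compile(r"^(\S+) dev (\S+) src (\S+)")


def parse_traffic_selectors(status):
    """Return (local_ts, remote_ts) network pairs for every installed child SA."""
    return [(ipaddress.ip_network(loc), ipaddress.ip_network(rem))
            for loc, rem in TS_RE.findall(status)]


def parse_route(route_get):
    """Return (destination, device, source) from `ip route get` output."""
    dst, dev, src = ROUTE_RE.match(route_get).groups()
    return ipaddress.ip_address(dst), dev, ipaddress.ip_address(src)


def check_policy_coverage(status, route_get, snat_to=None):
    """Return [] when some installed child SA covers the routed packet,
    otherwise one line per selector the packet falls outside of.

    snat_to: address a POSTROUTING SNAT rule rewrites the source to, if any.
    Assumption: that rewrite happens before the VTI does its policy lookup,
    so the post-NAT source is the one the local selector must contain.
    """
    dst, _dev, src = parse_route(route_get)
    if snat_to is not None:
        src = ipaddress.ip_address(snat_to)
    problems = []
    for local_ts, remote_ts in parse_traffic_selectors(status):
        if src in local_ts and dst in remote_ts:
            return []  # a matching policy exists for this flow
        if src not in local_ts:
            problems.append(f"src {src} not in local TS {local_ts}")
        if dst not in remote_ts:
            problems.append(f"dst {dst} not in remote TS {remote_ts}")
    return problems or ["no installed child SA found"]
```

With the question's output it flags the 0.0.0.0/32 local selector; widening it to 0.0.0.0/0 makes the check pass.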