Score:1

strongswan site2site connection alive, but no traffic flow


I followed a couple of tutorials to set up a strongswan site-to-site VPN, and I got stuck...

That's the situation:

SITE A                     <------->     SITE B
AWS VPN GATEWAY                          STRONGSWAN
HOST 1                                   HOST 2 (Strongswan host, also EC2)
  • I can ping host 2 from host 1, but there is no answer going out (tcpdump on host 2).
    00:30:46.360533 eth0  In  IP 10.250.10.6 > 10.250.9.4: ICMP echo request, id 5, seq 599, length 64
    00:30:47.384644 eth0  In  IP 10.250.10.6 > 10.250.9.4: ICMP echo request, id 5, seq 600, length 64
    00:30:48.408526 eth0  In  IP 10.250.10.6 > 10.250.9.4: ICMP echo request, id 5, seq 601, length 64
    ... etc.
    
  • I see borked pings on host 1 from host 2.
    00:36:41.881802 IP ip-10-250-10-6.eu-central-1.compute.internal > 169.254.169.254: ICMP time exceeded in-transit, length 297
    00:36:41.881891 IP ip-10-250-10-6.eu-central-1.compute.internal > 169.254.169.254: ICMP time exceeded in-transit, length 60
    00:36:41.893326 IP ip-10-250-10-6.eu-central-1.compute.internal > 169.254.169.254: ICMP time exceeded in-transit, length 60 
    

Can anybody help? That would be greatly appreciated.

Here's my strongswan config:

config setup
    charondebug="all"
    uniqueids=yes
    # from generated AWS config
    strictcrlpolicy=no

conn customer
    type=tunnel
    auto=start
    keyexchange=ikev2
    authby=secret

    ike=aes256-sha2_512-ecp256
    esp=aes256-sha2_512-ecp256
    aggressive=no
    keyingtries=%forever
    ikelifetime=28800s
    lifetime=3600s
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart

    # PUBLIC network interfaces, "left" is "us"
    left=%defaultroute
    right=CENSORED # public IP

    # PRIVATE subnets
    leftsubnet=10.250.9.0/28
    rightsubnet=10.250.10.0/28

    # settings taken from AWS generated config
    margintime=270s
    rekey=yes
    rekeyfuzz=100%
    fragmentation=yes
    replay_window=1024

    mark=100

And here's ipsec statusall:

Connections:
customer:  %any...XXXX  IKEv2, dpddelay=30s
customer:   local:  uses pre-shared key authentication
customer:   remote: [XXXX] uses pre-shared key authentication
customer:   child:  10.250.9.0/28 === 10.250.10.0/28 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
customer[3]: ESTABLISHED 21 minutes ago, 10.250.9.5[EEEE]...XXXX[XXXX]
customer[3]: IKEv2 SPIs: aca26c16528c6023_i b8d244b9ba20a4ba_r*, pre-shared key reauthentication in 7 hours
customer[3]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_256
customer{3}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c2e749c9_i ccd2a33d_o
customer{3}:  AES_CBC_256/HMAC_SHA2_512_256, 51072 bytes_i, 3108 bytes_o (37 pkts, 198s ago), rekeying in 29 minutes
customer{3}:   10.250.9.0/28 === 10.250.10.0/28

XXXX / EEEE - public IP addresses of the VPN gateways

Finally, ipsec reload ; journalctl -f:

Nov 11 00:41:36 ip-10-250-9-5 charon[443]: 06[CFG] deleted connection 'customer'
Nov 11 00:41:36 ip-10-250-9-5 charon[443]: 08[CFG] received stroke: add connection 'customer'
Nov 11 00:41:36 ip-10-250-9-5 charon[443]: 08[CFG] added configuration 'customer'
Nov 11 00:41:36 ip-10-250-9-5 charon[443]: 05[CFG] received stroke: initiate 'customer'
Nov 11 00:41:36 ip-10-250-9-5 charon[443]: 05[IKE] establishing CHILD_SA customer{4}
Nov 11 00:41:36 ip-10-250-9-5 charon[443]: 05[IKE] establishing CHILD_SA customer{4}
Nov 11 00:41:36 ip-10-250-9-5 charon[443]: 05[ENC] generating CREATE_CHILD_SA request 0 [ SA No KE TSi TSr ]
Nov 11 00:41:36 ip-10-250-9-5 charon[443]: 05[NET] sending packet: from 10.250.9.5[4500] to XXXX[4500] (448 bytes)
Nov 11 00:41:36 ip-10-250-9-5 charon[443]: 07[NET] received packet: from XXXX[4500] to 10.250.9.5[4500] (304 bytes)
Nov 11 00:41:36 ip-10-250-9-5 charon[443]: 07[ENC] parsed CREATE_CHILD_SA response 0 [ SA No KE TSi TSr ]
Nov 11 00:41:36 ip-10-250-9-5 charon[443]: 07[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_512_256/ECP_256/NO_EXT_SEQ
Nov 11 00:41:36 ip-10-250-9-5 charon[443]: 07[IKE] CHILD_SA customer{4} established with SPIs c66eb670_i cb56dea4_o and TS 10.250.9.0/28 === 10.250.10.0/28
Nov 11 00:41:36 ip-10-250-9-5 charon[443]: 07[IKE] CHILD_SA customer{4} established with SPIs c66eb670_i cb56dea4_o and TS 10.250.9.0/28 === 10.250.10.0/28
Nov 11 00:41:46 ip-10-250-9-5 charon[443]: 12[NET] received packet: from XXXX[4500] to 10.250.9.5[4500] (96 bytes)
Nov 11 00:41:46 ip-10-250-9-5 charon[443]: 12[ENC] parsed INFORMATIONAL request 142 [ ]
Nov 11 00:41:46 ip-10-250-9-5 charon[443]: 12[ENC] generating INFORMATIONAL response 142 [ ]
Nov 11 00:41:46 ip-10-250-9-5 charon[443]: 12[NET] sending packet: from 10.250.9.5[4500] to XXXX[4500] (96 bytes)
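As an added check (my own script, not from the question or from strongSwan): it parses the child-SA traffic selectors out of the ipsec statusall output and tests each captured packet against them, because a packet whose source or destination lies outside the negotiated selectors is never matched by the IPsec policy, and an ICMP "time exceeded" means the packet looped until its TTL ran out. The sample lines are constructed in the shape of the page's output.

```python
import ipaddress
import re

# Constructed sample input (not the question's own capture), in the shape of the
# page's "ipsec statusall" child-SA line and the tcpdump lines from both hosts.
STATUSALL_TS_LINE = "customer{3}:   10.250.9.0/28 === 10.250.10.0/28"
CAPTURE_LINES = [
    "00:30:46.360533 eth0  In  IP 10.250.10.6 > 10.250.9.4: ICMP echo request, id 5, seq 599, length 64",
    "00:30:46.360600 eth0  Out IP 10.250.9.4 > 10.250.10.6: ICMP echo reply, id 5, seq 599, length 64",
    "00:36:41.881802 IP ip-10-250-10-6.eu-central-1.compute.internal > 169.254.169.254: ICMP time exceeded in-transit, length 297",
]

TS_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+/\d+) === (\d+\.\d+\.\d+\.\d+/\d+)")
FLOW_RE = re.compile(r"\bIP (\S+) > ([^\s:]+): (.*)")
AWS_NAME_RE = re.compile(r"^ip-(\d+)-(\d+)-(\d+)-(\d+)\.")

def parse_selectors(line):
    """Return (left_subnet, right_subnet) from a 'left === right' statusall line."""
    m = TS_RE.search(line)
    if not m:
        raise ValueError("no traffic selectors found in: " + line)
    return ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2))

def to_address(name):
    """tcpdump prints EC2 reverse names like ip-10-250-10-6.<region>...; recover the IP."""
    m = AWS_NAME_RE.match(name)
    return ipaddress.ip_address(".".join(m.groups()) if m else name)

def classify(line, left, right):
    """Report whether one captured packet is covered by the negotiated selectors."""
    m = FLOW_RE.search(line)
    if not m:
        return None  # not an IPv4 packet line
    src, dst, info = to_address(m.group(1)), to_address(m.group(2)), m.group(3)
    if src in right and dst in left:
        verdict = "in-selectors (remote -> local)"
    elif src in left and dst in right:
        verdict = "in-selectors (local -> remote)"
    else:
        verdict = "outside selectors: this packet never enters the tunnel"
    if "time exceeded" in info:  # TTL hit zero: a forwarding loop on the path
        verdict += "; TTL expired, check the routing/forwarding path"
    return {"src": str(src), "dst": str(dst), "verdict": verdict}

def audit(ts_line, capture):
    """Classify every packet line in the capture against the selectors."""
    left, right = parse_selectors(ts_line)
    return [r for r in (classify(ln, left, right) for ln in capture) if r]
```

Call audit(STATUSALL_TS_LINE, CAPTURE_LINES) with your own statusall line and capture. Note also that the posted config sets mark=100, so the outbound policy only matches packets carrying that fwmark, which requires a marking rule or an XFRM/VTI interface.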
Ginnungagap:
Can you add the AWS VPN gateway configuration to the question? This looks a lot like an issue with traffic selectors and/or routing on the AWS gateway.
Hi @Ginnungagap, sorry for not responding. As far as I remember, it was not. I went away from strongswan, which solved the issue. Very unsatisfying result though, but results were more important in _that_ scenario than actually understanding the strongswan config.