
Strongswan RA and Strongswan site-2-site with ASA

Task: Establish communication between remote clients (192.168.79.0/24) that are connecting to VPN server (on Ubuntu) and corporate network (10.1.2.0/24) connected to Cisco ASA.

Schema: 192.168.79.0/24 <-Strongswan RA-> Ubuntu srv <-Strongswan s2s-> ASA (10.1.2.0/24)

Issue 1. Clients don't receive the route from the VPN server, but Strongswan sends it. "Use default gateway on remote network" is unchecked.

Mar 11 17:41:20 ubuntuSrv charon: 07[IKE] CHILD_SA ASA{1} established with SPIs ccdbd590_i 7cf6b605_o and TS 192.168.79.0/24 === 10.1.2.0/24

Issue 2. Traffic goes from 192.168.79.10 to 10.1.2.85, but not vice versa. "Use default gateway on remote network" is temporarily checked and clients connect to the VPN with a default route.

Ubuntu srv Strongswan config

cat /etc/ipsec.conf 
config setup
        # uniqueids=never
        charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
        keyexchange=ikev2
        ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp409$
        esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes1$
        dpdaction=clear
        dpddelay=300s
        rekey=no
        left=%any
        leftcert=vpnHostCert.pem
        right=%any
        rightdns=8.8.8.8,8.8.4.4

conn win7
        keyexchange=ikev2
        auto=add
        rightsourceip=192.168.79.10
        rightid="C=CH, O=strongSwan, CN=win7"
        leftsubnet=10.1.2.0/24

conn win8
        keyexchange=ikev2
        auto=add
        rightsourceip=192.168.79.11
        rightid="C=CH, O=strongSwan, CN=win8"
        leftsubnet=10.1.2.0/24

conn ASA
        authby=secret
        keyexchange=ikev1
        ikelifetime=1440m
        keylife=60m
        rekeymargin=3m
        keyingtries=1
        left=1.1.1.78
        leftsubnet=192.168.79.0/24
        leftid=1.1.1.78
        leftfirewall=yes
        right=1.1.1.72
        rightsubnet=10.1.2.0/24
        rightid=1.1.1.72
        auto=start
        ike=aes256-sha1-modp1024
        esp=aes256-sha1-modp1024

Ubuntu ipsec status and route print

root@ubuntuSrv:/etc/ipsec.d# ipsec status
Security Associations (2 up, 0 connecting):
        win7[2]: ESTABLISHED 7 minutes ago, 1.1.1.78[C=CH, O=strongSwan, CN=1.1.1.78]...2.2.2.238[C=CH, O=strongSwan, CN=win7]
        win7{2}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c9696f69_i ce82f3bc_o
        win7{2}:   10.1.2.0/24 === 192.168.79.10/32 
        ASA[1]: ESTABLISHED 7 minutes ago, 1.1.1.78[1.1.1.78]...1.1.1.72[1.1.1.72]
        ASA{1}:  INSTALLED, TUNNEL, ESP SPIs: ccdbd590_i 7cf6b605_o
        ASA{1}:   192.168.79.0/24 === 10.1.2.0/24 

root@ubuntuSrv:/etc/ipsec.d# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         1.1.1.1     0.0.0.0         UG    0      0        0 eth0
1.1.1.0     *               255.255.255.0   U     0      0        0 eth0

ASA crypto ipsec sa

 sh crypto ipsec sa peer 1.1.1.78
peer address: 1.1.1.78
    Crypto map tag: outside4_map, seq num: 9, local addr: 1.1.1.72

      access-list acl extended permit ip 10.1.2.0 255.255.255.0 192.168.79.0 255.255.255.0 
      local ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.79.0/255.255.255.0/0/0)
      current_peer: 1.1.1.78


      #pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
      #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 16, #pkts comp failed: 0, #pkts decomp failed: 0

From each side I made 8 ICMP requests. It seems traffic is lost on the Ubuntu side.

UPDATE: ubuntu srv receives packets but doesn't send them back.

tcpdump -pni eth0
16:51:22.073543 IP 10.1.2.95 > 192.168.79.10: ICMP echo request, id 512, seq 3584, length 40
16:51:22.073633 IP 10.1.2.95 > 192.168.79.10: ICMP echo request, id 512, seq 3584, length 40
I removed the RA config and added interface eth1 with IP 192.168.79.1, and ping goes to both sides. I guess that issue 2 stems from issue 1. When a client connects to the VPN, routes are somehow not sent to either the client or the VPN server. I know that ipsec status shows the networks, but I have no other explanation.

I suspect your problem is not with Strongswan but with your firewall rules. If your Ubuntu box is acting as the firewall and you have clients behind it, the NAT rule will try to handle traffic to your corporate network.

Normally, the following NAT rule will masquerade internet traffic:

Chain POSTROUTING (policy ACCEPT 757K packets, 49M bytes)
 pkts bytes target     prot opt in     out     source               destination
  93M 6869M MASQUERADE  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

But this will also masquerade the traffic for the VPN. Inserting a rule before the masquerade rule for IPsec traffic will fix the problem (the rule lives in the nat table, and -I puts it at the top of the chain so it is evaluated before MASQUERADE):

iptables -t nat -I POSTROUTING 1 -o eth1 -m policy --dir out --pol ipsec -j ACCEPT

So the output of iptables -t nat -L -v -n should look like:

Chain POSTROUTING (policy ACCEPT 757K packets, 49M bytes)
 pkts bytes target     prot opt in     out     source               destination
  343 16028 ACCEPT      all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec
  93M 6869M MASQUERADE  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

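As an added example (not part of the answer above or of any project's code), here is a small POSIX sh check that reads the text printed by iptables -t nat -S POSTROUTING and confirms that the IPsec policy-match ACCEPT rule is evaluated before any MASQUERADE rule on the same outbound interface. The three rule sets are constructed samples; the interface name eth1 follows the answer's listing.

```shell
#!/bin/sh
# Added example: verify that the nat POSTROUTING chain exempts IPsec-policy
# traffic before it masquerades, i.e. that a rule like
#   -A POSTROUTING -o eth1 -m policy --dir out --pol ipsec -j ACCEPT
# appears before any "-o eth1 ... -j MASQUERADE" rule.
# Input is the text printed by: iptables -t nat -S POSTROUTING

# nat_order_ok RULES OIF -> exit 0 if IPsec traffic leaving OIF escapes NAT
nat_order_ok() {
    rules=$1
    oif=$2
    # Line number of the first policy-match ACCEPT for this interface (empty if none).
    accept_n=$(printf '%s\n' "$rules" \
        | grep -n -- "^-A POSTROUTING .*-o $oif .*--pol ipsec .*-j ACCEPT" \
        | head -n 1 | cut -d: -f1)
    # Line number of the first MASQUERADE for this interface (empty if none).
    masq_n=$(printf '%s\n' "$rules" \
        | grep -n -- "^-A POSTROUTING .*-o $oif .*-j MASQUERADE" \
        | head -n 1 | cut -d: -f1)
    [ -z "$masq_n" ] && return 0        # nothing is masqueraded: nothing to fix
    [ -z "$accept_n" ] && return 1      # tunnel traffic gets masqueraded: broken
    [ "$accept_n" -lt "$masq_n" ]       # the exemption must be hit first
}

# nat_fix_cmd OIF -> prints the command that inserts the exemption at the top
nat_fix_cmd() {
    printf 'iptables -t nat -I POSTROUTING 1 -o %s -m policy --dir out --pol ipsec -j ACCEPT\n' "$1"
}

# Constructed sample chains, in the format of "iptables -t nat -S POSTROUTING".
MASQ_ONLY='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth1 -j MASQUERADE'
# Exemption appended with -A instead of inserted with -I: it sits after
# MASQUERADE, is never reached, and the tunnel traffic is still rewritten.
APPENDED='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o eth1 -m policy --dir out --pol ipsec -j ACCEPT'
FIXED='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth1 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o eth1 -j MASQUERADE'

for name in MASQ_ONLY APPENDED FIXED; do
    eval "chain=\$$name"
    if nat_order_ok "$chain" eth1; then
        echo "$name: ok"
    else
        echo "$name: IPsec traffic out eth1 would be masqueraded; run: $(nat_fix_cmd eth1)"
    fi
done
```

On a live box, feed it the real chain: nat_order_ok "$(iptables -t nat -S POSTROUTING)" eth0 (or whichever interface carries the MASQUERADE rule).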
This article is reproduced from Stack Exchange / Stack Overflow.