Strongswan site-to-site VPN connected/established but can't ping servers on remote subnet

I've been trying to resolve a site-to-site VPN issue for days. I am connecting to a corporate VPN that I do not have control over or access to the settings of. I am running a DigitalOcean VPS (not sure if DO-specific infrastructure plays a role here) running Ubuntu 16.04 and using strongSwan 5.3.5.

I have gone as far as getting what appears to be a successful connection to the VPN confirmed by the network engineer on that end. They can't see any traffic from me & I can't get ping replies from servers on their subnet.

Please help. I'm not a networking pro, so you're welcome (and encouraged) to explain it to me like I'm 5. I don't have any servers in addition to the VPS with strongSwan installed; I need to communicate with the corporate servers from that same VPS.

ME (VPS) <<<>>> internet <<<>>> CORPORATE VPN <<<>>> CORP SERVERS

138.xx.xx.xx  <> internet   <>  41.yy.yy.yy     <>   172.zz.zz.zz

All info below is taken while VPN tunnel is up.

ipsec statusall

$: ipsec statusall

Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-96-generic, x86_64):
  uptime: 20 minutes, since Sep 28 10:30:07 2017
  malloc: sbrk 1634304, mmap 0, used 582896, free 1051408
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 6
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac ccm gcm attr kernel-libipsec kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
Listening IP addresses:
  138.xx.xx.xx
  10.16.0.5
Connections:
    my-conn:  138.xx.xx.xx...41.yy.yy.yy  IKEv2
    my-conn:   local:  [138.xx.xx.xx] uses pre-shared key authentication
    my-conn:   remote: [41.yy.yy.yy] uses pre-shared key authentication
    my-conn:   child:  138.xx.xx.xx/32 === 172.zz.zz.zz/24 TUNNEL
Security Associations (1 up, 0 connecting):
    my-conn[1]: ESTABLISHED 20 minutes ago, 138.xx.xx.xx[138.xx.xx.xx]...41.yy.yy.yy[41.yy.yy.yy]
    my-conn[1]: IKEv2 SPIs: 981bda0c250576ed_i 890fb1ffd688230e_r*, pre-shared key reauthentication in 7 hours
    my-conn[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
    my-conn{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: dbb4f9b1_i 0d49761f_o
    my-conn{1}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 252 bytes_o (3 pkts, 1197s ago), rekeying in 23 hours
    my-conn{1}:   138.xx.xx.xx/32 === 172.ww.ww.ww/32
    my-conn{2}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: 6e95fb25_i 09e475d6_o
    my-conn{2}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 23 hours
    my-conn{2}:   138.xx.xx.xx/32 === 172.ww.ww.zz/32

contents of ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

config setup
  cachecrls=yes
  uniqueids=yes
  nat_traversal=yes

conn %default
  ikelifetime=28800s
  lifetime=1440m
  margintime=3m
  keyingtries=2
  authby=secret
  keyexchange=ikev2

conn my-conn
  type=tunnel
  left=138.xx.xx.xx
  leftsubnet=138.xx.xx.xx
  #leftfirewall=yes
  right=41.yy.yy.yy
  rightsubnet=172.zz.zz.zz/24
  ike=aes256-sha256-modp1536
  esp=aes256-sha256-modp1536
  auto=add
  #rightsourceip=172.ww.ww.yy,172.ww.ww.zz

contents of iptables-save

# Generated by iptables-save v1.6.0 on Wed Sep 27 14:36:20 2017
*mangle
:PREROUTING ACCEPT [11416:1336562]
:INPUT ACCEPT [11416:1336562]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12308:1948095]
:POSTROUTING ACCEPT [12308:1948095]
COMMIT
# Completed on Wed Sep 27 14:36:20 2017
# Generated by iptables-save v1.6.0 on Wed Sep 27 14:36:20 2017
*nat
:PREROUTING ACCEPT [4:200]
:INPUT ACCEPT [2:120]
:OUTPUT ACCEPT [4:266]
:POSTROUTING ACCEPT [4:266]
-A POSTROUTING -s 10.16.0.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.16.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Sep 27 14:36:20 2017
# Generated by iptables-save v1.6.0 on Wed Sep 27 14:36:20 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11109:1768005]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p esp -j ACCEPT
COMMIT

ip route show

$: ip route show
default via 138.xx.xx.xx dev eth0 onlink 
10.16.0.0/16 dev eth0  proto kernel  scope link  src 10.16.0.5 
138.xx.xx.xx/20 dev eth0  proto kernel  scope link  src 138.xx.xx.xx 

ifconfig

$: ifconfig 
eth0      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          inet addr:138.xx.xx.xx  Bcast:138.xx.xx.255  Mask:255.255.xx.0
          inet6 addr: fe80::78ab:64ff:fee9:a6a5/64 Scope:Link
          inet6 addr: XXXX::XXXX:XXXX:XXXX:XXXX/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:91775 errors:0 dropped:0 overruns:0 frame:0
          TX packets:100307 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:14598431 (14.5 MB)  TX bytes:23615037 (23.6 MB)

ipsec0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1400  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:12670 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12670 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:722578 (722.5 KB)  TX bytes:722578 (722.5 KB)

ip route show table 220

$: ip route show table 220
172.zz.zz.yy dev ipsec0  proto static  src 138.xx.xx.xx
0
asked 28 September 2017 at 13:26
2 answers
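Two things in the output above are worth checking mechanically: the conn asks for `138.xx.xx.xx/32 === 172.zz.zz.zz/24`, but the installed CHILD_SAs carry only two `/32` hosts (the peer narrowed the selectors, and table 220 holds a single host route accordingly), and in the filter table `-A INPUT -p esp -j ACCEPT` sits after an unconditional `-A INPUT -j DROP`. The script below is an added example, not code from the question or from strongSwan; it parses constructed excerpts of the `ipsec statusall` and `iptables-save` output shown above, with the xx/yy/zz placeholders replaced by RFC 5737 documentation addresses and `172.16.5.0/24` standing in for the corporate `172.zz.zz.zz/24`. Function and variable names are this example's own.

```python
"""
Checks for the "ESTABLISHED but nothing gets through" situation in the question.
Added example; inputs are constructed from the question's output with
documentation addresses (RFC 5737) in place of the xx/yy/zz placeholders.
"""
import ipaddress
import re

# Constructed `ipsec statusall` excerpt: the conn proposes a /24, but the
# installed CHILD_SAs cover only two /32 hosts, as in the question.
STATUSALL = """\
Connections:
    my-conn:  192.0.2.10...198.51.100.1  IKEv2
    my-conn:   child:  192.0.2.10/32 === 172.16.5.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
    my-conn{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: dbb4f9b1_i 0d49761f_o
    my-conn{1}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 252 bytes_o (3 pkts, 1197s ago), rekeying in 23 hours
    my-conn{1}:   192.0.2.10/32 === 172.16.5.20/32
    my-conn{2}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: 6e95fb25_i 09e475d6_o
    my-conn{2}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 23 hours
    my-conn{2}:   192.0.2.10/32 === 172.16.5.21/32
"""

# Constructed `iptables-save` excerpt (filter table as shown in the question).
IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11109:1768005]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p esp -j ACCEPT
COMMIT
"""

SA_RE = re.compile(r"^\s*[\w-]+\{(?P<id>\d+)\}:\s+(?P<rest>.*)$")   # CHILD_SA lines: name{n}:
SEL_RE = re.compile(r"(?P<local>\S+)\s+===\s+(?P<remote>\S+)")       # "local === remote" selectors
BYTES_RE = re.compile(r"(?P<bi>\d+) bytes_i,\s+(?P<bo>\d+) bytes_o")  # ESP byte counters
RULE_RE = re.compile(r"^-A\s+(?P<chain>\S+)\s+(?P<body>.*)$")          # iptables-save rule lines
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def _net(text):
    return ipaddress.ip_network(text, strict=False)


def parse_statusall(text):
    """Return the configured child selectors plus every installed CHILD_SA with selectors and counters."""
    configured, sas = None, {}
    for line in text.splitlines():
        if " child:" in line and "===" in line:          # the conn's configured selectors
            m = SEL_RE.search(line)
            configured = (_net(m["local"]), _net(m["remote"]))
            continue
        m = SA_RE.match(line)
        if not m:
            continue
        sa = sas.setdefault(int(m["id"]), {"id": int(m["id"]), "local": None, "remote": None,
                                             "bytes_in": None, "bytes_out": None})
        b, s = BYTES_RE.search(m["rest"]), SEL_RE.search(m["rest"])
        if b:
            sa["bytes_in"], sa["bytes_out"] = int(b["bi"]), int(b["bo"])
        elif s:
            sa["local"], sa["remote"] = _net(s["local"]), _net(s["remote"])
    return {"configured": configured, "sas": [sas[k] for k in sorted(sas)]}


def check_destination(status, dst):
    """Explain whether a packet to dst would be steered into an installed CHILD_SA."""
    ip = ipaddress.ip_address(dst)
    remote_cfg = status["configured"][1]
    if ip not in remote_cfg:
        return {"covered": False, "sa": None, "one_way": False,
                "reason": f"{dst} is outside rightsubnet {remote_cfg}; no IPsec policy applies"}
    for sa in status["sas"]:
        if sa["remote"] is not None and ip in sa["remote"]:
            # bytes out but none in: the far side (or its return route) is not answering
            one_way = bool(sa["bytes_out"]) and not sa["bytes_in"]
            return {"covered": True, "sa": sa["id"], "one_way": one_way,
                    "reason": f"{dst} matches CHILD_SA #{sa['id']} {sa['local']} === {sa['remote']}"
                              + ("; traffic is leaving but nothing comes back" if one_way else "")}
    narrowed = ", ".join(str(sa["remote"]) for sa in status["sas"] if sa["remote"])
    return {"covered": False, "sa": None, "one_way": False,
            "reason": f"{dst} is inside {remote_cfg} but the peer narrowed the selectors to {narrowed}; "
                      "no CHILD_SA matches, so the kernel routes it normally, outside the tunnel"}


def find_shadowed_rules(text):
    """List rules that can never match because an unconditional terminal rule sits earlier in their chain."""
    table, blockers, shadowed = None, {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):                          # "*filter", "*nat", ...
            table = line[1:]
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        key = (table, m["chain"])
        if key in blockers:
            shadowed.append((table, m["chain"], line, blockers[key]))
            continue
        body = m["body"].split()
        # "-A CHAIN -j DROP" carries no match options, so every later rule in the chain is dead
        if len(body) == 2 and body[0] == "-j" and body[1] in TERMINAL:
            blockers[key] = line
    return shadowed


if __name__ == "__main__":
    status = parse_statusall(STATUSALL)
    for dst in ("172.16.5.20", "172.16.5.77", "172.16.9.1"):
        print(check_destination(status, dst)["reason"])
    for table, chain, rule, blocker in find_shadowed_rules(IPTABLES_SAVE):
        print(f"{table}/{chain}: '{rule}' is unreachable after '{blocker}'")
```

Run against the constructed output, the first check reports that only the two narrowed hosts have a CHILD_SA, that one of them shows bytes out but none in, and that any other address inside the configured /24 never enters the tunnel at all; that is the pattern the `ipsec statusall` and `ip route show table 220` output above exhibits. The second check flags the `-p esp` accept rule as unreachable behind the `-j DROP`; with the SAs shown as `ESP in UDP` (port 4500 is allowed) that rule never matters, but it would silently break the tunnel the day NAT-T stops being negotiated.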

From what I can see, you are connected, but either the encryption is wrong or the key is configured incorrectly. For more information, share your ipsec.secrets file.

In the meantime, try the following in your ipsec.conf:

conn my-conn
    aggressive=no
    authby=secret
    auto=start     
    esp=3des-sha1-modp1024
    ike=3des-sha1-modp1024
    ikelifetime=28800s
    keyexchange=ike
    rightid=41.yy.yy.yy
    leftid=46.101.81.172 
    left=138.xx.xx.xx
    right=41.yy.yy.yy
    rightsubnet=72.zz.zz.0/24

The left subnet doesn't matter .. check the encryption. I suggested

esp=3des-sha1-modp1024
ike=3des-sha1-modp1024

instead of;

ike=aes256-sha256-modp1536
esp=aes256-sha256-modp1536

This is recommended based on the private message you sent me.

Cheers!

0
answered 5 December 2019 at 07:25

I suspect you are missing net.ipv4.ip_forward = 1 in /etc/sysctl.conf

This can be set permanently in /etc/sysctl.conf, after which you run sysctl -p to reload the current value.

Or, to set it temporarily, run sysctl -w net.ipv4.ip_forward=1

0
answered 5 December 2019 at 07:25
