
I am using strongSwan to connect to a Cisco ASA firewall through the VPN.

My IPsec status output looks as follows:

root@ip-172-31-90-211:~# ipsec status
Security Associations (1 up, 0 connecting):
connection-to-vodacom[1]: ESTABLISHED 6 minutes ago, 172.31.90.211[172.31.90.211]...197.235.1.30[197.235.1.30]
connection-to-vodacom{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c9fee5f5_i 5a07752a_o
connection-to-vodacom{1}:   172.31.90.211/32 === 10.201.0.0/16
root@ip-172-31-90-211:~#

My IPsec configuration file can be found below:

config setup
        charondebug="all"
        uniqueids=no

conn connection-to-vodacom
        type=tunnel
        auto=start
#       keyexchange=ikev1
        authby=secret
#       left=%defaultroute
        left=%any
        leftsubnet=172.31.90.211/32
        right=197.235.1.30
        rightsubnet=10.201.0.0/16
        keyexchange=ikev1
        ike=aes256-sha1-modp1536!
        esp=aes256-sha1!
        aggressive=yes
        keyingtries=%forever
        ikelifetime=86400s
        lifetime=3600s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart

The ip xfrm policy command returns the following:

root@ip-172-31-90-211:~# ip xfrm policy
src 172.31.90.211/32 dst 10.201.0.0/16
    dir out priority 375423
    tmpl src 172.31.90.211 dst 197.235.1.30
        proto esp spi 0x5a07752a reqid 1 mode tunnel
src 10.201.0.0/16 dst 172.31.90.211/32
    dir fwd priority 375423
    tmpl src 197.235.1.30 dst 172.31.90.211
        proto esp reqid 1 mode tunnel
src 10.201.0.0/16 dst 172.31.90.211/32
    dir in priority 375423
    tmpl src 197.235.1.30 dst 172.31.90.211
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0
src ::/0 dst ::/0
    socket in priority 0
src ::/0 dst ::/0
    socket out priority 0
src ::/0 dst ::/0
    socket in priority 0
src ::/0 dst ::/0
    socket out priority 0

However, when I try to ping one of the hosts on the other side of the VPN I get no response, and I can't even see the pings with tshark:

root@ip-172-31-90-211:~# ping 10.201.47.102
PING 10.201.47.102 (10.201.47.102) 56(84) bytes of data.
^C
--- 10.201.47.102 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1017ms

And I have the following NAT rules installed:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             policy match dir out pol ipsec
ACCEPT     all  --  ip-10-201-0-0.ec2.internal/16  anywhere             policy match dir out pol ipsec

When I try to check the outgoing ICMP packets I only manage to see them when the VPN is down; when I bring up the VPN I can no longer see the outgoing packets.

Another thing that we managed to notice is that the packets from our server to the VPN leave our server, but no packets come back:

125 86.912011656 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
126 87.039966429 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
127 87.936001348 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
128 88.063989799 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
129 88.960012350 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
130 89.088001291 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
131 89.984013008 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
132 90.111999146 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
133 90.221484963 197.235.1.30 → 172.31.90.211 UDPENCAP 43 NAT-keepalive
134 91.008014628 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
135 91.135994428 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
136 92.032010593 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
137 92.159977535 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
138 93.056014269 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
139 93.183986406 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)

Please help

rjcossa
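Two checks worth running on the evidence already posted, as an added example that is not part of the original question. The `ip xfrm policy` output above explains one of the observations: once the CHILD_SA is installed, the `dir out` policy for 172.31.90.211/32 to 10.201.0.0/16 captures the pings before they reach the interface, so a capture there shows ESP (frames 125 to 139) instead of plaintext ICMP; not seeing the pings with the tunnel up is expected, not a fault. The script below, written in POSIX shell with awk, first verifies that all three kernel policies (out, fwd, in) exist for the subnet pair, then counts ESP per direction in the tshark summary and states what the asymmetry implies. The embedded SAMPLE_* strings are copied from the question's own output so the script runs offline; the argument names and the verdict wording are this example's own assumptions.

```shell
#!/bin/sh
# Added triage helpers for the strongSwan-to-Cisco-ASA case in the question
# above. Example code, not part of the original post. The SAMPLE_* strings are
# copied from the question's own `ip xfrm policy` and tshark output so the
# script runs offline; in real use pipe the live commands in instead.

# xfrm_policy_check LOCAL_SUBNET REMOTE_SUBNET
# Reads `ip xfrm policy` output on stdin and confirms the kernel holds all
# three policies charon installs for a CHILD_SA: out, fwd and in.
# Prints "policies ok" (exit 0) or the missing directions (exit 1).
xfrm_policy_check() {
    awk -v ls="$1" -v rs="$2" '
        /^src / { src = $2; dst = $4; next }
        /^[ \t]+dir / {
            if ($2 == "out" && src == ls && dst == rs) seen["out"] = 1
            if (($2 == "in" || $2 == "fwd") && src == rs && dst == ls) seen[$2] = 1
        }
        END {
            missing = ""
            n = split("out fwd in", dirs, " ")
            for (i = 1; i <= n; i++)
                if (!(dirs[i] in seen)) missing = missing dirs[i] " "
            if (missing == "") { print "policies ok"; exit 0 }
            print "missing policies: " missing; exit 1
        }'
}

# esp_flow_summary LOCAL_IP PEER_IP
# Reads tshark one-line summaries on stdin, counts ESP per direction and
# NAT-keepalives arriving from the peer, and prints a verdict.
# Exit 1 when ESP leaves but none comes back (the situation in the question).
esp_flow_summary() {
    awk -v me="$1" -v peer="$2" '
        $6 == "ESP" && $3 == me && $5 == peer      { outb++ }
        $6 == "ESP" && $3 == peer && $5 == me      { inb++ }
        $6 == "UDPENCAP" && $3 == peer && $5 == me { ka++ }
        END {
            printf "esp_out=%d esp_in=%d keepalive_from_peer=%d\n", outb, inb, ka
            if (outb > 0 && inb == 0) {
                if (ka > 0)
                    print "verdict: peer reaches us on UDP/4500 but returns no ESP; check the peer side (crypto ACL, route for the remote subnet)"
                else
                    print "verdict: nothing arrives from the peer; check inbound UDP/500 and UDP/4500 filtering first"
                exit 1
            }
            print "verdict: ESP flows both ways; if pings still fail, look above the tunnel (routing, ICMP filtering)"
        }'
}

# Constructed sample, copied from the question: the three per-CHILD_SA policies
# plus one of the socket policies, which the parser must ignore.
SAMPLE_XFRM_POLICY='src 172.31.90.211/32 dst 10.201.0.0/16
    dir out priority 375423
    tmpl src 172.31.90.211 dst 197.235.1.30
        proto esp spi 0x5a07752a reqid 1 mode tunnel
src 10.201.0.0/16 dst 172.31.90.211/32
    dir fwd priority 375423
    tmpl src 197.235.1.30 dst 172.31.90.211
        proto esp reqid 1 mode tunnel
src 10.201.0.0/16 dst 172.31.90.211/32
    dir in priority 375423
    tmpl src 197.235.1.30 dst 172.31.90.211
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0'

# Constructed sample, copied from the question: tshark capture on the instance.
SAMPLE_TSHARK='125 86.912011656 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
126 87.039966429 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
127 87.936001348 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
128 88.063989799 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
129 88.960012350 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
130 89.088001291 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
131 89.984013008 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
132 90.111999146 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
133 90.221484963 197.235.1.30 → 172.31.90.211 UDPENCAP 43 NAT-keepalive
134 91.008014628 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
135 91.135994428 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
136 92.032010593 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
137 92.159977535 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
138 93.056014269 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
139 93.183986406 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)'

# Run against the question's captured output when executed directly.
printf '%s\n' "$SAMPLE_XFRM_POLICY" | xfrm_policy_check 172.31.90.211/32 10.201.0.0/16
printf '%s\n' "$SAMPLE_TSHARK" | esp_flow_summary 172.31.90.211 197.235.1.30 || true
```

Against live output the same functions take `ip xfrm policy | xfrm_policy_check 172.31.90.211/32 10.201.0.0/16` and `tshark -i eth0 'udp port 4500' | esp_flow_summary 172.31.90.211 197.235.1.30` (interface name assumed). On the posted capture the result is esp_out=14 esp_in=0 keepalive_from_peer=1: the ASA sends NAT-keepalives to this host on UDP/4500, so the path and inbound filtering are working and the missing return ESP points at the ASA side, where the crypto ACL has to mirror 172.31.90.211/32 to 10.201.0.0/16 and the 10.201.0.0/16 hosts need a route back into the tunnel. Separately from the traffic problem, `aggressive=yes` with `authby=secret` is IKEv1 aggressive mode with a pre-shared key, which transmits the PSK-derived hash unencrypted and exposes the key to offline guessing; main mode (`aggressive=no`) or IKEv2 with a long random PSK removes that exposure if the ASA side can be changed, and sha1 and modp1536 in the proposals are legacy choices worth raising when both ends allow it.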
  • Why are you using StrongSwan presumably on an EC2 instance rather than using the AWS VPN gateway? Have you checked your VPC Flow Logs to see what traffic is going where? – Tim Sep 17 '20 at 19:44
  • We do see egress packets but we do not see incoming packets, @Tim. Another thing that we noticed is that the egress packets go out with our private IP address; could this be the source of the issue? – rjcossa Sep 17 '20 at 21:57
  • Private IPs are typically fine over VPNs. Why are you doing this rather than using AWS VPN functions, VPN gateway and such? The managed service is relatively easy, and not particularly expensive. – Tim Sep 17 '20 at 22:36

0 Answers