
I'm using Ubuntu 20.04 with strongSwan 5.8.2, configured using the Route-Based VPN instructions.

The site-to-site tunnel establishes and is stable; however, I can't route traffic over it. When I try to ping, ssh, or curl, I get a "No route to host" error. I can see the traffic in a tcpdump on my VTI interface.

I created my tunnel using the above instructions:

ip tunnel add vti0 local 10.50.1.25 remote 100.100.100.100 mode vti key 50
sysctl -w net.ipv4.conf.vti0.disable_policy=1
ip link set vti0 up
ip route add 10.0.0.0/12 dev vti0

Additionally, I disabled install_routes in the charon config.

Routing outside of the vti0 interface works fine.

Other details/output:

$ ssh user@10.1.2.3
ssh: connect to host 10.1.2.3 port 22: No route to host

$ ip route list
default via 10.50.1.1 dev ens5 proto dhcp src 10.50.1.25 metric 50
10.0.0.0/12 dev vti0 scope link
10.50.1.0/20 dev ens5 proto kernel scope link src 10.50.1.25
10.50.1.1 dev ens5 proto dhcp scope link src 10.50.1.25 metric 50

$ ip route get 10.1.2.3
10.1.2.3 dev vti0 src 10.50.1.25 uid 0
    cache

$ ip link
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether AB:AB:AB:AB:AB:AB brd ff:ff:ff:ff:ff:ff
6: vti0@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1436 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/ipip 10.50.1.25 peer 100.100.100.100

Additional output for ipsec status and iptables:

$ ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.2, Linux 5.15.0-1022-aws, x86_64):
  uptime: 29 seconds, since Oct 20 14:17:36 2022
  malloc: sbrk 2568192, mmap 0, used 786720, free 1781472
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Listening IP addresses:
  10.50.1.1
Connections:
near-to-far:  %any...100.100.100.100  IKEv1, dpddelay=30s
near-to-far:   local:  [50.50.50.50] uses pre-shared key authentication
near-to-far:   remote: [100.100.100.100] uses pre-shared key authentication
near-to-far:   child:  0.0.0.0/32 === 10.0.0.0/12 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
near-to-far[1]: ESTABLISHED 29 seconds ago, 10.50.1.1[50.50.50.50]...100.100.100.100[100.100.100.100]
near-to-far[1]: IKEv1 SPIs: c371e91e6240fdd9_i* 7ce8c9676a22e5d5_r, pre-shared key reauthentication in 23 hours
near-to-far[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
near-to-far{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1e35cb4_i 11cb0bbe_o
near-to-far{1}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 41 minutes
near-to-far{1}:   0.0.0.0/32 === 10.0.0.0/12

$ iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             ip-10-0-0-0.us-west-2.compute.internal/12

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

$ iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  anywhere             anywhere             to:50.50.50.50
ACCEPT     all  --  ip-10-50-1-0.us-west-2.compute.internal/20  anywhere             policy match dir out pol ipsec
MASQUERADE  all  --  ip-10-0-0-0.us-west-2.compute.internal/12  ip-10-50-1-0.us-west-2.compute.internal/23
  • I think you need to provide more information e.g. about the negotiated IPsec SAs (e.g. status output of strongSwan), the firewall rules (e.g. `iptables-save`) etc. – ecdsa Oct 20 '22 at 07:38
  • I included the output from `iptables` and `ipsec status all`. If there's something more needed, glad to add it. – Carlo Mencarelli Oct 20 '22 at 14:49
  • First, your local traffic selector, `0.0.0.0/32`, is wrong. It should probably be `0.0.0.0/0` (or a more specific subnet you want to tunnel). Second, that `SNAT` rule could also be a problem (unless the goal is to actually NAT traffic before tunneling it). – ecdsa Oct 21 '22 at 07:23

0 Answers