
I want to hide my locally hosted server behind a public VPS, so I established a VPN between my local firewall (Fortinet) and my VPS (strongSwan). Diagram

The VPN is up, but there is no traffic at all. Even in tcpdump I can't see any traffic coming from the tunnel in either direction.

VPS:

  • 92.x.x.x on ens6 (srv1.domain.net)
  • 10.200.0.25/29 on ens6:1 (alias IP on the network device, added with "ip addr add")

Home:

  • dynamic IP -> 82.x.x.x on wan1 (home.domain.net)
  • 10.1.0.0/20

VPS

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         93.x.x.1        0.0.0.0         UG    100    0        0 ens6
10.200.0.24     0.0.0.0         255.255.255.248 U     0      0        0 ens6
93.x.x.1        0.0.0.0         255.255.255.255 UH    100    0        0 ens6

ipsec.conf

        lifetime=3600s
        ikelifetime=3h
        keyingtries=3
        keyexchange=ikev2
        authby=secret
        type=tunnel
        auto=start
        mobike=no

        ike=aes128-aes256-sha256-sha384-x25519!
        esp=aes128gcm16-aes256gcm16-x25519!

        leftsubnet=10.200.0.24/29
        left=92.x.x.x
conn home
        right=home.domain.net
        rightsubnet=10.1.0.0/20
root@ubuntu:~# ipsec status
Security Associations (1 up, 0 connecting):
        home[1]: ESTABLISHED 93 minutes ago, 93.x.x.x[srv1.domain.net]...88.x.x.x[home.domain.net]
        home{3}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1fc6d50_i c502a2f6_o
        home{3}:   10.200.0.24/29 === 10.1.0.0/20       
        
root@ubuntu:~# ip xfrm state          
src 93.x.x.x dst 82.x.x.x
        proto esp spi 0xc502a2f6 reqid 1 mode tunnel
        replay-window 0 flag af-unspec
        aead rfc4106(gcm(aes)) 0xxxxxxx 128
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 82.x.x.x dst 93.x.x.x
        proto esp spi 0xc1fc6d50 reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        aead rfc4106(gcm(aes)) 0xxxxxxx 128
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000

Ping from 10.1.2.77 to 10.200.0.25

Firewall Fortigate

fw # diagnose sniffer packet "S2S-srv1" none 4
interfaces=[S2S-srv1]
filters=[none]
pcap_lookupnet: S2S-srv1: no IPv4 address assigned
4.900617 S2S-srv1 -- 10.1.2.77 -> 10.200.0.25: icmp: echo request
9.866557 S2S-srv1 -- 10.1.2.77 -> 10.200.0.25: icmp: echo request
14.866824 S2S-srv1 -- 10.1.2.77 -> 10.200.0.25: icmp: echo request
19.867489 S2S-srv1 -- 10.1.2.77 -> 10.200.0.25: icmp: echo request

VPS

root@ubuntu:~# tcpdump -v -n -i any port not 22 and not port 53
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
[empty]

Ping from VPS to 10.1.1.1

Firewall Fortigate

fw # diagnose sniffer packet "S2S-srv1" none 4
interfaces=[S2S-srv1]
filters=[none]
pcap_lookupnet: S2S-srv1: no IPv4 address assigned
[empty]

VPS

root@ubuntu:~# tcpdump -v -n -i any port not 22
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
13:09:47.663917 ens6  Out IP (tos 0x0, ttl 64, id 34394, offset 0, flags [DF], proto ESP (50), length 140)
    93.x.x.x > 88.x.x.x: ESP(spi=0xc502a2f6,seq=0x5), length 120
13:09:48.688043 ens6  Out IP (tos 0x0, ttl 64, id 34532, offset 0, flags [DF], proto ESP (50), length 140)
    93.x.x.x > 88.x.x.x: ESP(spi=0xc502a2f6,seq=0x6), length 120

Ping from VPS 10.200.0.25 to 10.1.1.1

Firewall Fortigate

fw # diagnose sniffer packet "S2S-srv1" none 4
interfaces=[S2S-srv1]
filters=[none]
pcap_lookupnet: S2S-srv1: no IPv4 address assigned
[empty]

VPS

tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
13:14:48.239905 lo    In  IP (tos 0x0, ttl 64, id 45593, offset 0, flags [DF], proto ICMP (1), length 92, options (NOP,LSRR 10.1.1.1))
    10.200.0.25 > 10.200.0.25: ICMP echo request, id 15, seq 26, length 64
13:14:49.263958 lo    In  IP (tos 0x0, ttl 64, id 45646, offset 0, flags [DF], proto ICMP (1), length 92, options (NOP,LSRR 10.1.1.1))
    10.200.0.25 > 10.200.0.25: ICMP echo request, id 15, seq 27, length 64

I believe I need to set some iptables rules... Does anybody have a hint?

ben
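The two pieces of evidence in the post that are worth reading together are the CHILD_SA line from `ipsec status` (inbound SPI, outbound SPI and the traffic selectors) and the ESP lines from tcpdump on the VPS. The script below is an added example, not part of the original post or of strongSwan: it parses those two outputs (copied from the post as constructed input), counts ESP packets per SA and direction (confirming that SPI 0xc502a2f6 is the VPS's outbound SA and that no inbound ESP was captured), and checks whether a given src/dst flow falls inside the tunnel's traffic selectors, which is what decides whether the kernel encrypts a packet at all. All function names are this example's own, and 192.0.2.10 is a documentation address standing in for the obfuscated public IP.

```python
"""Correlate strongSwan CHILD_SA state with tcpdump ESP lines and traffic selectors.

Added example (not from the original post or strongSwan). The two text blocks
below are copied from the post's own command output and serve as sample input.
"""
import ipaddress
import re

# Constructed input: the CHILD_SA lines from the post's `ipsec status`.
IPSEC_STATUS = """\
home[1]: ESTABLISHED 93 minutes ago, 93.x.x.x[srv1.domain.net]...88.x.x.x[home.domain.net]
home{3}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1fc6d50_i c502a2f6_o
home{3}:   10.200.0.24/29 === 10.1.0.0/20
"""

# Constructed input: the ESP packets from the post's tcpdump on the VPS.
TCPDUMP_ESP = """\
13:09:47.663917 ens6  Out IP (tos 0x0, ttl 64, id 34394, offset 0, flags [DF], proto ESP (50), length 140)
    93.x.x.x > 88.x.x.x: ESP(spi=0xc502a2f6,seq=0x5), length 120
13:09:48.688043 ens6  Out IP (tos 0x0, ttl 64, id 34532, offset 0, flags [DF], proto ESP (50), length 140)
    93.x.x.x > 88.x.x.x: ESP(spi=0xc502a2f6,seq=0x6), length 120
"""

SPI_RE = re.compile(r"^(?P<name>\w+)\{\d+\}:\s+INSTALLED, TUNNEL, reqid \d+, "
                    r"ESP SPIs: (?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o")
TS_RE = re.compile(r"^(?P<name>\w+)\{\d+\}:\s+(?P<local>[\d./ ]+?)\s+===\s+(?P<remote>[\d./ ]+?)\s*$")
HDR_RE = re.compile(r"^\S+\s+\S+\s+(?P<dir>In|Out)\s+IP\b")
ESP_RE = re.compile(r"ESP\(spi=0x(?P<spi>[0-9a-f]+),seq=0x(?P<seq>[0-9a-f]+)\)")


def parse_child_sas(status_text):
    """Return {name: {spi_in, spi_out, local, remote}} from `ipsec status` output.
    local/remote hold the traffic selectors as ip_network objects."""
    sas = {}
    for line in status_text.splitlines():
        line = line.strip()
        m = SPI_RE.match(line)
        if m:
            sa = sas.setdefault(m["name"], {})
            sa["spi_in"] = int(m["spi_in"], 16)
            sa["spi_out"] = int(m["spi_out"], 16)
            continue
        m = TS_RE.match(line)
        if m:
            sa = sas.setdefault(m["name"], {})
            sa["local"] = [ipaddress.ip_network(n) for n in m["local"].split()]
            sa["remote"] = [ipaddress.ip_network(n) for n in m["remote"].split()]
    return sas


def parse_esp_packets(tcpdump_text):
    """Return [(direction, spi, seq)] for every ESP packet in `tcpdump -v` output.
    The In/Out marker is on the header line; the SPI is on the continuation line."""
    packets, direction = [], None
    for line in tcpdump_text.splitlines():
        h = HDR_RE.match(line)
        if h:
            direction = h["dir"]
            continue
        e = ESP_RE.search(line)
        if e and direction:
            packets.append((direction, int(e["spi"], 16), int(e["seq"], 16)))
    return packets


def esp_counts(sas, packets):
    """Count captured ESP packets per CHILD_SA and direction.
    Packets whose SPI matches no SA, or whose SPI belongs to the other direction,
    are returned separately as `unmatched` (a stale SA or a capture on the wrong host)."""
    counts = {name: {"out": 0, "in": 0} for name in sas}
    spi_index = {}
    for name, sa in sas.items():
        spi_index[sa["spi_out"]] = (name, "out")
        spi_index[sa["spi_in"]] = (name, "in")
    unmatched = 0
    for direction, spi, _seq in packets:
        hit = spi_index.get(spi)
        if hit is None or (hit[1] == "out") != (direction == "Out"):
            unmatched += 1
            continue
        counts[hit[0]][hit[1]] += 1
    return counts, unmatched


def flow_matches(sas, src, dst):
    """Which CHILD_SA's selectors cover a src->dst flow, and in which direction.
    Returns (name, 'out'|'in'), or None when no policy applies and the packet
    would be sent in the clear (or dropped) instead of through the tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, sa in sas.items():
        if any(s in n for n in sa["local"]) and any(d in n for n in sa["remote"]):
            return name, "out"
        if any(s in n for n in sa["remote"]) and any(d in n for n in sa["local"]):
            return name, "in"
    return None


if __name__ == "__main__":
    sas = parse_child_sas(IPSEC_STATUS)
    counts, unmatched = esp_counts(sas, parse_esp_packets(TCPDUMP_ESP))
    print("ESP per SA:", counts, "unmatched:", unmatched)
    for src, dst in [("10.200.0.25", "10.1.1.1"), ("10.1.2.77", "10.200.0.25"),
                     ("192.0.2.10", "10.1.1.1")]:  # 192.0.2.10 stands in for the public IP
        print(f"{src} -> {dst}:", flow_matches(sas, src, dst))
```

Run on the post's output this reports two outbound packets on the `home` SA and zero inbound, which narrows the problem to the path between the VPS and the Fortigate (or the Fortigate's handling of the incoming ESP) rather than to the VPS's own policy. The selector check also shows why the source address matters when testing from the VPS: a ping sourced from the public address to 10.1.1.1 matches no traffic selector, while one sourced from 10.200.0.25 does.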