[Swan] Advice on troubleshooting AWS VPC site-to-site VPN connection.
Scott Classen
sclassen at lbl.gov
Thu Oct 14 20:46:00 UTC 2021
OK, I have moved to a machine running CentOS 8 so I can use a newer Libreswan version (Linux Libreswan 4.3 (netkey) on 4.18.0-305.19.1.el8_4.x86_64).
I am also only bringing up a single VPN tunnel for the time being, since the right side (AWS) has two tunnel endpoints in different subnets. My current connection is:
conn conn-to-aws-1
    leftid=xxx.xxx.85.19
    left=xxx.xxx.85.19
    leftsubnets=192.168.1.0/24,xxx.xxx.85.19/32
    rightid=xxx.xxx.186.125
    right=xxx.xxx.186.125
    rightsubnets=xxx.xxx.63.92/30,10.0.1.0/24
    authby=secret
    ikev2=insist
    #aggressive=no
    ikelifetime=28800
    lifetime=3600
    rekey=yes
    rekeyfuzz=100%
    fragmentation=yes
    replay-window=1024
    dpddelay=30
    dpdtimeout=120
    mtu=1419
    type=tunnel
    auto=start
    ike=aes128-sha1-modp1024
    esp=aes128-sha1-modp1024
    keyingtries=%forever
# ip xfrm policy
returns a lot of seemingly important routing information like this:
src 10.0.1.0/24 dst 192.168.1.0/24
dir fwd priority 2084814 ptype main
tmpl src xxx.xxx.186.125 dst xxx.xxx.85.19
proto esp reqid 16393 mode tunnel
src 10.0.1.0/24 dst 192.168.1.0/24
dir in priority 2084814 ptype main
tmpl src xxx.xxx.186.125 dst xxx.xxx.85.19
proto esp reqid 16393 mode tunnel
Now I have an EC2 instance that is associated with my AWS VPC with a public and private IP address
Private: 10.0.1.252
Public: xxx.xxx.79.208
I can ping the public address no problem, but when I ping the private address, the pings appear to go out as UDP-encap ESP packets (I think?), but they return from the public address! See this tcpdump output:
# ping -c3 10.0.1.252
PING 10.0.1.252 (10.0.1.252) 56(84) bytes of data.
64 bytes from xxx.xxx.79.208: icmp_seq=1 ttl=240 time=3.44 ms
64 bytes from xxx.xxx.79.208: icmp_seq=2 ttl=240 time=5.13 ms
64 bytes from xxx.xxx.79.208: icmp_seq=3 ttl=240 time=3.46 ms
# tcpdump -ni enp2s0f0 udp port 500 or udp port 4500 or icmp
13:30:54.113295 IP xxx.xxx.85.19.ipsec-nat-t > 52.9.186.125.ipsec-nat-t: UDP-encap: ESP(spi=0xc9530708,seq=0x20), length 132
13:30:54.116788 IP xxx.xxx.79.208 > xxx.xxx.85.19: ICMP echo reply, id 56943, seq 1, length 64
13:30:55.114989 IP xxx.xxx.85.19.ipsec-nat-t > 52.9.186.125.ipsec-nat-t: UDP-encap: ESP(spi=0xc9530708,seq=0x21), length 132
13:30:55.118301 IP xxx.xxx.79.208 > xxx.xxx.85.19: ICMP echo reply, id 56943, seq 2, length 64
13:30:56.116497 IP xxx.xxx.85.19.ipsec-nat-t > 52.9.186.125.ipsec-nat-t: UDP-encap: ESP(spi=0xc9530708,seq=0x22), length 132
13:30:56.119892 IP xxx.xxx.79.208 > xxx.xxx.85.19: ICMP echo reply, id 56943, seq 3, length 64
Is this a Libreswan/routing problem or an AWS routing problem?
BTW, I disabled firewalld while running these tests, and ipsec verify seems happy.
Thanks,
Scott
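The two checks the post is doing by hand (reading the tcpdump capture, and reading `ip xfrm policy`) can be scripted. The following is an added example, not code from the post or from the Libreswan project. It parses a constructed capture modelled on the lines above and flags the symptom described: requests leave encapsulated in ESP toward the peer, but echo replies arrive in cleartext from an address other than the one that was pinged, which means the return path is not inside the tunnel. It also compares the policies present in `ip xfrm policy` output against the full set that the leftsubnets/rightsubnets pairs in the conn should produce (one out policy per left-to-right pair and an in plus fwd policy per right-to-left pair). The masked xxx.xxx addresses are replaced with RFC 5737 documentation addresses, which are placeholders and are labelled as such in the code.

```python
import re
from collections import Counter

# Constructed sample capture modelled on the tcpdump lines in the post.
# Placeholder addresses (RFC 5737) stand in for the masked xxx.xxx values:
#   192.0.2.19      local public address (left)
#   198.51.100.125  AWS tunnel endpoint (right)
#   203.0.113.208   public address of the EC2 instance
SAMPLE_CAPTURE = """\
13:30:54.113295 IP 192.0.2.19.ipsec-nat-t > 198.51.100.125.ipsec-nat-t: UDP-encap: ESP(spi=0xc9530708,seq=0x20), length 132
13:30:54.116788 IP 203.0.113.208 > 192.0.2.19: ICMP echo reply, id 56943, seq 1, length 64
13:30:55.114989 IP 192.0.2.19.ipsec-nat-t > 198.51.100.125.ipsec-nat-t: UDP-encap: ESP(spi=0xc9530708,seq=0x21), length 132
13:30:55.118301 IP 203.0.113.208 > 192.0.2.19: ICMP echo reply, id 56943, seq 2, length 64
"""

# Constructed `ip xfrm policy` excerpt, copied from the two entries shown in the post.
SAMPLE_XFRM = """\
src 10.0.1.0/24 dst 192.168.1.0/24
\tdir fwd priority 2084814 ptype main
\ttmpl src 198.51.100.125 dst 192.0.2.19
\t\tproto esp reqid 16393 mode tunnel
src 10.0.1.0/24 dst 192.168.1.0/24
\tdir in priority 2084814 ptype main
\ttmpl src 198.51.100.125 dst 192.0.2.19
\t\tproto esp reqid 16393 mode tunnel
"""

ESP_RE = re.compile(
    r"IP (\S+?)\.ipsec-nat-t > (\S+?)\.ipsec-nat-t: UDP-encap: ESP\(spi=0x([0-9a-f]+),seq=0x([0-9a-f]+)\)")
ICMP_RE = re.compile(r"IP (\S+) > (\S+): ICMP echo reply, id (\d+), seq (\d+)")


def classify_capture(text, local_public, peer, pinged):
    """Count ESP packets sent to the peer and cleartext echo replies, by source address."""
    esp_out = 0
    clear_replies = Counter()  # reply source address -> number of cleartext echo replies
    for line in text.splitlines():
        m = ESP_RE.search(line)
        if m:
            if m.group(1) == local_public and m.group(2) == peer:
                esp_out += 1
            continue
        m = ICMP_RE.search(line)
        if m:
            clear_replies[m.group(1)] += 1
    from_pinged = clear_replies.get(pinged, 0)
    from_other = sum(clear_replies.values()) - from_pinged
    return {
        "esp_to_peer": esp_out,
        "clear_replies_from_pinged": from_pinged,
        "clear_replies_from_other": from_other,
        "reply_sources": sorted(clear_replies),
        # Encrypted requests answered in the clear from a different address: the
        # return path is leaving the tunnel on the remote side, so the fault is in
        # the remote (here AWS) routing/NAT, not in the local sender's policies.
        "return_path_bypasses_tunnel": esp_out > 0 and from_other > 0 and from_pinged == 0,
    }


POLICY_RE = re.compile(r"^src (\S+) dst (\S+)$")
DIR_RE = re.compile(r"^dir (\w+)")


def parse_xfrm_policies(text):
    """Return the set of (src, dst, dir) triples present in `ip xfrm policy` output."""
    found, current = set(), None
    for raw in text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            continue
        m = DIR_RE.match(line)
        if m and current:
            found.add((current[0], current[1], m.group(1)))
    return found


def expected_policies(leftsubnets, rightsubnets):
    """Each left/right subnet pair needs an out policy plus in and fwd policies for the reverse."""
    expected = set()
    for l in leftsubnets:
        for r in rightsubnets:
            expected.add((l, r, "out"))
            expected.add((r, l, "in"))
            expected.add((r, l, "fwd"))
    return expected


def missing_policies(xfrm_text, leftsubnets, rightsubnets):
    """Policies the conn should have installed but which `ip xfrm policy` does not show."""
    return sorted(expected_policies(leftsubnets, rightsubnets) - parse_xfrm_policies(xfrm_text))


if __name__ == "__main__":
    # Placeholder subnets for the masked entries in leftsubnets/rightsubnets.
    left = ["192.168.1.0/24", "192.0.2.19/32"]
    right = ["198.51.100.92/30", "10.0.1.0/24"]
    print(classify_capture(SAMPLE_CAPTURE, "192.0.2.19", "198.51.100.125", "10.0.1.252"))
    for p in missing_policies(SAMPLE_XFRM, left, right):
        print("missing policy:", p)
```

On a live host, feed `tcpdump -l -ni <iface> udp port 4500 or icmp` and `ip xfrm policy` into the two functions instead of the constructed samples. A True `return_path_bypasses_tunnel` together with no missing local policies points away from the Libreswan side; missing entries in the policy list point at the conn definition (for example a subnet pair whose child SA did not come up).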