[Swan] LibreSwan VPN Established | No Data Passing Through
Nick Howitt
nick at howitts.co.uk
Fri Nov 18 17:42:19 EET 2022
On 18/11/2022 07:31, Kumar P S Udai wrote:
>
> Dear Libre Team
> I have been having a long-pending problem with a VPN I am trying to
> establish between two CentOS 8 machines.
> One is at the HO establishing connections to three other branch offices.
> While all three are getting connected, at one branch office the public
> IP is not configured on the machine directly, but on an external
> vendor's router. Initially I had trouble establishing a connection to
> this unit, but after a lot of reading and config changes, the connection
> is getting established now, but the two machines cannot ping or reach each other.
> Attaching the config details FYI. Would appreciate any help from
> the community.
>
>
> Thank you, Best wishes
>
> Udai
>
> ----------------
>
> ON MACHINE PLUTO
>
> IP Configuration
>
> 2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state
> UP group default qlen 1000
> link/ether 10:e7:c6:30:79:0e brd ff:ff:ff:ff:ff:ff
> inet 192.168.14.129/24 brd 192.168.14.255 scope global noprefixroute eno1
> valid_lft forever preferred_lft forever
> inet6 fe80::12e7:c6ff:fe30:790e/64 scope link noprefixroute
> valid_lft forever preferred_lft forever
>
> 3: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel
> state UP group default qlen 1000
> link/ether 68:05:ca:e9:bc:a2 brd ff:ff:ff:ff:ff:ff
> inet 10.10.128.100/24 brd 10.10.128.255 scope global noprefixroute enp1s0
> valid_lft forever preferred_lft forever
> inet6 fe80::6a05:caff:fee9:bca2/64 scope link noprefixroute
> valid_lft forever preferred_lft forever
>
>
> conn PLSUBNET
> also=PLUTO-EUROPA
> leftsubnet=192.168.14.0/24
> leftsourceip=192.168.14.129
> rightsubnet=192.168.1.0/24
> rightsourceip=192.168.1.1
> auto=start
> conn PLUTO-EUROPA
> type=tunnel
> left=%defaultroute
> leftid=1.2.3.4 (This public IP is not configured on this machine PLUTO,
> but on an externally facing router)
> right=9.8.7.6 (This public IP is directly configured on the EUROPA machine)
> authby=secret
> ikev2=insist
> pfs=no
> ike=aes256-sha2_512+sha2_256-dh21
> esp=aes256-sha2_512+sha1+sha2_256;dh21
> dpddelay=5
> dpdtimeout=120
> dpdaction=restart
> encapsulation=yes
>
>
> 000 Connection list:
> 000
> 000 "PLSUBNET":
> 192.168.14.0/24===10.10.128.100[1.2.3.4]---10.10.128.1...9.8.7.6<9.8.7.6>===192.168.1.0/24; erouted; eroute owner: #45
> 000 "PLSUBNET": oriented; my_ip=192.168.14.129;
> their_ip=192.168.1.1; my_updown=ipsec _updown;
> 000 "PLSUBNET": xauth us:none, xauth them:none, my_username=[any];
> their_username=[any]
> 000 "PLSUBNET": our auth:secret, their auth:secret
> 000 "PLSUBNET": modecfg info: us:none, them:none, modecfg policy:push,
> dns:unset, domains:unset, cat:unset;
> 000 "PLSUBNET": sec_label:unset;
> 000 "PLSUBNET": ike_life: 28800s; ipsec_life: 28800s; replay_window:
> 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
> 000 "PLSUBNET": retransmit-interval: 500ms; retransmit-timeout: 60s;
> iketcp:no; iketcp-port:4500;
> 000 "PLSUBNET": initial-contact:no; cisco-unity:no;
> fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
> 000 "PLSUBNET": policy: IKEv2+PSK+ENCRYPT+TUNNEL+UP+IKE_FRAG_ALLOW+ESN_NO;
> 000 "PLSUBNET": v2-auth-hash-policy: none;
> 000 "PLSUBNET": conn_prio: 24,24; interface: enp1s0; metric: 0; mtu:
> unset; sa_prio:auto; sa_tfc:none;
> 000 "PLSUBNET": nflog-group: unset; mark: unset; vti-iface:unset;
> vti-routing:no; vti-shared:no; nic-offload:auto;
> 000 "PLSUBNET": our idtype: ID_IPV4_ADDR; our id=1.2.3.4; their
> idtype: ID_IPV4_ADDR; their id=9.8.7.6
> 000 "PLSUBNET": dpd: action:restart; delay:5; timeout:120; nat-t:
> encaps:yes; nat_keepalive:yes; ikev1_natt:both
> 000 "PLSUBNET": newest ISAKMP SA: #44; newest IPsec SA: #45; conn
> serial: $1;
> 000 "PLSUBNET": IKE algorithms:
> AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-DH21
> 000 "PLSUBNET": IKEv2 algorithm newest: AES_CBC_256-HMAC_SHA2_512-DH21
> 000 "PLSUBNET": ESP algorithms:
> AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA1_96+HMAC_SHA2_256_128
> 000 "PLSUBNET": ESP algorithm newest: AES_CBC_256-HMAC_SHA2_512_256;
> pfsgroup=<N/A>
> 000
> 000 Total IPsec connections: loaded 1, active 1
> 000
> 000 State Information: DDoS cookies not required, Accepting new IKE
> connections
> 000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
> 000 IPsec SAs: total(1), authenticated(1), anonymous(0)
> 000
> 000 #44: "PLSUBNET":4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE
> SA); EVENT_SA_REKEY in 9874s; newest ISAKMP; idle;
> 000 #45: "PLSUBNET":4500 STATE_V2_ESTABLISHED_CHILD_SA (IPsec SA
> established); EVENT_SA_REKEY in 10446s; newest IPSEC; eroute owner;
> isakmp#44; idle;
> 000 #45: "PLSUBNET" esp.716c376b@9.8.7.6 esp.fdc71b0a@10.10.128.100
> tun.0@9.8.7.6 tun.0@10.10.128.100 Traffic: ESPin=1KB ESPout=0B! ESPmax=0B
>
>
>
> ON MACHINE EUROPA
>
> IP Configuration
>
> 2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state
> UP group default qlen 1000
> link/ether 10:e7:c6:30:78:e9 brd ff:ff:ff:ff:ff:ff
> inet 192.168.1.1/24 brd 192.168.1.255 scope global noprefixroute eno1
> valid_lft forever preferred_lft forever
> inet6 fe80::12e7:c6ff:fe30:78e9/64 scope link
> valid_lft forever preferred_lft forever
>
> 3: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel
> state UP group default qlen 1000
> link/ether 00:1b:21:39:57:5f brd ff:ff:ff:ff:ff:ff
> inet 9.8.7.6/27 brd 9.8.7.255 scope global noprefixroute enp1s0
> valid_lft forever preferred_lft forever
>
>
> conn PLUTOSUBNET
> also=EUROPA-PLUTO
> leftsubnet=192.168.14.0/24
> leftsourceip=192.168.14.129
> rightsubnet=192.168.1.0/24
> rightsourceip=192.168.1.1
> auto=start
> conn EUROPA-PLUTO
> type=tunnel
> left=1.2.3.4
> right=9.8.7.6
> authby=secret
> ikev2=insist
> pfs=no
> ike=aes256-sha2_512+sha2_256-dh21
> esp=aes256-sha2_512+sha1+sha2_256;dh21
> dpddelay=5
> dpdtimeout=120
> dpdaction=restart
> encapsulation=yes
>
>
> 000 "PLUTOSUBNET": 192.168.1.0/24===9.8.7.6<9.8.7.6>...1.2.3.4<1.2.3.4>===192.168.14.0/24; erouted; eroute owner: #6276
> 000 "PLUTOSUBNET": oriented; my_ip=192.168.1.1;
> their_ip=192.168.14.129; my_updown=ipsec _updown;
> 000 "PLUTOSUBNET": xauth us:none, xauth them:none, my_username=[any];
> their_username=[any]
> 000 "PLUTOSUBNET": our auth:secret, their auth:secret
> 000 "PLUTOSUBNET": modecfg info: us:none, them:none, modecfg
> policy:push, dns:unset, domains:unset, cat:unset;
> 000 "PLUTOSUBNET": sec_label:unset;
> 000 "PLUTOSUBNET": ike_life: 28800s; ipsec_life: 28800s;
> replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
> 000 "PLUTOSUBNET": retransmit-interval: 500ms; retransmit-timeout:
> 60s; iketcp:no; iketcp-port:4500;
> 000 "PLUTOSUBNET": initial-contact:no; cisco-unity:no;
> fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
> 000 "PLUTOSUBNET": policy:
> IKEv2+PSK+ENCRYPT+TUNNEL+UP+IKE_FRAG_ALLOW+ESN_NO;
> 000 "PLUTOSUBNET": v2-auth-hash-policy: none;
> 000 "PLUTOSUBNET": conn_prio: 24,24; interface: enp1s0; metric: 0;
> mtu: unset; sa_prio:auto; sa_tfc:none;
> 000 "PLUTOSUBNET": nflog-group: unset; mark: unset; vti-iface:unset;
> vti-routing:no; vti-shared:no; nic-offload:auto;
> 000 "PLUTOSUBNET": our idtype: ID_IPV4_ADDR; our id=9.8.7.6; their
> idtype: ID_IPV4_ADDR; their id=1.2.3.4
> 000 "PLUTOSUBNET": dpd: action:restart; delay:5; timeout:120; nat-t:
> encaps:yes; nat_keepalive:yes; ikev1_natt:both
> 000 "PLUTOSUBNET": newest ISAKMP SA: #6275; newest IPsec SA: #6276;
> conn serial: $4;
> 000 "PLUTOSUBNET": IKE algorithms:
> AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-DH21
> 000 "PLUTOSUBNET": IKEv2 algorithm newest: AES_CBC_256-HMAC_SHA2_512-DH21
> 000 "PLUTOSUBNET": ESP algorithms:
> AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA1_96+HMAC_SHA2_256_128
> 000 "PLUTOSUBNET": ESP algorithm newest:
> AES_CBC_256-HMAC_SHA2_512_256; pfsgroup=<N/A>
> 000
> 000 Total IPsec connections: loaded 3, active 3
> 000
> 000 State Information: DDoS cookies not required, Accepting new IKE
> connections
> 000 IKE SAs: total(3), half-open(0), open(0), authenticated(3), anonymous(0)
> 000 IPsec SAs: total(3), authenticated(3), anonymous(0)
> 000
> 000 State Information: DDoS cookies not required, Accepting new IKE
> connections
> 000 IKE SAs: total(3), half-open(0), open(0), authenticated(3), anonymous(0)
> 000 IPsec SAs: total(3), authenticated(3), anonymous(0)
> 000
> 000 #6275: "PLUTOSUBNET":4500 STATE_V2_ESTABLISHED_IKE_SA (established
> IKE SA); EVENT_SA_REKEY in 8486s; newest ISAKMP; idle;
> 000 #6276: "PLUTOSUBNET":4500 STATE_V2_ESTABLISHED_CHILD_SA (IPsec SA
> established); EVENT_SA_REKEY in 8662s; newest IPSEC; eroute owner;
> isakmp#6275; idle;
> 000 #6276: "PLUTOSUBNET" esp.fdc71b0a@1.2.3.4 esp.716c376b@9.8.7.6
> tun.0@1.2.3.4 tun.0@9.8.7.6 Traffic: ESPin=0B ESPout=1KB! ESPmax=0B
> 000
What firewall rules have you put in place? See
https://libreswan.org/wiki/FAQ#NAT_.2B_IPsec_is_not_working, but I don't
know the firewall-cmd equivalent.
Btw, once you have switched to IKEv2 your left/rightid can be anything
you want as long as they agree. It is probably easier not to mess around
with IP addresses and just set them to something like @EUROPA and
@PLUTO. This is especially useful if you have DDNS, but it can also
simplify a fixed-IP setup.
Nick
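As an added illustration (not part of the thread, and not libreswan's own tooling) of how to read the `Traffic:` counters quoted above before touching the firewall: the script below parses the per-SA lines that `ipsec status` prints on each peer and says which side is silent. The status text is constructed from the numbers in the thread (PLUTO shows ESPin=1KB/ESPout=0B, EUROPA the mirror image), with the `esp.xxx@host` form that libreswan prints before the list archive rewrites `@` as ` at `. The function names and the verdict codes are this example's own.

```python
"""Added example (not from the thread): read the per-SA 'Traffic:' counters that
`ipsec status` prints on each peer and decide which side of the tunnel is silent.
The sample status text is constructed from the numbers quoted in the thread."""
import re

# Constructed from the PLUTO side of the thread (leftid 1.2.3.4 sits on the vendor router).
PLUTO_STATUS = """\
000 #44: "PLSUBNET":4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EVENT_SA_REKEY in 9874s; newest ISAKMP; idle;
000 #45: "PLSUBNET":4500 STATE_V2_ESTABLISHED_CHILD_SA (IPsec SA established); EVENT_SA_REKEY in 10446s; newest IPSEC; eroute owner; isakmp#44; idle;
000 #45: "PLSUBNET" esp.716c376b@9.8.7.6 esp.fdc71b0a@10.10.128.100 tun.0@9.8.7.6 tun.0@10.10.128.100 Traffic: ESPin=1KB ESPout=0B! ESPmax=0B
"""

# Constructed from the EUROPA side (public IP 9.8.7.6 is on the host itself).
EUROPA_STATUS = """\
000 #6275: "PLUTOSUBNET":4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EVENT_SA_REKEY in 8486s; newest ISAKMP; idle;
000 #6276: "PLUTOSUBNET" esp.fdc71b0a@1.2.3.4 esp.716c376b@9.8.7.6 tun.0@1.2.3.4 tun.0@9.8.7.6 Traffic: ESPin=0B ESPout=1KB! ESPmax=0B
"""

TRAFFIC_RE = re.compile(r'^000 #(\d+): "([^"]+)" .*Traffic: ESPin=(\S+) ESPout=(\S+)')
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_bytes(token):
    """'1KB' -> 1024, '0B!' -> 0 (the trailing '!' that libreswan appends is ignored)."""
    m = re.fullmatch(r"(\d+)([KMG]?B)!?", token)
    if not m:
        raise ValueError(f"unrecognised byte count: {token!r}")
    return int(m.group(1)) * UNITS[m.group(2)]


def parse_traffic(status_text):
    """Map child-SA number -> (conn name, ESPin bytes, ESPout bytes) for every Traffic line."""
    sas = {}
    for line in status_text.splitlines():
        m = TRAFFIC_RE.match(line)
        if m:
            sas[int(m.group(1))] = (m.group(2), parse_bytes(m.group(3)), parse_bytes(m.group(4)))
    return sas


def diagnose(local_sas, remote_sas):
    """Classify the tunnel from the newest child SA on each side (verdict codes are ours).

    ok                  ESP is flowing in both directions
    no_traffic          nothing has been sent on either side
    local_not_sending   local receives the peer's ESP but emits none: packets from the
                        local subnet never reach the IPsec policy (typical when a
                        NAT/MASQUERADE rule rewrites them first, or the firewall drops them)
    remote_not_sending  the mirror image, so look at the peer
    inconsistent        counters disagree (for example a stale SA on one side)
    """
    if not local_sas or not remote_sas:
        return "no_child_sa"
    _, lin, lout = local_sas[max(local_sas)]
    _, rin, rout = remote_sas[max(remote_sas)]
    if lin and lout and rin and rout:
        return "ok"
    if not (lin or lout or rin or rout):
        return "no_traffic"
    if lout == 0 and rout > 0:
        return "local_not_sending"
    if rout == 0 and lout > 0:
        return "remote_not_sending"
    return "inconsistent"


if __name__ == "__main__":
    pluto, europa = parse_traffic(PLUTO_STATUS), parse_traffic(EUROPA_STATUS)
    print("PLUTO :", pluto)
    print("EUROPA:", europa)
    print("verdict from PLUTO's point of view:", diagnose(pluto, europa))
```

Run on the thread's figures it returns `local_not_sending` for PLUTO: EUROPA's ESP arrives and is decrypted (ESPin=1KB on PLUTO), but PLUTO never encrypts anything back, which is the signature of plaintext from 192.168.14.0/24 being NATed or dropped before it matches the IPsec policy rather than of a broken IKE negotiation. That narrows the search to PLUTO's NAT and filter rules, which is where the FAQ link above points.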