Site to Site IPsec VPN - Tunnel is up but can't pass packets from left to right

I have a working tunnel. Packets are routed from right to left correctly (the Cisco side can reach my server).

Here is all the information. Any help is more than welcome.

Network diagram

                                                                              +-----------------------+
                                                                              |      machine #1       |
    +-----------------------------+                                           |                       |
    |   Strongswan ipsec client   |   +--------------+   +--------------+ /---|  eth0 192.168.100.88  |
    |   Ubuntu 14.04 - aws ec2    |---|    aws gw    |---|  CISCO ASA   |-----+-----------------------+
    |                             |---|     AAAA     |---|     BBBB     |-----+-----------------------+
    |   eth0 172.31.9.78          |   +--------------+   +--------------+ \---|      machine #2       |
    +-----------------------------+                                           |                       |
                                                                              |  eth0 192.168.100.91  |
                                                                              +-----------------------+

I only need access from/to the same host that builds the tunnel.

IPsec configuration

IPsec specific

    root@ip-172-31-9-78:/home/ubuntu# cat /etc/ipsec.conf
    # /etc/ipsec.conf - Openswan IPsec configuration file

    version 2.0     # conforms to second version of ipsec.conf specification

    config setup
        dumpdir=/var/run/pluto/
        nat_traversal=yes
        virtual_private=%v4:192.168.0.0/16
        oe=off
        protostack=netkey
        plutostderrlog=/tmp/pluto.log

    include /etc/ipsec.d/*.conf

Tunnel

    root@ip-172-31-9-78:/home/ubuntu# cat /etc/ipsec.d/test.conf
    conn test
        type=tunnel
        keyexchange=ike
        auto=start
        # ours/theirs
        left=%defaultroute
        leftid=AAAA
        leftsourceip=172.31.9.78
        leftnexthop=%defaultroute
        leftsubnets={172.31.9.78/32,}
        right=BBBB
        rightsubnets={192.168.100.88/32,192.168.100.91/32,}
        rightnexthop=%defaultroute
        #phase1
        aggrmode=no
        ike="3des-sha1;modp1024!"
        ikelifetime=86400s
        authby=secret
        #phase2
        keylife=3600s
        phase2=esp
        phase2alg="3des-md5;modp1024"
        pfs=no

IPsec status

    root@ip-172-31-9-78:/home/ubuntu# ipsec auto --status
    000 using kernel interface: netkey
    000 interface lo/lo ::1
    000 interface lo/lo 127.0.0.1
    000 interface lo/lo 127.0.0.1
    000 interface eth0/eth0 172.31.9.78
    000 interface eth0/eth0 172.31.9.78
    000 %myid = (none)
    000 debug none
    000
    000 virtual_private (%priv):
    000 - allowed 1 subnet: 192.168.0.0/16
    000 - disallowed 0 subnets:
    000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
    000 private address space in internal use, it should be excluded!
    000
    000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
    000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
    000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
    000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
    000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
    000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
    000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
    000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
    000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
    000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
    000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
    000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
    000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
    000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
    000
    000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
    000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
    000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
    000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
    000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
    000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
    000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
    000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
    000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
    000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
    000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
    000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
    000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
    000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
    000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
    000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
    000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
    000
    000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,4,64} trans={0,4,3072} attrs={0,4,2048}
    000
    000 "test/1x1": 172.31.9.78/32===172.31.9.78[AAAA]---172.31.0.1...172.31.0.1---BBBB<BBBB>===192.168.100.88/32; erouted; eroute owner: #2
    000 "test/1x1":     myip=172.31.9.78; hisip=unset;
    000 "test/1x1":   ike_life: 86400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
    000 "test/1x1":   policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
    000 "test/1x1":   newest ISAKMP SA: #0; newest IPsec SA: #2;
    000 "test/1x1":   aliases: test
    000 "test/1x1":   IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=strict
    000 "test/1x1":   IKE algorithms found:  3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
    000 "test/1x1":   ESP algorithms wanted: 3DES(3)_000-MD5(1)_000; pfsgroup=MODP1024(2); flags=-strict
    000 "test/1x1":   ESP algorithms loaded: 3DES(3)_192-MD5(1)_128
    000 "test/1x1":   ESP algorithm newest: 3DES_000-HMAC_MD5; pfsgroup=<N/A>
    000 "test/1x2": 172.31.9.78/32===172.31.9.78[AAAA]---172.31.0.1...172.31.0.1---BBBB<BBBB>===192.168.100.91/32; erouted; eroute owner: #3
    000 "test/1x2":     myip=172.31.9.78; hisip=unset;
    000 "test/1x2":   ike_life: 86400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
    000 "test/1x2":   policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
    000 "test/1x2":   newest ISAKMP SA: #1; newest IPsec SA: #3;
    000 "test/1x2":   aliases: test
    000 "test/1x2":   IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=strict
    000 "test/1x2":   IKE algorithms found:  3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
    000 "test/1x2":   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
    000 "test/1x2":   ESP algorithms wanted: 3DES(3)_000-MD5(1)_000; pfsgroup=MODP1024(2); flags=-strict
    000 "test/1x2":   ESP algorithms loaded: 3DES(3)_192-MD5(1)_128
    000 "test/1x2":   ESP algorithm newest: 3DES_000-HMAC_MD5; pfsgroup=<N/A>
    000
    000 #2: "test/1x1":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2827s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
    000 #2: "test/1x1" esp.e24dae0c@BBBB esp.3eb55fbb@172.31.9.78 tun.0@BBBB tun.0@172.31.9.78 ref=0 refhim=4294901761
    000 #3: "test/1x2":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2814s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
    000 #3: "test/1x2" esp.1a18194a@BBBB esp.6f8873a1@172.31.9.78 tun.0@BBBB tun.0@172.31.9.78 ref=0 refhim=4294901761
    000 #1: "test/1x2":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 85524s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
    000

Routes created by the IPsec client

    root@ip-172-31-9-78:/home/ubuntu# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         172.31.0.1      0.0.0.0         UG    0      0        0 eth0
    172.31.0.0      0.0.0.0         255.255.240.0   U     0      0        0 eth0
    192.168.100.88  172.31.0.1      255.255.255.255 UGH   0      0        0 eth0
    192.168.100.91  172.31.0.1      255.255.255.255 UGH   0      0        0 eth0

Iptables

    root@ip-172-31-9-78:/home/ubuntu# iptables-save
    # Generated by iptables-save v1.4.21 on Mon Jul 24 19:02:56 2017
    *mangle
    :PREROUTING ACCEPT [4894:367857]
    :INPUT ACCEPT [4894:367857]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [4276:1113850]
    :POSTROUTING ACCEPT [4276:1113850]
    COMMIT
    # Completed on Mon Jul 24 19:02:56 2017
    # Generated by iptables-save v1.4.21 on Mon Jul 24 19:02:56 2017
    *nat
    :PREROUTING ACCEPT [14:732]
    :INPUT ACCEPT [14:732]
    :OUTPUT ACCEPT [55:5293]
    :POSTROUTING ACCEPT [55:5293]
    COMMIT
    # Completed on Mon Jul 24 19:02:56 2017
    # Generated by iptables-save v1.4.21 on Mon Jul 24 19:02:56 2017
    *filter
    :INPUT ACCEPT [4880:366977]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [4270:1113146]
    COMMIT
    # Completed on Mon Jul 24 19:02:56 2017

More network information

    root@ip-172-31-9-78:/home/ubuntu# ip -4 r s t 0
    default via 172.31.0.1 dev eth0
    172.31.0.0/20 dev eth0  proto kernel  scope link  src 172.31.9.78
    192.168.100.88 via 172.31.0.1 dev eth0  src 172.31.9.78
    192.168.100.91 via 172.31.0.1 dev eth0  src 172.31.9.78
    broadcast 127.0.0.0 dev lo  table local  proto kernel  scope link  src 127.0.0.1
    local 127.0.0.0/8 dev lo  table local  proto kernel  scope host  src 127.0.0.1
    local 127.0.0.1 dev lo  table local  proto kernel  scope host  src 127.0.0.1
    broadcast 127.255.255.255 dev lo  table local  proto kernel  scope link  src 127.0.0.1
    broadcast 172.31.0.0 dev eth0  table local  proto kernel  scope link  src 172.31.9.78
    local 172.31.9.78 dev eth0  table local  proto kernel  scope host  src 172.31.9.78
    broadcast 172.31.15.255 dev eth0  table local  proto kernel  scope link  src 172.31.9.78
    root@ip-172-31-9-78:/home/ubuntu# ip xfrm state
    src BBBB dst 172.31.9.78
        proto esp spi 0x6f8873a1 reqid 16389 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(md5) 0x05b373222ad4daac5521eb298a481dac 96
        enc cbc(des3_ede) 0xfcede6f6c8cffb7304d6c9ca9c4da1d63ac2dc29725a424b
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    src 172.31.9.78 dst BBBB
        proto esp spi 0x1a18194a reqid 16389 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(md5) 0xacb3443ae9ffe117668f21d55d2a1455 96
        enc cbc(des3_ede) 0xbdac161ab97da8c31b90ceaccff7a8aab89b96db050c9b21
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    src BBBB dst 172.31.9.78
        proto esp spi 0x3eb55fbb reqid 16385 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(md5) 0xec9d09a4b6c7d42053d80906651de513 96
        enc cbc(des3_ede) 0x715e1e4b3ce93148fb27bfcc9605765315abe2a57fff47c5
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    src 172.31.9.78 dst BBBB
        proto esp spi 0xe24dae0c reqid 16385 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(md5) 0xc4be41a91ce1ad369ce1f6ee4ee12d90 96
        enc cbc(des3_ede) 0xd1bc33105a6ae27d4557d0105d35bda82b46a25b2816d9d3
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0

Ping output

    root@ip-172-31-9-78:/home/ubuntu# ping 192.168.100.88
    PING 192.168.100.88 (192.168.100.88) 56(84) bytes of data.

I can see packets going through the tunnel while I ping or try to reach a web service on the right side. They all time out.

    root@ip-172-31-9-78:/home/ubuntu# tcpdump -v -n dst BBBB
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    19:26:15.502376 IP (tos 0x0, ttl 64, id 4889, offset 0, flags [DF], proto UDP (17), length 144)
        172.31.9.78.4500 > BBBB.4500: UDP-encap: ESP(spi=0x18759fd1,seq=0x1), length 116
    19:26:16.509400 IP (tos 0x0, ttl 64, id 5073, offset 0, flags [DF], proto UDP (17), length 144)
        172.31.9.78.4500 > BBBB.4500: UDP-encap: ESP(spi=0x18759fd1,seq=0x2), length 116
    19:26:17.517442 IP (tos 0x0, ttl 64, id 5122, offset 0, flags [DF], proto UDP (17), length 144)
        172.31.9.78.4500 > BBBB.4500: UDP-encap: ESP(spi=0x18759fd1,seq=0x3), length 116
    19:26:18.525418 IP (tos 0x0, ttl 64, id 5218, offset 0, flags [DF], proto UDP (17), length 144)
        172.31.9.78.4500 > BBBB.4500: UDP-encap: ESP(spi=0x18759fd1,seq=0x4), length 116
    19:26:19.533404 IP (tos 0x0, ttl 64, id 5239, offset 0, flags [DF], proto UDP (17), length 144)
        172.31.9.78.4500 > BBBB.4500: UDP-encap: ESP(spi=0x18759fd1,seq=0x5), length 116
    19:26:20.541386 IP (tos 0x0, ttl 64, id 5411, offset 0, flags [DF], proto UDP (17), length 144)
        172.31.9.78.4500 > BBBB.4500: UDP-encap: ESP(spi=0x18759fd1,seq=0x6), length 116
    19:26:21.549451 IP (tos 0x0, ttl 64, id 5554, offset 0, flags [DF], proto UDP (17), length 144)
        172.31.9.78.4500 > BBBB.4500: UDP-encap: ESP(spi=0x18759fd1,seq=0x7), length 116

There was no problem with my configuration. It was a configuration problem on the Cisco firewall at the client's Rackspace.

Even though the routes on my side were not configured correctly. For future reference, if you see packets leaving through the tunnel with tcpdump, the routes on your side are working.
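Added example (not part of the original post): a small POSIX shell helper that turns a tcpdump capture into a per-SA, per-direction ESP count. It is the check behind the closing remark above: if encrypted packets leave for the peer but none come back, the local routes and SPD are doing their job and the remaining suspects are on the remote side (on an ASA, typically the crypto map ACL, NAT exemption, or the route back into the tunnel; the post does not say which one it was). Note that the capture in the post used the filter `dst BBBB`, which can only ever show outbound packets; to see both directions capture `host BBBB`. The sample lines below are constructed, with 203.0.113.10 standing in for the redacted peer address BBBB, and the assumed input format is tcpdump's `-n` output, with or without `-v`, for IPv4 endpoints.

```shell
#!/bin/sh
# Added example, not from the original post: classify ESP packets seen by
# tcpdump by direction and SPI, to separate "nothing leaves my host" from
# "the peer never answers".
# Assumptions: tcpdump run with -n (numeric addresses), IPv4 endpoints,
# raw ESP or NAT-T (UDP 4500) encapsulation, with or without -v.

# esp_summary LOCAL_IP  < tcpdump-output
# Prints one line per SA seen: "<out|in> <spi> <packets>", sorted.
esp_summary() {
    awk -v me="$1" '
        # Strip the trailing ":" and, for "a.b.c.d.port", the port suffix.
        function host(tok,    n, p) {
            sub(/:$/, "", tok)
            n = split(tok, p, ".")
            if (n == 5) return p[1] "." p[2] "." p[3] "." p[4]
            return tok
        }
        /ESP\(spi=/ {
            src = ""; dst = ""
            for (i = 2; i < NF; i++)
                if ($i == ">") { src = host($(i - 1)); dst = host($(i + 1)) }
            if (!match($0, /spi=0x[0-9a-fA-F]+/)) next
            spi = substr($0, RSTART + 4, RLENGTH - 4)
            if (src == me) dir = "out"
            else if (dst == me) dir = "in"
            else next                      # traffic between other hosts
            count[dir " " spi]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# esp_verdict LOCAL_IP  < tcpdump-output
# Prints one word: no-esp | outbound-only | inbound-only | both
esp_verdict() {
    esp_summary "$1" | awk '
        $1 == "out" { o += $3 }
        $1 == "in"  { i += $3 }
        END {
            if (o > 0 && i > 0)  print "both"
            else if (o > 0)      print "outbound-only"
            else if (i > 0)      print "inbound-only"
            else                 print "no-esp"
        }'
}

# Constructed sample captures (203.0.113.10 stands in for the peer "BBBB").
# SAMPLE_OUT reproduces the symptom in the post: ESP leaves, nothing returns.
SAMPLE_OUT='19:26:15.502376 IP 172.31.9.78.4500 > 203.0.113.10.4500: UDP-encap: ESP(spi=0x18759fd1,seq=0x1), length 116
19:26:16.509400 IP 172.31.9.78.4500 > 203.0.113.10.4500: UDP-encap: ESP(spi=0x18759fd1,seq=0x2), length 116
19:26:17.517442 IP 172.31.9.78.4500 > 203.0.113.10.4500: UDP-encap: ESP(spi=0x18759fd1,seq=0x3), length 116'
# SAMPLE_BOTH is what a healthy tunnel looks like: the inbound SA carries replies.
SAMPLE_BOTH="$SAMPLE_OUT
19:26:15.531002 IP 203.0.113.10.4500 > 172.31.9.78.4500: UDP-encap: ESP(spi=0x3eb55fbb,seq=0x1), length 116"

# Live use (not run here):
#   tcpdump -n -l -i eth0 host 203.0.113.10 and \( esp or udp port 4500 \) | esp_verdict 172.31.9.78
printf '%s\n' "$SAMPLE_OUT"  | esp_summary 172.31.9.78
printf '%s\n' "$SAMPLE_OUT"  | esp_verdict 172.31.9.78     # outbound-only
printf '%s\n' "$SAMPLE_BOTH" | esp_verdict 172.31.9.78     # both
```

An `outbound-only` verdict with a healthy `ipsec auto --status` is exactly the situation in the post: the kernel found the SPD entry, encrypted, and sent, so the problem is not local routing. `ip -s xfrm state` gives the same answer without a capture, by showing per-SA packet counters that only ever grow on the outbound SA. Unrelated to the one-way symptom but visible in the configuration above, 3DES with HMAC-MD5, modp1024 and `pfs=no` are legacy choices; a tunnel that is being reworked with the peer's administrator anyway is a good moment to agree on AES and SHA-2 with PFS enabled on both ends.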