IPSEC VPN problem, tunnel established but no traffic possible

z3us
Posts: 21
Joined: 2017/01/05 10:45:38

Re: IPSEC VPN problem, tunnel established but no traffic possible

Post by z3us » 2017/01/06 23:04:02

vtx wrote: forceencaps=yes

damn, right, then of course no ESP visible in tcpdump since those were encapsulated in udp/4500.

who is blocking your udp/500?
This entry was a once-in-a-while entry.
Didn't see that line again.
I also tried disabling all firewalls, but no luck.

I've just removed the line forceencaps=yes and restarted the ipsec service.
Still nothing in the dump...

Post by z3us » 2017/01/07 09:50:55

I've just rebuilt my setup in a testing environment with exactly the same settings but different IP addresses.
I have the exact same problem there.
Tunnel up, but no communication between the internal subnets.
Also nothing to see when capturing packets.

vtx
Posts: 37
Joined: 2016/12/26 18:25:28

Post by vtx » 2017/01/07 10:07:48

A more complete dump for your purpose would be:

tcpdump -i any -nn icmp or esp or udp port 500 or udp port 4500

I'm tempted to set up an IPSec VPN host myself with your settings towards your VPN host just to see what the h*ll is going on.

Post by z3us » 2017/01/07 10:21:11

More output now in the dump:

tcpdump -i any -nn icmp or esp or udp port 500 or udp port 4500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
11:18:07.911201 IP 185.87.*.*.500 > 185.107.*.*.500: isakmp: phase 2/others ? inf[E]
11:18:10.797979 IP 185.107.*.*.500 > 185.87.*.*.500: isakmp: phase 1 I ident
11:18:10.802429 IP 185.87.*.*.500 > 185.107.*.*.500: isakmp: phase 1 R ident
11:18:10.804447 IP 185.107.*.*.500 > 185.87.*.*.500: isakmp: phase 1 I ident
11:18:10.810633 IP 185.87.*.*.500 > 185.107.*.*.500: isakmp: phase 1 R ident
11:18:10.831617 IP 185.107.*.*.500 > 185.87.*.*.500: isakmp: phase 1 I ident[E]
11:18:10.836771 IP 185.87.*.*.500 > 185.107.*.*.500: isakmp: phase 1 R ident[E]
11:18:10.840099 IP 185.107.*.*.500 > 185.87.*.*.500: isakmp: phase 2/others I oakley-quick[E]
11:18:10.852065 IP 185.87.*.*.500 > 185.107.*.*.500: isakmp: phase 2/others R oakley-quick[E]
11:18:10.887573 IP 185.107.*.*.500 > 185.87.*.*.500: isakmp: phase 2/others I oakley-quick[E]

The tunnel is working well, I guess.
Where should I start troubleshooting the routes? Can I look into more log files?
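
The capture above contains only IKE on udp/500: a complete phase 1 and a quick mode exchange, but not one ESP packet, which is what a ping through the tunnel would produce. As an added example, not part of the original post, here is a small Python classifier for tcpdump output of this kind that counts the IKE stages and ESP in each direction and turns the counts into the next thing to check. The isakmp lines are the ones posted above (public addresses masked as on the page); the two ESP lines, including their SPI values, are constructed to show what a tunnel that actually carries traffic adds to the same capture.

```python
import re
from collections import Counter

# Constructed sample: the isakmp lines posted above, verbatim (public addresses masked as
# on the page), i.e. a capture in which IKE completes but no ESP ever appears.
IKE_ONLY = """\
11:18:07.911201 IP 185.87.*.*.500 > 185.107.*.*.500: isakmp: phase 2/others ? inf[E]
11:18:10.797979 IP 185.107.*.*.500 > 185.87.*.*.500: isakmp: phase 1 I ident
11:18:10.802429 IP 185.87.*.*.500 > 185.107.*.*.500: isakmp: phase 1 R ident
11:18:10.804447 IP 185.107.*.*.500 > 185.87.*.*.500: isakmp: phase 1 I ident
11:18:10.810633 IP 185.87.*.*.500 > 185.107.*.*.500: isakmp: phase 1 R ident
11:18:10.831617 IP 185.107.*.*.500 > 185.87.*.*.500: isakmp: phase 1 I ident[E]
11:18:10.836771 IP 185.87.*.*.500 > 185.107.*.*.500: isakmp: phase 1 R ident[E]
11:18:10.840099 IP 185.107.*.*.500 > 185.87.*.*.500: isakmp: phase 2/others I oakley-quick[E]
11:18:10.852065 IP 185.87.*.*.500 > 185.107.*.*.500: isakmp: phase 2/others R oakley-quick[E]
11:18:10.887573 IP 185.107.*.*.500 > 185.87.*.*.500: isakmp: phase 2/others I oakley-quick[E]
"""

# Constructed: the same capture plus the ESP packets a working ping through the tunnel
# would add (tcpdump's ESP decode; the SPI values are made up for this example).
ESP_BOTH_WAYS = IKE_ONLY + """\
11:18:12.000000 IP 185.107.*.* > 185.87.*.*: ESP(spi=0x0a0b0c0d,seq=0x1), length 116
11:18:12.020000 IP 185.87.*.* > 185.107.*.*: ESP(spi=0x0d0c0b0a,seq=0x1), length 116
"""

# timestamp, then "IP src[.port] > dst[.port]: <protocol decode>"; the masked '*' octets
# are accepted because the address fields are matched as runs of non-space characters.
PKT_RE = re.compile(r"^\S+ IP (?P<src>\S+?)(?:\.\d+)? > (?P<dst>\S+?)(?:\.\d+)?: (?P<proto>.*)$")


def classify(proto):
    """Bucket tcpdump's protocol decode into the stages that matter for a tunnel."""
    if proto.startswith("isakmp: phase 1"):
        return "ike_phase1"
    if proto.startswith("isakmp: phase 2/others") and "oakley-quick" in proto:
        return "ike_quick"
    if proto.startswith("isakmp:"):
        return "ike_other"        # informational exchanges: DPD, delete notifications
    if "ESP(" in proto:           # plain ESP, or "UDP-encap: ESP(" on udp/4500
        return "esp"
    if proto.startswith("ICMP"):
        return "icmp_clear"       # ICMP that did NOT enter the tunnel
    return "other"


def summarize(dump):
    """Count packets per stage and record which (src, dst) pairs carried ESP."""
    counts = Counter()
    esp_directions = set()
    for line in dump.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        kind = classify(m["proto"])
        counts[kind] += 1
        if kind == "esp":
            esp_directions.add((m["src"], m["dst"]))
    return {"counts": dict(counts), "esp_directions": sorted(esp_directions)}


def diagnose(summary):
    """Turn the counts into the next thing to check."""
    c = summary["counts"]
    if not c.get("ike_phase1") and not c.get("ike_quick"):
        return "NO_IKE: nothing on udp/500 (or udp/4500 behind NAT) reaches the peer"
    if not c.get("ike_quick"):
        return "PHASE1_ONLY: the IKE SA negotiates but quick mode never starts; compare phase2alg and subnets on both ends"
    directions = len(summary["esp_directions"])
    if directions == 0:
        return ("NO_ESP: IKE SA established but no ESP seen; packets are not being selected "
                "into the tunnel (source or destination outside leftsubnet/rightsubnet) or "
                "are dropped before they reach it")
    if directions == 1:
        return "ONE_WAY: ESP in one direction only; check the remote end's selectors, firewall and return route"
    return "BOTH_WAYS: ESP flows in both directions; look at forwarding and firewalling behind the far end"


if __name__ == "__main__":
    for name, dump in (("posted capture", IKE_ONLY), ("with ESP", ESP_BOTH_WAYS)):
        s = summarize(dump)
        print(name, s["counts"], diagnose(s))
```

Feed it a real capture with `python3 classify.py < dump.txt` after swapping the constants for `sys.stdin.read()`; the `icmp_clear` bucket is the tell-tale when the dump also includes the `icmp` filter from the command above: echo requests showing up in the clear next to a healthy IKE SA mean the packets never matched the tunnel's selectors.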

Post by z3us » 2017/01/07 10:40:15

When tracerouting the internal subnet of the other VPN host I get:

traceroute 10.106.0.1
traceroute to 10.106.0.1 (10.106.0.1), 30 hops max, 60 byte packets
 1  185.87.*.1 (185.87.*.1)  6.236 ms  6.232 ms  6.226 ms
 2  * * *
 3  * * *
 4  * * *

185.87.*.1 is not one of my IPs and also not the default gateway of my host systems.
Could this be a routing problem at my VPS hosting company?

Post by vtx » 2017/01/07 10:45:02

The SA was established well. So that part indeed seems to work ok. But I'm lost as to why you cannot ping through that tunnel. Have you set leftsourceip and rightsourceip? Even then I want to know why no route was added by pluto. I have no CentOS/*swan combination running with the same version as you do.

So, I'm in the process of setting up two brand new IPsec hosts to simulate what you are seeing (or not). This will take a few minutes.

z3us wrote: Could this be a routing problem at my VPS hosting company?

No, it means that the packet that is supposed to go through the tunnel is going out via your default gateway, and gets (rightfully) blocked one or a few hops further away when it tries to escape towards the internet.

So, it definitely is a routing problem on your IPsec host, caused by the missing route that should have been added by libreswan, and was not, or was added and immediately removed afterwards.
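
One check a practitioner would want at this point, added here as an example and not part of the original thread: with protostack=netkey, whether a packet enters the tunnel is decided by the XFRM policy selectors the conn installs (leftsubnet to rightsubnet), not by the routing table. The route libreswan adds when leftsourceip is set only makes packets the VPN host generates itself (a ping or traceroute run on that host) pick a source address inside leftsubnet; without it, such a probe is sourced from the host's public address, misses the selector, and leaves in the clear via the default gateway, which is what the traceroute above shows. The script below models that with Python's ipaddress module. The conn block and both route tables are constructed, with RFC 5737 documentation addresses standing in for the masked public IPs, and chosen_source is a simplification of the kernel's source-address selection, not a reimplementation of it.

```python
import ipaddress
import re

# Constructed stand-in for the conn block posted in this thread.  The page masks the
# public addresses, so RFC 5737 documentation addresses replace them here.
CONN_A_B = """\
conn A-B
 authby=secret
 auto=start
 type=tunnel
 left=192.0.2.10
 leftsubnet=10.105.0.0/24
 leftnexthop=%defaultroute
 right=198.51.100.20
 rightsubnet=10.106.0.0/24
 rightnexthop=%defaultroute
"""

# Constructed 'ip route show table main' output of host A, no leftsourceip configured.
ROUTES_WITHOUT_SRC = """\
default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
10.105.0.0/24 dev eth1 proto kernel scope link src 10.105.0.1
"""

# Same host after leftsourceip=10.105.0.1: libreswan's updown script adds a route of this
# shape so that packets the VPN host generates itself pick a source inside leftsubnet.
ROUTES_WITH_SRC = ROUTES_WITHOUT_SRC + "10.106.0.0/24 via 192.0.2.1 dev eth0 src 10.105.0.1\n"

ROUTE_RE = re.compile(
    r"^(?P<dst>\S+)(?: via (?P<via>\S+))? dev (?P<dev>\S+)(?:.* src (?P<src>\S+))?"
)


def parse_conn(text):
    """Key=value settings of one conn block; the 'conn NAME' header line is skipped."""
    settings = {}
    for line in text.splitlines()[1:]:
        if "=" in line:
            key, value = line.strip().split("=", 1)
            settings[key] = value
    return settings


def enters_tunnel(conn, src, dst):
    """Would src->dst match the 'dir out' XFRM policy netkey installs for this conn?
    The policy is a pure selector match on leftsubnet/rightsubnet; no route is consulted."""
    local = ipaddress.ip_network(conn["leftsubnet"])
    remote = ipaddress.ip_network(conn["rightsubnet"])
    return ipaddress.ip_address(src) in local and ipaddress.ip_address(dst) in remote


def chosen_source(routes, dst):
    """Simplified model of the kernel's source selection for a locally generated packet:
    longest-prefix route to dst; its 'src' hint if present, otherwise the primary address
    of the egress device (read from that device's connected route)."""
    target = ipaddress.ip_address(dst)
    parsed = []
    for line in routes.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            net = "0.0.0.0/0" if m["dst"] == "default" else m["dst"]
            parsed.append((ipaddress.ip_network(net, strict=False), m["dev"], m["src"]))
    candidates = [r for r in parsed if target in r[0]]
    if not candidates:
        return None
    _net, dev, src = max(candidates, key=lambda r: r[0].prefixlen)
    if src:
        return src
    for _, other_dev, other_src in parsed:
        if other_dev == dev and other_src:
            return other_src
    return None


def probe_verdict(conn, routes, dst):
    """Where does a ping or traceroute run on the VPN host itself actually go?"""
    src = chosen_source(routes, dst)
    if src is None:
        return f"NOROUTE: no route to {dst}"
    if enters_tunnel(conn, src, dst):
        return f"TUNNEL: {src} -> {dst} matches the out policy, ESP expected on the wire"
    return (f"CLEAR: {src} -> {dst} is outside leftsubnet/rightsubnet, so it leaves "
            "unencrypted via the default gateway; probe with a source inside leftsubnet "
            "(ping -I) or set leftsourceip/rightsourceip")


if __name__ == "__main__":
    conn = parse_conn(CONN_A_B)
    print(probe_verdict(conn, ROUTES_WITHOUT_SRC, "10.106.0.1"))
    print(probe_verdict(conn, ROUTES_WITH_SRC, "10.106.0.1"))
    # A LAN host behind A already sources from leftsubnet, so it is selected either way:
    print(enters_tunnel(conn, "10.105.0.42", "10.106.0.1"))
```

On the real host the two inputs come from `ip xfrm policy` (the selectors) and `ip route get 10.106.0.1` (the source the kernel picks, shown in its `src` field). If that source is the public address, `ping -I 10.105.0.1 10.106.0.1` should produce ESP in the tcpdump where a plain `ping 10.106.0.1` does not, and a host on the 10.105.0.0/24 LAN behind A is unaffected by the missing route either way.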

Post by z3us » 2017/01/07 10:59:28

vtx wrote: The SA was established well. So that part indeed seems to work ok. But I'm lost as to why you cannot ping through that tunnel. Have you set leftsourceip and rightsourceip?

Yes, I defined on both machines:

 left=185.107.*.*
 leftsubnet=10.105.0.0/24
 leftnexthop=%defaultroute
 right=185.87.*.*
 rightsubnet=10.106.0.0/24

Full config machine A:

config setup
	protostack=netkey
	interfaces=%defaultroute
	hidetos=no
	oe=off
	logfile=/var/log/pluto.log
	plutodebug=all
	klipsdebug=none
	dumpdir=/var/run/pluto/
	nat_traversal=yes
	keep_alive=60

include /etc/ipsec.d/*.conf

conn A-B
 authby=secret
 auto=start
 type=tunnel
 left=185.107.*.*
 leftsubnet=10.105.0.0/24
 leftnexthop=%defaultroute
 right=185.87.*.*
 rightsubnet=10.106.0.0/24
 rightnexthop=%defaultroute
 compress=no
 ikelifetime=60m
 pfs=no
 ike=aes256-sha1-modp1024
 phase2=esp
 phase2alg=aes256-sha1;modp2048

Full config machine B:

config setup
	protostack=netkey
	interfaces=%defaultroute
	hidetos=no
	oe=off
	logfile=/var/log/pluto.log
	plutodebug=all
	klipsdebug=none
	dumpdir=/var/run/pluto/
	nat_traversal=yes
	keep_alive=60

include /etc/ipsec.d/*.conf

conn A-B
 authby=secret
 auto=add
 type=tunnel
 left=185.107.*.*
 leftsubnet=10.105.0.0/24
 leftnexthop=%defaultroute
 right=185.87.*.*
 rightsubnet=10.106.0.0/24
 rightnexthop=%defaultroute
 compress=no
 ikelifetime=60m
 pfs=no
 ike=aes256-sha1-modp1024
 phase2=esp
 phase2alg=aes256-sha1;modp2048

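A caveat on the posted conn that is unrelated to the missing traffic but that a practitioner copying this config would want to fix at the same time (added here, not part of the original posts): ike=aes256-sha1-modp1024 negotiates the IKE SA with the 1024-bit MODP group and SHA-1, and pfs=no switches off the quick-mode Diffie-Hellman exchange, so the modp2048 listed in phase2alg has nothing to apply to. The fragment below shows the weak lines beside a tightened equivalent in libreswan's ipsec.conf syntax; the algorithm names are the ones libreswan uses, but check them against the ipsec.conf(5) manual of the installed version, and change both ends together.

```ini
# As posted: IKEv1 with the 1024-bit MODP group, SHA-1, and no PFS in quick mode.
conn A-B
 ike=aes256-sha1-modp1024
 phase2=esp
 phase2alg=aes256-sha1;modp2048
 pfs=no

# Tightened equivalent: 2048-bit group and SHA-2 in both phases, PFS on.
# Both peers must carry identical lines; restart the conn so a new IKE SA is negotiated.
conn A-B
 ike=aes256-sha2_256;modp2048
 phase2=esp
 phase2alg=aes256-sha2_256;modp2048
 pfs=yes
```
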

Post by vtx » 2017/01/07 11:01:15

That missing routing entry could - for the sake of testing - be temporarily added manually after bringing up the SA by issuing the following commands on both tunnel ends respectively:

ip route add 10.106.0.0/24 via 185.107.*.* dev eth0 src 10.105.0.1

ip route add 10.105.0.0/24 via 185.87.*.* dev eth0 src 10.106.0.1

Note that you did *not* define leftsourceip and rightsourceip.

Post by z3us » 2017/01/07 11:13:19

vtx wrote: That missing routing entry could - for the sake of testing - be temporarily added manually after bringing up the SA by issuing the following commands on both tunnel ends respectively:

ip route add 10.106.0.0/24 via 185.107.*.* dev eth0 src 10.105.0.1

ip route add 10.105.0.0/24 via 185.87.*.* dev eth0 src 10.106.0.1

Note that you did *not* define leftsourceip and rightsourceip.

When adding the routes manually I get:

RTNETLINK answers: File exists

I'm sorry, I thought I had them defined with left= and right=.
I have now added leftsourceip= and rightsourceip= on both servers.

Still nothing btw... :(

Post by vtx » 2017/01/07 11:18:47

"File exists" is a misnomer for "route already present". The routing table you showed earlier on did not define this route, but now it seems to be present???

ip route show table main
