MX60 to StrongSwan

SOLVED
SamHai
Conversationalist

Hey everyone,

Trying to set up a VPN from my MX60 (14.40 firmware) to Azure & AWS, and it seems like I'm hitting every possible roadblock with Azure. Here's a topology of what I'm trying to achieve (don't mind the poor design from a networking n00b):

https://www.lucidchart.com/invitations/accept/4624f655-72b1-49b7-9a97-6ab6254be063

Since MX appliances aren't compatible with Azure Virtual Network Gateways, I basically followed the instruction set here (http://www.ifm.net.nz/cookbooks/meraki-vpn-to-azure.html), and am trying to connect to a StrongSwan instance that's in its own Azure VNet (which is paired with my main Azure VNet) policies.

Support seems to think there's a Phase 1 lifetime mismatch, so I figured I'd post my settings here to see if anyone with a better eye can point out what I might be doing wrong:

[screenshots: Preset Azure IPsec policies; Non-Meraki peer settings]

StrongSwan ipsec.conf file:

conn %default
    ikelifetime=28800s
    rekeymargin=3600s
    keyingtries=%forever
    keyexchange=ikev1
    aggressive=no
    authby=psk
    dpdaction=restart
    dpddelay=30

conn remote-site
    left=%defaultroute
    # Azure's encryption domain
    leftsubnet=10.1.0.0/24
    # StrongSwan VM public IP
    leftid=**.***.***.***
    leftfirewall=yes
    right=%any
    # My network's encryption domain
    rightsubnet=192.168.1.0/24
    # MX60 public IP
    rightid=***.**.***.**
    auto=add
    ike=aes256-sha1-modp1024
    esp=aes256-sha1

StrongSwan ipsec.secrets file:

%any %any : PSK "presharedkey"

Azure Route table

[screenshot: Azure route table]

StrongSwan syslog:

Aug 22 22:31:36 StrongSwan charon: 13[IKE] remote host is behind NAT
Aug 22 22:31:36 StrongSwan charon: 13[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Aug 22 22:31:36 StrongSwan charon: 13[NET] sending packet: from 10.1.0.4[500] to ***.**.***.**[500] (244 bytes)
Aug 22 22:31:36 StrongSwan charon: 05[NET] received packet: from ***.**.***.**[4500] to 10.1.0.4[4500] (76 bytes)
Aug 22 22:31:36 StrongSwan charon: 05[ENC] parsed ID_PROT request 0 [ ID HASH ]
Aug 22 22:31:36 StrongSwan charon: 05[CFG] looking for pre-shared key peer configs matching 10.1.0.4...***.**.***.**[192.168.1.140]
Aug 22 22:31:36 StrongSwan charon: 05[IKE] no peer config found
Aug 22 22:31:36 StrongSwan charon: 05[ENC] generating INFORMATIONAL_V1 request 1626992101 [ HASH N(AUTH_FAILED) ]
Aug 22 22:31:36 StrongSwan charon: 05[NET] sending packet: from 10.1.0.4[4500] to ***.**.***.**[4500] (92 bytes)

Meraki Event log:

[screenshot: Meraki event log]

Troubleshooting steps taken:

All address spaces have internet access

Port forwarding configured for 4500 and 500

172.16 (AWS VPC), 10.0 (Azure Main VNet), and 10.1 (Azure VPN VNet) can all ping each other and pass all traffic

192.168 (Corporate Network) and 172.16 (AWS VPC) can ping each other and pass all traffic

192.168 can't reach anything in the 10.* space - no ping and not unique traffic

Double-checked ipsec.conf to match MX IPSec policies

Tried different PSKs, including super simple ones

Changed ipsec.conf 'authby' parameter to 'secret'

Rebooted MX and StrongSwan instance

Nothing seems to work. Any idea here?

PhilipDAth
Kind of a big deal

The important bit is this:

>Aug 22 22:31:36 StrongSwan charon: 05[CFG] looking for pre-shared key peer configs matching 10.1.0.4...***.**.***.**[192.168.1.140]
>Aug 22 22:31:36 StrongSwan charon: 05[IKE] no peer config found

That usually means StrongSwan can't find a matching peer in the ipsec.secrets file.  Your ipsec.secrets file looks correct to me - it is matching "any" source and "any" destination.

I have found some versions of StrongSwan to be a little finicky about this.  Perhaps try this alternative:

%any <IP address on MX WAN> : PSK "..."

For example, if your MX had a private IP of 192.168.1.2 on its WAN interface, put:

%any 192.168.1.2 : PSK "..."

Now I see some private IP addresses in the log.  Does your MX have a private IP address that is sitting behind something doing NAT?  If so, perhaps try changing rightid to be the actual IP address on the WAN interface of the MX.

SamHai
Conversationalist

The MX is at the very edge of my network (except the actual cable modem). My modem isn't doing any NAT, and I don't have any NAT or port forwarding configured on the MX.

It's odd because my WAN 1 is displaying both its public and private IPs, so I'm not sure which one to use for rightid.

[screenshot: WAN 1 status]

EDIT: I ended up using the Public IP of my MX for the rightid, and changing the destination to the private IP of my WAN1 in ipsec.secrets. It looks like it's recognizing the public-private IP pairing, but it's still a similar set of errors:

Aug 23 20:15:36 StrongSwan charon: 11[IKE] local host is behind NAT, sending keep alives
Aug 23 20:15:36 StrongSwan charon: 11[IKE] remote host is behind NAT
Aug 23 20:15:36 StrongSwan charon: 11[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Aug 23 20:15:36 StrongSwan charon: 11[NET] sending packet: from 10.1.0.4[500] to 136.49.171.24[500] (244 bytes)
Aug 23 20:15:37 StrongSwan charon: 12[NET] received packet: from 136.49.171.24[4500] to 10.1.0.4[4500] (76 bytes)
Aug 23 20:15:37 StrongSwan charon: 12[ENC] parsed ID_PROT request 0 [ ID HASH ]
Aug 23 20:15:37 StrongSwan charon: 12[CFG] looking for pre-shared key peer configs matching 10.1.0.4...136.49.171.24[192.168.1.140]
Aug 23 20:15:37 StrongSwan charon: 12[IKE] no peer config found
Aug 23 20:15:37 StrongSwan charon: 12[ENC] generating INFORMATIONAL_V1 request 2461985670 [ HASH N(AUTH_FAILED) ]
Aug 23 20:15:37 StrongSwan charon: 12[NET] sending packet: from 10.1.0.4[4500] to 136.49.171.24[4500] (92 bytes)

PhilipDAth
Kind of a big deal

Your peer ID is 192.168.1.140 - and the MX is running through a device doing NAT.  So use that in the Strongswan config.

To increase reliability, you should also NAT through ports udp/500 and udp/4500 on your cable modem through to your MX.

SamHai
Conversationalist

I think I know what you mean, though I'm a bit confused on how StrongSwan will know to hit my network across the internet without a public IP (even with NAT).

PhilipDAth
Kind of a big deal

I see.  There are two parameters.

right=<public ip of peer>

rightid=<actual ip address on MX WAN interface>

SamHai
Conversationalist

Ah, gotcha.

Revised the settings on ipsec.conf to what you recommended:

conn %default
    ikelifetime=28800s
    rekeymargin=3600s
    keyingtries=%forever
    keyexchange=ikev1
    aggressive=no
    authby=psk
    dpdaction=restart
    dpddelay=30

conn remote-site
    left=%defaultroute
    leftsubnet=10.1.0.0/24
    leftid=40.84.188.110
    leftfirewall=yes
    right=136.49.171.24
    rightsubnet=192.168.1.0/24
    rightid=192.168.1.140
    auto=add
    ike=aes256-sha1-md5-modp1024
    esp=aes256-sha1

In addition to enabling port forwarding on my modem:

[screenshot: modem port forwarding rules]

That seems to have established a preliminary connection (according to Meraki):

[screenshots: Meraki VPN status]

Meraki Packet Capture:

--- Start Of Stream ---
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wan0_sniff, link-type EN10MB (Ethernet), capture size 262144 bytes
17:31:36.670840 IP 192.168.1.140.4500 > 40.84.188.110.4500: isakmp-nat-keep-alive
17:31:36.935180 IP 192.168.1.140.4500 > 40.84.188.110.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
17:31:36.965831 IP 40.84.188.110.4500 > 192.168.1.140.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
17:31:46.971176 IP 192.168.1.140.4500 > 40.84.188.110.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
17:31:47.001674 IP 40.84.188.110.4500 > 192.168.1.140.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
17:31:56.682817 IP 192.168.1.140.4500 > 40.84.188.110.4500: isakmp-nat-keep-alive
17:31:57.007180 IP 192.168.1.140.4500 > 40.84.188.110.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
17:31:57.038460 IP 40.84.188.110.4500 > 192.168.1.140.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
17:32:07.051187 IP 192.168.1.140.4500 > 40.84.188.110.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
17:32:07.081895 IP 40.84.188.110.4500 > 192.168.1.140.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
17:32:16.694814 IP 192.168.1.140.4500 > 40.84.188.110.4500: isakmp-nat-keep-alive
17:32:17.087190 IP 192.168.1.140.4500 > 40.84.188.110.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
17:32:17.118141 IP 40.84.188.110.4500 > 192.168.1.140.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
--- End Of Stream ---

Problem is I still can't pass traffic across the tunnel. I can't ping anything in my 192.168 subnet from my Azure Windows VM or even my StrongSwan instance.

Aug 26 17:27:36 StrongSwan charon: 12[ENC] generating INFORMATIONAL_V1 request 2091158197 [ HASH N(DPD_ACK) ]
Aug 26 17:27:36 StrongSwan charon: 12[NET] sending packet: from 10.1.0.4[4500] to 136.49.171.24[4500] (92 bytes)
Aug 26 17:27:46 StrongSwan charon: 13[NET] received packet: from 136.49.171.24[4500] to 10.1.0.4[4500] (92 bytes)
Aug 26 17:27:46 StrongSwan charon: 13[ENC] parsed INFORMATIONAL_V1 request 3753890785 [ HASH N(DPD) ]
Aug 26 17:27:46 StrongSwan charon: 13[ENC] generating INFORMATIONAL_V1 request 3777594473 [ HASH N(DPD_ACK) ]
Aug 26 17:27:46 StrongSwan charon: 13[NET] sending packet: from 10.1.0.4[4500] to 136.49.171.24[4500] (92 bytes)
Aug 26 17:27:56 StrongSwan charon: 16[NET] received packet: from 136.49.171.24[4500] to 10.1.0.4[4500] (92 bytes)
Aug 26 17:27:56 StrongSwan charon: 16[ENC] parsed INFORMATIONAL_V1 request 2834277021 [ HASH N(DPD) ]
Aug 26 17:27:56 StrongSwan charon: 16[ENC] generating INFORMATIONAL_V1 request 4104792313 [ HASH N(DPD_ACK) ]
Aug 26 17:27:56 StrongSwan charon: 16[NET] sending packet: from 10.1.0.4[4500] to 136.49.171.24[4500] (92 bytes)

PhilipDAth
Kind of a big deal

That does look much better.  Can you ping the private LAN IP on the StrongSwan box from your MX60 site?

SamHai
Conversationalist

Tried to ping both private IPs of my Azure VMs and the public IP of the StrongSwan instance from the MX appliance and got a 100% loss rate.

I checked the ACLs and Security Groups in Azure, and I explicitly allowed traffic from my network, so that shouldn't be the issue.

PhilipDAth
Kind of a big deal

Can you ping the private IP on the StrongSwan instance though?

I asked this because this doesn't use any Azure routing or security groups.  If that works then I know the VPN is working and to only look at the Azure side.

If it doesn't work then I know we still have a VPN issue.

SamHai
Conversationalist

Looks like it just took time for the SA to form. I can ping private IPs on the Azure side in the 10.1 subnet. Now to figure out how to ping private IPs in the 10.0 subnet. Thanks!

PhilipDAth
Kind of a big deal

Change from:

leftsubnet=10.1.0.0/24

to:

leftsubnet=10.1.0.0/24,10.0.0.0/24

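Added example, not code from the thread or from the strongSwan project: a small Python diagnostic that reproduces the two checks this thread converges on. First, the accepted answer's point that `right` must match the address IKE packets arrive from (the MX's public IP) while `rightid` must match the identity the MX actually sends, which is its WAN-interface address when it sits behind NAT; the "looking for pre-shared key peer configs matching A...B[ID]" line followed by "no peer config found" is exactly that mismatch. Second, the final reply's point that only subnets listed in `leftsubnet` are inside the tunnel's traffic selectors, so 10.0.0.0/24 was unreachable until it was added. The ipsec.conf excerpt, the charon log line and every address (documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are constructed for the example, not the thread's real values; the ipsec.conf parser handles only the `conn`/indented-parameter shape shown here.

```python
"""Check a strongSwan conn against a charon PSK-lookup line (right vs rightid)
and against a src->dst pair (leftsubnet/rightsubnet coverage).
Added example with constructed values; not from the thread or strongSwan."""
import ipaddress
import re

# Constructed ipsec.conf excerpt, shaped like the thread's 'remote-site' conn,
# with rightid still set to the public IP (the misconfiguration being diagnosed).
IPSEC_CONF = """\
conn %default
    keyexchange=ikev1
    authby=psk

conn remote-site
    left=%defaultroute
    leftsubnet=10.1.0.0/24
    leftid=203.0.113.10
    leftfirewall=yes
    right=198.51.100.7
    rightsubnet=192.168.1.0/24
    rightid=198.51.100.7
    auto=add
"""

# Constructed charon line in the format strongSwan logs a PSK peer lookup:
# "<local address>...<remote address>[<remote IKE identity>]".
CHARON_LINE = (
    "Aug 23 20:15:37 StrongSwan charon: 12[CFG] looking for pre-shared key "
    "peer configs matching 10.1.0.4...198.51.100.7[192.168.1.140]"
)

LOOKUP_RE = re.compile(
    r"looking for pre-shared key peer configs matching "
    r"(?P<local>\S+?)\.\.\.(?P<remote>[^\[\s]+)\[(?P<remote_id>[^\]]+)\]"
)


def parse_ipsec_conf(text):
    """Parse ipsec.conf sections into {'conn NAME': {key: value}}.

    Parameter lines are indented under their 'conn' header and '#' starts a
    comment. Values from 'conn %default' are folded into every other conn,
    with the conn's own values taking precedence.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented: a header such as "conn remote-site"
            kind, _, name = line.partition(" ")
            current = sections.setdefault(f"{kind} {name.strip()}", {})
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    defaults = sections.get("conn %default", {})
    return {name: {**defaults, **params}
            for name, params in sections.items() if name != "conn %default"}


def parse_peer_lookup(line):
    """Extract local/remote address and remote IKE identity from a charon line."""
    match = LOOKUP_RE.search(line)
    return match.groupdict() if match else None


def check_peer_id(conn, lookup):
    """Compare a conn's right/rightid with what the peer actually presented.

    Returns a list of findings; an empty list means the conn would match.
    """
    findings = []
    right = conn.get("right", "%any")
    rightid = conn.get("rightid", right)  # strongSwan defaults rightid to right
    if right != "%any" and right != lookup["remote"]:
        findings.append(f"right={right} but IKE packets arrive from {lookup['remote']}")
    if rightid != lookup["remote_id"]:
        findings.append(
            f"rightid={rightid} but the peer identifies itself as {lookup['remote_id']}; "
            f"set rightid={lookup['remote_id']} and keep right={lookup['remote']}"
        )
    return findings


def check_reachability(conn, src_ip, dst_ip):
    """Is src (MX/right side) -> dst (Azure/left side) inside the tunnel's
    traffic selectors? Returns (covered, reason)."""
    left = [ipaddress.ip_network(s.strip()) for s in conn["leftsubnet"].split(",")]
    right = [ipaddress.ip_network(s.strip()) for s in conn["rightsubnet"].split(",")]
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    problems = []
    if not any(src in net for net in right):
        problems.append(f"{src} is not in rightsubnet={conn['rightsubnet']}")
    if not any(dst in net for net in left):
        problems.append(f"{dst} is not in leftsubnet={conn['leftsubnet']}; add its subnet")
    if problems:
        return False, "; ".join(problems)
    return True, "covered by the tunnel's traffic selectors"


if __name__ == "__main__":
    conn = parse_ipsec_conf(IPSEC_CONF)["conn remote-site"]
    lookup = parse_peer_lookup(CHARON_LINE)
    print("peer lookup:", lookup)
    for finding in check_peer_id(conn, lookup) or ["right/rightid match the peer"]:
        print(" -", finding)
    for dst in ("10.1.0.4", "10.0.0.4"):
        print(f"192.168.1.50 -> {dst}:", check_reachability(conn, "192.168.1.50", dst))
```

Run as-is it reports the rightid mismatch and shows 10.1.0.4 covered but 10.0.0.4 outside leftsubnet; change rightid to the identity from the log and widen leftsubnet to "10.1.0.0/24,10.0.0.0/24" and both findings clear.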