VPN to Linux IPsec

ohv_
Conversationalist


I am having a real hard time getting a CentOS server passing traffic. I can see the phase 1, support says they see phase 2.

 

Something I'm missing? Can anyone help out with this? In the dashboard I see the 3rd-party VPN 'green'; however, I cannot pass traffic.

 

 

Dec 5 10:50:10 Non-Meraki / Client VPN negotiation msg: Port pool depleted
Dec 5 10:50:10 Non-Meraki / Client VPN negotiation msg: isakmp_cfg_config.port_pool == NULL

Dec 05 10:35:54 172.250.xx.xx logger: <134>1 1512498954.876248811 Warden_Norton events Site-to-site VPN: initiate new phase 1 negotiation: 172.250.xx.xx[500]<=>138.197.xx.xx[500]
Dec 05 10:35:54 172.250.xx.xx logger: <134>1 1512498954.916584505 Warden_Norton events Site-to-site VPN: ISAKMP-SA established 172.250.xx.xx[4500]-138.197.xx.xx[4500] spi:c01173e9csd7ff643aa:c45a9c5dasdsad7e68018a

[root@dns-ca1 ~]# strongswan statusall meraki-vpn
Status of IKE charon daemon (strongSwan 5.5.3, Linux 3.10.0-693.5.2.el7.x86_64, x86_64):
  uptime: 11 days, since Nov 24 03:47:52 2017
  malloc: sbrk 1622016, mmap 0, used 502864, free 1119152
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp unity
Listening IP addresses:
  138.197.xx.xx
Connections:
  meraki-vpn: 138.197.xx.xx...172.250.xx.xx IKEv1
  meraki-vpn: local: [138.197.xx.xx] uses pre-shared key authentication
  meraki-vpn: remote: [172.250.xx.xx] uses pre-shared key authentication
  meraki-vpn: child: 10.99.10.0/24 === 192.168.88.0/24 10.255.255.0/24 192.168.89.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
  meraki-vpn[1]: ESTABLISHED 47 seconds ago, 138.197.xx.xx[138.197.xx.xx]...172.250.xx.xx[172.250.xx.xx]
  meraki-vpn[1]: IKEv1 SPIs: c01173ejj97hff643aa_i c45a9c5d7e68jhf018a_r*, pre-shared key reauthentication in 7 hours
  meraki-vpn[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[root@dns-ca1 ~]#

[root@dns-ca1 ~]# cat /etc/ipsec.conf
config setup
        # strictcrlpolicy=yes
        # uniqueids = no

conn %default
        ikelifetime=28800s
        keylife=60m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret

conn meraki-vpn
        aggressive=no
        mobike=yes
        left=138.197.xx.xx
        leftsubnet=10.99.10.0/24
        leftid=138.197.xx.xx
        leftfirewall=yes
        leftsourceip=10.99.10.2
        right=172.250.xx.xx
        rightsubnet=192.168.88.0/24,10.255.255.0/24,192.168.89.0/24
        # rightsubnet=192.168.88.0/24
        rightid=172.250.xx.xx
        auto=add
        type=tunnel
        ike=3des-md5-modp1024,3des-sha1-modp1024!
        esp=3des-md5,3des-sha1
[root@dns-ca1 ~]#

[root@dns-ca1 ~]# ip -s xfrm policy
src 10.99.10.0/24 dst 192.168.88.0/24 uid 0
        dir out action allow index 65 priority 375423 ptype main share any flag (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-12-05 18:50:10 use -
        tmpl src 138.197.xx.xx dst 172.250.xx.xx
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.88.0/24 dst 10.99.10.0/24 uid 0
        dir fwd action allow index 82 priority 375423 ptype main share any flag (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-12-05 18:50:10 use -
        tmpl src 172.250.xx.xx dst 138.197.xx.xx
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.88.0/24 dst 10.99.10.0/24 uid 0
        dir in action allow index 72 priority 375423 ptype main share any flag (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-12-05 18:50:10 use -
        tmpl src 172.250.xx.xx dst 138.197.xx.xx
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
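
An added example, not part of the original post: a Python check that compares the subnet pairs configured in ipsec.conf with the outbound policies the kernel reports in `ip -s xfrm policy`. The sample inputs are abridged from the output above, and the function names (`configured_pairs`, `outbound_policies`, `audit`) are illustrative.

```python
import re

# Constructed sample inputs, abridged from the ipsec.conf and xfrm output posted above.
IPSEC_CONF = """\
conn meraki-vpn
        leftsubnet=10.99.10.0/24
        rightsubnet=192.168.88.0/24,10.255.255.0/24,192.168.89.0/24
"""
XFRM_POLICY = """\
src 10.99.10.0/24 dst 192.168.88.0/24 uid 0
        dir out action allow index 65 priority 375423 ptype main
          add 2017-12-05 18:50:10 use -
src 192.168.88.0/24 dst 10.99.10.0/24 uid 0
        dir in action allow index 72 priority 375423 ptype main
          add 2017-12-05 18:50:10 use -
"""

def configured_pairs(conf, conn):
    """(leftsubnet, rightsubnet) pairs set directly in section `conn` (no also=/%default)."""
    opts, section = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line and not line[0].isspace():      # section header, e.g. "conn meraki-vpn"
            section = line.split()
        elif section == ["conn", conn] and "=" in line:
            key, value = line.strip().split("=", 1)
            opts[key.strip()] = value.strip()
    nets = lambda k: [s.strip() for s in opts.get(k, "").split(",") if s.strip()]
    return [(l, r) for l in nets("leftsubnet") for r in nets("rightsubnet")]

def outbound_policies(xfrm):
    """Map (src, dst) -> ever used? for each 'dir out' policy in `ip -s xfrm policy` text."""
    found, key, is_out = {}, None, False
    for line in xfrm.splitlines():
        if head := re.match(r"src (\S+) dst (\S+)", line):
            key, is_out = head.groups(), False
        elif key and re.search(r"\bdir out\b", line):
            found[key], is_out = False, True
        elif is_out and (m := re.search(r"\buse (\S+)", line)):
            found[key] = m[1] != "-"    # "use -" means no packet has matched the policy
    return found

def audit(conf, conn, xfrm):
    """Status per configured pair: 'missing', 'never used' or 'used'."""
    out = outbound_policies(xfrm)
    return {pair: "missing" if pair not in out else ("used" if out[pair] else "never used")
            for pair in configured_pairs(conf, conn)}

if __name__ == "__main__":
    print(audit(IPSEC_CONF, "meraki-vpn", XFRM_POLICY))
```

A pair reported as missing has no outbound kernel policy, so packets for it follow the normal routing table instead of the tunnel.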

 

PhilipDAth
Kind of a big deal

Have you enabled IP forwarding?  Edit /etc/sysctl.conf and set:

net.ipv4.ip_forward = 1

 

 

This is an exact example of what we use when building VPNs between Meraki and Strong Swan when it is hosted in Amazon AWS.

 

conn %default
 ikelifetime=1440m
 rekeymargin=3m
 keyingtries=%forever
 keyexchange=ikev1
 authby=secret
 dpdaction=restart
 dpddelay=30

 

conn customer
 left=%defaultroute
 leftsubnet=10.0.xx.xx/24 # amazon encryption domain
 leftid=54.xx.xx.xx # amazon public IP of VPN server
 leftfirewall=yes
 right=%any
 rightsubnet=192.168.xx.xx/24 # remote encryption domain
 auto=add
 ike=aes128-sha1-modp1024
 esp=aes128-sha1-modp1024

ohv_
Conversationalist

I have the following in there

 

net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

 

I will try your config now

ohv_
Conversationalist

Unfortunately I am getting the same result. This is the first time connecting a Linux box via IPsec, so I'm sorta reading docs to sort this one out.

 

 

ifconfig eth0:0 10.99.10.2 netmask 255.255.255.0
ip route add table 220 192.168.88.0/24 dev eth0

 

I've tried adding to the route table... adding an IP address to eth0, firewall up/down/sideways, etc.

PhilipDAth
Kind of a big deal

You don't need to touch the route table (normally).

 

Is this running "on a stick", or does the Linux server have an inside and outside interface?

ohv_
Conversationalist

Single interface eth0. I originally just did a /30 but all the guides I was following were a /24.

 

My goal is just to access the DigitalOcean box on the internal connection.

ohv_
Conversationalist

@PhilipDAth any ideas on this one?

PhilipDAth
Kind of a big deal

Are you able to ping the internal IP address on the StrongSwan box over the VPN?

ohv_
Conversationalist

Nothing is in ifconfig or ip link.

 

I can add the address via 'ifconfig eth0:0 10.99.10.2 netmask 255.255.255.0' still nada.

PhilipDAth
Kind of a big deal

How are you SSH'ing to the box if it has no IP address?

 

Can the Linux box ping 8.8.8.8?

ohv_
Conversationalist

Sorry- Only 1 public IP address, no LAN segment. 

 

I was referring to the IP for the internal side (left)

 

leftsubnet=10.99.10.0/24
leftid=138.197.xx.xx
leftfirewall=yes
leftsourceip=10.99.10.2

PhilipDAth
Kind of a big deal

This might be a question for your hosting provider.

 

Your machine needs to be able to ping internal hosts.

ohv_
Conversationalist

This isn't a router, it's a box/VM with services.

 

The goal is to connect to the machine via the VPN, not on the public-facing interface with a /30.

PhilipDAth
Kind of a big deal

You need to get to the point where the VM terminating the VPN can ping all the other VM's you want to talk to via the VPN.

ohv_
Conversationalist

It is the machine. It's a DNS machine.

I have it connected to a Palo Alto box (my home); can't connect and pass traffic to the MX.

 

It's not a router to pass traffic to an internal segment, it's the box itself connecting to the VPN for local/remote access via the VPN.

 

https://documentation.meraki.com/MX-Z/Client_VPN/Client_VPN_OS_Configuration#Linux

 

 

PhilipDAth
Kind of a big deal

In that case, if the machine has a single IP address; a public IP address; then that is your encryption domain.  You want all traffic from your network to and from that public IP address to be encrypted.

fmarcoux96
Getting noticed

Hi!

 

I know it's an old topic but I managed to get a VPN working from my MX to my DigitalOcean droplet but I still have one issue: I can't ping other droplets in my subnet (10.137.0.0/16); all my VMs are in this subnet.

 

I can ping 8.8.8.8 from the VM, I can ping my VM private IP from my local PC, and my VoIP phones are all working correctly as the VPN server (Strongswan) is on that VM.

 

Also, I enabled IP forwarding and played with a few iptables to see if I could get it to work but no.

 

Does anyone have an idea?

PhilipDAth
Kind of a big deal

Does whatever is acting as the default gateway in Digital Ocean have a route for your office subnet via your Strongswan instance?

fmarcoux96
Getting noticed

Yes, I can ping any local machine (behind my home MX) from the VM. Anyone of them.

 

BUT, I can't ping other VMs in my subnet from my local machines.

 

So: MX = 192.168.1.0/24, DO = 10.137.0.0/16

From MX -> I can ping the VPN VM, but not the other VM local to it.

From DO -> I can ping any machines on the MX network.

 

On DigitalOcean, there's no "gateway", the public IP is bound directly to the VM and the private IP is just a 10.137.0.0/16;255.255.0.0 in my case (Toronto datacenter). All my other VMs are in the same private subnet.

PhilipDAth
Kind of a big deal

In that case you will need to add a static route on each host in Digital Ocean for your home subnet pointing via the Strongswan instance.

fmarcoux96
Getting noticed

So how do I do that?

And shouldn't I only need to create a route from the VPN VM to the private subnet FROM the strongswan interface?
PhilipDAth
Kind of a big deal

What OS are your machines running in Digital Ocean?

fmarcoux96
Getting noticed

All running Debian 9
ohv_
Conversationalist

Can you post your config? I never was able to ping any side.

fmarcoux96
Getting noticed


@ohv_ wrote:

Can you post your config? I never was able to ping any side.

First, you need these:

  • Cloud VM Public IP
  • Cloud VM Private Subnet and Mask
  • Local Subnet and Mask

Note that this is not 100% secure as I am using a dynamic IP (see rightid below)

 

Here's my /etc/ipsec.conf

conn %default
        ikelifetime=1440m
        rekeymargin=3m
        keyingtries=%forever
        keyexchange=ikev1
        authby=secret
        dpdaction=restart
        dpddelay=30

conn remote-site
        left=%defaultroute
        leftsubnet=<VM Private Subnet/Mask, ex: 10.137.0.0/16>
        leftid=<VM Public IP>
        leftfirewall=yes
        right=%any
        rightsubnet=<Local Subnet/Mask, ex: 192.168.0.0/16>
        #rightid=123.123.123.123 <Static IP>
        rightid=%any # <Dynamic IP>
        auto=add
        ike=aes256-sha1-modp1024
        esp=aes256-sha1

 Then, in /etc/ipsec.secrets :

%any %any : PSK "Y0ur5tr0ngP@55w0rd"

On the MX side:

  • Public IP : your VM public IP
  • Private Subnets : your VM private subnet/mask, ex: 10.137.0.0/16
  • Policies : Azure
  • Preshared Secret: Your password entered in ipsec.secrets

 

I didn't have to add any routes or iptables, as Strongswan does it automatically. This way, you can communicate with the VM but not with the private subnet (depends on the provider, DigitalOcean blocks it), BUT the VM can see both my local VLANs and my VoIP phones are working perfectly.


PhilipDAth
Kind of a big deal

It looks like you have three subnets, so test it first on a Digital Ocean machine with:

 

ip route add 192.168.88.0/24 via 10.99.10.2
ip route add 10.255.255.0/24 via 10.99.10.2
ip route add 192.168.89.0/24 via 10.99.10.2

 

Assuming 10.99.10.2 is your StrongSwan machine.  If after doing that you can ping the machine then add it to rc.local so it happens every boot.  You'll need to be root to execute the above commands.

fmarcoux96
Getting noticed


@PhilipDAth wrote:

It looks like you have three subnets, so test it first on a Digital Ocean machine with:

 

ip route add 192.168.88.0/24 via 10.99.10.2
ip route add 10.255.255.0/24 via 10.99.10.2
ip route add 192.168.89.0/24 via 10.99.10.2

 

Assuming 10.99.10.2 is your StrongSwan machine.  If after doing that you can ping the machine then add it to rc.local so it happens every boot.  You'll need to be root to execute the above commands.


I figured out why it wouldn't work. Strongswan does the routes automatically, but DigitalOcean (my provider) doesn't allow traffic from a different source IP (other than a private IP) to be forwarded to private networks. In other words, the VM is reachable, but not the network behind it.
