I am having a real hard time getting a CentOS server to pass traffic. I can see phase 1; support says they see phase 2.
Something I'm missing? Can anyone help out with this? In the dashboard I see the 3rd party VPN as 'green'; however, I cannot pass traffic.
Dec 5 10:50:10 Non-Meraki / Client VPN negotiation msg: Port pool depleted
Dec 5 10:50:10 Non-Meraki / Client VPN negotiation msg: isakmp_cfg_config.port_pool == NULL
Dec 05 10:35:54 172.250.xx.xx logger: <134>1 1512498954.876248811 Warden_Norton events Site-to-site VPN: initiate new phase 1 negotiation: 172.250.xx.xx[500]<=>138.197.xx.xx[500]
Dec 05 10:35:54 172.250.xx.xx logger: <134>1 1512498954.916584505 Warden_Norton events Site-to-site VPN: ISAKMP-SA established 172.250.xx.xx[4500]-138.197.xx.xx[4500] spi:c01173e9csd7ff643aa:c45a9c5dasdsad7e68018a

[root@dns-ca1 ~]# strongswan statusall meraki-vpn
Status of IKE charon daemon (strongSwan 5.5.3, Linux 3.10.0-693.5.2.el7.x86_64, x86_64):
  uptime: 11 days, since Nov 24 03:47:52 2017
  malloc: sbrk 1622016, mmap 0, used 502864, free 1119152
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp unity
Listening IP addresses:
  138.197.xx.xx
Connections:
  meraki-vpn:  138.197.xx.xx...172.250.xx.xx  IKEv1
  meraki-vpn:   local:  [138.197.xx.xx] uses pre-shared key authentication
  meraki-vpn:   remote: [172.250.xx.xx] uses pre-shared key authentication
  meraki-vpn:   child:  10.99.10.0/24 === 192.168.88.0/24 10.255.255.0/24 192.168.89.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
  meraki-vpn[1]: ESTABLISHED 47 seconds ago, 138.197.xx.xx[138.197.xx.xx]...172.250.xx.xx[172.250.xx.xx]
  meraki-vpn[1]: IKEv1 SPIs: c01173ejj97hff643aa_i c45a9c5d7e68jhf018a_r*, pre-shared key reauthentication in 7 hours
  meraki-vpn[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[root@dns-ca1 ~]#

[root@dns-ca1 ~]# cat /etc/ipsec.conf
config setup
        # strictcrlpolicy=yes
        # uniqueids = no

conn %default
        ikelifetime=28800s
        keylife=60m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret

conn meraki-vpn
        aggressive=no
        mobike=yes
        left=138.197.xx.xx
        leftsubnet=10.99.10.0/24
        leftid=138.197.xx.xx
        leftfirewall=yes
        leftsourceip=10.99.10.2
        right=172.250.xx.xx
        rightsubnet=192.168.88.0/24,10.255.255.0/24,192.168.89.0/24
        # rightsubnet=192.168.88.0/24
        rightid=172.250.xx.xx
        auto=add
        type=tunnel
        ike=3des-md5-modp1024,3des-sha1-modp1024!
        esp=3des-md5,3des-sha1
[root@dns-ca1 ~]#

[root@dns-ca1 ~]# ip -s xfrm policy
src 10.99.10.0/24 dst 192.168.88.0/24 uid 0
        dir out action allow index 65 priority 375423 ptype main share any flag (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-12-05 18:50:10 use -
        tmpl src 138.197.xx.xx dst 172.250.xx.xx
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.88.0/24 dst 10.99.10.0/24 uid 0
        dir fwd action allow index 82 priority 375423 ptype main share any flag (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-12-05 18:50:10 use -
        tmpl src 172.250.xx.xx dst 138.197.xx.xx
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.88.0/24 dst 10.99.10.0/24 uid 0
        dir in action allow index 72 priority 375423 ptype main share any flag (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-12-05 18:50:10 use -
        tmpl src 172.250.xx.xx dst 138.197.xx.xx
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
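An added check, not from this thread: it reads `ip -s xfrm policy` output in the format shown above and reports, for each rightsubnet in ipsec.conf, whether the out/in/fwd policies exist and whether either leg has carried any bytes, which separates "no CHILD_SA for that subnet" from "policies installed but packets never reach the tunnel". The excerpt in SAMPLE is constructed and trimmed to the parsed lines; the verdict wording is mine.

```python
import re

# Subnets from the ipsec.conf posted above (leftsubnet and the three rightsubnets).
LEFT = "10.99.10.0/24"
RIGHTS = ["192.168.88.0/24", "10.255.255.0/24", "192.168.89.0/24"]

# Constructed excerpt in `ip -s xfrm policy` layout, cut down to the lines parsed below.
SAMPLE = """\
src 10.99.10.0/24 dst 192.168.88.0/24 uid 0
        dir out action allow index 65 priority 375423 ptype main share any flag (0x00000000)
          0(bytes), 0(packets)
src 192.168.88.0/24 dst 10.99.10.0/24 uid 0
        dir fwd action allow index 82 priority 375423 ptype main share any flag (0x00000000)
          0(bytes), 0(packets)
src 192.168.88.0/24 dst 10.99.10.0/24 uid 0
        dir in action allow index 72 priority 375423 ptype main share any flag (0x00000000)
          1176(bytes), 14(packets)
"""

def parse_policies(text):
    """Map (src, dst, dir) -> (bytes, packets) for every policy in the output."""
    policies, src, dst, key = {}, None, None, None
    for line in text.splitlines():
        if m := re.match(r"src (\S+) dst (\S+)", line):        # policy header at column 0
            src, dst, key = m.group(1), m.group(2), None
        elif m := re.match(r"\s+dir (out|in|fwd)\b", line):     # direction of this policy
            key = (src, dst, m.group(1))
            policies[key] = (0, 0)
        elif key and (m := re.match(r"\s+(\d+)\(bytes\), (\d+)\(packets\)", line)):
            policies[key] = (int(m.group(1)), int(m.group(2)))  # "lifetime current" counters
    return policies

def check_tunnel(policies, left, rights):
    """One verdict per configured remote subnet."""
    verdicts = {}
    for right in rights:
        legs = {"out": (left, right, "out"), "in": (right, left, "in"), "fwd": (right, left, "fwd")}
        missing = [d for d, k in legs.items() if k not in policies]
        if missing:  # with auto=add, policies only appear once the CHILD_SA is up
            verdicts[right] = "missing " + "/".join(missing) + " policy: no CHILD_SA for this subnet"
            continue
        out_bytes, in_bytes = policies[legs["out"]][0], policies[legs["in"]][0]
        if in_bytes and not out_bytes:
            verdicts[right] = "inbound ESP arrives but nothing leaves: check ip_forward, routes, firewall"
        elif not (in_bytes or out_bytes):
            verdicts[right] = "policies present but idle: traffic never reaches the tunnel"
        else:
            verdicts[right] = "ok"
    return verdicts

if __name__ == "__main__":
    for subnet, verdict in check_tunnel(parse_policies(SAMPLE), LEFT, RIGHTS).items():
        print(f"{subnet:18} {verdict}")
```

Run it against live output with `ip -s xfrm policy | python3 check.py` after swapping SAMPLE for `sys.stdin.read()`.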
Have you enabled IP forwarding? Edit /etc/sysctl.conf and set:
net.ipv4.ip_forward = 1
This is an exact example of what we use when building VPNs between Meraki and strongSwan when it is hosted in Amazon AWS.
conn %default
        ikelifetime=1440m
        rekeymargin=3m
        keyingtries=%forever
        keyexchange=ikev1
        authby=secret
        dpdaction=restart
        dpddelay=30

conn customer
        left=%defaultroute
        leftsubnet=10.0.xx.xx/24       <amazon encryption domain>
        leftid=54.xx.xx.xx             <amazon public IP of VPN server>
        leftfirewall=yes
        right=%any
        rightsubnet=192.168.xx.xx/24   <remote encryption domain>
        auto=add
        ike=aes128-sha1-modp1024
        esp=aes128-sha1-modp1024
I have the following in there
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
I will try your config now
Unfortunately I am getting the same result. This is the first time connecting a Linux box via IPsec, so I'm sorta reading docs to sort this one out.
ifconfig eth0:0 10.99.10.2 netmask 255.255.255.0
ip route add table 220 192.168.88.0/24 dev eth0
I've tried adding to the route table... adding an IP address to eth0, firewall up/down/sideways, etc.
You don't need to touch the route table (normally).
Is this running "on a stick", or does the Linux server have an inside and outside interface?
Single interface eth0. I originally just did a /30, but all the guides I was following used a /24.
My goal is just to access the digitalocean box on the internal connection
Are you able to ping the internal IP address on the StrongSwan box over the VPN?
Nothing is in ifconfig or ip link.
I can add the address via 'ifconfig eth0:0 10.99.10.2 netmask 255.255.255.0'; still nada.
How are you SSH'ing to the box if it has no IP address?
Can the Linux box ping 8.8.8.8?
Sorry, only 1 public IP address, no LAN segment.
I was referring to the IP for the internal side (left):
leftsubnet=10.99.10.0/24
leftid=138.197.xx.xx
leftfirewall=yes
leftsourceip=10.99.10.2
This might be a question for your hosting provider.
Your machine needs to be able to ping internal hosts.
This isn't a router, it's a box/VM with services.
The goal is to connect to the machine via the VPN, not on the public-facing interface with a /30.
You need to get to the point where the VM terminating the VPN can ping all the other VM's you want to talk to via the VPN.
It is the machine. It's a DNS machine.
I have it connected to a Palo Alto box (my home); can't connect and pass traffic to the MX.
It's not a router to pass traffic to an internal segment; it's the box itself connecting to the VPN for local/remote access via the VPN.
https://documentation.meraki.com/MX-Z/Client_VPN/Client_VPN_OS_Configuration#Linux
In that case, if the machine has a single IP address, a public IP address, then that is your encryption domain. You want all traffic from your network to and from that public IP address to be encrypted.
Hi!
I know it's an old topic but I managed to get a VPN working from my MX to my DigitalOcean droplet but I still have one issue: I can't ping other droplets in my subnet (10.137.0.0/16), all my VM are in this subnet.
I can ping 8.8.8.8 from the VM, I can ping my VM private IP from my local PC, and my VoIP phones are all working correctly, as the VPN server (strongSwan) is on that VM.
Also, I enabled IP forwarding and played with a few iptables rules to see if I could get it to work, but no.
Does anyone have an idea?
Does whatever is acting as the default gateway in Digital Ocean have a route for your office subnet via your Strongswan instance?
Yes, I can ping any local machine (behind my home MX) from the VM. Anyone of them.
BUT, I can't ping other VMs in my subnet from my local machines.
So: MX = 192.168.1.0/24, DO = 10.137.0.0/16
From MX -> I can ping the VPN VM, but not the other VM local to it.
From DO -> I can ping any machines on the MX network.
On DigitalOcean, there's no "gateway", the public IP is bound directly to the VM and the private IP is just a 10.137.0.0/16;255.255.0.0 in my case (Toronto datacenter). All my other VMs are in the same private subnet.
In that case you will need to add a static route on each host in Digital Ocean for your home subnet pointing via the Strongswan instance.
What OS are your machines running in Digital Ocean?
Can you post your config? I was never able to ping any side.
@ohv_ wrote: Can you post your config? I was never able to ping any side.
First, you need these:
Note that this is not 100% secure, as I am using a dynamic IP (see rightid below).
Here's my /etc/ipsec.conf
conn %default
        ikelifetime=1440m
        rekeymargin=3m
        keyingtries=%forever
        keyexchange=ikev1
        authby=secret
        dpdaction=restart
        dpddelay=30

conn remote-site
        left=%defaultroute
        leftsubnet=<VM Private Subnet/Mask, ex: 10.137.0.0/16>
        leftid=<VM Public IP>
        leftfirewall=yes
        right=%any
        rightsubnet=<Local Subnet/Mask, ex: 192.168.0.0/16>
        #rightid=123.123.123.123 <Static IP>
        rightid=%any # <Dynamic IP>
        auto=add
        ike=aes256-sha1-modp1024
        esp=aes256-sha1
Then, in /etc/ipsec.secrets :
%any %any : PSK "Y0ur5tr0ngP@55w0rd"
On the MX side:
I didn't have to add any routes or iptables rules, as strongSwan does it automatically. This way, you can communicate with the VM but not with the private subnet (depends on the provider; DigitalOcean blocks it), BUT the VM can see both my local VLANs, and my VoIP phones are working perfectly.
It looks like you have three subnets, so test it first on a Digital Ocean machine with:
ip route add 192.168.88.0/24 via 10.99.10.2
ip route add 10.255.255.0/24 via 10.99.10.2
ip route add 192.168.89.0/24 via 10.99.10.2
Assuming 10.99.10.2 is your StrongSwan machine. If after doing that you can ping the machine then add it to rc.local so it happens every boot. You'll need to be root to execute the above commands.
@PhilipDAth wrote: It looks like you have three subnets, so test it first on a Digital Ocean machine with:
ip route add 192.168.88.0/24 via 10.99.10.2
ip route add 10.255.255.0/24 via 10.99.10.2
ip route add 192.168.89.0/24 via 10.99.10.2
Assuming 10.99.10.2 is your StrongSwan machine. If after doing that you can ping the machine then add it to rc.local so it happens every boot. You'll need to be root to execute the above commands.
I figured out why it wouldn't work. strongSwan does the routes automatically, but DigitalOcean (my provider) doesn't allow traffic from a different source IP (other than a private IP) to be forwarded to private networks. In other words, the VM is reachable, but not the network behind it.