Meraki

ohv_ · ‎Dec 5 2017

I am having a real hard time getting a Centos server passing traffic. I can see the phase1, support says they see phase2.

Something im missing? Anyone can help out with this? In dashboard I see the 3rd party vpn 'green; however can not pass traffic.

Dec 5 10:50:10 Non-Meraki / Client VPN negotiation msg: Port pool depleted
Dec 5 10:50:10 Non-Meraki / Client VPN negotiation msg: isakmp_cfg_config.port_pool == NULL

Dec 05 10:35:54 172.250.xx.xx logger:  <134>1 1512498954.876248811 Warden_Norton events Site-to-site VPN: initiate new phase 1 negotiation: 172.250.xx.xx[500]<=>138.197.xx.xx[500]
Dec 05 10:35:54 172.250.xx.xx logger:  <134>1 1512498954.916584505 Warden_Norton events Site-to-site VPN: ISAKMP-SA established 172.250.xx.xx[4500]-138.197.xx.xx[4500] spi:c01173e9csd7ff643aa:c45a9c5dasdsad7e68018a

[root@dns-ca1 ~]# strongswan statusall meraki-vpn
Status of IKE charon daemon (strongSwan 5.5.3, Linux 3.10.0-693.5.2.el7.x86_64, x86_64):
  uptime: 11 days, since Nov 24 03:47:52 2017
  malloc: sbrk 1622016, mmap 0, used 502864, free 1119152
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp unity
Listening IP addresses:
  138.197.xx.xx
Connections:
  meraki-vpn:  138.197.xx.xx...172.250.xx.xx  IKEv1
  meraki-vpn:   local:  [138.197.xx.xx] uses pre-shared key authentication
  meraki-vpn:   remote: [172.250.xx.xx] uses pre-shared key authentication
  meraki-vpn:   child:  10.99.10.0/24 === 192.168.88.0/24 10.255.255.0/24 192.168.89.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
  meraki-vpn[1]: ESTABLISHED 47 seconds ago, 138.197.xx.xx[138.197.xx.xx]...172.250.xx.xx[172.250.xx.xx]
  meraki-vpn[1]: IKEv1 SPIs: c01173ejj97hff643aa_i c45a9c5d7e68jhf018a_r*, pre-shared key reauthentication in 7 hours
  meraki-vpn[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[root@dns-ca1 ~]#


[root@dns-ca1 ~]# cat /etc/ipsec.conf
config setup
  # strictcrlpolicy=yes
  # uniqueids = no


conn %default
  ikelifetime=28800s
  keylife=60m
  rekeymargin=3m
  keyingtries=1
  keyexchange=ikev1
  authby=secret

conn meraki-vpn
  aggressive=no
  mobike=yes
  left=138.197.xx.xx
  leftsubnet=10.99.10.0/24
  leftid=138.197.xx.xx
  leftfirewall=yes
  leftsourceip=10.99.10.2
  right=172.250.xx.xx
  rightsubnet=192.168.88.0/24,10.255.255.0/24,192.168.89.0/24
  # rightsubnet=192.168.88.0/24
  rightid=172.250.xx.xx
  auto=add
  type=tunnel
  ike=3des-md5-modp1024,3des-sha1-modp1024!
  esp=3des-md5,3des-sha1
[root@dns-ca1 ~]#

[root@dns-ca1 ~]# ip -s xfrm policy
src 10.99.10.0/24 dst 192.168.88.0/24 uid 0
        dir out action allow index 65 priority 375423 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-12-05 18:50:10 use -
        tmpl src 138.197.xx.xx dst 172.250.xx.xx
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.88.0/24 dst 10.99.10.0/24 uid 0
        dir fwd action allow index 82 priority 375423 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-12-05 18:50:10 use -
        tmpl src 172.250.xx.xx dst 138.197.xx.xx
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.88.0/24 dst 10.99.10.0/24 uid 0
        dir in action allow index 72 priority 375423 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-12-05 18:50:10 use -
        tmpl src 172.250.xx.xx dst 138.197.xx.xx
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff

PhilipDAth · ‎Dec 5 2017

Have you enabled IP forwarding? Edit /etc/sysctl.conf and set:

net.ipv4.ip_forward = 1

This is an exact example of what we use when building VPNs between Meraki and Strong Swan when it is hosted in Amazon AWS.

conn %default
ikelifetime=1440m
rekeymargin=3m
keyingtries=%forever
keyexchange=ikev1
authby=secret
dpdaction=restart
dpddelay=30

conn customer
left=%defaultroute
leftsubnet=10.0.xx.xx/24 <amazon encryption domain>
leftid=54.xx.xx.xx <amazon public IP of VPN server>
leftfirewall=yes
right=%any
rightsubnet=192.168.xx.xx/24 <remote encryption domain>
auto=add
ike=aes128-sha1-modp1024
esp=aes128-sha1-modp1024

ohv_ · ‎Dec 5 2017

I have the following in there

net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

I will try your config now

ohv_ · ‎Dec 5 2017

Unfortunately I am getting the same result, this is the first time connecting a Linux box via ipsec so Im sorta reading docs to sort this one out.

ifconfig eth0:0 10.99.10.2 netmask 255.255.255.0
ip route add table 220 192.168.88.0/24 dev eth0

Ive tried adding to the route table... adding a IP address to eth0, firewall up/down/sideways etc.

PhilipDAth · ‎Dec 5 2017

You don't need to touch the route table (normally).

Is this running "on a stick", or does the Linux server have an inside and outside interface?

ohv_ · ‎Dec 5 2017

Single interface eth0, I originally just did a /30 but all the guides I was following was a /24

My goal is just to access the digitalocean box on the internal connection

ohv_ · ‎Dec 7 2017

@PhilipDAth any ideas on this one?

PhilipDAth · ‎Dec 7 2017

Are you able to ping the internal IP address on the StrongSwan box over the VPN?

ohv_ · ‎Dec 7 2017

nothing is in ifconfig or ip link

I can add the address via 'ifconfig eth0:0 10.99.10.2 netmask 255.255.255.0' still nada.

PhilipDAth · ‎Dec 7 2017

How are you SSH'ing to the box if it has no IP address?

Can the Linux box ping 8.8.8.8?

ohv_ · ‎Dec 7 2017

Sorry- Only 1 public IP address, no LAN segment.

I was referring to the ip for the internal side (left)

leftsubnet=10.99.10.0/24
leftid=138.197.xx.xx
leftfirewall=yes
leftsourceip=10.99.10.2

PhilipDAth · ‎Dec 7 2017

This might be a question for your hosting provider.

Your machine needs to be able to ping internal hosts.

ohv_ · ‎Dec 7 2017

This isnt a router, its a box/vm with services.

the goal is to connect to the machine via the VPN not on the public facing interface with a /30

PhilipDAth · ‎Dec 7 2017

You need to get to the point where the VM terminating the VPN can ping all the other VM's you want to talk to via the VPN.

ohv_ · ‎Dec 7 2017

IT is the machine. its a DNS machine.

I have it connected to a PaloAlto box (my home) cant connect and pass traffic to the MX.

Its not a router to pass traffic to a intern segment, its the box it self connecting to the VPN for local/remote access via the VPN.

https://documentation.meraki.com/MX-Z/Client_VPN/Client_VPN_OS_Configuration#Linux

PhilipDAth · ‎Dec 7 2017

In that case, if the machine has a single IP address; a public IP address; then that is your encryption domain. You want all traffic from your network to and from that public IP address to be encrypted.

fmarcoux96 · ‎Feb 5 2019

Hi!

I know it's an old topic but I managed to get a VPN working from my MX to my DigitalOcean droplet but I still have one issue: I can't ping other droplets in my subnet (10.137.0.0/16), all my VM are in this subnet.

I can ping 8.8.8.8 from the VM, I can ping my VM private IP from my local PC, my VoIP phones are all working correctly has the VPN server (Strongswan) is on that VM.

Also, I enabled IP forwarding and played with a few iptables to see if I could get it to work but no.

Does anyone have an idea?

PhilipDAth · ‎Feb 5 2019

Does whatever is acting as the default gateway in Digital Ocean have a route for your office subnet via your Strongswan instance?

fmarcoux96 · ‎Feb 5 2019

Yes, I can ping any local machine (behind my home MX) from the VM. Anyone of them.

BUT, I can't ping other VMs in my subnet from my local machines.

So: MX = 192.168.1.0/24, DO = 10.137.0.0/16

From MX -> I can ping the VPN VM, but not the other VM local to it.

From DO -> I can ping any machines on the MX network.

On DigitalOcean, there's no "gateway", the public IP is bound directly to the VM and the private IP is just a 10.137.0.0/16;255.255.0.0 in my case (Toronto datacenter). All my other VMs are in the same private subnet.

PhilipDAth · ‎Feb 5 2019

In that case you will need to add a static route on each host in Digital Ocean for your home subnet pointing via the Strongswan instance.

fmarcoux96 · ‎Feb 5 2019

So how I do that?

And shouldn't I only need to create a route from the VPN VM to the private subnet FROM the strongswan interface?

PhilipDAth · ‎Feb 5 2019

What OS are your machines running in Digital Ocean?

fmarcoux96 · ‎Feb 5 2019

All running Debian 9

ohv_ · ‎Feb 5 2019

can you post your config? I never wasnt able to ping any side.

fmarcoux96 · ‎Feb 5 2019

@ohv_ wrote:
can you post your config? I never wasnt able to ping any side.

First, you need these:

Cloud VM Public IP
Cloud VM Private Subnet and Mask
Local Subnet and Mask

Note that this is not a 100% secure as I am using a dynamic IP (see rightid below)

Here's my /etc/ipsec.conf

conn %default
        ikelifetime=1440m
        rekeymargin=3m
        keyingtries=%forever
        keyexchange=ikev1
        authby=secret
        dpdaction=restart
        dpddelay=30

conn remote-site
        left=%defaultroute
        leftsubnet=<VM Private Subnet/Mask, ex: 10.137.0.0/16>
        leftid=<VM Public IP>
        leftfirewall=yes
        right=%any
        rightsubnet=<Local Subnet/Mask, ex: 192.168.0.0/16>
        #rightid=123.123.123.123 <Static IP>
        rightid=%any # <Dynamic IP>
        auto=add
        ike=aes256-sha1-modp1024
        esp=aes256-sha1

Then, in /etc/ipsec.secrets :

%any %any : PSK "Y0ur5tr0ngP@55w0rd"

On the MX side:

Public IP : your VM public IP
Private Subnets : your VM private subnet/mask, ex: 10.137.0.0/16
Policies : Azure
Preshared Secret: Your password entered in ipsec.secrets

I didn't have to add any routes or iptables, as Strongswan does it automatically. This way, you can communicate with the VM but not with the private subnet (depends on the provider, DigitalOcean blocks it), BUT the VM can see both my local VLANs and my VoIP phones are working perfectly.

PhilipDAth · ‎Feb 5 2019

It looks like you have thee subnets, so test it first on a Digital Ocean machine with:

ip route add 192.168.88.0/24 via 10.99.10.2
ip route add 10.255.255.0/24 via 10.99.10.2
ip route add 192.168.89.0/24 via 10.99.10.2

Assuming 10.99.10.2 is your StrongSwan machine. If after doing that you can ping the machine then add it to rc.local so it happens every boot. You'll need to be root to execute the above commands.

fmarcoux96 · ‎Feb 5 2019

@PhilipDAth wrote:
It looks like you have thee subnets, so test it first on a Digital Ocean machine with:

ip route add 192.168.88.0/24 via 10.99.10.2
ip route add 10.255.255.0/24 via 10.99.10.2
ip route add 192.168.89.0/24 via 10.99.10.2

Assuming 10.99.10.2 is your StrongSwan machine. If after doing that you can ping the machine then add it to rc.local so it happens every boot. You'll need to be root to execute the above commands.

I figured out why it wouldn't work. Strongswan does the routes automatically, but DigitalOcean (my provider) doesn't allow traffic from different source IP (other than a private IP) to be forwarded to private networks. In other words, the VM is reachable, but not the network behind it.

Meraki

Community

VPN to Linux IPsec

VPN to Linux IPsec