site-to-site with MX67 and strongswan

chris-cco-az
Comes here often

hello,

I have a site-to-site tunnel with IKEv1 configured (I think) between an MX and strongSwan. However, I can't pass traffic between the two.

The goal at the end of this is to have a particular VLAN, 10.240.82.0/24, send all its traffic out the VPN.

It shows connected (from what I can tell).

any help would be most appreciated.

root@ams-ubuntu-vpn:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.2, Linux 5.4.0-65-generic, x86_64):
  uptime: 11 minutes, since Feb 07 03:53:41 2021
  malloc: sbrk 1757184, mmap 0, used 907424, free 849760
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 7
  loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey
sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark farp stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs
dhcp lookip error-notify certexpire led addrblock unity counters
Listening IP addresses:
  public-ip-of-strongswan
  10.18.0.5
  10.110.0.2
Connections:
   vpn-to-mx:  %any...public-ip-of-mx  IKEv1, dpddelay=30s
   vpn-to-mx:   local:  [public-ip-of-strongswan] uses pre-shared key authentication
   vpn-to-mx:   remote: [public-ip-of-mx] uses pre-shared key authentication
   vpn-to-mx:   child:  0.0.0.0/0 === 10.240.82.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
   vpn-to-mx[3]: ESTABLISHED 6 minutes ago, public-ip-of-strongswan[public-ip-of-strongswan]...public-ip-of-mx[public-ip-of-mx]
   vpn-to-mx[3]: IKEv1 SPIs: adfd527d8a576bba_i 237d2ccf09786ad0_r*, pre-shared key reauthentication in 42 minutes
   vpn-to-mx[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
   vpn-to-mx{3}:  REKEYED, TUNNEL, reqid 2, expires in 7 hours
   vpn-to-mx{3}:   0.0.0.0/0 === 10.240.82.0/24
   vpn-to-mx{4}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: cc01d4d8_i c8fc19e5_o
   vpn-to-mx{4}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 26292 bytes_o (313 pkts, 3s ago), rekeying in 7 hours
   vpn-to-mx{4}:   0.0.0.0/0 === 10.240.82.0/24

root@ams-ubuntu-vpn:~# cat /etc/ipsec.conf
config setup
 strictcrlpolicy=no
 uniqueids = yes
 charondebug = "all"
# VPN to MX
conn vpn-to-mx
 authby=secret
 left=%defaultroute
 leftid=public-ip-strongswan
 leftsubnet=0.0.0.0/0
 leftfirewall=yes
 right=public-ip-of-mx
 rightid=public-ip-of-mx
 rightsubnet=10.240.82.0/24
 ike=aes256-sha1-modp1536
 esp=aes256-sha1
 keyingtries=%forever
 leftauth=psk
 rightauth=psk
 keyexchange=ikev1
 ikelifetime=1h
 lifetime=8h
 dpddelay=30
 dpdtimeout=120
 dpdaction=restart
 auto=start

[attached screenshots: merak-vpn-2.png, merak-vpn-config.png]

2 Replies
KarstenI
Kind of a big deal

First I would correct the lifetimes on your strongswan box to match the values on the MX (although this is typically no problem):

 ikelifetime=8h
 lifetime=1h

It seems to establish the tunnel, and I would expect the routing to be the problem. I have never used a "tunnel all" with the MX, but at least it is documented to be supported. But to make sure that the VPN itself is OK, I would first configure the left side to only use a particular local subnet. The counters show that the MX is not sending traffic into the tunnel:

0 bytes_i, 26292 bytes_o

If that works we can troubleshoot further. And also make sure that the outbound VPN firewall permits the traffic.

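The two checks in the reply above (read the CHILD_SA byte counters, then verify the strongSwan host can actually forward and NAT a "tunnel all" peer's traffic) as a script. This is an added example, not code from the thread, strongSwan or Meraki; the sample status lines are copied from the poster's `ipsec statusall` output, the function names `sa_health` and `fulltunnel_prereqs` are this example's own, and `eth0` is an assumed egress interface name.

```shell
#!/bin/sh
# Added example (not from the thread, strongSwan or Meraki).
# Part 1: classify every CHILD_SA in `ipsec statusall` output by its byte
# counters. "0 bytes_i, 26292 bytes_o" means nothing has arrived on the
# inbound ESP SA, i.e. the peer is not putting traffic into the tunnel even
# though IKE is ESTABLISHED.
# Part 2: the host-side prerequisites a responder with leftsubnet=0.0.0.0/0
# ("tunnel all") needs beyond the IPsec policy. Runs only with CHECK_LIVE=1.

# Constructed sample: the CHILD_SA lines from the poster's `ipsec statusall`.
SAMPLE_STATUS='   vpn-to-mx{3}:  REKEYED, TUNNEL, reqid 2, expires in 7 hours
   vpn-to-mx{3}:   0.0.0.0/0 === 10.240.82.0/24
   vpn-to-mx{4}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: cc01d4d8_i c8fc19e5_o
   vpn-to-mx{4}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 26292 bytes_o (313 pkts, 3s ago), rekeying in 7 hours
   vpn-to-mx{4}:   0.0.0.0/0 === 10.240.82.0/24'

# sa_health STATUS_TEXT
# Prints "<sa> <bytes_i> <bytes_o> <verdict>" for each CHILD_SA counter line.
sa_health() {
    printf '%s\n' "$1" | awk '
        / bytes_i, / {
            sa = $1; sub(/:$/, "", sa)
            bi = ""; bo = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "bytes_i,") bi = $(i - 1)
                if ($i == "bytes_o")  bo = $(i - 1)
            }
            if (bi == "" || bo == "") next
            if (bi + 0 == 0 && bo + 0 == 0) v = "idle"
            else if (bi + 0 == 0)           v = "outbound-only"   # peer sends nothing into the SA
            else if (bo + 0 == 0)           v = "inbound-only"    # we never route anything into it
            else                            v = "bidirectional"
            printf "%s %s %s %s\n", sa, bi, bo, v
        }'
}

# fulltunnel_prereqs EGRESS_IF REMOTE_SUBNET   (needs root, Linux, iptables)
# Decrypted packets from REMOTE_SUBNET carry a private source address; without
# forwarding, SNAT and a matching FORWARD accept they are dropped or their
# replies never come back, even when the SA counters look healthy.
fulltunnel_prereqs() {
    egress=$1; remote=$2; rc=0
    if [ "$(sysctl -n net.ipv4.ip_forward 2>/dev/null)" != "1" ]; then
        echo "FAIL net.ipv4.ip_forward is not 1"; rc=1
    fi
    if ! iptables -t nat -S POSTROUTING 2>/dev/null | grep -q -- "-s $remote .*-o $egress .*-j \(MASQUERADE\|SNAT\)"; then
        echo "FAIL no POSTROUTING NAT rule for $remote out $egress"; rc=1
    fi
    # leftfirewall=yes should have had the updown script insert this rule.
    if ! iptables -S FORWARD 2>/dev/null | grep -q -- "-s $remote .*-m policy .*--dir in .*-j ACCEPT"; then
        echo "FAIL no FORWARD accept for $remote with an IPsec policy match"; rc=1
    fi
    if ! ip xfrm policy 2>/dev/null | grep -q "src $remote dst 0.0.0.0/0"; then
        echo "FAIL no inbound xfrm policy $remote -> 0.0.0.0/0"; rc=1
    fi
    [ $rc -eq 0 ] && echo "OK host-side prerequisites for tunnel-all present"
    return $rc
}

sa_health "$SAMPLE_STATUS"
# → vpn-to-mx{4} 0 26292 outbound-only
if [ "${CHECK_LIVE:-0}" = "1" ]; then
    sa_health "$(ipsec statusall)"
    fulltunnel_prereqs "${EGRESS_IF:-eth0}" 10.240.82.0/24
fi
```

Run it as root on the strongSwan host with `CHECK_LIVE=1 EGRESS_IF=<wan-if> sh check-tunnel.sh` while pinging from a 10.240.82.0/24 host. If the live SA still reports `outbound-only`, nothing is being decrypted on the inbound SA, so the strongSwan host checks are moot and the MX side (or the path between) is where the traffic is not entering the tunnel; if it reports `bidirectional` but clients still have no connectivity, the `fulltunnel_prereqs` failures point at forwarding or NAT on the strongSwan host.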
chris-cco-az
Comes here often

Hmm, so I changed it to just a single subnet and still nothing. I verified the IPsec outbound firewall is the default of allow.
