IpSec Tunnel UP but cannot send traffic

0

I'm really really stuck with a problem with IpSec VPN between Fortigate and Debian 9.

My provider gave me the parameters to configure de Ipsec VPN from my side, and I'm running Debian 9 with StrongSwan to create the tunnel.

It looks like the VPN is UP (even my provider confirm that) but I can't send traffic through the tunnel.

PROVIDER (Fortigate)

VPN Network: 172.xx.x.0/16
Phase1:
Auth method: PSK
IKEv1
AES256
SHA-1
VPN Mode: Main Mode
Lifetime: 86400 seconds / 1440 min

Phase2:
Encapsulation: ESP
AES256
SHA-1
Lifetime 3600 seg

My side (debian 9 with strongswan):

VPN Network: 10.xxx.xxx.128/26

Same parameters for the rest.
This server has only a private class C ip address (192.168.0.107), so there is not public ip address on any interface.

This is the status of ipsec

ipsec statusall

Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.9.0-3-amd64, x86_64):
  uptime: 17 hours, since May 30 20:20:22 2019
  malloc: sbrk 2433024, mmap 0, used 440080, free 1992944
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 9
  loaded plugins: charon aes rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke vici updown
Listening IP addresses:
  192.168.0.107
Connections:
      ipsec_vpn:  %any...{PROVIDER_PUBLIC_IP}  IKEv1, dpddelay=30s
      ipsec_vpn:   local:  [{MY_PUBLIC_IP}] uses pre-shared key authentication
      ipsec_vpn:   remote: [{PROVIDER_PUBLIC_IP}] uses pre-shared key authentication
      ipsec_vpn:   child:  10.xxx.xxx.128/26 === 172.xxx.xxx.0/16 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
      ipsec_vpn[2]: ESTABLISHED 17 hours ago, 192.168.0.107[{MY_PUBLIC_IP}]...{PROVIDER_PUBLIC_IP}[{PROVIDER_PUBLIC_IP}]
      ipsec_vpn[2]: IKEv1 SPIs: 015c09277c35862a_i f6b88c417b659596_r*, pre-shared key reauthentication in 6 hours
      ipsec_vpn[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      ipsec_vpn{24}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cb6a5875_i e4b3e1bf_o
      ipsec_vpn{24}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 20 minutes
      ipsec_vpn{24}:   10.xxx.xxx.128/26 === 172.xxx.xxx.0/16

The ip xfrm state

ip xfrm state
src 192.168.0.107 dst {PROVIDER_PUBLIC_IP}
    proto esp spi 0xe4b3e208 reqid 1 mode tunnel
    replay-window 0 flag nopmtudisc af-unspec
    auth-trunc hmac(sha1) 0xbd02dd9589091d4294632f44d1f25a606804809e 96
    enc cbc(aes) 0x6bb518f6f211217d9224544f69e8765175379e75b562c4eeea649c6b8c5a3f4d
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src {PROVIDER_PUBLIC_IP} dst 192.168.0.107
    proto esp spi 0xc4fc4277 reqid 1 mode tunnel
    replay-window 32 flag nopmtudisc af-unspec
    auth-trunc hmac(sha1) 0x8ae132f87ee31a6b84c8c850a822037a188735ad 96
    enc cbc(aes) 0x1c9dd67a2bbea69edf7eed7bed0863540f11c1b4fa8ee6aa161cc65fb0f616a7
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 192.168.0.107 dst {PROVIDER_PUBLIC_IP}
    proto esp spi 0xe4b3e1bf reqid 1 mode tunnel
    replay-window 0 flag nopmtudisc af-unspec
    auth-trunc hmac(sha1) 0x3520769cd54a8dc5e4ef08480369f6e8324d5780 96
    enc cbc(aes) 0x2be00973b99b7a79823590034b5628257f8c2ce5a1ce2a103270fdc070ae5e52
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src {PROVIDER_PUBLIC_IP} dst 192.168.0.107
    proto esp spi 0xcb6a5875 reqid 1 mode tunnel
    replay-window 32 flag nopmtudisc af-unspec
    auth-trunc hmac(sha1) 0x0ef68a8c92de41a160d03ecee0db5d810e833ab4 96
    enc cbc(aes) 0x34dfd4c7986a51a47134fe1889936fdc25ab9913aeed338d9f5433d941471914
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000

... and ip xfrm policy state

ip xfrm policy
src 172.xx.x.0/16 dst 10.XXX.XXX.128/26
    dir fwd priority 189248 ptype main
    tmpl src {PROVIDER_PUBLIC_IP} dst 192.168.0.107
        proto esp reqid 1 mode tunnel
src 172.xx.x.0/16 dst 10.XXX.XXX.128/26
    dir in priority 189248 ptype main
    tmpl src {PROVIDER_PUBLIC_IP} dst 192.168.0.107
        proto esp reqid 1 mode tunnel
src 10.XXX.XXX.128/26 dst 172.xx.x.0/16
    dir out priority 189248 ptype main
    tmpl src 192.168.0.107 dst {PROVIDER_PUBLIC_IP}
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src ::/0 dst ::/0
    socket in priority 0 ptype main
src ::/0 dst ::/0
    socket out priority 0 ptype main
src ::/0 dst ::/0
    socket in priority 0 ptype main
src ::/0 dst ::/0
    socket out priority 0 ptype main

As I read in some forums, I need an IP route table 220, but I have none:

ip route show table 220

This is my /etc/sysctl.conf

net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

And my configuration:

/etc/ipsec.conf

config setup
    charondebug="all"
        uniqueids=yes
        strictcrlpolicy=no

conn ipsec_vpn
  authby=psk
  left=%defaultroute
  leftid={MY_PUBLIC_IP}
  leftsubnet=10.xxx.xxx.128/26
  right={PROVIDER_PUBLIC_IP}
  rightsubnet=172.xx.xx.0/16
  ike=aes256-sha1-modp1024
  esp=aes256-sha1!
  keyexchange=ikev1
  keyingtries=0
  ikelifetime=86400s
  lifetime=3600s
  dpddelay=30
  dpdtimeout=120
  dpdaction=restart
  auto=start
  installpolicy=yes

The result of route -n command:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.254   0.0.0.0         UG    0      0        0 eth0
169.254.169.254 192.168.0.254   255.255.255.255 UGH   0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

As you can see, the VPN looks UP. BUT, when I want to reach a host from the other side, Debian tries to reach them through default gateway (via internet) and not via VPN.

Any ideas?.

vpn
ipsec
asked on Stack Overflow Jun 1, 2019 by Les

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0