The ultimate goal is to be able to subscribe to multicast traffic
(239.100.100.13) being generated behind the cisco router on the server hosting
strongswan. Ideally we would like to also forward this traffic onto the network
behind strongswan however we understand that that step in AWS VPCs is not
trivial/possible without additional tunnels/configuration. Any help would be
appreciated.
We are having an issue setting up site-to-site vpn in our environment. Both the
router and the strongswan server implement NAT in some way. On the router it is
configured on the source interface for the external IP. On the strongswan
server the server sits in a Amazon VPC (it is an EC2 instance) and there is an
elastic IP attached to the instance.
Our Environment looks like this:
External IP: External IP:
+----------------+<<Cisco external IP>> <<AWS External
IP>>+------------------+
| Cisco Router | |
Centos 7 |
| ----------------------------------------------------
StrongSwan |
| |GRE Tunnel IP: GRE Tunnel IP: |
|
+--------|-------+10.100.60.13/30 10.100.60.14/30
+---------|--------+
| |
| |
| |
| |
Internal Network
Internal Network
192.168.0.0/16
192.168.1.0/24
Multicast Traffic
239.100.100.13
We are trying to setup a site-to-site vpn between a Cisco router and a centos 7
server running Strongswan 5.7.2-1.el7.
We are able to establish the ipsec tunnel, however the gre network
10.100.60.12/30 is not pingable. Further to this, while we see the multicast
traffic via a tcpdump it appears to be 'caught' in the GRE encapsulation and
does not provide data when subscribed to via a local process meant to connect
to it:
strongswan]# tcpdump -n -s 0 -i eth0 not port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:23:59.959925 IP <<Cisco external IP>>.ipsec-nat-t >
192.168.1.154.ipsec-nat-t: UDP-encap: ESP(spi=0xcf6ee5da,seq=0x1dc399), length
132
16:23:59.959925 IP <<Cisco external IP>> > <<AWS External IP>>: GREv0, length
76: IP 192.168.3.48.48146 > 239.100.100.13.9250: UDP, length 44
16:23:59.959942 IP <<Cisco external IP>>.ipsec-nat-t >
192.168.1.154.ipsec-nat-t: UDP-encap: ESP(spi=0xcf6ee5da,seq=0x1dc39a), length
132
16:23:59.959942 IP <<Cisco external IP>> > <<AWS External IP>>: GREv0, length
76: IP 192.168.3.48.48146 > 239.100.100.13.9250: UDP, length 44
16:23:59.960201 IP <<Cisco external IP>>.ipsec-nat-t >
192.168.1.154.ipsec-nat-t: UDP-encap: ESP(spi=0xcf6ee5da,seq=0x1dc39b), length
132
16:23:59.960201 IP <<Cisco external IP>> > <<AWS External IP>>: GREv0, length
76: IP 192.168.3.48.48146 > 239.100.100.13.9250: UDP, length 44
On the cisco router the following configuration is used:
crypto isakmp policy 300
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp key <<key>> address <<AWS External IP>>
!
crypto ipsec transform-set RXN-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
!
crypto map outside_map 999 ipsec-isakmp
description IPSec tunnel to newStrongSwanTestAws
set peer <<AWS External IP>>
set transform-set RXN-3DES-SHA
set pfs group2
match address NEWSTRONGSWANTEST
!
interface Tunnel999
description StrongSwantest GRE tunnel
ip address 10.100.60.13 255.255.255.252
ip mtu 1400
ip nat outside
ip pim neighbor-filter MCAST-DENY-ALL
ip pim sparse-dense-mode
ip tcp adjust-mss 1360
ip igmp static-group 239.100.100.13
tunnel source <<Cisco external IP>>
tunnel destination <<AWS External IP>>
ip virtual-reassembly
!
interface GigabitEthernet0/1/1
ip address <<Cisco external IP>> 255.255.255.128
ip nat outside
negotiation auto
no cdp enable
crypto map outside_map
no ip virtual-reassembly
!
ip access-list standard MCAST-DENY-ALL
deny any
!
ip access-list extended NEWSTRONGSWANTEST
permit gre host <<Cisco external IP>> host <<AWS External IP>>
permit gre host <<AWS External IP>> host <<Cisco external IP>>
StrongSwan configs:
iptables.conf
# ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="all"
conn van
type=tunnel #IPSec Type: Tunnel
authby=secret #Authentication via Shared Secret
left=%defaultroute #strongswan outside address
leftsubnet=0.0.0.0/0 #Local Subnets being Tunneled
leftid=<<AWS External IP>> #Connection PublicIP
(OtherPartyConnectionId)
right=<<Cisco external IP>> #Remote Participant PublicIP
rightsubnet=0.0.0.0/0,239.100.100.13 #Remote Subnets being Tunneled
rightid=<<Cisco external IP>> #IKEID sent by IOS
auto=start
compress = yes
ike=3des-sha1-modp1024! #IKE Phase 1 Algorithm
esp=3des-sha-modp1024!
mark=%unique
ikelifetime=86400
keyingtries=%forever #Attempts to Negotiate a Connection
#keylife=59m
#rekeymargin=3m
rekey=yes #Enable Rekeying
keyexchange=ikev1
authby=secret
dpdtimeout=10 #Dead Peer Detection Timeout
dpddelay=3 #Dead Peer Detection Delay
ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file
%any %any : PSK "<<key>>"
%any : PSK "<<key>>""
Strongswan.conf
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
charon {
load_modular = yes
plugins {
include strongswan.d/charon/*.conf
}
}
include strongswan.d/*.conf
strongswan.d/starter.conf
starter {
# Location of the ipsec.conf file
config_file = /etc/strongswan/ipsec.conf
}
After starting strongswan status of the tunnels is as follows:
strongswan]# strongswan statusall
Status of IKE charon daemon (strongSwan 5.7.2, Linux
3.10.0-1062.12.1.el7.x86_64, x86_64):
uptime: 53 minutes, since Jan 21 15:45:19 2021
malloc: sbrk 1724416, mmap 0, used 603808, free 1120608
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 5
loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1
random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12
pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac
hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke
vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5
eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap
xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity
counters
Listening IP addresses:
192.168.1.154
Connections:
van: %any...<<Cisco external IP>> IKEv1
van: local: [<<AWS External IP>>] uses pre-shared key authentication
van: remote: [<<Cisco external IP>>] uses pre-shared key
authentication
van: child: 0.0.0.0/0 === 0.0.0.0/0 TUNNEL
Security Associations (1 up, 0 connecting):
van[2]: ESTABLISHED 53 minutes ago, 192.168.1.154[<<AWS External
IP>>]...<<Cisco external IP>>[<<Cisco external IP>>]
van[2]: IKEv1 SPIs: 5d7341cbe0165876_i 44d5d21cf864ebb0_r*, pre-shared
key reauthentication in 22 hours
van[2]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
van{3}: REKEYED, TUNNEL, reqid 1, expires in 6 minutes
van{3}: <<AWS External IP>>/32[gre] === <<Cisco external IP>>/32[gre]
van{4}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cbe53fd4_i
530be7ab_o
van{4}: 3DES_CBC/HMAC_SHA1_96/MODP_1024, 62413730 bytes_i, 0 bytes_o,
rekeying in 36 minutes
van{4}: <<AWS External IP>>/32[gre] === <<Cisco external IP>>/32[gre]
A gre tunnel is attempted to be created via the following command, but we are
unsure if this is correct or not:
ip tunnel add 999 mode gre local 10.100.60.14 remote 10.100.60.13 ttl 255
ip link set 999 up
ip route add 10.100.60.12/30 dev 999
It should be noted that the multicast traffic appears to flow without the
tunnel 999 interface being up on the strongswan server itself, so we are not
sure that this interface is setup correctly at all.
