Strongswan connectivity issue
Hi all,
I have an Ubuntu server that runs strongSwan in this topology:
SiteA <-> Strongswan box <-> SiteB
10.0.0.0/24 <-> Strongswan-on-public-cloud <-> 10.10.30.0/24
I use the strongSwan box in the public cloud as the default gateway for SiteB, but SiteA only encrypts traffic to SiteB.
Enc domains are as follows:
SiteA
10.0.0.0/24 <-> 10.10.30.0/24
SiteB
10.10.30.0/24 <-> 0/0
Traffic from SiteA to SiteB works fine, but I cannot connect from SiteB to SiteA.
jumbo@strongswan:/etc$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-97-generic, x86_64):
uptime: 12 days, since Oct 13 09:00:34 2017
malloc: sbrk 3244032, mmap 532480, used 1050336, free 2193696
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon test-vectors unbound ldap pkcs11 aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity
Listening IP addresses:
strongswan-public-ip
Connections:
SiteB: strongswan-public-ip...SiteB-public-ip IKEv1
SiteB: local: [strongswan-public-ip] uses pre-shared key authentication
SiteB: remote: [SiteB-public-ip] uses pre-shared key authentication
SiteB: child: 0.0.0.0/0 === 10.10.30.0/24 TUNNEL
SiteA: strongswan-public-ip...%any IKEv1
SiteA: local: [strongswan-public-ip] uses pre-shared key authentication
SiteA: remote: uses pre-shared key authentication
SiteA: child: 10.10.30.0/24 === 10.0.0.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
SiteB[663]: ESTABLISHED 34 minutes ago, strongswan-public-ip[strongswan-public-ip]...SiteB-public-ip[SiteB-public-ip]
SiteB[663]: IKEv1 SPIs: 011dca5e09a1e991_i a93dd721b5b0c3f4_r*, pre-shared key reauthentication in 20 minutes
SiteB[663]: IKE proposal: AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
SiteB{1293}: INSTALLED, TUNNEL, reqid 324, ESP SPIs: c001209d_i a04abb5a_o
SiteB{1293}: AES_CBC_256/HMAC_SHA1_96, 1495325 bytes_i (17984 pkts, 0s ago), 41766448 bytes_o (30960 pkts, 2s ago), rekeying in 9 minutes
SiteB{1293}: 0.0.0.0/0 === 10.10.30.0/24
Routing:
jumbo@strongswan:/etc$ sudo ip route list table 220
10.10.30.0/24 via <strongswan-gateway-ip> dev ens160 proto static
So the routing table seems to confirm my problem.
This is the ipsec.conf:
conn SiteB
    auto=add
    left=Strongswan-public-ip
    leftsubnet=0.0.0.0/0
    right=SiteB-public-ip
    rightsubnet=10.10.30.0/24
    # modp1024 is a 1024-bit DH group; weak by current standards
    ike=aes192-sha1;modp1024
    esp=aes256-sha1
conn SiteA
    auto=add
    left=Strongswan-public-ip
    leftsubnet=10.10.30.0/24
    # %any: accept this peer from any address (statusall shows ...%any);
    # with auto=add the hub can only respond, never initiate, to SiteA
    right=%any
    rightsubnet=10.0.0.0/24
    ike=aes192-sha1;modp1024
    esp=aes256-sha1
I have public DNS at SiteA, hence the %any for the SiteA public IP. Of course, the VPN needs to be initiated from SiteA -> strongSwan; I use a simple ping script for this.
The VPN from SiteB to strongSwan works, and I can access the internet via this site, but strongSwan will not forward traffic into the VPN to SiteA.
SiteA and SiteB run Cisco ASAs.
Is it possible to fix this?
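Added example (not the poster's code and not strongSwan's own tooling): a small Python checker that parses the child SA selectors from `ipsec statusall` output and asks, for a packet crossing the hub, which INSTALLED child SA decrypts it on the way in and which one re-encrypts it on the way out. The sample text is constructed from the status lines quoted above, plus a second constructed variant in which the SiteA child SA is also installed; the SiteA ids and SPIs in that variant are made up. In the posted state only SiteB{1293} is INSTALLED, so a packet from 10.10.30.10 to 10.0.0.5 is decrypted by the SiteB SA but matches no installed outbound SA. To the kernel it then looks exactly like a packet to 8.8.8.8 and is handed to normal routing unencrypted, which is what the table 220 output (a single route for 10.10.30.0/24) also reflects. With leftsubnet=0.0.0.0/0 on the SiteB conn, that means SiteB-to-SiteA traffic leaves the cloud box in the clear whenever the SiteA tunnel is not up.

```python
"""Hub-forwarding coverage check for strongSwan child SAs (added example).

Parses the child SA lines of `ipsec statusall` output and answers, for a packet
crossing the hub between two spokes: which INSTALLED child SA decrypts it on the
way in, and which one re-encrypts it on the way out. A missing outbound SA means
the kernel has no IPsec policy for the packet and forwards it in the clear.
"""
import ipaddress
import re

# Constructed sample: the child SA lines quoted in the post. Only the SiteB
# child SA is INSTALLED; the SiteA conn is loaded but has no SA.
STATUSALL_POST = """\
Security Associations (1 up, 0 connecting):
SiteB[663]: ESTABLISHED 34 minutes ago, hub[hub]...spokeB[spokeB]
SiteB{1293}: INSTALLED, TUNNEL, reqid 324, ESP SPIs: c001209d_i a04abb5a_o
SiteB{1293}: AES_CBC_256/HMAC_SHA1_96, 1495325 bytes_i, 41766448 bytes_o
SiteB{1293}: 0.0.0.0/0 === 10.10.30.0/24
"""

# Constructed sample of the desired state: SiteA's child SA is installed too.
# The SiteA id and SPIs are made up for illustration.
STATUSALL_BOTH = STATUSALL_POST + """\
SiteA[664]: ESTABLISHED 1 minute ago, hub[hub]...spokeA[spokeA]
SiteA{1294}: INSTALLED, TUNNEL, reqid 325, ESP SPIs: 0a0b0c0d_i 01020304_o
SiteA{1294}: 10.10.30.0/24 === 10.0.0.0/24
"""

# "Name{id}: rest" is how statusall prints child SA lines (IKE SAs use [id]).
CHILD_LINE = re.compile(r"^(?P<name>[^\s{]+)\{(?P<id>\d+)\}:\s+(?P<rest>.*)$")


def _nets(field):
    """Split a selector field ('10.0.0.0/24 10.1.0.0/24') into networks."""
    return [ipaddress.ip_network(s, strict=False) for s in field.split()]


def parse_child_sas(text):
    """Return {(name, id): {'installed': bool, 'local': [...], 'remote': [...]}}."""
    sas = {}
    for line in text.splitlines():
        m = CHILD_LINE.match(line.strip())
        if not m:
            continue
        sa = sas.setdefault((m["name"], m["id"]),
                            {"installed": False, "local": [], "remote": []})
        rest = m["rest"]
        if rest.startswith("INSTALLED"):
            sa["installed"] = True
        elif " === " in rest:  # selector line: local === remote
            local, remote = rest.split(" === ", 1)
            sa["local"], sa["remote"] = _nets(local), _nets(remote)
    return sas


def _covers(nets, addr):
    return any(addr in n for n in nets)


def forward_path(sas, src, dst):
    """Find the installed child SAs that carry a src->dst packet through the hub.

    Inbound SA: src lies in its remote selector and dst in its local selector.
    Outbound SA: src lies in its local selector and dst in its remote selector.
    Returns (inbound_name, outbound_name); None where no installed SA matches.
    This is a coverage check, not a replica of the kernel's priority-ordered
    XFRM policy lookup.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    inbound = outbound = None
    for (name, _), sa in sas.items():
        if not sa["installed"]:
            continue
        if inbound is None and _covers(sa["remote"], src) and _covers(sa["local"], dst):
            inbound = name
        if outbound is None and _covers(sa["local"], src) and _covers(sa["remote"], dst):
            outbound = name
    return inbound, outbound


def explain(text, src, dst):
    """One-line verdict for a src->dst packet given statusall output."""
    inbound, outbound = forward_path(parse_child_sas(text), src, dst)
    if inbound is None:
        return f"{src}->{dst}: no installed SA decrypts this packet on arrival at the hub"
    if outbound is None:
        return (f"{src}->{dst}: decrypted by {inbound}, but no installed SA covers "
                f"the destination; the hub forwards it unencrypted")
    return f"{src}->{dst}: {inbound} in, {outbound} out"


def main():
    for text, label in ((STATUSALL_POST, "as posted"), (STATUSALL_BOTH, "both SAs up")):
        print(f"[{label}]")
        for src, dst in (("10.10.30.10", "10.0.0.5"), ("10.0.0.5", "10.10.30.10"),
                         ("10.10.30.10", "8.8.8.8")):
            print(" ", explain(text, src, dst))


if __name__ == "__main__":
    main()
```

To run it against a live hub, replace the constructed sample with the output of `sudo ipsec statusall`; the "both SAs up" case shows what the two verdicts look like once the SiteA child SA is actually installed, with SiteB in and SiteA out for the forward direction and the reverse for return traffic.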