08-12-2024 10:32 PM
Hi All:
I have a strange issue in my office.
My strongswan VPN client on my laptop works fine to connect to a customer's site from home or from hotels, but in my office it does not. It comes up and says it's connected, but I cannot ping any hosts at the destination.
Here is the strange part. My Windows 10 VPN running in a VM inside my laptop has no issues connecting and working using L2TP over IPSec to the same destination host that my native Linux strongswan cannot reach.
Here is the 1921 setup:
interface GigabitEthernet0/0
description Singtel Broadband WAN FiberLink
ip address A.B.C.D 255.255.255.252
ip access-group FilteredList in
no ip redirects
no ip unreachables
ip nat outside
no ip virtual-reassembly in
rate-limit input access-group 101 8000 4400 4496 conform-action transmit exceed-action drop
duplex full
speed 100
crypto map tnsgmap
interface GigabitEthernet0/1
description SG Infra System LAN
ip address 192.168.111.1 255.255.255.0
no ip redirects
no ip unreachables
ip nat inside
no ip virtual-reassembly in
duplex auto
speed auto
ip nat inside source route-map NoNAT interface GigabitEthernet0/0 overload
ip access-list extended FilteredList
remark Allow DNS traffic
permit udp host 165.21.83.88 host A.B.C.D
permit udp host 165.21.100.88 host A.B.C.D
remark Allow initiated TCP traffic
permit tcp any any gt 1023 established
remark Allow initiated UDP traffic
permit udp any any gt 1023
remark Allow IPSec initial probes
permit udp any any eq isakmp
remark Allow IPSec NAT-T
permit udp any any eq non500-isakmp
remark Allow IPsec AHP
permit ahp any any
remark Allow IPSec ESP
permit esp any any
remark Allow ICMP
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
deny icmp any any
remark Allow SSH traffic to the Cisco
permit tcp any any eq 2222
remark Allow TCP port 80 traffic
permit tcp any any eq www
remark Allow TCP port 443 traffic
permit tcp any any eq 443
remark Allow TCP 2101, NTRIP traffic
permit tcp any any eq 2101
remark disallow special-use address sources
deny ip 127.0.0.0 0.255.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip host 255.255.255.255 any
remark Filter RFC 1918 space
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip any any
ip access-list extended NATexempts
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
deny ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
permit ip 192.168.0.0 0.0.255.255 any
!
!
route-map NoNAT permit 100
match ip address NATexempts
The strongswan client comes up and says it's connected:
jserinki7 /home/jserink/Desktop/Systems/India/SOI-UKUP # ipsec status
Routed Connections:
SOIUKUPV2{3}: ROUTED, TUNNEL, reqid 2
SOIUKUPV2{3}: 2.2.22.22/32[gre] === 1.1.1.10/32[gre]
Security Associations (1 up, 0 connecting):
SOIUKUPV2[1]: ESTABLISHED 20 minutes ago, 192.168.111.199[jserink]...103.205.244.106[CCrouter]
SOIUKUPV2{10}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: cebcfc9f_i c8ac5ebc_o
SOIUKUPV2{10}: 2.2.22.22/32[gre] === 1.1.1.10/32[gre]
You can see the connection definition SOIUKUPV2 is established... but no pings.
And on the destination Cisco ISR4431 it also shows connected:
CCrouter#sh crypto sess br | grep jserink
119.75.44.126 Gi0/0/0 jserink 00:24:41 UA
CCrouter#sho crypto sess remote 119.75.44.126
Crypto session current status
Interface: GigabitEthernet0/0/0
Profile: SOIprofile
Session status: UP-ACTIVE
Peer: 119.75.44.126 port 4500
Session ID: 5297758
IKEv2 SA: local 103.205.244.106/4500 remote 119.75.44.126/4500 Active
IPSEC FLOW: permit 47 host 1.1.1.10 host 2.2.22.22
Active SAs: 2, origin: dynamic crypto map
So, the Cisco 4431 says it's up, strongswan says it's up, but no pings.
Here is the GRE tunnel:
CCrouter#sh int tun1000
Tunnel1000 is up, line protocol is up
Hardware is Tunnel
Description: remote admin tunnel
Internet address is 192.168.102.222/30
interface Tunnel1000
description remote admin tunnel
ip address 192.168.102.222 255.255.255.252
no ip redirects
no ip unreachables
ip tcp adjust-mss 1200
tunnel source 1.1.1.10
tunnel destination 2.2.22.22
end
Of course it says it's up, because I have not enabled keepalives. If I did, it would come up as down.
I cannot ping the opposite side of the GRE from either side.
This works perfectly from home.
But I can connect from my windows VM using L2TP over IPSec and it works.
I have been scratching my head over this for 2 years and would like to figure this out.
Cheers,
john
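When an IPsec tunnel reports ESTABLISHED but nothing passes, one of the first things to check is whether every flow the tunnel depends on is actually permitted by the inbound filter on the WAN side, since IOS ACLs are first-match and the posted FilteredList ends in an explicit deny. The script below is an added example, not part of the post and not a Cisco tool: it is a simplified first-match evaluator for IOS extended ACL syntax, loaded with a constructed copy of the post's FilteredList entries (remarks dropped, and the documentation address 198.51.100.2 standing in for the redacted WAN address A.B.C.D). The flow table is constructed too; the peer address comes from the post's `sh crypto sess` output. It models `any`/`host`/wildcard addresses, `eq`/`gt` ports, `established` and ICMP type keywords, but not `range`/`lt`/`neq`, non-contiguous wildcards or stateful inspection.

```python
"""First-match evaluator for Cisco IOS extended ACL syntax (simplified).

Added example. The rules are a constructed copy of the post's FilteredList
(remarks dropped); 198.51.100.2 is a documentation address standing in for
the post's redacted WAN address A.B.C.D.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "www": 80, "domain": 53}

FILTERED_LIST = """
permit udp host 165.21.83.88 host 198.51.100.2
permit udp host 165.21.100.88 host 198.51.100.2
permit tcp any any gt 1023 established
permit udp any any gt 1023
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit ahp any any
permit esp any any
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
deny icmp any any
permit tcp any any eq 2222
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 2101
deny ip 127.0.0.0 0.255.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip host 255.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip any any
"""

@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[Tuple[str, int]]
    dst: ipaddress.IPv4Network
    dport: Optional[Tuple[str, int]]
    established: bool
    icmp_type: Optional[str]
    text: str

@dataclass
class Packet:
    proto: str                  # "udp", "tcp", "icmp", "esp", "ahp", "gre", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    established: bool = False   # TCP ACK or RST set
    icmp_type: Optional[str] = None

def _addr(tok, i):
    """Parse `any`, `host X` or `X wildcard` at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tok[i + 1]))
    netmask = str(ipaddress.ip_address(~wildcard & 0xFFFFFFFF))  # contiguous masks only
    return ipaddress.ip_network((tok[i], netmask), strict=False), i + 2

def _port(tok, i):
    """Parse an optional `eq N` / `gt N` operator at tok[i]."""
    if i < len(tok) and tok[i] in ("eq", "gt"):
        value = tok[i + 1]
        num = PORT_NAMES[value] if value in PORT_NAMES else int(value)
        return (tok[i], num), i + 2
    return None, i

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        src, i = _addr(tok, 2)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        rest = tok[i:]                      # `established` and/or an ICMP type keyword
        icmp_type = next((t for t in rest if t != "established"), None)
        rules.append(Rule(tok[0], tok[1], src, sport, dst, dport,
                          "established" in rest, icmp_type, line.strip()))
    return rules

def _port_ok(spec, port):
    if spec is None:
        return True
    op, value = spec
    return port == value if op == "eq" else port > value

def evaluate(rules, pkt):
    """Return (action, index) of the first matching entry; index -1 means implicit deny."""
    for idx, r in enumerate(rules):
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in r.src or ipaddress.ip_address(pkt.dst) not in r.dst:
            continue
        if not _port_ok(r.sport, pkt.sport) or not _port_ok(r.dport, pkt.dport):
            continue
        if r.established and not pkt.established:
            continue
        if r.icmp_type and r.icmp_type != pkt.icmp_type:
            continue
        return r.action, idx
    return "deny", -1

RULES = parse_acl(FILTERED_LIST)

# Constructed inbound flows arriving at the WAN interface from the customer's peer.
PEER, WAN = "103.205.244.106", "198.51.100.2"
INBOUND_FLOWS = {
    "IKE (udp/500)":      Packet("udp", PEER, WAN, 500, 500),
    "NAT-T (udp/4500)":   Packet("udp", PEER, WAN, 4500, 4500),
    "raw ESP":            Packet("esp", PEER, WAN),
    "raw GRE (proto 47)": Packet("gre", PEER, WAN),
    "new SSH on tcp/22":  Packet("tcp", PEER, WAN, 40000, 22),
    "ICMP redirect":      Packet("icmp", PEER, WAN, icmp_type="redirect"),
}

if __name__ == "__main__":
    for name, pkt in INBOUND_FLOWS.items():
        action, idx = evaluate(RULES, pkt)
        hit = RULES[idx].text if idx >= 0 else "implicit deny"
        print(f"{name:20s} -> {action:6s} by: {hit}")
```

Run as-is it prints which entry each flow hits: IKE and NAT-T are permitted (NAT-T by the broad `permit udp any any gt 1023` rather than the dedicated `non500-isakmp` line, which is worth knowing if that broad entry is ever tightened), raw ESP is permitted, while unencapsulated GRE, a fresh inbound SSH connection and an ICMP redirect all fall through to a deny. Since the laptop in the post sits behind the 1921's NAT and its SA shows "ESP in UDP", only the NAT-T flow is the one this filter sees for that tunnel; the evaluator is a way to confirm that quickly for any other filter the tunnel crosses.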