We have a requirement to connect two sites with an IPsec VPN, and the instances (test instances here) need to be addressed by their public IP addresses (through the VPN).
Test Ohio
============
Public: 3.134.112.49
Local: 172.31.40.148
The tunnel is up but traffic is not going through. Any help will be much appreciated.
If I run a curl from the Virginia test instance I get this:
virginia-test ~]$ curl 3.134.112.49 -vvv
* Rebuilt URL to: 3.134.112.49/
*   Trying 3.134.112.49...
* TCP_NODELAY set
* connect to 3.134.112.49 port 80 failed: Connection timed out
* Failed to connect to 3.134.112.49 port 80: Connection timed out
* Closing connection 0
curl: (7) Failed to connect to 3.134.112.49 port 80: Connection timed out
tcpdump on the Virginia VPN shows it is sending the SYN but never receives the SYN-ACK from the peer. Here is the output (notice the SNAT is working):
vpn-virginia ~]$ sudo tcpdump dst 3.134.112.49 -vvv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
18:27:03.651626 IP (tos 0x0, ttl 255, id 38717, offset 0, flags [DF], proto TCP (6), length 60)
    ip-172-31-72-19.ec2.internal.34090 > ec2-3-134-112-49.us-east-2.compute.amazonaws.com.http: Flags [S], cksum 0x421c (correct), seq 4182331314, win 26883, options [mss 8961,sackOK,TS val 2357116084 ecr 0,nop,wscale 7], length 0
18:27:03.651663 IP (tos 0x0, ttl 254, id 38717, offset 0, flags [DF], proto TCP (6), length 60)
    ec2-34-229-184-231.compute-1.amazonaws.com.34090 > ec2-3-134-112-49.us-east-2.compute.amazonaws.com.http: Flags [S], cksum 0x5a82 (correct), seq 4182331314, win 26883, options [mss 8961,sackOK,TS val 2357116084 ecr 0,nop,wscale 7], length 0
18:27:04.655967 IP (tos 0x0, ttl 255, id 38718, offset 0, flags [DF], proto TCP (6), length 60)
    ip-172-31-72-19.ec2.internal.34090 > ec2-3-134-112-49.us-east-2.compute.amazonaws.com.http: Flags [S], cksum 0x3e2f (correct), seq 4182331314, win 26883, options [mss 8961,sackOK,TS val 2357117089 ecr 0,nop,wscale 7], length 0
18:27:04.655997 IP (tos 0x0, ttl 254, id 38718, offset 0, flags [DF], proto TCP (6), length 60)
    ec2-34-229-184-231.compute-1.amazonaws.com.34090 > ec2-3-134-112-49.us-east-2.compute.amazonaws.com.http: Flags [S], cksum 0x5695 (correct), seq 4182331314, win 26883, options [mss 8961,sackOK,TS val 2357117089 ecr 0,nop,wscale 7], length 0
18:27:06.671970 IP (tos 0x0, ttl 255, id 38719, offset 0, flags [DF], proto TCP (6), length 60)
    ip-172-31-72-19.ec2.internal.34090 > ec2-3-134-112-49.us-east-2.compute.amazonaws.com.http: Flags [S], cksum 0x364f (correct), seq 4182331314, win 26883, options [mss 8961,sackOK,TS val 2357119105 ecr 0,nop,wscale 7], length 0
18:27:06.672000 IP (tos 0x0, ttl 254, id 38719, offset 0, flags [DF], proto TCP (6), length 60)
    ec2-34-229-184-231.compute-1.amazonaws.com.34090 > ec2-3-134-112-49.us-east-2.compute.amazonaws.com.http: Flags [S], cksum 0x4eb5 (correct), seq 4182331314, win 26883, options [mss 8961,sackOK,TS val 2357119105 ecr 0,nop,wscale 7], length 0
18:27:10.832008 IP (tos 0x0, ttl 255, id 38720, offset 0, flags [DF], proto TCP (6), length 60)
    ip-172-31-72-19.ec2.internal.34090 > ec2-3-134-112-49.us-east-2.compute.amazonaws.com.http: Flags [S], cksum 0x260f (correct), seq 4182331314, win 26883, options [mss 8961,sackOK,TS val 2357123265 ecr 0,nop,wscale 7], length 0
18:27:10.832039 IP (tos 0x0, ttl 254, id 38720, offset 0, flags [DF], proto TCP (6), length 60)
    ec2-34-229-184-231.compute-1.amazonaws.com.34090 > ec2-3-134-112-49.us-east-2.compute.amazonaws.com.http: Flags [S], cksum 0x3e75 (correct), seq 4182331314, win 26883, options [mss 8961,sackOK,TS val 2357123265 ecr 0,nop,wscale 7], length 0
Here is the configuration:
Both VPN instances have Source/Destination Check Disabled.
Routing was changed on the subnet so that traffic to the test instances goes through the VPN instances.
Virginia VPN conf:
config setup
    # strictcrlpolicy=yes
    # uniqueids = no

conn reunite-rx-vpn
    type=tunnel
    authby=secret
    forceencaps=yes
    leftid=54.152.133.122
    leftnexthop=%defaultroute
    leftsubnets={172.31.0.0/16, 34.229.184.231/32}
    leftauth=psk
    right=18.223.21.162
    rightid=18.223.21.162
    rightsubnets={3.134.112.49/32}
    rightauth=psk
    auto=start
    installpolicy=yes
Ohio VPN conf:
config setup
    # strictcrlpolicy=yes
    # uniqueids = no

conn reunite-rx-vpn
    type=tunnel
    authby=secret
    forceencaps=yes
    leftid=18.223.21.162
    leftnexthop=%defaultroute
    leftsubnets={172.31.0.0/16, 3.134.112.49/32}
    leftauth=psk
    right=54.152.133.122
    rightid=54.152.133.122
    rightsubnets={34.229.184.231/32}
    rightauth=psk
    auto=start
    installpolicy=yes
    leftsourceip=3.134.112.49
    rightsourceip=34.229.184.231
Forwarding was enabled:
$ sudo cat /etc/sysctl.conf
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
IPTABLES:
VPN Virginia:
$ sudo iptables-save
# Generated by iptables-save v1.8.2 on Sun Jul 19 18:21:39 2020
*nat
:PREROUTING ACCEPT [192:10204]
:INPUT ACCEPT [24:1221]
:OUTPUT ACCEPT [248:18959]
:POSTROUTING ACCEPT [248:18959]
-A PREROUTING -s 3.134.112.49/32 -d 34.229.184.231/32 -j DNAT --to-destination 172.31.72.19
-A POSTROUTING -s 172.31.0.0/16 -d 3.134.112.49/32 -j SNAT --to-source 34.229.184.231
COMMIT
# Completed on Sun Jul 19 18:21:39 2020
# Generated by iptables-save v1.8.2 on Sun Jul 19 18:21:39 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Sun Jul 19 18:21:39 2020
VPN Ohio:
$ sudo iptables-save
# Generated by iptables-save v1.8.2 on Sun Jul 19 18:21:01 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Sun Jul 19 18:21:01 2020
# Generated by iptables-save v1.8.2 on Sun Jul 19 18:21:01 2020
*nat
:PREROUTING ACCEPT [251:11781]
:INPUT ACCEPT [27:1485]
:OUTPUT ACCEPT [245:18706]
:POSTROUTING ACCEPT [245:18706]
-A PREROUTING -s 34.229.184.231/32 -d 3.134.112.49/32 -j DNAT --to-destination 172.31.40.148
-A POSTROUTING -s 172.31.0.0/16 -d 34.229.184.231/32 -j SNAT --to-source 3.134.112.49
COMMIT
# Completed on Sun Jul 19 18:21:01 2020
XFRM policy:
VPN Virginia:
vpn-virginia ~]$ sudo ip xfrm policy
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src ::/0 dst ::/0
        socket in priority 0 ptype main
src ::/0 dst ::/0
        socket out priority 0 ptype main
src ::/0 dst ::/0
        socket in priority 0 ptype main
src ::/0 dst ::/0
        socket out priority 0 ptype main
VPN Ohio:
vpn-ohio ~]$ sudo ip xfrm policy
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src ::/0 dst ::/0
        socket in priority 0 ptype main
src ::/0 dst ::/0
        socket out priority 0 ptype main
src ::/0 dst ::/0
        socket in priority 0 ptype main
src ::/0 dst ::/0
        socket out priority 0 ptype main
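An added check, not code from the post, that traces the flow described above (Virginia test instance to the Ohio public IP) through the Virginia SNAT rule, the conn's leftsubnets/rightsubnets, the Ohio DNAT rule and the `ip xfrm policy` output. The rule tables and the sample xfrm text are constructed from the values in the post; the `dir out` policy line in EXPECTED_XFRM is a constructed illustration of what a loaded tunnel installs, with made-up priority and reqid values.

```python
import ipaddress
import re

# Constructed from the post: Virginia POSTROUTING SNAT rule, the conn's
# leftsubnets/rightsubnets, and the Ohio PREROUTING DNAT rule.
VIRGINIA_SNAT = [("172.31.0.0/16", "3.134.112.49/32", "34.229.184.231")]
VIRGINIA_CONN = (["172.31.0.0/16", "34.229.184.231/32"], ["3.134.112.49/32"])
OHIO_DNAT = {("34.229.184.231", "3.134.112.49"): "172.31.40.148"}
# `ip xfrm policy` prints "socket in|out" per-socket entries and "dir in|out|fwd" tunnel policies.
POLICY_RE = re.compile(r"src (\S+) dst (\S+) (socket|dir) (in|out|fwd)")

def apply_snat(src, dst, rules):
    """Return the post-SNAT source for the first matching (src_net, dst_net, to) rule."""
    for src_net, dst_net, to in rules:
        if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
            return ipaddress.ip_address(to)
    return src

def in_selectors(src, dst, left, right):
    """True if src->dst falls inside the conn's leftsubnets/rightsubnets."""
    return (any(src in ipaddress.ip_network(n) for n in left)
            and any(dst in ipaddress.ip_network(n) for n in right))

def covering_policies(xfrm_output, src, dst):
    """Non-socket 'out' policies in `ip xfrm policy` output whose selectors cover src->dst."""
    hits = []
    for psrc, pdst, kind, direction in POLICY_RE.findall(xfrm_output):
        if kind == "socket" or direction != "out":
            continue  # socket policies never steer forwarded traffic into the tunnel
        if src in ipaddress.ip_network(psrc) and dst in ipaddress.ip_network(pdst):
            hits.append((psrc, pdst))
    return hits

def check_flow(src_str, dst_str, xfrm_output):
    """Trace one flow from the Virginia test instance towards the Ohio public IP."""
    src, dst = ipaddress.ip_address(src_str), ipaddress.ip_address(dst_str)
    nat_src = apply_snat(src, dst, VIRGINIA_SNAT)
    return {
        "snat_src": str(nat_src),
        "in_tunnel_selectors": in_selectors(nat_src, dst, *VIRGINIA_CONN),
        "ohio_dnat_target": OHIO_DNAT.get((str(nat_src), str(dst))),
        "xfrm_out_policies": covering_policies(xfrm_output, nat_src, dst),
    }

# Constructed samples: the socket-only output from the post, then the same plus the tunnel policy the conn should install.
POST_XFRM = ("src 0.0.0.0/0 dst 0.0.0.0/0 socket in priority 0 ptype main "
             "src 0.0.0.0/0 dst 0.0.0.0/0 socket out priority 0 ptype main "
             "src ::/0 dst ::/0 socket out priority 0 ptype main")
EXPECTED_XFRM = POST_XFRM + (" src 34.229.184.231/32 dst 3.134.112.49/32 dir out priority 375423"
                             " tmpl src 54.152.133.122 dst 18.223.21.162 proto esp reqid 1 mode tunnel")
```

Run against the post's socket-only output, `check_flow("172.31.72.19", "3.134.112.49", POST_XFRM)` reports the SNATed source inside the selectors and a matching Ohio DNAT target, but an empty `xfrm_out_policies` list; on a host where the conn has installed its policies, the `dir out` entry covering 34.229.184.231/32 -> 3.134.112.49/32 is what should appear.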