Hi team,
Any good pointers on TS IPSec VPN tunnels?
I seem to have no visible issues at the NSX end of the tunnel by the looks of it (peering with an OpenSwan instance at AWS):
edg-perimeter-0> show service ipsec site
Site: 62.213.196.68_10.10.0.0/16-52.18.144.144_10.0.0.0/24
| ISAKMP SA #1, peerip 52.18.144.144<52.18.144.144>, STATE_MAIN_I4, UP
| ike_life: 28800s; ipsec_life: 3600s;
| rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
| dpd: action:restart; delay:30; timeout:120;
| IKE algorithm newest: AES_CBC_128-SHA1-MODP1536
| securelocaltrafficbyip: 10.10.30.1
| ike_expire: 27002s
+->Tunnel 1x1: 192.168.0.0/24 <-> 10.0.0.0/24, UP
| IPSec SA #5, STATE_QUICK_I2; IKE #1; eOwner #5
| Out spi: 0xc32776dd, in spi: 0xf0d2ccda
| ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=MODP1536
+->Tunnel 1x2: 192.168.0.0/24 <-> 10.0.1.0/24, UP
| IPSec SA #6, STATE_QUICK_I2; IKE #1; eOwner #6
| Out spi: 0xd14fe284, in spi: 0x36a85e69
| ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=MODP1536
+->Tunnel 1x3: 192.168.0.0/24 <-> 10.0.2.0/24, UP
| IPSec SA #7, STATE_QUICK_I2; IKE #1; eOwner #7
| Out spi: 0x9c0ad833, in spi: 0x8310c82b
| ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=MODP1536
+->Tunnel 2x1: 10.10.0.0/16 <-> 10.0.0.0/24, UP
| IPSec SA #8, STATE_QUICK_I2; IKE #1; eOwner #8
| Out spi: 0x2088d83b, in spi: 0x4b09b81b
| ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=MODP1536
+->Tunnel 2x2: 10.10.0.0/16 <-> 10.0.1.0/24, UP
| IPSec SA #9, STATE_QUICK_I2; IKE #1; eOwner #9
| Out spi: 0xbab73316, in spi: 0xe13521c6
| ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=MODP1536
+->Tunnel 2x3: 10.10.0.0/16 <-> 10.0.2.0/24, UP
| IPSec SA #10, STATE_QUICK_I2; IKE #1; eOwner #10
| Out spi: 0x8c395c08, in spi: 0x6dd9f43e
| ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=MODP1536
Yet I am unable to ping any of the remote endpoints.
I understand that this Edge will know where to forward packets destined for 10.0.0.0/24, 10.0.1.0/24 and 10.0.2.0/24, and I will have to engage in some OpenSwan TS at the far end to validate that part of the equation. Nonetheless, it would be good to actually validate at the ESG level that we "capture" all interesting traffic to be forwarded to the peer.
I do understand that downstream routing instances (say DLRs or downstream ESGs) will need to be told explicitly that the N.H. for 0.0.0.0/24, 10.0.1.0/24 and 10.0.2.0/24 is at the top-level ESG where we run the IPSec tunnels.
Kind regards and thanks in advance,
Rik
Some additional details, nothing visibly wrong here... to my knowledge at least (note that I ping 10.0.0.6 from subnet 10.10.13.219):
edg-perimeter-0> show config ipsec
-----------------------------------------------------------------------
vShield Edge IPsec VPN Config:
{
"ipsec" : {
"sites" : [
{
"certificate" : null,
"encryptionAlgorithm" : "aes",
"enabled" : true,
"mtu" : null,
"psk" : "****",
"extension" : null,
"peerSubnets" : [
"10.0.0.0/24",
"10.0.1.0/24",
"10.0.2.0/24"
],
"peerIp" : "52.18.144.144",
"name" : "aws",
"description" : null,
"localSubnets" : [
"192.168.0.0/24",
"10.10.0.0/16"
],
"dhGroup" : "dh5",
"peerId" : "52.18.144.144",
"enablePfs" : true,
"localIp" : "62.213.196.68",
"authenticationMode" : "psk",
"localId" : "62.213.196.68"
}
],
"enable" : true,
"logging" : {
"enable" : false,
"logLevel" : "info"
},
"global" : {
"extension" : null,
"crlCertificates" : [],
"serviceCertificate" : "certificate-58",
"pskForDynamicIp" : null,
"id" : null,
"caCertificates" : []
},
"disableEvent" : false
}
}
edg-perimeter-0> show service ipsec sp
src 192.168.0.0/24[any] ---> dst 10.0.2.0/24[any] 255
out prio high + 1073739480 ipsec
esp/tunnel/62.213.196.68-52.18.144.144/unique#16393
created: Jun 6 17:31:57 2016 lastused:
lifetime: 0(s) validtime: 0(s)
spid=769 seq=1 pid=22126
refcnt=1
src 10.10.0.0/16[any] ---> dst 10.0.0.0/24[any] 255
out prio high + 1073739224 ipsec
esp/tunnel/62.213.196.68-52.18.144.144/unique#16397
created: Jun 6 17:30:29 2016 lastused: Jun 6 17:52:31 2016
lifetime: 0(s) validtime: 0(s)
spid=777 seq=2 pid=22126
refcnt=2
src 10.10.0.0/16[any] ---> dst 10.0.2.0/24[any] 255
out prio high + 1073739224 ipsec
esp/tunnel/62.213.196.68-52.18.144.144/unique#16405
created: Jun 6 17:29:54 2016 lastused:
lifetime: 0(s) validtime: 0(s)
spid=793 seq=3 pid=22126
refcnt=1
src 10.10.0.0/16[any] ---> dst 10.0.1.0/24[any] 255
out prio high + 1073739224 ipsec
esp/tunnel/62.213.196.68-52.18.144.144/unique#16401
created: Jun 6 17:28:56 2016 lastused:
lifetime: 0(s) validtime: 0(s)
spid=785 seq=4 pid=22126
refcnt=1
src 192.168.0.0/24[any] ---> dst 10.0.1.0/24[any] 255
out prio high + 1073739480 ipsec
esp/tunnel/62.213.196.68-52.18.144.144/unique#16389
created: Jun 6 17:27:09 2016 lastused:
lifetime: 0(s) validtime: 0(s)
spid=761 seq=5 pid=22126
refcnt=1
src 192.168.0.0/24[any] ---> dst 10.0.0.0/24[any] 255
out prio high + 1073739480 ipsec
esp/tunnel/62.213.196.68-52.18.144.144/unique#16385
created: Jun 6 17:26:48 2016 lastused:
lifetime: 0(s) validtime: 0(s)
spid=753 seq=6 pid=22126
refcnt=1
src 10.0.2.0/24[any] ---> dst 192.168.0.0/24[any] 255
fwd prio high + 1073739480 ipsec
esp/tunnel/52.18.144.144-62.213.196.68/unique#16393
created: Jun 6 16:41:33 2016 lastused:
lifetime: 0(s) validtime: 0(s)
spid=890 seq=7 pid=22126
refcnt=1
src 10.0.2.0/24[any] ---> dst 192.168.0.0/24[any] 255
in prio high + 1073739480 ipsec
esp/tunnel/52.18.144.144-62.213.196.68/unique#16393
created: Jun 6 16:41:33 2016 lastused:
lifetime: 0(s) validtime: 0(s)
spid=880 seq=8 pid=22126
refcnt=1
src 10.0.0.0/24[any] ---> dst 10.10.0.0/16[any] 255
fwd prio high + 1073739224 ipsec
esp/tunnel/52.18.144.144-62.213.196.68/unique#16397
created: Jun 6 16:41:13 2016 lastused:
lifetime: 0(s) validtime: 0(s)
spid=874 seq=9 pid=22126
refcnt=1
src 10.0.0.0/24[any] ---> dst 10.10.0.0/16[any] 255
in prio high + 1073739224 ipsec
esp/tunnel/52.18.144.144-62.213.196.68/unique#16397
created: Jun 6 16:41:13 2016 lastused:
lifetime: 0(s) validtime: 0(s)
spid=864 seq=10 pid=22126
refcnt=1
src 10.0.1.0/24[any] ---> dst 10.10.0.0/16[any] 255
fwd prio high + 1073739224 ipsec
esp/tunnel/52.18.144.144-62.213.196.68/unique#16401
created: Jun 6 16:41:13 2016 lastused:
lifetime: 0(s) validtime: 0(s)
spid=858 seq=11 pid=22126
refcnt=1
src 10.0.1.0/24[any] ---> dst 10.10.0.0/16[any] 255
in prio high + 1073739224 ipsec
esp/tunnel/52.18.144.144-62.213.196.68/unique#16401
created: Jun 6 16:41:13 2016 lastused:
lifetime: 0(s) validtime: 0(s)
spid=848 seq=12 pid=22126
refcnt=1
src 10.0.2.0/24[any] ---> dst 10.10.0.0/16[any] 255
fwd prio high + 1073739224 ipsec
esp/tunnel/52.18.144.144-62.213.196.68/unique#16405
created: Jun 6 16:41:04 2016 lastused:
lifetime: 0(s) validtime: 0(s)
spid=842 seq=13 pid=22126
refcnt=1
src 10.0.2.0/24[any] ---> dst 10.10.0.0/16[any] 255
in prio high + 1073739224 ipsec
esp/tunnel/52.18.144.144-62.213.196.68/unique#16405
created: Jun 6 16:41:04 2016 lastused:
lifetime: 0(s) validtime: 0(s)
spid=832 seq=14 pid=22126
refcnt=1
src 10.0.1.0/24[any] ---> dst 192.168.0.0/24[any] 255
fwd prio high + 1073739480 ipsec
esp/tunnel/52.18.144.144-62.213.196.68/unique#16389
created: Jun 6 16:41:04 2016 lastused:
lifetime: 0(s) validtime: 0(s)
spid=826 seq=15 pid=22126
refcnt=1
src 10.0.1.0/24[any] ---> dst 192.168.0.0/24[any] 255
in prio high + 1073739480 ipsec
esp/tunnel/52.18.144.144-62.213.196.68/unique#16389
created: Jun 6 16:41:04 2016 lastused:
lifetime: 0(s) validtime: 0(s)
spid=816 seq=16 pid=22126
refcnt=1
src 10.0.0.0/24[any] ---> dst 192.168.0.0/24[any] 255
fwd prio high + 1073739480 ipsec
esp/tunnel/52.18.144.144-62.213.196.68/unique#16385
created: Jun 6 16:41:03 2016 lastused:
lifetime: 0(s) validtime: 0(s)
spid=810 seq=17 pid=22126
refcnt=1
src 10.0.0.0/24[any] ---> dst 192.168.0.0/24[any] 255
in prio high + 1073739480 ipsec
esp/tunnel/52.18.144.144-62.213.196.68/unique#16385
created: Jun 6 16:41:03 2016 lastused:
lifetime: 0(s) validtime: 0(s)
spid=800 seq=18 pid=22126
refcnt=1
edg-perimeter-0>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
src 10.10.0.0/16[any] ---> dst 10.0.0.0/24[any] 255
out prio high + 1073739224 ipsec
esp/tunnel/62.213.196.68-52.18.144.144/unique#16397
created: Jun 6 17:30:29 2016 lastused: Jun 6 17:56:31 2016
lifetime: 0(s) validtime: 0(s)
spid=777 seq=2 pid=23134
refcnt=2
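As an added check (example code, not from the thread or from NSX), this script reads a `show service ipsec sp` dump, finds the outbound SP that the tested flow 10.10.13.219 -> 10.0.0.6 selects plus its inbound mirror, and reports each one's `lastused` stamp. The reading it assumes: a stamped outbound SP means the ESG matched and forwarded the ping into the tunnel, while an inbound mirror that never matched means nothing came back, which points at the far end rather than at the Edge. The sample input is a constructed two-entry excerpt of the dump above.

```python
import ipaddress
import re

# Constructed sample: two SP entries trimmed from the "show service ipsec sp"
# dump in the post (the outbound policy for the tested flow and its inbound
# mirror); the lifetime/spid lines the check does not need are dropped.
SP_OUTPUT = """\
src 10.10.0.0/16[any] ---> dst 10.0.0.0/24[any] 255
out prio high + 1073739224 ipsec
esp/tunnel/62.213.196.68-52.18.144.144/unique#16397
created: Jun 6 17:30:29 2016 lastused: Jun 6 17:56:31 2016
refcnt=2
src 10.0.0.0/24[any] ---> dst 10.10.0.0/16[any] 255
in prio high + 1073739224 ipsec
esp/tunnel/52.18.144.144-62.213.196.68/unique#16397
created: Jun 6 16:41:13 2016 lastused:
refcnt=1
"""

SRC_RE = re.compile(r"^src (\S+)\[any\] ---> dst (\S+)\[any\]")
LASTUSED_RE = re.compile(r"lastused:\s*(.*)$")

def parse_sp(text):
    """One dict per policy: traffic selector, direction (in/out/fwd), lastused or None."""
    policies = []
    for line in text.splitlines():
        words = line.split()
        m = SRC_RE.match(line)
        if m:  # a new policy starts with its selector line
            policies.append({"src": ipaddress.ip_network(m.group(1)),
                             "dst": ipaddress.ip_network(m.group(2)),
                             "dir": None, "lastused": None})
        elif policies and policies[-1]["dir"] is None and words and words[0] in ("in", "out", "fwd"):
            policies[-1]["dir"] = words[0]  # direction is the first word of the next line
        elif policies and "lastused:" in line:
            # empty lastused: no packet has ever been matched against this SP
            policies[-1]["lastused"] = LASTUSED_RE.search(line).group(1).strip() or None
    return policies

def diagnose(policies, src_ip, dst_ip):
    """For a ping src_ip -> dst_ip, look up the outbound SP and its inbound mirror
    (dst -> src) and return each one's lastused stamp, None if never hit, or 'no SP'."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    report = {}
    for direction, a, b in (("out", s, d), ("in", d, s)):
        hit = [p for p in policies if p["dir"] == direction and a in p["src"] and b in p["dst"]]
        report[direction] = hit[0]["lastused"] if hit else "no SP"
    return report
```

Run `diagnose(parse_sp(SP_OUTPUT), "10.10.13.219", "10.0.0.6")` against a full dump to see whether a source outside the configured local subnets (e.g. a 192.168.x host pinging the same peer) simply has no SP at all, which is the "did we capture the interesting traffic" question from the post.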
It looks like your tunnel is up via phase 1 and phase 2. Have you verified that your firewall rules are permitting this ingress/egress traffic on both ends?
Thanks for the suggestion. Yes, the FW rules at our end and the SecGroup at the AWS side were both fine; it turned out that someone spoiled the OpenSwan config at the far end. Guess next time I need to verify the actual log files.
Thanks
/r