
I have a server (Debian 10) behind a NAT router. Multiple VMs are running on this server. I want to establish an IPsec connection to a server on the Internet. Here are my ipsec.conf files on both sides:

On local server:

config setup
  charondebug = "all"
  uniqueids = yes
  nat_traversal = yes

conn local-to-server
  type = tunnel
  auto = start
  keyexchange = ikev2
  authby = secret
  left = 192.168.1.50
  leftsubnet = 192.168.1.0/24
  right = $server-internet-ip
  rightsubnet = 172.17.41.0/24
  rightsourceip = 172.17.41.0/24
  aggressive = no

On Internet server:

config setup
  charondebug="all"
  uniqueids = yes

conn server-to-local
  type = tunnel
  auto = start
  authby = secret
  left = $server-internet-ip
  leftsubnet = 172.17.41.0/24
  leftsourceip = 192.168.1.50
  leftsubnet = 192.168.1.0/24
  aggressive = no

When I run the command ipsec status, it replies on both sides Security Associations (1 up, 0 connecting): server-to-local[2]: ESTABLISHED....

However, when I want to ping or telnet the local IP address 192.168.1.50 from my Internet server, I get nothing.

Running ip a does not show any additional network interface related to IPsec being up. Same for routes: no routes are created when IPsec goes UP.

What have I missed to allow connections from the Internet server to the internal enterprise VMs? The NAT box is forwarding UDP 500 and 4500 from its own Internet IP address to the private IP address of the internal server.

Many thanks for helping!

EDIT: ip xfrm state does not output anything

EDIT2: Output of ipsec statusall on local:

Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-8-amd64, x86_64):
uptime: 2 seconds, since Mar 19 14:23:56 2020
malloc: sbrk 1757184, mmap 0, used 557984, free 1199200
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 7
loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown counters
Virtual IP pools (size/online/offline):
  172.17.41.0/24: 254/0/0
Listening IP addresses:
  192.168.1.50
Connections:
  local-to-server:  192.168.1.50...$server-internet-ip  IKEv2, dpddelay=30s
  local-to-server:   local:  [192.168.1.50] uses pre-shared key authentication
  local-to-server:   remote: [$server-internet-ip] uses pre-shared key authentication
  local-to-server:   child:  192.168.1.0/24 === 172.17.41.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
  local-to-server[1]: ESTABLISHED 2 seconds ago, 192.168.1.50[192.168.1.50]...$server-internet-ip[$server-internet-ip]
  local-to-server[1]: IKEv2 SPIs: 68eab917fe1855aa_i* 87d5f2cd06b353de_r, pre-shared key reauthentication in 2 hours
  local-to-server[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072

Output of ipsec statusall on internet server:

Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.9.185-xxxx-std-ipv6-64, x86_64):
uptime: 12 seconds, since Mar 19 14:23:53 2020
malloc: sbrk 2478080, mmap 0, used 278288, free 2199792
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
loaded plugins: charon aes rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown
Listening IP addresses:
  $server-internet-ip
  172.17.23.1
Connections:
  server-to-local:  $server-internet-ip...%any  IKEv2, dpddelay=30s
  server-to-local:   local:  [$server-internet-ip] uses pre-shared key authentication
  server-to-local:   remote: uses pre-shared key authentication
  server-to-local:   child:  192.168.1.0/24 === dynamic TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
  server-to-local[2]: ESTABLISHED 9 seconds ago, $server-internet-ip[$server-internet-ip]...$box-internet-ip[192.168.1.50]
  server-to-local[2]: IKEv2 SPIs: 68eab917fe1855aa_i 87d5f2cd06b353de_r*, pre-shared key reauthentication in 2 hours
  server-to-local[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072

Here are the logs on Internet server side:

09[IKE] maximum IKE_SA lifetime 10783s
09[IKE] traffic selectors 172.17.41.0/24 === 192.168.1.0/24 inacceptable
09[IKE] failed to establish CHILD_SA, keeping IKE_SA
09[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(TS_UNACCEPT) ]
09[NET] sending packet: from $server-internet-ip[4500] to $box-internet-ip[4500] (160 bytes)
11[IKE] sending DPD request
11[ENC] generating INFORMATIONAL request 0 [ ]
11[NET] sending packet: from $server-internet-ip[4500] to $box-internet-ip[4500] (80 bytes)
12[NET] received packet: from $box-internet-ip[4500] to $server-internet-ip[4500] (80 bytes)
12[ENC] parsed INFORMATIONAL response 0 [ ]

Here are the logs on local server side:

13[IKE] sending keep alive to $server-internet-ip[4500]
15[IKE] sending DPD request
15[ENC] generating INFORMATIONAL request 8 [ N(NATD_S_IP) N(NATD_D_IP) ]
15[NET] sending packet: from 192.168.1.50[4500] to $server-internet-ip[4500] (128 bytes)
14[NET] received packet: from $server-internet-ip[4500] to 192.168.1.50[4500] (80 bytes)
14[ENC] parsed INFORMATIONAL request 8 [ ]
14[ENC] generating INFORMATIONAL response 8 [ ]
14[NET] sending packet: from 192.168.1.50[4500] to $server-internet-ip[4500] (80 bytes)
16[NET] received packet: from $server-internet-ip[4500] to 192.168.1.50[4500] (128 bytes)
16[ENC] parsed INFORMATIONAL response 8 [ N(NATD_S_IP) N(NATD_D_IP) ]
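The ipsec statusall output above shows the distinction that matters here: an IKE_SA line (square brackets, ESTABLISHED) is only the authenticated control channel; traffic is carried by a CHILD_SA, which strongSwan prints as a separate line with curly braces and the word INSTALLED, followed by the negotiated traffic selectors. Neither statusall output in the question has such a line, which is consistent with ip xfrm state printing nothing. The following POSIX shell helper is an added example (not from the question or from strongSwan) that classifies statusall output into "no IKE_SA", "IKE_SA only" and "CHILD_SA installed", extracts the installed traffic selectors, and pulls the rejected selector pair out of the responder log. The samples are constructed: 203.0.113.10 stands in for $server-internet-ip, and the ESP SPIs in the healthy sample are made up.

```shell
#!/bin/sh
# Added diagnostic helper: tell "IKE_SA ESTABLISHED" apart from "CHILD_SA INSTALLED"
# in `ipsec statusall` output, because only the latter carries traffic.

# Constructed sample mirroring the question: IKE_SA up, no CHILD_SA line follows.
# 203.0.113.10 stands in for $server-internet-ip.
STATUS_IKE_ONLY='Security Associations (1 up, 0 connecting):
  local-to-server[1]: ESTABLISHED 2 seconds ago, 192.168.1.50[192.168.1.50]...203.0.113.10[203.0.113.10]
  local-to-server[1]: IKEv2 SPIs: 68eab917fe1855aa_i* 87d5f2cd06b353de_r, pre-shared key reauthentication in 2 hours
  local-to-server[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072'

# Constructed sample of a healthy tunnel: same IKE_SA plus an INSTALLED CHILD_SA
# and its negotiated traffic selectors (ESP SPIs are made up).
STATUS_WITH_CHILD="$STATUS_IKE_ONLY
  local-to-server{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1a2b3d4_i e5f6a7b8_o
  local-to-server{1}:   192.168.1.0/24 === 172.17.41.0/24"

# Constructed responder log excerpt, taken from the question.
RESPONDER_LOG='09[IKE] traffic selectors 172.17.41.0/24 === 192.168.1.0/24 inacceptable
09[IKE] failed to establish CHILD_SA, keeping IKE_SA
09[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(TS_UNACCEPT) ]'

# tunnel_state STATUS_TEXT -> prints no-ike | ike-only | up
tunnel_state() {
    if ! printf '%s\n' "$1" | grep -q 'ESTABLISHED'; then
        echo no-ike
        return 0
    fi
    # CHILD_SA lines read "name{n}:  INSTALLED, ..."; IKE_SA lines use [n].
    if printf '%s\n' "$1" | grep -Eq '[{][0-9]+[}]: +INSTALLED'; then
        echo up
    else
        echo ike-only
    fi
}

# child_ts STATUS_TEXT -> prints the installed traffic-selector line(s), leading blanks stripped
child_ts() {
    printf '%s\n' "$1" | grep -E '[{][0-9]+[}]: +[0-9./]+ === ' | sed -E 's/^ *//'
}

# ts_rejected LOG_TEXT -> prints the selector pair the responder rejected, if any
ts_rejected() {
    printf '%s\n' "$1" | sed -En 's/.*traffic selectors (.*) (in|un)acceptable.*/\1/p'
}

# Stand-alone demonstration on the constructed samples.
printf 'ike-only sample:   state=%s\n' "$(tunnel_state "$STATUS_IKE_ONLY")"
printf 'with-child sample: state=%s\n' "$(tunnel_state "$STATUS_WITH_CHILD")"
child_ts "$STATUS_WITH_CHILD" | sed 's/^/    TS: /'
printf 'responder rejected: %s\n' "$(ts_rejected "$RESPONDER_LOG")"
```

On a live host, feed real output instead of the samples, e.g. tunnel_state "$(ipsec statusall)" and ts_rejected "$(journalctl -u strongswan --no-pager)"; a result of ike-only together with an empty ip xfrm state is exactly the situation in the question, and the rejected pair names the selectors that the responder's left|rightsubnet must mirror.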
  • First, only set _left|rightsourceip_ if you want to negotiate [virtual IPs](https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp). Then, please post the logs, or at least the complete output of `ipsec statusall`. – ecdsa Mar 19 '20 at 07:42
  • Many thanks for helping. Here is output of `ipsec statusall` – philippe Mar 19 '20 at 13:32
  • As I suspected, you don't actually have a CHILD_SA established (which transports the traffic). The log tells you that the traffic selectors are unacceptable, so fix _left|rightsubnet_ and/or _left|rightsourceip_ (again, refer to the strongSwan wiki for details). – ecdsa Mar 19 '20 at 15:55
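As an added illustration of the fix ecdsa's comment points at (this is my suggested pair, not the questioner's final configuration and not the answer the thread gave), here are both ipsec.conf files with the traffic selectors mirrored. The original Internet-server file set leftsubnet twice, so the second value (192.168.1.0/24) won; with no rightsubnet the remote selector defaulted to "dynamic", which is what the statusall output shows as 192.168.1.0/24 === dynamic and why the responder rejected 172.17.41.0/24 === 192.168.1.0/24. The sourceip options are dropped because no virtual IPs are wanted. $server-internet-ip is kept as the page's placeholder.

```ini
# Local server, behind the NAT router (192.168.1.50)
config setup
  charondebug = "all"
  uniqueids = yes
  # nat_traversal is a pluto-era option ignored by charon; NAT-T is detected automatically

conn local-to-server
  keyexchange = ikev2
  authby = secret
  left = 192.168.1.50
  leftsubnet = 192.168.1.0/24
  right = $server-internet-ip
  rightsubnet = 172.17.41.0/24
  auto = start
  # no rightsourceip: we are not requesting a virtual IP from the server
  # type=tunnel is the default; aggressive= applies to IKEv1 only

# Internet server
config setup
  charondebug = "all"
  uniqueids = yes

conn server-to-local
  keyexchange = ikev2
  authby = secret
  left = $server-internet-ip
  leftsubnet = 172.17.41.0/24
  right = %any
  rightsubnet = 192.168.1.0/24
  auto = add
  # right=%any because the peer appears from the NAT box's address; a responder
  # cannot initiate to %any, hence auto=add. leftsourceip removed (no virtual IPs).
  # leftsubnet/rightsubnet here mirror rightsubnet/leftsubnet on the local side.
```

Two checks after reloading (ipsec reload on both hosts, then ipsec up local-to-server on the local side): ipsec statusall should now show a local-to-server{n}: INSTALLED line followed by 192.168.1.0/24 === 172.17.41.0/24, and ip xfrm state should list the ESP SAs. No interface or kernel route appears for a policy-based tunnel; the policies live in ip xfrm policy, which is why ip a and ip route looked unchanged. For VMs other than 192.168.1.50 to be reachable, that host also needs net.ipv4.ip_forward=1 and the VMs need a route to 172.17.41.0/24 via 192.168.1.50.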
