
I have several sites; one of them acts as an intermediary router between the other two:

  1. AWS VPC (10.10.0.0/24)
  2. Libreswan VPN Server (10.20.0.0/24)
  3. Mikrotik VPN Router (10.30.0.0/24)

host1 resides in the AWS VPC; host2 is connected to the Mikrotik.

VPNs are up, each connection is working separately, statuses look fine.

host2 pings host1, packets arrive through libreswan to host1, host1 replies, all packets arrive at libreswan, but are not passed to host2. Also, packets initiated from host2 are able to reach libreswan, but are not passed to host1. I suppose that all is stateless for IPsec and it is the same problem.

iptables nat (manual config):

-A POSTROUTING -j ACCEPT -d 10.10.0.0/24
-A POSTROUTING -j ACCEPT -d 10.20.0.0/24

iptables filter (manual config):

-A FORWARD -j ACCEPT

routing table @ libreswan (ip route, added by libreswan):

10.10.0.0/24 dev eth0 scope link mtu 1436
10.20.0.0/24 dev eth0 scope link mtu 1436

Similar connections with many combinations to other sites work fine in any way; the difference is in the AWS-Libreswan VPN connection.

Is there something I am missing? Where should I look?

GioMac
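The question quotes only two of the three prefixes in the NAT exemption rules and in the routing table. The script below is an added consistency check, not part of the question or of Libreswan: it parses iptables-save style NAT rules and `ip route` output (both constructed here from the lines quoted above, and assumed to be the complete relevant output of the hub) and reports any spoke prefix that has neither a POSTROUTING ACCEPT exemption nor a route on the hub. The NAT check only matters if a MASQUERADE or SNAT rule follows those ACCEPT rules, which is an assumption; on the quoted lines the Mikrotik prefix 10.30.0.0/24 appears in neither list, which is worth confirming on the real host before looking elsewhere.

```python
import ipaddress

# Constructed input: the NAT rules and routes quoted in the question (assumed complete).
NAT_RULES = """\
-A POSTROUTING -j ACCEPT -d 10.10.0.0/24
-A POSTROUTING -j ACCEPT -d 10.20.0.0/24
"""
ROUTES = """\
10.10.0.0/24 dev eth0 scope link mtu 1436
10.20.0.0/24 dev eth0 scope link mtu 1436
"""
# The two spoke prefixes the Libreswan hub must forward between (from the question).
SPOKES = ["10.10.0.0/24", "10.30.0.0/24"]

def nat_exempt_prefixes(nat_rules):
    """Destination prefixes that a POSTROUTING ACCEPT rule exempts from any later NAT rule."""
    out = set()
    for fields in (line.split() for line in nat_rules.splitlines()):
        if "POSTROUTING" in fields and "ACCEPT" in fields and "-d" in fields:
            out.add(ipaddress.ip_network(fields[fields.index("-d") + 1], strict=False))
    return out

def route_prefixes(routes):
    """Destination prefixes that have a kernel route (first field of each `ip route` line)."""
    out = set()
    for line in routes.splitlines():
        fields = line.split()
        try:
            out.add(ipaddress.ip_network(fields[0], strict=False))
        except (IndexError, ValueError):
            pass  # blank line or a non-prefix destination such as 'default'
    return out

def covered(prefix, prefixes):
    """True if `prefix` lies inside any network in `prefixes` (a broader route counts)."""
    return any(prefix.subnet_of(p) for p in prefixes)

def missing_coverage(nat_rules, routes, spokes):
    """Map each spoke prefix to the checks it fails on the hub: 'nat-accept' and/or 'route'."""
    exempt, routed = nat_exempt_prefixes(nat_rules), route_prefixes(routes)
    gaps = {}
    for s in spokes:
        net = ipaddress.ip_network(s, strict=False)
        problems = [name for name, have in (("nat-accept", exempt), ("route", routed))
                    if not covered(net, have)]
        if problems:
            gaps[s] = problems
    return gaps

if __name__ == "__main__": print(missing_coverage(NAT_RULES, ROUTES, SPOKES))
```

Run it against the real `iptables-save -t nat` and `ip route` output of the hub; an empty result means both spoke prefixes are at least routed and exempted from NAT, and the search moves to the IPsec policies themselves.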
  • (and getting practically the same with strongSwan, CentOS 8) – GioMac Jun 13 '21 at 18:50
  • AWS has a pretty extensive firewall system; perhaps the problem lies in routing the GRE packets through. It's protocol 47, not port 47. Can you provide info on the firewall setup on that AWS instance? Also, is it some kind of floating IP or just the public one? – bocian85 Jun 15 '21 at 09:17
  • @bocian85 There is no AWS instance; it has nothing to do with firewalls. – GioMac Jun 16 '21 at 10:20
  • AWS VPC without instances? OK, I see. If you can, please provide some kind of graph to better describe this infrastructure; you refer to host1, host2 and site1, site2, site3, and I am just guessing that host1 is in site1 or anything. Elaborate more, please. But from what I see here, the problem is most likely either with asymmetric routing or with a firewall somewhere. – bocian85 Jun 16 '21 at 11:30
  • It's not asymmetric routing. There is no firewall anywhere. It's not an issue in generic routing. It's a Libreswan host-specific issue, and there the firewall might act as a translator or something... – GioMac Jun 17 '21 at 12:21

0 Answers