IPSEC tunnel on AWS traffic goes only in one direction

[Crivera2809]

Hello, please I need help, I have set up an IPSEC tunnel between 2 Amazon AWS accounts with Libreswan 4.12. Tunnel is up and running, but network traffic inside the tunnel goes only from one end to the other, but no return traffic is observed when pinging the local private ip of each end.

When I try to ping from the private ip of the EC2 instance in account A, to the private ip of the EC2 instance in account B on AWS, I see ICMP requests coming through to the other end, but I don't see a response.

Tunnel established between AWS accounts.

000 Connection list:
000
000 "lab_vpn": 172.31.80.0/20===172.31.84.135[@54.92.x.x]---172.31.80.1...44.205.x.x[@44.205.x.x]===10.0.7.0/24; erouted; eroute owner: #4
000 "lab_vpn":     oriented; my_ip=172.31.80.1; their_ip=unset; my_updown=ipsec _updown;
000 "lab_vpn":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "lab_vpn":   our auth:secret, their auth:secret, our autheap:none, their autheap:none;
000 "lab_vpn":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "lab_vpn":   sec_label:unset;
000 "lab_vpn":   ike_life: 86400s; ipsec_life: 28800s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "lab_vpn":   retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "lab_vpn":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "lab_vpn":   policy: IKEv1+PSK+ENCRYPT+TUNNEL+PFS+UP+IKE_FRAG_ALLOW+ESN_NO+ESN_YES;
000 "lab_vpn":   conn_prio: 20,24; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "lab_vpn":   nflog-group: unset; mark: unset; vti-iface:ip_vti0; vti-routing:yes; vti-shared:yes; nic-offload:auto;
000 "lab_vpn":   our idtype: ID_FQDN; our id=@54.92.x.x; their idtype: ID_FQDN; their id=@44.205.x.x
000 "lab_vpn":   dpd: active; action:restart; delay:10s; timeout:30s
000 "lab_vpn":   nat-traversal: encaps:yes; keepalive:20s; ikev1-method:rfc+drafts
000 "lab_vpn":   newest ISAKMP SA: #1; newest IPsec SA: #4; conn serial: $1;
000 "lab_vpn":   IKE algorithms: AES_CBC_256-HMAC_SHA2_256-MODP1536
000 "lab_vpn":   IKEv1 algorithm newest: AES_CBC_256-HMAC_SHA2_256-MODP1536
000 "lab_vpn":   ESP algorithms: AES_CBC_256-HMAC_SHA2_256_128
000 "lab_vpn":   ESP algorithm newest: AES_CBC_256-HMAC_SHA2_256_128; pfsgroup=<Phase1>
000
000 Total IPsec connections: loaded 1, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(2), half-open(0), open(0), authenticated(2), anonymous(0)
000 IPsec SAs: total(2), authenticated(2), anonymous(0)
000
000 #1: "lab_vpn":4500 STATE_MAIN_I4 (IKE SA established); REPLACE in 85155s; newest; lastdpd=5s(seq in:0 out:0); idle;
000 #2: "lab_vpn":4500 STATE_MAIN_R3 (IKE SA established); REPLACE in 85611s; lastdpd=5s(seq in:31393 out:0); idle;
000 #3: "lab_vpn":4500 STATE_QUICK_R2 (IPsec SA established); REPLACE in 28011s; ISAKMP SA #2; idle;
000 #3: "lab_vpn" esp.20538bcc@44.205.x.x esp.c7bebab0@172.31.84.135 tun.0@44.205.x.x tun.0@172.31.84.135 Traffic: ESPin=0B ESPout=0B ESPmax=2^63B
000 #4: "lab_vpn":4500 STATE_QUICK_I2 (IPsec SA established); REPLACE in 27507s; newest; eroute owner; ISAKMP SA #1; idle;
000 #4: "lab_vpn" esp.a6bb458d@44.205.x.x esp.d785b2f1@172.31.84.135 tun.0@44.205.x.x tun.0@172.31.84.135 Traffic: ESPin=3KB ESPout=1KB ESPmax=2^63B

Instance at End A.

$ ping 10.0.7.252 PING 10.0.7.252 (10.0.7.252) 56(84) bytes of data.

--- 10.0.7.252 ping statistics --- 21 packets transmitted, 0 received, 100% packet loss, time 20460ms

Instance at End B.

$ sudo tcpdump -n -i ip_vti0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ip_vti0, link-type RAW (Raw IP), capture size 262144 bytes
03:29:08.329907 IP 10.0.7.252 > 172.31.84.135: ICMP echo request, id 92, seq 1, length 64
03:29:09.337831 IP 10.0.7.252 > 172.31.84.135: ICMP echo request, id 92, seq 2, length 64
03:29:10.361832 IP 10.0.7.252 > 172.31.84.135: ICMP echo request, id 92, seq 3, length 64
03:29:11.385879 IP 10.0.7.252 > 172.31.84.135: ICMP echo request, id 92, seq 4, length 64
03:29:12.409895 IP 10.0.7.252 > 172.31.84.135: ICMP echo request, id 92, seq 5, length 64
03:29:13.433952 IP 10.0.7.252 > 172.31.84.135: ICMP echo request, id 92, seq 6, length 64
03:29:14.457835 IP 10.0.7.252 > 172.31.84.135: ICMP echo request, id 92, seq 7, length 64
03:29:15.481838 IP 10.0.7.252 > 172.31.84.135: ICMP echo request, id 92, seq 8, length 64
03:29:16.505832 IP 10.0.7.252 > 172.31.84.135: ICMP echo request, id 92, seq 9, length 64
03:29:17.529821 IP 10.0.7.252 > 172.31.84.135: ICMP echo request, id 92, seq 10, length 64
03:29:18.553819 IP 10.0.7.252 > 172.31.84.135: ICMP echo request, id 92, seq 11, length 64

11 packets captured
11 packets received by filter
0 packets dropped by kernel

As you can see if traffic is sent from one end to the other, but without response. To try to solve this problem I added a return route in the routing table which in theory should route the traffic to the ip_vti0 interface of the VPN, but it had no effect.

Instance at End A.

$ sudo ip route add 172.31.80.0/20 dev ip_vti0

$ ip route get 10.0.7.252
10.0.7.252 dev ip_vti0 src 172.31.80.1 uid 1000
    cache

$ ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 12:73:29:ca:69:c9 brd ff:ff:ff:ff:ff:ff
3: ip_vti0@NONE: <NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0

Instance at End B.

$ sudo ip route add 10.0.7.0/24 dev ip_vti0

$ ip route get 172.31.84.135
172.31.84.135 dev ip_vti0 src 10.0.7.1 uid 1000
    cache

$ ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 0a:ff:ee:fc:6f:c1 brd ff:ff:ff:ff:ff:ff
3: ip_vti0@NONE: <NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0

Please does anyone have any suggestions or advice to solve this problem. Why is the traffic going only in one direction? If I ping each end of the EC2 instances the traffic is received at each end, but I don't get any response back.

Thanks in advance!

[elenium3]

same issue. Previously same config worked fine

[mvisser-nhb]

have you tried adding sourceip? for example: ping -n -c 4 -I {current_host_ip} {target}

[Crivera2809]

Thank you very much for your help @mvisser-nhb.

Yes, I did it, but it doesn't work, I've tried some workaround but I've not had success.

ping from E1. `$ ping -n -c 4 -I 10.0.7.252 172.31.84.135 PING 172.31.84.135 (172.31.84.135) from 10.0.7.252 : 56(84) bytes of data.

--- 172.31.84.135 ping statistics --- 4 packets transmitted, 0 received, 100% packet loss, time 3078ms`

tcpdump in E2. $ sudo tcpdump -n -i ip_vti0 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ip_vti0, link-type RAW (Raw IP), capture size 262144 bytes 00:56:37.613542 IP 10.0.7.252 > 172.31.84.135: ICMP echo request, id 24, seq 1, length 64 00:56:38.643963 IP 10.0.7.252 > 172.31.84.135: ICMP echo request, id 24, seq 2, length 64 00:56:39.667940 IP 10.0.7.252 > 172.31.84.135: ICMP echo request, id 24, seq 3, length 64 00:56:40.691936 IP 10.0.7.252 > 172.31.84.135: ICMP echo request, id 24, seq 4, length 64

[letoams]

Show the output of “ipsec trafficstatus” and see if the outgoing or incoming counter remains at zero after a few pings.If outgoing remains zero, a NAT rule might change source IP before IPsec subsystem.If incoming counter remains zero, perhaps the other end has a bad NAT rule or firewall rule.Sent using a virtual keyboard on a phoneOn Jun 18, 2024, at 21:07, Crivera2809 @.***> wrote: Thank you very much for your help @mvisser-nhb. Yes, I did it, but it doesn't work, I've tried some workaround but I've not had success. ping from E1. $ ping -n -c 4 -I 10.0.7.252 172.31.84.135 PING 172.31.84.135 (172.31.84.135) from 10.0.7.252 : 56(84) bytes of data. --- 172.31.84.135 ping statistics --- 4 packets transmitted, 0 received, 100% packet loss, time 3078ms tcpdump in E2. $ sudo tcpdump -n -i ip_vti0 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ip_vti0, link-type RAW (Raw IP), capture size 262144 bytes 00:56:37.613542 IP 10.0.7.252 > 172.31.84.135: ICMP echo request, id 24, seq 1, length 64 00:56:38.643963 IP 10.0.7.252 > 172.31.84.135: ICMP echo request, id 24, seq 2, length 64 00:56:39.667940 IP 10.0.7.252 > 172.31.84.135: ICMP echo request, id 24, seq 3, length 64 00:56:40.691936 IP 10.0.7.252 > 172.31.84.135: ICMP echo request, id 24, seq 4, length 64

—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you are subscribed to this thread.Message ID: @.***>

[Crivera2809]

Hello @letoams

Thank you very much for your help,

I've tried ping test from Ip 10.0.7.252 to 172.31.84.135 and I've checked with command “ipsec traffic status" and I see something similar to what you have indicated, I will investigate if the problem is being caused by a NAT rule.

000 Total IPsec connections: loaded 1, active 1 000 000 State Information: DDoS cookies not required, Accepting new IKE connections 000 IKE SAs: total(2), half-open(0), open(0), authenticated(2), anonymous(0) 000 IPsec SAs: total(2), authenticated(2), anonymous(0) 000 000 #4: "western":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 84804s; newest ISAKMP; lastdpd=2s(seq in:0 out:0); idle; 000 #5: "western":4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 85496s; lastdpd=2s(seq in:18908 out:0); idle; 000 #6: "western":4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 27896s; isakmp#5; idle; 000 #6: "western" esp.308ed5a@54.86.xx.xx esp.1abe74a2@10.0.7.252 tun.0@54.86.xx.xx tun.0@10.0.7.252 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B 000 #7: "western":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27195s; newest IPSEC; eroute owner; isakmp#4; idle; 000 #7: "western" esp.c003f931@54.86.xx.xx esp.a87b4f9@10.0.7.252 tun.0@54.86.xx.xx tun.0@10.0.7.252 ref=0 refhim=0 Traffic: ESPin=43KB ESPout=50KB! ESPmax=4194303B

Thanks a lot!

Best regards