StrongSwan VPN Tunnel Established but No Traffic Routing: Linux EC2 to Cisco Concentrator


7 views

When examining the VPN connection between the EC2 instance (172.x.x.x) and Cisco concentrator (62.x.x.x), the tunnel shows as established in ipsec statusall. However, traffic isn't flowing between the local subnet (10.254.0.0/16) and remote network (10.192.0.0/12). The XFRM policies appear correct but packets aren't traversing the tunnel.

The Amazon EC2 environment requires special routing considerations. First verify the route tables:

# Check existing routes
ip route show table all
# Verify route for remote subnet
ip route get 10.192.1.1 from 10.254.5.174

Even with empty iptables, EC2's underlying network layer performs filtering. These rules are essential:

# Allow ESP and IKE traffic
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT

# NAT for the tunnel
iptables -t nat -A POSTROUTING -s 10.254.0.0/16 -d 10.192.0.0/12 -j MASQUERADE

# Forwarding rules
iptables -A FORWARD -s 10.254.0.0/16 -d 10.192.0.0/12 -j ACCEPT
iptables -A FORWARD -s 10.192.0.0/12 -d 10.254.0.0/16 -j ACCEPT

Amazon's VPC requires source/destination checks to be disabled for VPN gateways:

# Disable source/destination check (EC2 console or CLI)
aws ec2 modify-instance-attribute --instance-id your-instance-id --source-dest-check "{\"Value\": false}"

# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.ip_forward=1

The configuration shows cisco_unity = yes which helps with Cisco compatibility, but additional parameters may be needed in ipsec.conf:

conn myconnection
    ...
    keyexchange = ikev1
    fragmentation = yes
    rekey = no
    reauth = no
    closeaction = restart
    dpddelay = 30s
    dpdtimeout = 150s
    dpdaction = restart

Use these commands to verify packet flow:

# Check tunnel traffic counters
ip -s xfrm state
ip -s tunnel show

# TCPdump for ESP packets
tcpdump -ni eth0 esp
tcpdump -ni eth0 udp port 500 or port 4500

# Debug strongSwan
charon-cmd --log-level 3

After implementing these changes, verify the complete setup:

  1. VPN status shows established phase1 and phase2 SAs
  2. XFRM policies show correct src/dst subnets
  3. Route tables direct traffic through the tunnel interface
  4. Firewall/NAT rules permit forwarding
  5. EC2 instance allows packet forwarding between interfaces

Remember that Amazon VPC security groups must also allow the VPN traffic between the instances.

The VPN tunnel between your EC2 instance (172.x.x.x) and Cisco concentrator (62.x.x.x) is successfully established, as confirmed by ipsec statusall. However, traffic isn't flowing between the local subnet (10.254.0.0/16) and remote subnet (10.192.0.0/12). This typically indicates either routing or packet forwarding issues.

First, verify your routing table with:

ip route show table all
ip rule list

For traffic to flow through the VPN tunnel, you need proper routes pointing to the tunnel interface. The output of ip xfrm policy shows the expected Security Policy Database (SPD) entries, but we need to ensure proper kernel routing.

Add these critical settings to your /etc/sysctl.conf:

net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0

Apply them immediately with:

sysctl -p

Modify your ipsec.conf to include these crucial parameters:

conn myconnection
    # ... existing settings ...
    leftupdown=/usr/local/libexec/ipsec/_updown
    rightupdown=/usr/local/libexec/ipsec/_updown
    installpolicy=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart

To diagnose packet flow, use these commands simultaneously in different terminals:

# Terminal 1: Monitor IKE events
ipsec stroke loglevel ike 4

# Terminal 2: Capture ESP packets
tcpdump -ni eth0 esp

# Terminal 3: Trace route to remote subnet
traceroute -n 10.192.1.1

Even with empty iptables rules, ensure the default policies aren't blocking traffic:

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F

For Amazon EC2 environments, you must disable source/destination checking:

# Using AWS CLI
aws ec2 modify-instance-attribute --instance-id i-1234567890abcdef0 --source-dest-check "{\"Value\": false}"

Create this script (/etc/network/if-up.d/vpn-routes) to maintain routes:

#!/bin/bash
# Add VPN-specific routes
ip route add 10.192.0.0/12 dev eth0 via 172.x.x.x
ip route flush cache

# Enable MASQUERADE if needed
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

For Cisco interoperability, add these to strongswan.conf:

charon {
    cisco_unity = yes
    plugins {
        attr {
            cisco-unity = yes
            dns = 8.8.8.8, 8.8.4.4
        }
    }
}

After implementing all changes, verify with:

ipsec restart
sleep 10
ping -c 4 10.192.1.1
ipsec statusall
ip xfrm state
ip xfrm policy

The complete solution combines proper routing, packet forwarding, EC2-specific configurations, and Cisco compatibility settings to ensure full connectivity through your StrongSwan VPN tunnel.