VMware NSX

  • 1.  IPSec VPN Routing issues

    Posted Jun 06, 2016 05:26 PM

    Hi team ,

    Any good pointers on TS IPSec VPN tunnels ?

    I seem to have no visible issues at the NSX end of the tunnel by the looks of it (peering with an OpenSwan instance at AWS):

    edg-perimeter-0> show service ipsec site


    Site: 62.213.196.68_10.10.0.0/16-52.18.144.144_10.0.0.0/24

    |  ISAKMP SA #1, peerip 52.18.144.144<52.18.144.144>, STATE_MAIN_I4, UP

    |  ike_life: 28800s; ipsec_life: 3600s;

    |  rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0

    |  dpd: action:restart; delay:30; timeout:120;

    |  IKE algorithm newest: AES_CBC_128-SHA1-MODP1536

    |  securelocaltrafficbyip: 10.10.30.1

    |  ike_expire: 27002s

       +->Tunnel 1x1: 192.168.0.0/24 <-> 10.0.0.0/24, UP

       |  IPSec SA #5, STATE_QUICK_I2; IKE #1; eOwner #5

       |  Out spi: 0xc32776dd, in spi: 0xf0d2ccda

       |  ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=MODP1536

       +->Tunnel 1x2: 192.168.0.0/24 <-> 10.0.1.0/24, UP

       |  IPSec SA #6, STATE_QUICK_I2; IKE #1; eOwner #6

       |  Out spi: 0xd14fe284, in spi: 0x36a85e69

       |  ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=MODP1536

       +->Tunnel 1x3: 192.168.0.0/24 <-> 10.0.2.0/24, UP

       |  IPSec SA #7, STATE_QUICK_I2; IKE #1; eOwner #7

       |  Out spi: 0x9c0ad833, in spi: 0x8310c82b

       |  ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=MODP1536

       +->Tunnel 2x1: 10.10.0.0/16 <-> 10.0.0.0/24, UP

       |  IPSec SA #8, STATE_QUICK_I2; IKE #1; eOwner #8

       |  Out spi: 0x2088d83b, in spi: 0x4b09b81b

       |  ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=MODP1536

       +->Tunnel 2x2: 10.10.0.0/16 <-> 10.0.1.0/24, UP

       |  IPSec SA #9, STATE_QUICK_I2; IKE #1; eOwner #9

       |  Out spi: 0xbab73316, in spi: 0xe13521c6

       |  ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=MODP1536

       +->Tunnel 2x3: 10.10.0.0/16 <-> 10.0.2.0/24, UP

       |  IPSec SA #10, STATE_QUICK_I2; IKE #1; eOwner #10

       |  Out spi: 0x8c395c08, in spi: 0x6dd9f43e

       |  ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=MODP1536

    Yet I am unable to ping any of the remote end-points.

    I understand that this Edge will know where to forward packets destined to 10.0.0.0/24, 10.0.1.0/24 and 10.0.2.0/24, and I will have to engage in some OpenSwan TS at the far end to validate that part of the equation. Nonetheless, it would be good to actually validate at the ESG level that we "capture" all interesting traffic to be forwarded to the peer.

    I do understand that downstream routing instances (say DLRs or downstream ESGs) will need to be told explicitly that the next hop for 0.0.0.0/24, 10.0.1.0/24 and 10.0.2.0/24 is at the top-level ESG where we run the IPSec tunnels.

    Kind regards and thanks in advance -

    Rik



  • 2.  RE: IPSec VPN Routing issues

    Posted Jun 06, 2016 05:58 PM

    Some additional details, nothing visibly wrong here... to my knowledge at least (note that I ping 10.0.0.6 from subnet 10.10.13.219):

    edg-perimeter-0> show config ipsec

    -----------------------------------------------------------------------

    vShield Edge IPsec VPN Config:

    {

       "ipsec" : {

          "sites" : [

             {

                "certificate" : null,

                "encryptionAlgorithm" : "aes",

                "enabled" : true,

                "mtu" : null,

                "psk" : "****",

                "extension" : null,

                "peerSubnets" : [

                   "10.0.0.0/24",

                   "10.0.1.0/24",

                   "10.0.2.0/24"

                ],

                "peerIp" : "52.18.144.144",

                "name" : "aws",

                "description" : null,

                "localSubnets" : [

                   "192.168.0.0/24",

                   "10.10.0.0/16"

                ],

                "dhGroup" : "dh5",

                "peerId" : "52.18.144.144",

                "enablePfs" : true,

                "localIp" : "62.213.196.68",

                "authenticationMode" : "psk",

                "localId" : "62.213.196.68"

             }

          ],

          "enable" : true,

          "logging" : {

             "enable" : false,

             "logLevel" : "info"

          },

          "global" : {

             "extension" : null,

             "crlCertificates" : [],

             "serviceCertificate" : "certificate-58",

             "pskForDynamicIp" : null,

             "id" : null,

             "caCertificates" : []

          },

          "disableEvent" : false


       }

    }


    edg-perimeter-0>   show service ipsec sp

    src 192.168.0.0/24[any]  ---> dst 10.0.2.0/24[any] 255

            out prio high + 1073739480 ipsec

            esp/tunnel/62.213.196.68-52.18.144.144/unique#16393

            created: Jun  6 17:31:57 2016  lastused:

            lifetime: 0(s) validtime: 0(s)

            spid=769 seq=1 pid=22126

            refcnt=1

    src 10.10.0.0/16[any]  ---> dst 10.0.0.0/24[any] 255

            out prio high + 1073739224 ipsec

            esp/tunnel/62.213.196.68-52.18.144.144/unique#16397

            created: Jun  6 17:30:29 2016  lastused: Jun  6 17:52:31 2016

            lifetime: 0(s) validtime: 0(s)

            spid=777 seq=2 pid=22126

            refcnt=2

    src 10.10.0.0/16[any]  ---> dst 10.0.2.0/24[any] 255

            out prio high + 1073739224 ipsec

            esp/tunnel/62.213.196.68-52.18.144.144/unique#16405

            created: Jun  6 17:29:54 2016  lastused:

            lifetime: 0(s) validtime: 0(s)

            spid=793 seq=3 pid=22126

            refcnt=1

    src 10.10.0.0/16[any]  ---> dst 10.0.1.0/24[any] 255

            out prio high + 1073739224 ipsec

            esp/tunnel/62.213.196.68-52.18.144.144/unique#16401

            created: Jun  6 17:28:56 2016  lastused:

            lifetime: 0(s) validtime: 0(s)

            spid=785 seq=4 pid=22126

            refcnt=1

    src 192.168.0.0/24[any]  ---> dst 10.0.1.0/24[any] 255

            out prio high + 1073739480 ipsec

            esp/tunnel/62.213.196.68-52.18.144.144/unique#16389

            created: Jun  6 17:27:09 2016  lastused:

            lifetime: 0(s) validtime: 0(s)

            spid=761 seq=5 pid=22126

            refcnt=1

    src 192.168.0.0/24[any]  ---> dst 10.0.0.0/24[any] 255

            out prio high + 1073739480 ipsec

            esp/tunnel/62.213.196.68-52.18.144.144/unique#16385

            created: Jun  6 17:26:48 2016  lastused:

            lifetime: 0(s) validtime: 0(s)

            spid=753 seq=6 pid=22126

            refcnt=1

    src 10.0.2.0/24[any]  ---> dst 192.168.0.0/24[any] 255

            fwd prio high + 1073739480 ipsec

            esp/tunnel/52.18.144.144-62.213.196.68/unique#16393

            created: Jun  6 16:41:33 2016  lastused:

            lifetime: 0(s) validtime: 0(s)

            spid=890 seq=7 pid=22126

            refcnt=1

    src 10.0.2.0/24[any]  ---> dst 192.168.0.0/24[any] 255

            in prio high + 1073739480 ipsec

            esp/tunnel/52.18.144.144-62.213.196.68/unique#16393

            created: Jun  6 16:41:33 2016  lastused:

            lifetime: 0(s) validtime: 0(s)

            spid=880 seq=8 pid=22126

            refcnt=1

    src 10.0.0.0/24[any]  ---> dst 10.10.0.0/16[any] 255

            fwd prio high + 1073739224 ipsec

            esp/tunnel/52.18.144.144-62.213.196.68/unique#16397

            created: Jun  6 16:41:13 2016  lastused:

            lifetime: 0(s) validtime: 0(s)

            spid=874 seq=9 pid=22126

            refcnt=1

    src 10.0.0.0/24[any]  ---> dst 10.10.0.0/16[any] 255

            in prio high + 1073739224 ipsec

            esp/tunnel/52.18.144.144-62.213.196.68/unique#16397

            created: Jun  6 16:41:13 2016  lastused:

            lifetime: 0(s) validtime: 0(s)

            spid=864 seq=10 pid=22126

            refcnt=1

    src 10.0.1.0/24[any]  ---> dst 10.10.0.0/16[any] 255

            fwd prio high + 1073739224 ipsec

            esp/tunnel/52.18.144.144-62.213.196.68/unique#16401

            created: Jun  6 16:41:13 2016  lastused:

            lifetime: 0(s) validtime: 0(s)

            spid=858 seq=11 pid=22126

            refcnt=1

    src 10.0.1.0/24[any]  ---> dst 10.10.0.0/16[any] 255

            in prio high + 1073739224 ipsec

            esp/tunnel/52.18.144.144-62.213.196.68/unique#16401

            created: Jun  6 16:41:13 2016  lastused:

            lifetime: 0(s) validtime: 0(s)

            spid=848 seq=12 pid=22126

            refcnt=1

    src 10.0.2.0/24[any]  ---> dst 10.10.0.0/16[any] 255

            fwd prio high + 1073739224 ipsec

            esp/tunnel/52.18.144.144-62.213.196.68/unique#16405

            created: Jun  6 16:41:04 2016  lastused:

            lifetime: 0(s) validtime: 0(s)

            spid=842 seq=13 pid=22126

            refcnt=1

    src 10.0.2.0/24[any]  ---> dst 10.10.0.0/16[any] 255

            in prio high + 1073739224 ipsec

            esp/tunnel/52.18.144.144-62.213.196.68/unique#16405

            created: Jun  6 16:41:04 2016  lastused:

            lifetime: 0(s) validtime: 0(s)

            spid=832 seq=14 pid=22126

            refcnt=1

    src 10.0.1.0/24[any]  ---> dst 192.168.0.0/24[any] 255

            fwd prio high + 1073739480 ipsec

            esp/tunnel/52.18.144.144-62.213.196.68/unique#16389

            created: Jun  6 16:41:04 2016  lastused:

            lifetime: 0(s) validtime: 0(s)

            spid=826 seq=15 pid=22126

            refcnt=1

    src 10.0.1.0/24[any]  ---> dst 192.168.0.0/24[any] 255

            in prio high + 1073739480 ipsec

            esp/tunnel/52.18.144.144-62.213.196.68/unique#16389

            created: Jun  6 16:41:04 2016  lastused:

            lifetime: 0(s) validtime: 0(s)

            spid=816 seq=16 pid=22126

            refcnt=1

    src 10.0.0.0/24[any]  ---> dst 192.168.0.0/24[any] 255

            fwd prio high + 1073739480 ipsec

            esp/tunnel/52.18.144.144-62.213.196.68/unique#16385

            created: Jun  6 16:41:03 2016  lastused:

            lifetime: 0(s) validtime: 0(s)

            spid=810 seq=17 pid=22126

            refcnt=1

    src 10.0.0.0/24[any]  ---> dst 192.168.0.0/24[any] 255

            in prio high + 1073739480 ipsec

            esp/tunnel/52.18.144.144-62.213.196.68/unique#16385

            created: Jun  6 16:41:03 2016  lastused:

            lifetime: 0(s) validtime: 0(s)

            spid=800 seq=18 pid=22126

            refcnt=1

    edg-perimeter-0>

    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    src 10.10.0.0/16[any]  ---> dst 10.0.0.0/24[any] 255

            out prio high + 1073739224 ipsec

            esp/tunnel/62.213.196.68-52.18.144.144/unique#16397

            created: Jun  6 17:30:29 2016  lastused: Jun  6 17:56:31 2016

            lifetime: 0(s) validtime: 0(s)

            spid=777 seq=2 pid=23134

            refcnt=2
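    One way to do the "capture" check asked for in post 1 against the `show service ipsec sp` output above, as an added Python example that is not part of this thread: it parses the policy entries, finds the most specific outbound policy covering a source/destination pair, and reports whether the Edge has stamped `lastused` on it, which is exactly what the highlighted entry shows for the 10.10.13.219 -> 10.0.0.6 pings. The sample input is constructed in the same layout (peer addresses are documentation IPs, the esp/tunnel and spid lines are omitted).

```python
import ipaddress
import re

# Constructed sample in the layout of "show service ipsec sp" on an NSX Edge
# (not the post's output); peer addresses are documentation IPs, esp lines dropped.
SAMPLE_SP = """\
src 10.10.0.0/16[any]  ---> dst 10.0.0.0/24[any] 255
        out prio high + 1073739224 ipsec
        created: Jun  6 17:30:29 2016  lastused: Jun  6 17:56:31 2016
src 10.10.0.0/16[any]  ---> dst 10.0.1.0/24[any] 255
        out prio high + 1073739224 ipsec
        created: Jun  6 17:28:56 2016  lastused:
src 10.0.0.0/24[any]  ---> dst 10.10.0.0/16[any] 255
        in prio high + 1073739224 ipsec
        created: Jun  6 16:41:13 2016  lastused:
"""
HEADER = re.compile(r"^src (\S+)\[any\]\s+---> dst (\S+)\[any\]")
DIRECTION = re.compile(r"^\s+(out|in|fwd) prio ")
LASTUSED = re.compile(r"lastused:\s*(.*)$")

def parse_sp(text):
    """One dict per security-policy entry: src/dst networks, direction, lastused."""
    entries = []
    for line in text.splitlines():
        if m := HEADER.match(line):
            entries.append({"src": ipaddress.ip_network(m.group(1)),
                            "dst": ipaddress.ip_network(m.group(2)),
                            "dir": None, "lastused": None})
        elif entries and (m := DIRECTION.match(line)):
            entries[-1]["dir"] = m.group(1)
        elif entries and (m := LASTUSED.search(line)):
            entries[-1]["lastused"] = m.group(1).strip() or None  # empty -> never hit
    return entries

def outbound_policy(entries, src_ip, dst_ip):
    """Most specific 'out' policy covering src_ip -> dst_ip, or None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = [e for e in entries
            if e["dir"] == "out" and src in e["src"] and dst in e["dst"]]
    return max(hits, key=lambda e: e["src"].prefixlen + e["dst"].prefixlen) if hits else None

def capture_status(text, src_ip, dst_ip):
    """'no policy': not interesting traffic, follows plain routing;
    'never used': a policy covers it but nothing has hit it; 'captured': lastused stamped."""
    pol = outbound_policy(parse_sp(text), src_ip, dst_ip)
    if pol is None:
        return "no policy"
    return "captured" if pol["lastused"] else "never used"
```

    A "captured" result moves the investigation to the far end (peer policy, firewall, logs), while "no policy" or "never used" points at routing or policy definition on the Edge itself.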



  • 3.  RE: IPSec VPN Routing issues

    Posted Jun 22, 2016 07:21 PM

    It looks like your tunnel is up via phase 1 and phase 2. Have you verified your firewall rules are permitting this ingress/egress traffic on both ends?



  • 4.  RE: IPSec VPN Routing issues

    Posted Jun 28, 2016 06:45 PM

    Thx for the suggestion. Yes, the FW rules at our end and the SecGroup at the AWS side were both fine; it turned out that someone spoiled the OpenSwan config at the far end. Guess next time I need to verify the actual log files.

    thx

    /r