[strongSwan] Connect strongSwan and Squid on same server

Varun Singh varun.singh at gslab.com
Wed Jan 18 17:33:06 CET 2017


Hi,
I have installed strongSwan and the Squid HTTP proxy on the same Ubuntu
16.04 server and I am trying to connect both. By connect I mean I am
trying to achieve the following:

[VPN Client] <------> [VPN Server] <-> [Squid] <------> [Internet]

My objective is to connect a VPN client to the VPN server and use Squid
for filtering out blocked URLs. strongSwan and Squid work fine on
their own. I can access the internet when connected to the VPN server and also
when the HTTP proxy is configured without the VPN.

From what I understand, to achieve what I want, I am supposed to
redirect incoming HTTP traffic from port 80 to Squid's port using iptables. I
enter the following iptables rule:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Once I do this and try to access the internet from a connected VPN client,
I get an error. Pasting a log of /var/log/squid/access.log:


1484738365.632      0 114.143.194.190 TCP_DENIED/403 4066 CONNECT
api-glb-sin.smoot.apple.com:443 - HIER_NONE/- text/html
1484738365.642      0 114.143.194.190 TCP_DENIED/403 4870 GET
http://www.apple.com/ac/globalfooter/2.0/en_US/styles/ac-globalfooter.built.css
- HIER_NONE/- text/html
1484738365.643      0 114.143.194.190 TCP_DENIED/403 4852 GET
http://www.apple.com/ac/globalnav/2.0/en_US/styles/ac-globalnav.built.css
- HIER_NONE/- text/html
1484738365.731      0 114.143.194.190 TCP_DENIED/403 4753 GET
http://www.apple.com/wss/fonts/? - HIER_NONE/- text/html
1484738365.760      0 114.143.194.190 TCP_DENIED/403 4817 GET
http://www.apple.com/metrics/ac-analytics/1.1/scripts/ac-analytics.js
- HIER_NONE/- text/html
1484738367.798      0 114.143.194.190 TCP_DENIED/403 4066 CONNECT
init.itunes.apple.com:443 - HIER_NONE/- text/html
1484738367.922      0 114.143.194.190 TCP_DENIED/403 4334 GET
http://www.apple.com/apple-touch-icon-76x76-precomposed.png -
HIER_NONE/- text/html
1484738367.963      0 114.143.194.190 TCP_DENIED/403 4025 CONNECT
gsp10-ssl.apple.com:443 - HIER_NONE/- text/html
1484738368.036      0 114.143.194.190 TCP_DENIED/403 4298 GET
http://www.apple.com/apple-touch-icon-76x76.png - HIER_NONE/-
text/html
1484738368.148      0 114.143.194.190 TCP_DENIED/403 4352 GET
http://www.apple.com/apple-touch-icon.png - HIER_NONE/- text/html
1484738368.255      0 114.143.194.190 TCP_DENIED/403 4352 GET
http://www.apple.com/apple-touch-icon.png - HIER_NONE/- text/html
1484738368.296      0 114.143.194.190 TCP_DENIED/403 4316 GET
http://www.apple.com/apple-touch-icon-precomposed.png - HIER_NONE/-
text/html
1484738368.348      0 114.143.194.190 TCP_DENIED/403 4253 GET
http://www.apple.com/favicon.ico - HIER_NONE/- text/html
1484738376.374      0 114.143.194.190 TCP_DENIED/403 4655 GET
http://www.apple.com/ - HIER_NONE/- text/html
1484738376.456      0 114.143.194.190 TCP_DENIED/403 4711 GET
http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png -
HIER_NONE/- text/html
1484738385.761      0 114.143.194.190 TCP_DENIED/403 4655 GET
http://www.apple.com/ - HIER_NONE/- text/html
1484738385.828      0 114.143.194.190 TCP_DENIED/403 4747 GET
http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png -
HIER_NONE/- text/html
1484738858.272      0 10.99.1.1 TAG_NONE/400 4154 GET
/assets/com_apple_MobileAsset_SafariCloudHistoryConfiguration/com_apple_MobileAsset_SafariCloudHistoryConfiguration.xml
- HIER_NONE/- text/html
1484738858.990      0 10.99.1.1 TAG_NONE/400 4004 GET
/us/shop/bag/status?apikey=SFX9YPYY9PPXCU9KH - HIER_NONE/- text/html
1484738860.362      0 10.99.1.1 TAG_NONE/400 5350 GET
/b/ss/appleglobal,applehome,applestoreww,applestoreamr,applestoreus/1/H.27/s5505031635984?AQB=1&ndh=1&t=18%2F0%2F2017%2016%3A57%3A40%203%20-330&fid=21A4DCCB11396F92-26B205C305B2B2DF&pageName=apple%20-%20index%2Ftab%20%28us%29&g=http%3A%2F%2Fwww.apple.com%2F&cc=USD&ch=www.us.homepage&server=new%20approach%20ac-analytics&v3=aos%3A%20us&c4=D%3Dg&c5=ipad&c9=ios%209.3.5&c19=aos%3A%20us%3A%20apple%20-%20index%2Ftab%20%28us%29&c20=aos%3A%20us&c25=direct%20entry&c48=4&c49=D%3D2C39962A85032063-4000118780008FDC&v54=http%3A%2F%2Fwww.apple.com%2F&h1=www.us.homepage&s=768x1024&c=32&j=1.6&v=N&k=Y&bw=768&bh=960&AQE=1
- HIER_NONE/- text/html
1484739056.258      0 10.99.1.1 TAG_NONE/400 3918 GET / - HIER_NONE/- text/html
1484739056.480      0 10.99.1.1 TCP_DENIED/403 4290 GET
http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png -
HIER_NONE/- text/html
1484739057.106      0 10.99.1.1 TAG_NONE/400 3994 GET
/apple-touch-icon-76x76-precomposed.png - HIER_NONE/- text/html
1484739057.166      0 10.99.1.1 TAG_NONE/400 3970 GET
/apple-touch-icon-76x76.png - HIER_NONE/- text/html
1484739057.211      0 10.99.1.1 TAG_NONE/400 3958 GET
/apple-touch-icon.png - HIER_NONE/- text/html
1484739057.267      0 10.99.1.1 TAG_NONE/400 3958 GET
/apple-touch-icon.png - HIER_NONE/- text/html
1484739057.340      0 10.99.1.1 TAG_NONE/400 3982 GET
/apple-touch-icon-precomposed.png - HIER_NONE/- text/html
1484739057.436      0 10.99.1.1 TAG_NONE/400 3940 GET /favicon.ico -
HIER_NONE/- text/html
1484739060.563      0 10.99.1.1 TAG_NONE/400 3924 GET /bag -
HIER_NONE/- text/html
1484739071.241      0 10.99.1.1 TAG_NONE/400 3918 GET / - HIER_NONE/- text/html
1484739071.439      0 10.99.1.1 TCP_DENIED/403 4290 GET
http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png -
HIER_NONE/- text/html
1484739092.972      0 10.99.1.1 TAG_NONE/400 3918 GET / - HIER_NONE/- text/html
1484739093.151      0 10.99.1.1 TCP_DENIED/403 4621 GET
http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png -
HIER_NONE/- text/html
1484739093.306      0 10.99.1.1 TAG_NONE/400 3994 GET
/apple-touch-icon-76x76-precomposed.png - HIER_NONE/- text/html
1484739093.364      0 10.99.1.1 TAG_NONE/400 3970 GET
/apple-touch-icon-76x76.png - HIER_NONE/- text/html
1484739093.427      0 10.99.1.1 TAG_NONE/400 3958 GET
/apple-touch-icon.png - HIER_NONE/- text/html
1484739093.480      0 10.99.1.1 TAG_NONE/400 3958 GET
/apple-touch-icon.png - HIER_NONE/- text/html
1484739093.529      0 10.99.1.1 TAG_NONE/400 3982 GET
/apple-touch-icon-precomposed.png - HIER_NONE/- text/html
1484739093.578      0 10.99.1.1 TAG_NONE/400 3940 GET /favicon.ico -
HIER_NONE/- text/html
1484741172.545      0 123.240.104.249 TAG_NONE/400 3924 GET / -
HIER_NONE/- text/html
1484742330.250      0 10.99.1.2 TAG_NONE/400 4444 NONE
error:invalid-request - HIER_NONE/- text/html
1484742335.479      0 10.99.1.2 TAG_NONE/400 4220
%E1%89%C5%01%DCd%95A-%D0%16%9B%98%7F7%D3%12%80%F3%BB%A4mm%13%60%B4%E1%B7%D9%C0j%11
- HIER_NONE/- text/html
1484742335.538      0 10.99.1.2 TAG_NONE/400 4234
%BB%E1%89%C5%01%DCd%95A-%D0%16%9B%98%7F7%D3%12%80%F3%BB%A4mm%13%60%B4%E1%B7%D9%C0j%11
- HIER_NONE/- text/html
1484742335.605      0 10.99.1.2 TAG_NONE/400 4444 NONE
error:invalid-request - HIER_NONE/- text/html
1484742335.691      0 10.99.1.2 TAG_NONE/400 4444 NONE
error:invalid-request - HIER_NONE/- text/html
1484742339.640      0 10.99.1.2 TAG_NONE/400 4022
%C6%CF%91Pv%85%82l%DEbD%1F%E0 - HIER_NONE/- text/html
1484742339.697      0 10.99.1.2 TAG_NONE/400 3918 GET / - HIER_NONE/- text/html
1484742339.885      0 10.99.1.2 TCP_DENIED/403 4556 GET
http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png -
HIER_NONE/- text/html
1484742340.105      0 10.99.1.2 TAG_NONE/400 3994 GET
/apple-touch-icon-76x76-precomposed.png - HIER_NONE/- text/html
1484742340.195      0 10.99.1.2 TAG_NONE/400 3970 GET
/apple-touch-icon-76x76.png - HIER_NONE/- text/html
1484742340.258      0 10.99.1.2 TAG_NONE/400 3958 GET
/apple-touch-icon.png - HIER_NONE/- text/html
1484742340.309      0 10.99.1.2 TAG_NONE/400 3958 GET
/apple-touch-icon.png - HIER_NONE/- text/html
1484742340.359      0 10.99.1.2 TAG_NONE/400 3982 GET
/apple-touch-icon-precomposed.png - HIER_NONE/- text/html
1484742340.413      0 10.99.1.2 TAG_NONE/400 3940 GET /favicon.ico -
HIER_NONE/- text/html
1484742378.858      0 10.99.1.2 TAG_NONE/400 4444 NONE
error:invalid-request - HIER_NONE/- text/html
1484742510.612      0 10.99.1.2 TAG_NONE/400 4444 NONE
error:invalid-request - HIER_NONE/- text/html
1484742517.730      0 10.99.1.2 TAG_NONE/400 4444 NONE
error:invalid-request - HIER_NONE/- text/html
1484744550.653      0 10.99.1.2 TAG_NONE/400 4174 GET
/MFYwVKADAgEAME0wSzBJMAkGBSsOAwIaBQAEFHQkFGcGn%2FXgmD9ePhproGUqVBV1BBQBWavn3ToLWaZkY9bPIAdX1ZHnagIQBHT%2BRrNCtgO6lb6fVDjflA%3D%3D
- HIER_NONE/- text/html
1484744597.163      0 10.99.1.1 TAG_NONE/400 4022 GET
/ac/globalnav/2.0/en_US/styles/ac-globalnav.built.css - HIER_NONE/-
text/html
1484744597.361      0 10.99.1.1 TAG_NONE/400 4034 GET
/ac/globalfooter/2.0/en_US/scripts/ac-globalfooter.built.js -
HIER_NONE/- text/html
1484744599.970      0 10.99.1.1 TAG_NONE/400 5352 GET
/b/ss/appleglobal,applehome,applestoreww,applestoreamr,applestoreus/1/H.27/s62860188740305?AQB=1&ndh=1&t=18%2F0%2F2017%2018%3A33%3A19%203%20-330&fid=21A4DCCB11396F92-26B205C305B2B2DF&pageName=apple%20-%20index%2Ftab%20%28us%29&g=http%3A%2F%2Fwww.apple.com%2F&cc=USD&ch=www.us.homepage&server=new%20approach%20ac-analytics&v3=aos%3A%20us&c4=D%3Dg&c5=ipad&c9=ios%209.3.5&c19=aos%3A%20us%3A%20apple%20-%20index%2Ftab%20%28us%29&c20=aos%3A%20us&c25=direct%20entry&c48=2&c49=D%3D2C39962A85032063-4000118780008FDC&v54=http%3A%2F%2Fwww.apple.com%2F&h1=www.us.homepage&s=768x1024&c=32&j=1.6&v=N&k=Y&bw=768&bh=960&AQE=1
- HIER_NONE/- text/html
1484744606.878      0 10.99.1.1 TAG_NONE/400 4022 GET
/ac/globalnav/2.0/en_US/styles/ac-globalnav.built.css - HIER_NONE/-
text/html
1484744606.879      0 10.99.1.1 TAG_NONE/400 4034 GET
/ac/globalfooter/2.0/en_US/scripts/ac-globalfooter.built.js -
HIER_NONE/- text/html
1484744608.852      0 10.99.1.1 TAG_NONE/400 5352 GET
/b/ss/appleglobal,applehome,applestoreww,applestoreamr,applestoreus/1/H.27/s68294376337435?AQB=1&ndh=1&t=18%2F0%2F2017%2018%3A33%3A28%203%20-330&fid=21A4DCCB11396F92-26B205C305B2B2DF&pageName=apple%20-%20index%2Ftab%20%28us%29&g=http%3A%2F%2Fwww.apple.com%2F&cc=USD&ch=www.us.homepage&server=new%20approach%20ac-analytics&v3=aos%3A%20us&c4=D%3Dg&c5=ipad&c9=ios%209.3.5&c19=aos%3A%20us%3A%20apple%20-%20index%2Ftab%20%28us%29&c20=aos%3A%20us&c25=direct%20entry&c48=3&c49=D%3D2C39962A85032063-4000118780008FDC&v54=http%3A%2F%2Fwww.apple.com%2F&h1=www.us.homepage&s=768x1024&c=32&j=1.6&v=N&k=Y&bw=768&bh=960&AQE=1
- HIER_NONE/- text/html
1484744615.457      0 10.99.1.1 TAG_NONE/400 4022 GET
/ac/globalnav/2.0/en_US/styles/ac-globalnav.built.css - HIER_NONE/-
text/html
1484744615.526      0 10.99.1.1 TAG_NONE/400 4008 GET
/metrics/ac-analytics/1.1/scripts/auto-init.js - HIER_NONE/- text/html
1484744615.587      0 10.99.1.1 TAG_NONE/400 4034 GET
/ac/globalfooter/2.0/en_US/scripts/ac-globalfooter.built.js -
HIER_NONE/- text/html
1484744625.891      0 10.99.1.1 TAG_NONE/400 3952 GET
/retail/geniusbar/ - HIER_NONE/- text/html
1484744626.062      0 10.99.1.1 TCP_MEM_HIT/200 11731 GET
http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png -
HIER_NONE/- image/png
1484744643.114      0 10.99.1.1 TAG_NONE/400 3918 GET / - HIER_NONE/- text/html
1484744643.268      0 10.99.1.1 TCP_MEM_HIT/200 11731 GET
http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png -
HIER_NONE/- image/png
1484746410.764      0 108.189.96.202 TAG_NONE/400 3923 GET / -
HIER_NONE/- text/html
1484751091.543      0 153.142.43.105 TAG_NONE/400 3923 GET / -
HIER_NONE/- text/html


My /etc/squid/squid.conf file has only one change and that is:
http_access allow all



Following is my /etc/ipsec.conf file:
config setup
 strictcrlpolicy=no
 uniqueids = no

conn %default
 mobike=yes
 dpdaction=clear
 dpddelay=35s
 dpdtimeout=200s
 fragmentation=yes

conn iOS-IKEV2
 auto=add
 keyexchange=ike
 eap_identity=%any
 left=%any
 leftsubnet=0.0.0.0/0
 rightsubnet=10.99.1.0/24
 leftauth=psk
 leftid=%any
 right=%any
 rightsourceip=10.99.1.0/24
 rightauth=eap-mschapv2
 rightid=%any

Following are the NAT iptables entries. I get this by entering sudo
iptables -t nat -L:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 3128

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  10.99.1.0/24  anywhere



If any of you have faced this problem before and were able to resolve
it, can you please help me? Thanks.

-- 
Regards,
Varun
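Editor's note: the access.log posted above is in Squid's native format (timestamp, elapsed, client, code/status, bytes, method, URL, ident, hierarchy/peer, type), and its entries fall into a few recognisable groups: 400s whose "URL" is a bare path such as `/` or `/favicon.ico` from the 10.99.1.x clients, 400s whose request line is percent-encoded binary, 403s for Squid's own error-page icon, and requests from addresses outside the VPN pool. The script below is an added example, not part of the original post and not code from the strongSwan or Squid projects. It parses that format and counts each group so the log can be read at a glance. Assumptions: the VPN pool 10.99.1.0/24 is taken from `rightsourceip` in the posted ipsec.conf; the sample log lines are constructed to mirror the posted format (public addresses use RFC 5737 documentation ranges); the category names are the editor's own.

```python
"""Triage Squid access.log entries from a transparent-proxy-behind-VPN setup.

Squid's default (native) log format is:
    timestamp elapsed client code/status bytes method URL ident hierarchy/peer type
"""
import ipaddress
from collections import Counter
from typing import Iterable, NamedTuple, Optional

# Assumption: the client pool is the rightsourceip from the posted ipsec.conf.
VPN_POOL = ipaddress.ip_network("10.99.1.0/24")
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "CONNECT", "TRACE", "PATCH"}


class Entry(NamedTuple):
    ts: float
    client: str
    status: int
    method: str
    url: str


def parse_line(line: str) -> Optional[Entry]:
    """Split one native-format line. Returns None if the field count is off.

    A normal entry has 10 fields. When Squid could not split the request line
    into method and URL (raw bytes hit the port), it logs 9 fields and the
    method column carries the percent-encoded garbage; url is recorded as "-".
    """
    f = line.split()
    if len(f) not in (9, 10):
        return None
    status = int(f[3].rsplit("/", 1)[1])
    url = f[6] if len(f) == 10 else "-"
    return Entry(float(f[0]), f[2], status, f[5], url)


def classify(e: Entry) -> str:
    """Name the condition an entry most likely indicates (category names are mine)."""
    if "squid-internal-static" in e.url:
        return "squid_internal"  # icon for Squid's own error page, noise
    try:
        inside_pool = ipaddress.ip_address(e.client) in VPN_POOL
    except ValueError:  # a hostname was logged instead of an address
        inside_pool = False
    if not inside_pool:
        return "external_client"  # a host outside the VPN pool reached the proxy directly
    if e.method not in HTTP_METHODS or e.url in ("-", "error:invalid-request"):
        return "non_http_on_port_80"  # redirected bytes that were not an HTTP request line
    if e.url.startswith("/") and e.status == 400:
        # Relative URL with 400: the browser sent an origin-form request (it does
        # not know a proxy is involved) and it landed on an http_port without the
        # 'intercept' flag, so Squid rejected it as an invalid proxy URL.
        return "relative_url_400"
    return "explicit_proxy_request"  # absolute URL or CONNECT from a VPN client


def triage(lines: Iterable[str]) -> Counter:
    """Count entries per category; unparseable lines are counted separately."""
    counts: Counter = Counter()
    for line in lines:
        if not line.strip():
            continue
        e = parse_line(line)
        counts[classify(e) if e else "unparsed"] += 1
    return counts


# Constructed sample in the posted format (not copied from the post; public
# addresses are from the RFC 5737 documentation ranges).
SAMPLE_LOG = """\
1484738365.632      0 198.51.100.7 TCP_DENIED/403 4066 CONNECT api.example.com:443 - HIER_NONE/- text/html
1484739056.258      0 10.99.1.1 TAG_NONE/400 3918 GET / - HIER_NONE/- text/html
1484739056.480      0 10.99.1.1 TCP_DENIED/403 4290 GET http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
1484739057.106      0 10.99.1.1 TAG_NONE/400 3994 GET /apple-touch-icon.png - HIER_NONE/- text/html
1484742330.250      0 10.99.1.2 TAG_NONE/400 4444 NONE error:invalid-request - HIER_NONE/- text/html
1484742335.479      0 10.99.1.2 TAG_NONE/400 4220 %E1%89%C5%01%DC - HIER_NONE/- text/html
1484741172.545      0 203.0.113.9 TAG_NONE/400 3924 GET / - HIER_NONE/- text/html
1484742400.000      0 10.99.1.2 TCP_MISS/200 5120 GET http://www.example.com/ - HIER_DIRECT/198.51.100.20 text/html
"""

if __name__ == "__main__":
    for category, n in sorted(triage(SAMPLE_LOG.splitlines()).items()):
        print(f"{n:4d}  {category}")
```

Reading the counts: a non-zero `relative_url_400` means redirected traffic is reaching an http_port that was not declared with the `intercept` option; Squid expects intercepted traffic on its own port, separate from the explicit-proxy port 3128, so the REDIRECT's `--to-port` should point at a dedicated `http_port <port> intercept` line (the port number is a local choice). `external_client` counts hosts outside the VPN pool talking to the proxy; with `http_access allow all` every host that can reach port 3128 is a permitted client, so an `acl` on `src 10.99.1.0/24` should replace `allow all`, and the nat rule is better scoped with `-s 10.99.1.0/24` than with `-i eth0` alone. `non_http_on_port_80` is whatever non-HTTP the clients sent to TCP/80; a REDIRECT into an http_port can only ever handle plain HTTP, and nothing on port 443 is touched by this rule at all.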

