<div dir="ltr">Hi<div><br></div><div>If i after reboot restart strongswan and the tunnel the iptables looks ok, but packages are still sent over the internet.</div><div><br></div><div>Is there anything in the kernel configuration i have to check ?</div>
<div><br></div><div>When i look at <a href="http://www.strongswan.org/uml/testresults4/ikev1/net2net-psk/">http://www.strongswan.org/uml/testresults4/ikev1/net2net-psk/</a> there is nothing i in ip route list table 220</div>
<div><br></div><div><div>root@b3:~# ipsec restart</div><div>Stopping strongSwan IPsec...</div><div>Starting strongSwan 4.4.1 IPsec [starter]...</div><div>root@b3:~# iptables -L -v</div><div>Chain INPUT (policy DROP 3 packets, 120 bytes)</div>
<div> pkts bytes target prot opt in out source destination</div><div> 0 0 REJECT tcp -- any any anywhere anywhere tcp flags:SYN,ACK/SYN,ACK state NEW reject-with tcp-reset</div>
<div> 1 51 DROP tcp -- any any anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW</div><div> 9 1042 ACCEPT all -- eth0 any anywhere anywhere state RELATED,ESTABLISHED</div>
<div> 54 3995 ACCEPT all -- br0 any anywhere anywhere</div><div> 0 0 ACCEPT all -- lo any anywhere anywhere</div><div> 0 0 ACCEPT icmp -- eth0 any anywhere anywhere icmp time-exceeded</div>
<div> 0 0 ACCEPT icmp -- any any anywhere anywhere icmp fragmentation-needed</div><div> 0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:ssh</div>
<div> 0 0 ACCEPT udp -- eth0 any anywhere anywhere udp dpt:isakmp</div><div> 0 0 ACCEPT esp -- eth0 any anywhere anywhere</div><div><br></div><div>Chain FORWARD (policy DROP 0 packets, 0 bytes)</div>
<div> pkts bytes target prot opt in out source destination</div><div> 18 8743 ACCEPT all -- br0 any anywhere anywhere</div><div> 17 1021 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED</div>
<div> 0 0 ACCEPT icmp -- any any anywhere anywhere icmp fragmentation-needed</div><div><br></div><div>Chain OUTPUT (policy ACCEPT 65 packets, 8742 bytes)</div><div> pkts bytes target prot opt in out source destination</div>
<div> 0 0 ACCEPT esp -- any eth0 anywhere anywhere</div><div>root@b3:~# ipsec up net-net</div><div>002 "net-net" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}</div>
<div>112 "net-net" #3: STATE_QUICK_I1: initiate</div><div>002 "net-net" #3: sent QI2, IPsec SA established {ESP=>0xbc2b2ba9 <0xceebf6e2}</div><div>004 "net-net" #3: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xbc2b2ba9 <0xceebf6e2}</div>
<div>root@b3:~# iptables -L -v</div><div>Chain INPUT (policy DROP 0 packets, 0 bytes)</div><div> pkts bytes target prot opt in out source destination</div><div> 0 0 ACCEPT all -- eth0 any <a href="http://192.168.3.0/24">192.168.3.0/24</a> <a href="http://192.168.10.0/24">192.168.10.0/24</a> policy match dir in pol ipsec reqid 16385 proto esp</div>
<div> 0 0 REJECT tcp -- any any anywhere anywhere tcp flags:SYN,ACK/SYN,ACK state NEW reject-with tcp-reset</div><div> 1 51 DROP tcp -- any any anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW</div>
<div> 33 5847 ACCEPT all -- eth0 any anywhere anywhere state RELATED,ESTABLISHED</div><div> 86 5963 ACCEPT all -- br0 any anywhere anywhere</div><div> 0 0 ACCEPT all -- lo any anywhere anywhere</div>
<div> 0 0 ACCEPT icmp -- eth0 any anywhere anywhere icmp time-exceeded</div><div> 0 0 ACCEPT icmp -- any any anywhere anywhere icmp fragmentation-needed</div>
<div> 0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:ssh</div><div> 0 0 ACCEPT udp -- eth0 any anywhere anywhere udp dpt:isakmp</div>
<div> 0 0 ACCEPT esp -- eth0 any anywhere anywhere</div><div><br></div><div>Chain FORWARD (policy DROP 0 packets, 0 bytes)</div><div> pkts bytes target prot opt in out source destination</div>
<div> 0 0 ACCEPT all -- eth0 any <a href="http://192.168.3.0/24">192.168.3.0/24</a> <a href="http://192.168.10.0/24">192.168.10.0/24</a> policy match dir in pol ipsec reqid 16385 proto esp</div>
<div> 0 0 ACCEPT all -- any eth0 <a href="http://192.168.10.0/24">192.168.10.0/24</a> <a href="http://192.168.3.0/24">192.168.3.0/24</a> policy match dir out pol ipsec reqid 16385 proto esp</div>
<div> 21 8890 ACCEPT all -- br0 any anywhere anywhere</div><div> 21 1263 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED</div><div> 0 0 ACCEPT icmp -- any any anywhere anywhere icmp fragmentation-needed</div>
<div><br></div><div>Chain OUTPUT (policy ACCEPT 22 packets, 3238 bytes)</div><div> pkts bytes target prot opt in out source destination</div><div> 0 0 ACCEPT all -- any eth0 <a href="http://192.168.10.0/24">192.168.10.0/24</a> <a href="http://192.168.3.0/24">192.168.3.0/24</a> policy match dir out pol ipsec reqid 16385 proto esp</div>
<div> 0 0 ACCEPT esp -- any eth0 anywhere anywhere</div><div>root@b3:~#</div></div><div><br></div><div><div>traceroute to 192.168.3.1 (192.168.3.1), 30 hops max, 60 byte packets</div><div> 1 10.66.128.234 (10.66.128.234) 32.228 ms 53.222 ms 53.485 ms</div>
<div> 2 10.66.128.237 (10.66.128.237) 53.873 ms 54.093 ms 54.477 ms</div><div> 3 172.18.4.78 (172.18.4.78) 71.604 ms 172.18.4.82 (172.18.4.82) 54.282 ms 172.18.4.62 (172.18.4.62) 54.174 ms</div><div> 4 172.18.72.66 (172.18.72.66) 53.930 ms 172.18.72.90 (172.18.72.90) 53.910 ms 172.18.72.98 (172.18.72.98) 53.802 ms</div>
<div> 5 172.18.8.109 (172.18.8.109) 53.800 ms 172.18.8.105 (172.18.8.105) 53.742 ms 172.18.8.158 (172.18.8.158) 53.439 ms^C</div></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">
2014/1/4 Ali Masoudi <span dir="ltr"><<a href="mailto:masoudi1983@gmail.com" target="_blank">masoudi1983@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Hi<div><br></div><div>Did you disable "add routes" in strongswan.conf?</div><div>By Default, Strongswan adds required route in table 220.</div><div><br></div><div>If you disabled routing in SW, You have to route traffic to <a href="http://192.168.3.0/24" target="_blank">192.168.3.0/24</a> via 109.56.142.204 interface to <a href="tel:5.103.136.156" value="+15103136156" target="_blank">5.103.136.156</a>.</div>
<div><br></div><div>Best wishes</div><div>Ali</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote"><div><div class="h5">On Fri, Jan 3, 2014 at 12:02 PM, Svend Høst <span dir="ltr"><<a href="mailto:svend@hoest.nu" target="_blank">svend@hoest.nu</a>></span> wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div dir="ltr">Hi<div><br></div><div>I'm having troubles getting packages routed over the tunnel. It seems like that the iptables rules are somewhat purged, they reenter if i rebuild the tunnel. but that dosn't help the routing issue.</div>
<div><br></div><div>traceroute to 192.168.3.1 (192.168.3.1), 30 hops max, 60 byte packets<br></div><div><div> 1 10.66.55.18 (10.66.55.18) 43.438 ms 53.529 ms 53.742 ms</div><div> 2 10.66.55.17 (10.66.55.17) 53.857 ms 63.536 ms 63.482 ms^C</div>
</div><div><br></div><div>root@b3:~# ipsec version<br></div><div><div><div>Linux strongSwan U4.4.1/K2.6.39.4-11</div><div>Institute for Internet Technologies and Applications</div><div>University of Applied Sciences Rapperswil, Switzerland</div>
<div>See 'ipsec --copyright' for copyright information.</div><div><br></div><div>root@b3:~# ipsec status net-net</div><div>000 "net-net": <a href="http://192.168.10.0/24===109.56.142.204%5Bhoest.myownb3.com%5D...5.103.136.156%5B192.168.3.1%5D===192.168.3.0/24" target="_blank">192.168.10.0/24===109.56.142.204[hoest.myownb3.com]...5.103.136.156[192.168.3.1]===192.168.3.0/24</a>; erouted; eroute owner: #4</div>
<div>000 "net-net": newest ISAKMP SA: #3; newest IPsec SA: #4;</div><div>000</div><div>000 #4: "net-net" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2246s; newest IPSEC; eroute owner</div>
<div>000 #4: "net-net" <a href="mailto:esp.f755325f@5.103.136.156" target="_blank">esp.f755325f@5.103.136.156</a> (0 bytes) <a href="mailto:esp.2c39870c@109.56.142.204" target="_blank">esp.2c39870c@109.56.142.204</a> (0 bytes); tunnel</div>
<div>
000 #3: "net-net" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2164s; newest ISAKMP</div><div>000</div><div><br></div><div>root@b3:~# iptables -L -v</div><div>Chain INPUT (policy DROP 0 packets, 0 bytes)</div>
<div> pkts bytes target prot opt in out source destination</div><div> 0 0 REJECT tcp -- any any anywhere anywhere tcp flags:SYN,ACK/SYN,ACK state NEW reject-with tcp-reset</div>
<div> 0 0 DROP tcp -- any any anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW</div><div> 93 6801 ACCEPT all -- eth0 any anywhere anywhere state RELATED,ESTABLISHED</div>
<div> 0 0 ACCEPT all -- br0 any anywhere anywhere</div><div> 0 0 ACCEPT all -- lo any anywhere anywhere</div><div> 0 0 ACCEPT icmp -- eth0 any anywhere anywhere icmp time-exceeded</div>
<div> 0 0 ACCEPT icmp -- any any anywhere anywhere icmp fragmentation-needed</div><div> 0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:ssh</div>
<div> 0 0 ACCEPT udp -- eth0 any anywhere anywhere udp dpt:isakmp</div><div> 0 0 ACCEPT esp -- eth0 any anywhere anywhere</div><div><br></div><div>
Chain FORWARD (policy DROP 0 packets, 0 bytes)</div>
<div> pkts bytes target prot opt in out source destination</div><div> 0 0 ACCEPT all -- br0 any anywhere anywhere</div><div> 0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED</div>
<div> 0 0 ACCEPT icmp -- any any anywhere anywhere icmp fragmentation-needed</div><div><br></div><div>Chain OUTPUT (policy ACCEPT 93 packets, 13864 bytes)</div><div> pkts bytes target prot opt in out source destination</div>
<div> 0 0 ACCEPT esp -- any eth0 anywhere anywhere</div><div>root@b3:~#</div></div><div><br></div></div><div><br></div><div><br></div><div>Any thoughts ?</div><div><br></div><div>Wkr. </div>
<span><font color="#888888">
<div>Svend</div></font></span></div>
<br></div></div>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.strongswan.org" target="_blank">Users@lists.strongswan.org</a><br>
<a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br></blockquote></div><br></div>
</blockquote></div><br></div>