<div dir="ltr"><div>Hi Noel,</div><div><br></div><div><span style="color:rgb(0,0,0);white-space:pre-wrap">I tried it the way you said without success. </span>My new iptables rules are listed below.</div><div><br></div><div>It looks like the vpn traffic bypass the netfilter completly? Is there a system switch to turn filtering on?</div><div><br></div><div><span style="color:rgb(0,0,0);white-space:pre-wrap">Kind Regards,</span></div><div><span style="color:rgb(0,0,0);white-space:pre-wrap">Chris</span></div><div><br></div><div><div># iptables -L -v -t nat</div><div>Chain PREROUTING (policy ACCEPT 1449 packets, 84732 bytes)</div><div> pkts bytes target prot opt in out source destination </div><div><br></div><div>Chain INPUT (policy ACCEPT 1426 packets, 81339 bytes)</div><div> pkts bytes target prot opt in out source destination </div><div><br></div><div>Chain OUTPUT (policy ACCEPT 1302 packets, 92190 bytes)</div><div> pkts bytes target prot opt in out source destination </div><div><br></div><div>Chain POSTROUTING (policy ACCEPT 1302 packets, 92190 bytes)</div><div> pkts bytes target prot opt in out source destination </div><div> 0 0 MASQUERADE all -- any eth0 anywhere anywhere policy match dir out pol ipsec</div></div></div><div class="gmail_extra"><br><div class="gmail_quote">2015-04-29 7:51 GMT+02:00 Noel Kuntze <span dir="ltr"><<a href="mailto:noel@familie-kuntze.de" target="_blank">noel@familie-kuntze.de</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA256<br>
<br>
Hello Chris,<br>
<br>
That is because of this line:<br>
<br>
0 0 ACCEPT all -- any eth0 anywhere !<a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> policy match dir out pol ipsec<br>
<br>
I advise adjusting your MASQUERADE rule instead to except traffic with a matching IPsec policy from NAT.<br>
<br>
Mit freundlichen Grüßen/Kind Regards,<br>
Noel Kuntze<br>
<br>
GPG Key ID: 0x63EC6658<br>
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br>
<br>
Am 27.04.2015 um 18:26 schrieb <a href="mailto:ch%2Bstrongswan@henniger.info">ch+strongswan@henniger.info</a>:<br>
> Hello,<br>
><br>
> Hoping someone can help me:<br>
><br>
> With the following LAN-LAN Setup<br>
> Server <a href="http://10.2.0.0/24" target="_blank">10.2.0.0/24</a> <<a href="http://10.2.0.0/24" target="_blank">http://10.2.0.0/24</a>> - 1.1.1.1 --- 2.2.2.2 - <a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> Client<br>
><br>
> I try to route the whole traffic from client through the server with masqueraded traffic to the public net.<br>
><br>
> tcpdump on server shows the traffic is routed but not masquerade.<br>
> (example from host (10.0.0.110) inside client net to public ip (<a href="http://www.heise.de" target="_blank">www.heise.de</a> <<a href="http://www.heise.de" target="_blank">http://www.heise.de</a>>))<br>
><br>
> 17:45:47.871219 IP 10.0.0.110 > <a href="http://www.heise.de" target="_blank">www.heise.de</a> <<a href="http://www.heise.de" target="_blank">http://www.heise.de</a>>: ICMP echo request, id 20758, seq 6, length 64<br>
><br>
> Thank you in advance for any advice.<br>
><br>
> Chris<br>
><br>
><br>
> My Configuration:<br>
><br>
> Linux vpn 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt9-2 (2015-04-13) x86_64 GNU/Linux<br>
> StrongSwan 5.2.1-6<br>
><br>
> # cat /etc/ipsec.conf<br>
> ---<br>
> config setup<br>
><br>
> conn %default<br>
> ikelifetime=60m<br>
> keylife=20m<br>
> rekeymargin=3m<br>
> keyingtries=1<br>
> authby=secret<br>
> keyexchange=ike<br>
> mobike=no<br>
><br>
> conn divinus<br>
> left=1.1.1.1<br>
> leftsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
> right=%any<br>
> rightsubnet=<a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>><br>
> auto=add<br>
> ---<br>
><br>
><br>
> # ip xfrm policy<br>
> ---<br>
> src <a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> dst <a href="http://10.2.0.0/24" target="_blank">10.2.0.0/24</a> <<a href="http://10.2.0.0/24" target="_blank">http://10.2.0.0/24</a>><br>
> dir fwd priority 2883 ptype main<br>
> tmpl src 2.2.2.2 dst 1.1.1.1<br>
> proto esp reqid 1 mode tunnel<br>
> src <a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> dst <a href="http://10.2.0.0/24" target="_blank">10.2.0.0/24</a> <<a href="http://10.2.0.0/24" target="_blank">http://10.2.0.0/24</a>><br>
> dir in priority 2883 ptype main<br>
> tmpl src 2.2.2.2 dst 1.1.1.1<br>
> proto esp reqid 1 mode tunnel<br>
> src <a href="http://10.2.0.0/24" target="_blank">10.2.0.0/24</a> <<a href="http://10.2.0.0/24" target="_blank">http://10.2.0.0/24</a>> dst <a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>><br>
> dir out priority 2883 ptype main<br>
> tmpl src 1.1.1.1 dst 2.2.2.2<br>
> proto esp reqid 1 mode tunnel<br>
> src <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> dst <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
> socket in priority 0 ptype main<br>
> src <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> dst <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
> socket out priority 0 ptype main<br>
> src <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> dst <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
> socket in priority 0 ptype main<br>
> src <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> dst <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
> socket out priority 0 ptype main<br>
> src ::/0 dst ::/0<br>
> socket in priority 0 ptype main<br>
> src ::/0 dst ::/0<br>
> socket out priority 0 ptype main<br>
> src ::/0 dst ::/0<br>
> socket in priority 0 ptype main<br>
> src ::/0 dst ::/0<br>
> socket out priority 0 ptype main<br>
><br>
><br>
><br>
> # route<br>
> Kernel-IP-Routentabelle<br>
> Ziel Router Genmask Flags Metric Ref Use Iface<br>
> default 1.1.1.1 0.0.0.0 UG 0 0 0 eth0<br>
> 10.2.0.0 * 255.255.255.0 U 0 0 0 eth0<br>
> 1.1.1.0 1.1.1.1 255.255.255.0 UG 0 0 0 eth0<br>
> 1.1.1.0 * 255.255.255.0 U 0 0 0 eth0<br>
><br>
><br>
><br>
> # cat /proc/sys/net/ipv4/ip_forward<br>
> 1<br>
><br>
><br>
><br>
> # iptables -L -v<br>
> ---<br>
> Chain INPUT (policy ACCEPT 9111 packets, 573K bytes)<br>
> pkts bytes target prot opt in out source destination<br>
><br>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)<br>
> pkts bytes target prot opt in out source destination<br>
><br>
> Chain OUTPUT (policy ACCEPT 891 packets, 128K bytes)<br>
> pkts bytes target prot opt in out source destination<br>
> ---<br>
><br>
><br>
> # iptables -t nat -L -v<br>
> ---<br>
> Chain PREROUTING (policy ACCEPT 3705 packets, 221K bytes)<br>
> pkts bytes target prot opt in out source destination<br>
><br>
> Chain INPUT (policy ACCEPT 1596 packets, 89736 bytes)<br>
> pkts bytes target prot opt in out source destination<br>
><br>
> Chain OUTPUT (policy ACCEPT 1700 packets, 120K bytes)<br>
> pkts bytes target prot opt in out source destination<br>
><br>
> Chain POSTROUTING (policy ACCEPT 8 packets, 672 bytes)<br>
> pkts bytes target prot opt in out source destination<br>
> 0 0 ACCEPT all -- any eth0 anywhere !<a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> policy match dir out pol ipsec<br>
> 0 0 LOG all -- any eth0 anywhere !<a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> policy match dir out pol ipsec LOG level warning<br>
> 1709 121K MASQUERADE all -- any eth0 anywhere !<a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>><br>
> ---<br>
><br>
><br>
> _______________________________________________<br>
> Users mailing list<br>
> <a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br>
> <a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br>
<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v2<br>
<br>
iQIcBAEBCAAGBQJVQHFrAAoJEDg5KY9j7GZYHj8P/RibteAQMaxGS0gQYraQaWn4<br>
bdkX0RqAYygZY+okuCMo1LxTgZFcEtTm1bWS4ynTNq19SPSgmsRtyXGkJvH3NFO+<br>
Mrz4ezwr3LWtPRcNrp5twjfZwt/yw+Dk93BgW4CJkCiUVomBshzxY5Q1xvwFS11v<br>
/PTf89VmlJlzC6OL4ur//95Q4A/MPKuPmn8XiLHaB7kKvciM4TOezfkKNSNPhrZ8<br>
ZPIzGtNnkUtkPUX420hrFP87jriA1XsPkBlJmRC920dbQlVONusPc+KfKFbqTxND<br>
GLpAqmNNRk4zgj7qNm2QWuaYm2NEyCKQGBwloMQ0u+zhFJ4D1FR1AYlahwg5ddd2<br>
C5jU+rHIMFGokjrW9Q2R8DPwl/c1pxjeS2cXrAhoGj6Yj5rtndrc3m3guqUBQsCv<br>
Rh5L8VC4q5XaRK294fJWFm1oGFXYMx3SF1/wfPaNH2BPoyYYyNKtP00eSgcjn3j+<br>
GcnoFe2OCco74BtMQKq2pw8EOiogW+ijpMn7mHqElJVgi6TMXkeXsV52qWful5Br<br>
n5XEH4bIYoRs0MwVpe+ANQOl9czniaQKCwypuOm5ihUy/BM/LH3nzezp71cUsi7G<br>
8wtG5k2MB5n7MsVnvNZM0BXlnivNZeYculLtEd3x9GK0LlOYsHUDrBcZ2PEwdL4V<br>
jQqqpDAVaBzr1QzTT/ft<br>
=IWVo<br>
-----END PGP SIGNATURE-----<br>
<br>
</blockquote></div><br></div>