<div dir="ltr">I'm guessing my NAT rules may be messed up. Any ideas what might be wrong?<div><br></div><div><br></div><div><div># iptables-save</div><div># Generated by iptables-save v1.6.0 on Mon Mar 12 14:22:04 2018</div><div>*nat</div><div>:PREROUTING ACCEPT [14:1916]</div><div>:INPUT ACCEPT [14:1916]</div><div>:OUTPUT ACCEPT [37:2220]</div><div>:POSTROUTING ACCEPT [18:1080]</div><div>-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT</div><div>-A POSTROUTING -s 1.2.3.112/24 -o ens33 -m policy --dir out --pol ipsec -j ACCEPT</div><div>-A POSTROUTING -s 1.2.3.112/24 -o ens33 -j MASQUERADE</div><div>-A POSTROUTING -s 1.2.3.112/24 -o ens33 -m policy --dir out --pol ipsec -j ACCEPT</div><div>-A POSTROUTING -s 1.2.3.112/24 -o ens33 -j MASQUERADE</div><div>COMMIT</div><div># Completed on Mon Mar 12 14:22:04 2018</div><div># Generated by iptables-save v1.6.0 on Mon Mar 12 14:22:04 2018</div><div>*filter</div><div>:INPUT ACCEPT [74:14670]</div><div>:FORWARD ACCEPT [0:0]</div><div>:OUTPUT ACCEPT [215:33304]</div><div>-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT</div><div>-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT</div><div>-A INPUT -i lo -j ACCEPT</div><div>-A INPUT -p udp -m udp --dport 500 -j ACCEPT</div><div>-A INPUT -p udp -m udp --dport 4500 -j ACCEPT</div><div>-A FORWARD -s 1.2.3.112/24 -m policy --dir in --pol ipsec --proto esp -j ACCEPT</div><div>-A FORWARD -d 1.2.3.112/24 -m policy --dir out --pol ipsec --proto esp -j ACCEPT</div><div>-A FORWARD -s 1.2.3.112/24 -m policy --dir in --pol ipsec --proto esp -j ACCEPT</div><div>-A FORWARD -d 1.2.3.112/24 -m policy --dir out --pol ipsec --proto esp -j ACCEPT</div><div>COMMIT</div><div># Completed on Mon Mar 12 14:22:04 
2018</div><div><br></div><div class="gmail_extra"><br><div class="gmail_quote">On 8 March 2018 at 20:34, Noel Kuntze <span dir="ltr"><<a href="mailto:noel.kuntze+strongswan-users-ml@thermi.consulting" target="_blank">noel.kuntze+strongswan-users-ml@thermi.consulting</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi,<br>
<br>
Your iptables rules in the *nat table probably cause your issue.<br>
<br>
Take a look at the article about forwarding and split tunneling[1]. And stop using `iptables -L`, it doesn't show you everything. Always use `iptables-save` or `iptables-save -c` instead.<br>
<br>
Kind regards<br>
<br>
Noel<br>
<br>
[1] <a href="https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#General-NAT-problems" rel="noreferrer" target="_blank">https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#General-NAT-problems</a><br>
<br>
On 07.03.2018 05:37, Brenden wrote:<br>
> Hi All,<br>
><br>
> I'm attempting to run StrongSwan on Ubuntu 16.04.3 LTS.<br>
><br>
> IPs changed for privacy:<br>
><br>
> My server IP 110.0.0.110<br>
> My subnet is 110.0.0.0/25<br>
> Internal IP: 192.168.50.214<br>
> Remote Peers: 1.2.3.111 (pri) / 1.2.3.112 (sec)<br>
><br>
> The primary connection is currently not configured (it's still running on<br>
> our hardware FW) but the secondary one has been re-configured with the<br>
> other peer and connection successfully establishes.<br>
><br>
> They can see our successful connection is up but can't see any traffic<br>
> being sent from our side.<br>
><br>
> I am running HAPROXY on my strongswans server which forwards traffic from<br>
> 192.168.50.214:3333 to 10.4.34.70:3333 (via IPSEC tunnel). I can't ping,<br>
> telnet, curl or do anything against this host.<br>
><br>
> I have this working in a legacy (undocumented environment on a Fortigate<br>
> FW), but that's being replaced.<br>
><br>
> # ipsec statusall<br>
> Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-109-generic,<br>
> x86_64):<br>
> uptime: 51 minutes, since Mar 07 13:21:13 2018<br>
> malloc: sbrk 2588672, mmap 0, used 588944, free 1999728<br>
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,<br>
> scheduled: 7<br>
> loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random<br>
> nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp<br>
> dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr<br>
> kernel-netlink resolve socket-default connmark farp stroke updown<br>
> eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2<br>
> eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2<br>
> eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic<br>
> xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11<br>
> tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity<br>
> Listening IP addresses:<br>
> 110.0.0.110<br>
> 192.168.50.214<br>
> Connections:<br>
> ipsec-pri: 110.0.0.110...1.2.3.111 IKEv1, dpddelay=30s<br>
> ipsec-pri: local: uses pre-shared key authentication<br>
> ipsec-pri: remote: uses pre-shared key authentication<br>
> ipsec-pri: child: 110.0.0.0/25 === 10.5.35.0/24 TUNNEL,<br>
> dpdaction=restart<br>
> ipsec-sec: 110.0.0.110...1.2.3.112 IKEv1, dpddelay=30s<br>
> ipsec-sec: local: [110.0.0.110] uses pre-shared key authentication<br>
> ipsec-sec: remote: uses pre-shared key authentication<br>
> ipsec-sec: child: 110.0.0.0/25 === 10.4.34.70/32 10.4.34.71/32<br>
> TUNNEL, dpdaction=restart<br>
> Security Associations (1 up, 0 connecting):<br>
> ipsec-sec[2]: ESTABLISHED 51 minutes ago,<br>
> 110.0.0.110[110.0.0.110]...1.2.3.112[1.2.3.112]<br>
> ipsec-sec[2]: IKEv1 SPIs: ea2ac47190a16341_i* 6f0f64f9d22fd5c2_r,<br>
> pre-shared key reauthentication in 22 hours<br>
> ipsec-sec[2]: IKE proposal:<br>
> 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<br>
> ipsec-sec{2}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cc381424_i<br>
> 15dd64ce_o<br>
> ipsec-sec{2}: 3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 10140 bytes_o (169<br>
> pkts, 1s ago), rekeying in 46 minutes<br>
> ipsec-sec{2}: 110.0.0.0/25 === 10.4.34.70/32<br>
><br>
><br>
> /etc/ipsec.conf file:<br>
> ##################################<br>
> conn ipsec-pri<br>
> ikelifetime=86400s<br>
> authby=secret<br>
> auto=start<br>
> keyexchange=ikev1<br>
> type=tunnel<br>
> left=110.0.0.110<br>
> leftid=%any<br>
> leftsubnet=110.0.0.0/25<br>
> right=1.2.3.111<br>
> rightid=%any<br>
> rightsubnet=10.5.35.0/24<br>
> ike=3des-sha1-modp1024<br>
> esp=3des-sha1-modp1024<br>
> dpdaction=restart<br>
><br>
><br>
> conn ipsec-sec<br>
> ikelifetime=86400s<br>
> authby=secret<br>
> auto=start<br>
> keyexchange=ikev1<br>
> type=tunnel<br>
> left=110.0.0.110<br>
> leftid=%any<br>
> leftsubnet=110.0.0.0/25<br>
> right==1.2.3.112<br>
> rightid=%any<br>
> rightsubnet=10.4.34.70/32,10.4.34.71/32<br>
> ike=3des-sha1-modp1024<br>
> esp=3des-sha1-modp1024<br>
> dpdaction=restart<br>
> ##################################<br>
><br>
> ~# iptables -L<br>
> Chain INPUT (policy ACCEPT)<br>
> target prot opt source destination<br>
><br>
> Chain FORWARD (policy ACCEPT)<br>
> target prot opt source destination<br>
><br>
> Chain OUTPUT (policy ACCEPT)<br>
> target prot opt source destination<br>
><br>
> I've enabled forwarding in /etc/sysctl.conf<br>
> net.ipv4.ip_forward=1<br>
><br>
><br>
> I've been back and forth on this for a few months but just really stuck.<br>
><br>
> Any ideas on where I'm going wrong? I hope I've included enough info to<br>
> get pointed in the right direction.<br>
><br>
<br>
</blockquote></div><br></div></div></div>
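Added example, not part of the thread and not strongSwan project code: a small Python check for the nat-table rule the linked wiki page describes. In nat POSTROUTING, an ACCEPT matching `-m policy --dir out --pol ipsec` has to be listed before any MASQUERADE/SNAT rule that could rewrite the tunnel's source address; the checker parses `iptables-save` (with or without `-c`) output and reports NAT rules that lack such an earlier exception. The two sample dumps are constructed for the demonstration and reuse the thread's 110.0.0.0/25 and ens33 only as illustrative values.

```python
"""Check an iptables-save dump for the IPsec/NAT ordering problem: in nat
POSTROUTING an ACCEPT for '-m policy --dir out --pol ipsec' must come before
any MASQUERADE/SNAT, or the source is rewritten before the IPsec policy lookup."""
import ipaddress
import re

def postrouting_rules(dump):
    """Rules of the nat table's POSTROUTING chain, in evaluation order."""
    rules, in_nat = [], False
    for line in dump.splitlines():
        line = re.sub(r"^\[\d+:\d+\]\s*", "", line)  # drop 'iptables-save -c' counters
        if line.startswith("*"):
            in_nat = line.strip() == "*nat"
        elif in_nat and line.startswith("-A POSTROUTING "):
            rules.append(line[len("-A POSTROUTING "):].strip())
    return rules

def _opt(rule, flag):
    """Value of a single-argument option such as -s or -o, or None."""
    m = re.search(rf"(?:^|\s){flag} (\S+)", rule)
    return m.group(1) if m else None

def nat_problems(dump):
    """One message per NAT rule not shielded by an earlier IPsec exception."""
    exceptions, problems = [], []
    for rule in postrouting_rules(dump):
        src = ipaddress.ip_network(_opt(rule, "-s") or "0.0.0.0/0", strict=False)
        out = _opt(rule, "-o")
        if "-m policy --dir out --pol ipsec" in rule and rule.endswith("-j ACCEPT"):
            exceptions.append((src, out))  # shields the NAT rules listed after it
        elif rule.endswith("-j MASQUERADE") or " -j SNAT " in rule:
            # covered only if an earlier exception spans this source and interface
            if not any(src.subnet_of(esrc) and eout in (None, out)
                       for esrc, eout in exceptions):
                problems.append(f"'{rule}' has no preceding IPsec exception for {src}")
    return problems
# Constructed sample dumps, not the poster's rules: same rules, swapped order.
BROKEN = """*nat
-A POSTROUTING -s 110.0.0.0/25 -o ens33 -j MASQUERADE
-A POSTROUTING -s 110.0.0.0/25 -o ens33 -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
"""
FIXED = """*nat
-A POSTROUTING -s 110.0.0.0/25 -o ens33 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 110.0.0.0/25 -o ens33 -j MASQUERADE
COMMIT
"""
if __name__ == "__main__":
    for name, dump in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, nat_problems(dump) or "ok")
```

Feed it a live dump with `iptables-save | python3 check.py`-style plumbing by reading stdin instead of the constants; an exception bound to a different `-o` interface than the NAT rule is reported as uncovered.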