<div dir="ltr"><div>As in this? </div><div><br></div><div># sudo iptables -A FORWARD --match policy --pol ipsec --dir in --proto esp -s <a href="http://10.4.34.70/32">10.4.34.70/32</a> -j ACCEPT</div><div># sudo iptables -A FORWARD --match policy --pol ipsec --dir out --proto esp -d <a href="http://10.4.34.70/32">10.4.34.70/32</a> -j ACCEPT</div><div><br></div><div class="gmail_extra"><br><div class="gmail_quote">On 13 March 2018 at 23:22, Noel Kuntze <span dir="ltr"><<a href="mailto:noel.kuntze+strongswan-users-ml@thermi.consulting" target="_blank">noel.kuntze+strongswan-users-ml@thermi.consulting</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">You need to accept ESP packets in *filter INPUT (-p esp).<br>
<br>
On 12.03.2018 06:01, Brenden wrote:<br>
> I'm guessing my NAT rules may be messed up, any ideas what might be wrong?<br>
><br>
><br>
> # iptables-save<br>
> # Generated by iptables-save v1.6.0 on Mon Mar 12 14:22:04 2018<br>
> *nat<br>
> :PREROUTING ACCEPT [14:1916]<br>
> :INPUT ACCEPT [14:1916]<br>
> :OUTPUT ACCEPT [37:2220]<br>
> :POSTROUTING ACCEPT [18:1080]<br>
> -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT<br>
> -A POSTROUTING -s 1.2.3.112/24 -o ens33 -m policy --dir out --pol ipsec -j ACCEPT<br>
> -A POSTROUTING -s 1.2.3.112/24 -o ens33 -j MASQUERADE<br>
> -A POSTROUTING -s 1.2.3.112/24 -o ens33 -m policy --dir out --pol ipsec -j ACCEPT<br>
> -A POSTROUTING -s 1.2.3.112/24 -o ens33 -j MASQUERADE<br>
> COMMIT<br>
> # Completed on Mon Mar 12 14:22:04 2018<br>
> # Generated by iptables-save v1.6.0 on Mon Mar 12 14:22:04 2018<br>
> *filter<br>
> :INPUT ACCEPT [74:14670]<br>
> :FORWARD ACCEPT [0:0]<br>
> :OUTPUT ACCEPT [215:33304]<br>
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT<br>
> -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT<br>
> -A INPUT -i lo -j ACCEPT<br>
> -A INPUT -p udp -m udp --dport 500 -j ACCEPT<br>
> -A INPUT -p udp -m udp --dport 4500 -j ACCEPT<br>
> -A FORWARD -s 1.2.3.112/24 -m policy --dir in --pol ipsec --proto esp -j ACCEPT<br>
> -A FORWARD -d 1.2.3.112/24 -m policy --dir out --pol ipsec --proto esp -j ACCEPT<br>
> -A FORWARD -s 1.2.3.112/24 -m policy --dir in --pol ipsec --proto esp -j ACCEPT<br>
> -A FORWARD -d 1.2.3.112/24 -m policy --dir out --pol ipsec --proto esp -j ACCEPT<br>
> COMMIT<br>
> # Completed on Mon Mar 12 14:22:04 2018<br>
><br>
><br>
> On 8 March 2018 at 20:34, Noel Kuntze <<a href="mailto:noel.kuntze+strongswan-users-ml@thermi.consulting">noel.kuntze+strongswan-users-ml@thermi.consulting</a>> wrote:<br>
><br>
> Hi,<br>
><br>
> Your iptables rules in the *nat table probably cause your issue.<br>
><br>
> Take a look at the article about forwarding and split tunneling[1]. And stop using `iptables -L`, it doesn't show you everything. Always use `iptables-save` or `iptables-save -c` instead.<br>
><br>
> Kind regards<br>
><br>
> Noel<br>
><br>
> [1] <a href="https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#General-NAT-problems" rel="noreferrer" target="_blank">https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#General-NAT-problems</a><br>
><br>
> On 07.03.2018 05:37, Brenden wrote:<br>
> > Hi All,<br>
> ><br>
> > I'm attempting to run StrongSwan on Ubuntu 16.04.3 LTS.<br>
> ><br>
> > IPs changed for privacy:<br>
> ><br>
> > My server IP 110.0.0.110<br>
> > My subnet is 110.0.0.0/25<br>
> > Internal IP: 192.168.50.214<br>
> > Remote Peers: 1.2.3.111 (pri) / 1.2.3.112 (sec)<br>
> ><br>
> > The primary connection is currently not configured (it's still running on<br>
> > our hardware FW) but the secondary one has been re-configured with the<br>
> > other peer and the connection successfully establishes.<br>
> ><br>
> > They can see our successful connection is up but can't see any traffic<br>
> > being sent from our side.<br>
> ><br>
> > I am running HAProxy on my strongSwan server which forwards traffic from<br>
> > 192.168.50.214:3333 to 10.4.34.70:3333 (via IPsec tunnel). I can't ping,<br>
> > telnet, curl or do anything against this host.<br>
> ><br>
> > I have this working in a legacy (undocumented environment on a Fortigate<br>
> > FW), but that's being replaced.<br>
> ><br>
> > # ipsec statusall<br>
> > Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-109-generic,<br>
> > x86_64):<br>
> > uptime: 51 minutes, since Mar 07 13:21:13 2018<br>
> > malloc: sbrk 2588672, mmap 0, used 588944, free 1999728<br>
> > worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,<br>
> > scheduled: 7<br>
> > loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random<br>
> > nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp<br>
> > dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr<br>
> > kernel-netlink resolve socket-default connmark farp stroke updown<br>
> > eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2<br>
> > eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2<br>
> > eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic<br>
> > xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11<br>
> > tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity<br>
> > Listening IP addresses:<br>
> > 110.0.0.110<br>
> > 192.168.50.214<br>
> > Connections:<br>
> > ipsec-pri: 110.0.0.110...1.2.3.111 IKEv1, dpddelay=30s<br>
> > ipsec-pri: local: uses pre-shared key authentication<br>
> > ipsec-pri: remote: uses pre-shared key authentication<br>
> > ipsec-pri: child: 110.0.0.0/25 === 10.5.35.0/24 TUNNEL,<br>
> > dpdaction=restart<br>
> > ipsec-sec: 110.0.0.110...1.2.3.112 IKEv1, dpddelay=30s<br>
> > ipsec-sec: local: [110.0.0.110] uses pre-shared key authentication<br>
> > ipsec-sec: remote: uses pre-shared key authentication<br>
> > ipsec-sec: child: 110.0.0.0/25 === 10.4.34.70/32 10.4.34.71/32<br>
> > TUNNEL, dpdaction=restart<br>
> > Security Associations (1 up, 0 connecting):<br>
> > ipsec-sec[2]: ESTABLISHED 51 minutes ago,<br>
> > 110.0.0.110[110.0.0.110]...1.2.3.112[1.2.3.112]<br>
> > ipsec-sec[2]: IKEv1 SPIs: ea2ac47190a16341_i* 6f0f64f9d22fd5c2_r,<br>
> > pre-shared key reauthentication in 22 hours<br>
> > ipsec-sec[2]: IKE proposal:<br>
> > 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<br>
> > ipsec-sec{2}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cc381424_i<br>
> > 15dd64ce_o<br>
> > ipsec-sec{2}: 3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 10140 bytes_o (169<br>
> > pkts, 1s ago), rekeying in 46 minutes<br>
> > ipsec-sec{2}: 110.0.0.0/25 === 10.4.34.70/32<br>
> ><br>
> ><br>
> > /etc/ipsec.conf file:<br>
> > ##################################<br>
> > conn ipsec-pri<br>
> > ikelifetime=86400s<br>
> > authby=secret<br>
> > auto=start<br>
> > keyexchange=ikev1<br>
> > type=tunnel<br>
> > left=110.0.0.110<br>
> > leftid=%any<br>
> > leftsubnet=110.0.0.0/25<br>
> > right=1.2.3.111<br>
> > rightid=%any<br>
> > rightsubnet=10.5.35.0/24<br>
> > ike=3des-sha1-modp1024<br>
> > esp=3des-sha1-modp1024<br>
> > dpdaction=restart<br>
> ><br>
> ><br>
> > conn ipsec-sec<br>
> > ikelifetime=86400s<br>
> > authby=secret<br>
> > auto=start<br>
> > keyexchange=ikev1<br>
> > type=tunnel<br>
> > left=110.0.0.110<br>
> > leftid=%any<br>
> > leftsubnet=110.0.0.0/25<br>
> > right=1.2.3.112<br>
> > rightid=%any<br>
> > rightsubnet=10.4.34.70/32,10.4.34.71/32<br>
> > ike=3des-sha1-modp1024<br>
> > esp=3des-sha1-modp1024<br>
> > dpdaction=restart<br>
> > ##################################<br>
> ><br>
> > ~# iptables -L<br>
> > Chain INPUT (policy ACCEPT)<br>
> > target prot opt source destination<br>
> ><br>
> > Chain FORWARD (policy ACCEPT)<br>
> > target prot opt source destination<br>
> ><br>
> > Chain OUTPUT (policy ACCEPT)<br>
> > target prot opt source destination<br>
> ><br>
> > I've enabled forwarding in /etc/sysctl.conf<br>
> > net.ipv4.ip_forward=1<br>
> ><br>
> ><br>
> > I've been back and forth on this for a few months but just really stuck.<br>
> ><br>
> > Any ideas on where I'm going wrong? I hope I've included enough info to<br>
> > get pointed in the right direction.<br>
> ><br>
><br>
><br>
<br>
</blockquote></div><br></div></div>
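Added example, not code from the thread, from Noel, or from the strongSwan project: a small POSIX shell script that generates the ruleset the advice above and the linked wiki page describe for a site-to-site gateway (NAT exemption for IPsec-policied traffic placed before MASQUERADE, IKE/NAT-T/ESP accepted in *filter INPUT, policy-matched FORWARD rules per remote subnet) and a linter that reads `iptables-save` output and reports the two ordering mistakes it can detect. The function names `gen_ipsec_rules` and `check_ipsec_rules`, the DROP policies on INPUT and FORWARD, and the use of `-m conntrack` instead of `-m state` are this example's own choices; the addresses and interface (110.0.0.0/25, ens33, 10.4.34.70/32, 10.4.34.71/32) are the ones posted in the thread and stand in for whatever the real site uses. The script only prints and checks text; applying the result needs root and `iptables-restore`.

```shell
#!/bin/sh
# gen_ipsec_rules LAN_SUBNET WAN_IFACE REMOTE_SUBNET...
# Prints an iptables-restore file on stdout. Apply with e.g.
#   gen_ipsec_rules 110.0.0.0/25 ens33 10.4.34.70/32 10.4.34.71/32 | sudo iptables-restore
gen_ipsec_rules() {
    lan_net=$1
    wan_if=$2
    shift 2

    printf '%s\n' '*nat'
    printf '%s\n' ':PREROUTING ACCEPT [0:0]' ':INPUT ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    # Packets that will be ESP-encapsulated on the way out must keep their
    # original source address; once masqueraded they no longer match the SA's
    # traffic selector (leftsubnet) and never enter the tunnel. The exemption
    # therefore has to sit in front of MASQUERADE.
    printf '%s\n' "-A POSTROUTING -s $lan_net -o $wan_if -m policy --dir out --pol ipsec -j ACCEPT"
    printf '%s\n' "-A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE"
    printf '%s\n' 'COMMIT'

    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    # IKE (500/udp), NAT-T (4500/udp) and raw ESP (IP protocol 50) terminate on
    # the gateway itself, so they are INPUT, not FORWARD. With a DROP policy,
    # forgetting -p esp leaves IKE working (the SA comes up) while every
    # tunnelled packet is silently lost.
    printf '%s\n' '-A INPUT -p udp --dport 500 -j ACCEPT'
    printf '%s\n' '-A INPUT -p udp --dport 4500 -j ACCEPT'
    printf '%s\n' '-A INPUT -p esp -j ACCEPT'
    # Decrypted traffic is forwarded between the LAN and each remote subnet.
    # The policy match restricts it to packets that arrived through / will leave
    # through an ESP SA, so the same subnets cannot be reached in the clear.
    for net in "$@"; do
        printf '%s\n' "-A FORWARD -s $net -d $lan_net -m policy --dir in --pol ipsec --proto esp -j ACCEPT"
        printf '%s\n' "-A FORWARD -s $lan_net -d $net -m policy --dir out --pol ipsec --proto esp -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# check_ipsec_rules < dump
# Reads iptables-save output (use `iptables-save -c`, never `iptables -L`, which
# hides the nat table and the match extensions) and exits non-zero if a
# POSTROUTING MASQUERADE/SNAT rule precedes the IPsec policy exemption, or if
# filter INPUT would drop ESP. It checks order only: it does not verify that the
# exemption's -s/-o actually cover the masqueraded traffic.
check_ipsec_rules() {
    awk '
        BEGIN { bad = 0 }
        /^\*/ { table = substr($0, 2); next }
        table == "nat" && /^-A POSTROUTING/ && /-m policy/ && /--dir out/ && /--pol ipsec/ && /-j ACCEPT/ { exempt = 1 }
        table == "nat" && /^-A POSTROUTING/ && /-j (MASQUERADE|SNAT)/ && !exempt {
            print "nat: MASQUERADE/SNAT before IPsec policy exemption: " $0; bad = 1
        }
        table == "filter" && /^:INPUT ACCEPT/ { input_accept = 1 }
        table == "filter" && /^-A INPUT/ && /-p (esp|50)/ && /-j ACCEPT/ { esp = 1 }
        END {
            if (!esp && !input_accept) { print "filter: INPUT has neither -p esp ACCEPT nor policy ACCEPT"; bad = 1 }
            exit bad
        }'
}

# When run as a script with arguments, generate, self-check and print the ruleset.
if [ "$#" -ge 3 ]; then
    rules=$(gen_ipsec_rules "$@")
    printf '%s\n' "$rules" | check_ipsec_rules && printf '%s\n' "$rules"
fi
```

To audit a live box rather than generated text, run `sudo iptables-save -c | check_ipsec_rules`; the `-c` counters also show at a glance whether the policy-matched FORWARD rules are seeing any packets at all.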