<div dir="ltr">Hi,<div>I found my problem: "rp_filter" for the vti interface was not set to 2.</div><div>Now I can establish the connection correctly, and any request made by the "vpn" user goes through it.</div><div><br></div><div>Currently, I still have a problem keeping the connection alive...</div><div>Indeed, after several minutes, there is no way to use the VPN anymore (see new thread).</div><div><br></div><div>Gilles<br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, May 28, 2018 at 3:03 PM, Gilles Printemps <span dir="ltr"><<a href="mailto:gprintemps@gmail.com" target="_blank">gprintemps@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi,<div>After combining/executing the different scripts, I'm still not able to send anything through the "vti" interface created previously.</div><div>Indeed, despite the different rules added, the "vti" interface is receiving nothing. It seems I did something wrong in my routes...</div><div>I would appreciate it if someone could point out what's wrong in my config...</div><div><br></div><div>$ curl <a href="http://ipinfo.io" target="_blank">ipinfo.io</a> </div><div> Returns details from my ISP</div><div><br></div><div>$ sudo -u vpn -i -- curl <a href="http://ipinfo.io" target="_blank">ipinfo.io</a></div><div> Nothing is returned!!!</div><div><br></div><div>Thanks / BR Gilles</div><div><br></div><div>Routing tables</div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><font color="#3d85c6" size="1">Filter table:</font> </blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><font color="#3d85c6" size="1">Chain INPUT (policy ACCEPT 910 packets, 68548 bytes)<br> pkts bytes target 
prot opt in out source destination<br> 0 0 ACCEPT all -- vti0 any anywhere anywhere ctstate ESTABLISHED<br>Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)<br> pkts bytes target prot opt in out source destination<br>Chain OUTPUT (policy ACCEPT 651 packets, 85552 bytes)<br> pkts bytes target prot opt in out source destination<br> 32 2688 ACCEPT all -- any lo anywhere anywhere owner UID match vpn<br> 0 0 ACCEPT all -- any vti0 anywhere anywhere owner UID match vpn<br>Nat table:</font> </blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><font color="#3d85c6" size="1">Chain PREROUTING (policy ACCEPT 2 packets, 160 bytes)<br> pkts bytes target prot opt in out source destination<br>Chain INPUT (policy ACCEPT 2 packets, 160 bytes)<br> pkts bytes target prot opt in out source destination<br>Chain OUTPUT (policy ACCEPT 13 packets, 1165 bytes)<br> pkts bytes target prot opt in out source destination<br>Chain POSTROUTING (policy ACCEPT 10 packets, 962 bytes)<br> pkts bytes target prot opt in out source destination<br> 3 203 MASQUERADE all -- any vti0 anywhere anywhere<br>Mangle table:<br>Chain PREROUTING (policy ACCEPT 914 packets, 68930 bytes)<br> pkts bytes target prot opt in out source destination<br>Chain INPUT (policy ACCEPT 912 packets, 68652 bytes)<br> pkts bytes target prot opt in out source destination<br>Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)<br> pkts bytes target prot opt in out source destination<br>Chain OUTPUT (policy ACCEPT 685 packets, 88536 bytes)<br> pkts bytes target prot opt in out source destination<br> 685 88536 CONNMARK all -- any any anywhere anywhere CONNMARK restore<br> 74 8099 MARK all -- any any anywhere !10.211.55.3 owner UID match vpn MARK set 0x1<br> 64 5376 MARK all -- any any !10.211.55.3 anywhere MARK set 0x1<br> 685 88536 CONNMARK all -- any any anywhere anywhere CONNMARK save<br>Chain POSTROUTING (policy 
ACCEPT 706 packets, 90231 bytes)<br> pkts bytes target prot opt in out source destination</font></blockquote></div><div><br></div><div><font color="#000000"><span>ifconfig result</span></font></div><div class="gmail_extra"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><font size="1" color="#3d85c6">enp0s5 Link encap:Ethernet HWaddr 00:1c:42:c0:02:e3<br></font><font size="1" color="#3d85c6"> inet addr:10.211.55.3 Bcast:10.211.55.255 Mask:255.255.255.0<br></font><font size="1" color="#3d85c6"> inet6 addr: fe80::21c:42ff:fec0:2e3/64 Scope:Link<br></font><font size="1" color="#3d85c6"> inet6 addr: fdb2:2c26:f4e4:0:21c:42ff:fec0:2e3/64 Scope:Global<br></font><font size="1" color="#3d85c6"> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br></font><font size="1" color="#3d85c6"> RX packets:4505 errors:0 dropped:0 overruns:0 frame:0<br></font><font size="1" color="#3d85c6"> TX packets:3059 errors:0 dropped:0 overruns:0 carrier:0<br></font><font size="1" color="#3d85c6"> collisions:0 txqueuelen:1000<br></font><font size="1" color="#3d85c6"> RX bytes:671940 (671.9 KB) TX bytes:491511 (491.5 KB)</font><font size="1" color="#3d85c6"><br></font><font size="1" color="#3d85c6">lo Link encap:Local Loopback<br></font><font size="1" color="#3d85c6"> inet addr:127.0.0.1 Mask:255.0.0.0<br></font><font size="1" color="#3d85c6"> inet6 addr: ::1/128 Scope:Host<br></font><font size="1" color="#3d85c6"> UP LOOPBACK RUNNING MTU:65536 Metric:1<br></font><font size="1" color="#3d85c6"> RX packets:247 errors:0 dropped:0 overruns:0 frame:0<br></font><font size="1" color="#3d85c6"> TX packets:247 errors:0 dropped:0 overruns:0 carrier:0<br></font><font size="1" color="#3d85c6"> collisions:0 txqueuelen:1<br></font><font size="1" color="#3d85c6"> RX bytes:21458 (21.4 KB) TX bytes:21458 (21.4 KB)</font><span class=""><font size="1" color="#3d85c6"><br></font><font size="1" 
color="#3d85c6">vti0 Link encap:IPIP Tunnel HWaddr<br></font></span><font size="1" color="#3d85c6"> inet addr:10.3.216.204 P-t-P:10.3.216.204 Mask:255.255.255.255<br></font><span class=""><font size="1" color="#3d85c6"> UP POINTOPOINT RUNNING NOARP MTU:1332 Metric:1<br></font><font size="1" color="#3d85c6"> RX packets:0 errors:0 dropped:0 overruns:0 frame:0<br></font><font size="1" color="#3d85c6"> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0<br></font><font size="1" color="#3d85c6"> collisions:0 txqueuelen:1<br></font><font size="1" color="#3d85c6"> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)</font></span></blockquote><div class="gmail_quote"><br></div><div class="gmail_quote"><br></div><div class="gmail_quote">sudo ip route show table 200<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><font color="#3d85c6" size="1">default via 10.3.216.204 dev vti0<br></font><span class=""><font color="#3d85c6" size="1">default via 127.0.0.1 dev lo </font></span></blockquote></div><div class="gmail_quote"><br></div><div class="gmail_quote">sudo ip rule list<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><font color="#3d85c6" size="1">0: from all lookup local<br></font><font color="#3d85c6" size="1">219: from all fwmark 0x1 lookup vpn<br></font><font color="#3d85c6" size="1">220: from all lookup 220<br></font><font color="#3d85c6" size="1">32766: from all lookup main<br></font><font color="#3d85c6" size="1">32767: from all lookup default</font></blockquote></div><div class="gmail_quote"><br></div><div class="gmail_extra">/etc/strongswan.d/charon/constraints.conf</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 
0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><font size="1" color="#3d85c6">constraints {<br></font><font size="1" color="#3d85c6"> # Whether to load the plugin. Can also be an integer to increase the<br></font><font size="1" color="#3d85c6"> # priority of this plugin.<br></font><font size="1" color="#3d85c6"> load = no<br></font><font size="1" color="#3d85c6">}</font></blockquote><div><br></div><div>In /etc/strongswan.d/charon.conf</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><font color="#3d85c6" size="1">install_routes = no<br></font><font color="#3d85c6" size="1">install_virtual_ip = no</font></blockquote><div><br></div><div>In /etc/sysctl.conf</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><font color="#3d85c6" size="1">net.ipv4.ip_forward=1<br></font><font color="#3d85c6" size="1">net.ipv6.conf.all.forwarding=1</font></blockquote><div><br></div><div>Scripts for making rules/routes</div><div>/etc/ipsec.script.sh</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><span class=""><font color="#3d85c6" size="1">set -o nounset<br></font><font color="#3d85c6" size="1">set -o errexit</font><font color="#3d85c6" size="1"><br></font></span><font color="#3d85c6" size="1">VPN_USER="vpn"<br></font><font color="#3d85c6" size="1">VTI_INTERFACE="vti0"</font><span class=""><font color="#3d85c6" size="1"><br></font><font color="#3d85c6" size="1">case "${PLUTO_VERB}" in<br></font><font color="#3d85c6" size="1"> up-client)<br></font></span><font color="#3d85c6" size="1"> ip tunnel add "${VTI_INTERFACE}" local 
"${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti \<br></font><span class=""><font color="#3d85c6" size="1"> okey "${PLUTO_MARK_OUT%%/*}" ikey "${PLUTO_MARK_IN%%/*}"<br></font></span><font color="#3d85c6" size="1"> ip link set "${VTI_INTERFACE}" up<br></font><font color="#3d85c6" size="1"> sysctl -w "net.ipv4.conf.${VTI_INTERFACE}.disable_policy=1"</font><font color="#3d85c6" size="1"><br></font><font color="#3d85c6" size="1"> ip addr add ${PLUTO_MY_SOURCEIP} dev "${VTI_INTERFACE}"<br></font><font color="#3d85c6" size="1"> if [[ `ip rule list | grep -c 0x1` == 0 ]]; then<br></font><font color="#3d85c6" size="1"> ip rule add from all fwmark 0x1 lookup $VPN_USER<br></font><font color="#3d85c6" size="1"> fi</font><font color="#3d85c6" size="1"><br></font><font color="#3d85c6" size="1"> # Launch routing script<br></font><font color="#3d85c6" size="1"> /etc/ipsec.route.sh<br></font><font color="#3d85c6" size="1"> ;;<br></font><font color="#3d85c6" size="1"> down-client)<br></font><font color="#3d85c6" size="1"> ip tunnel del "${VTI_INTERFACE}"<br></font><font color="#3d85c6" size="1"> ;;<br></font><font color="#3d85c6" size="1">esac</font> </blockquote><div><br></div><div>/etc/ipsec.route.sh<br></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><span class=""><font color="#3d85c6" size="1">export TABLE_ID="vpn"<br></font><font color="#3d85c6" size="1">export VPN_USER="vpn"<br></font></span><font color="#3d85c6" size="1">export VTI_INTERFACE="vti0"<br></font><font color="#3d85c6" size="1">export LOCAL_IP="10.211.55.3"</font><span class=""><font color="#3d85c6" size="1"><br></font><font color="#3d85c6" size="1"><br></font><font color="#3d85c6" size="1"># Flush iptables rules<br></font><font color="#3d85c6" size="1">iptables -F -t 
nat<br></font><font color="#3d85c6" size="1">iptables -F -t mangle<br></font><font color="#3d85c6" size="1">iptables -F -t filter</font><font color="#3d85c6" size="1"><br></font><font color="#3d85c6" size="1"># Mark packets from $VPN_USER<br></font></span><font color="#3d85c6" size="1">iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark<br></font><font color="#3d85c6" size="1">iptables -t mangle -A OUTPUT ! --dest $LOCAL_IP -m owner --uid-owner $VPN_USER -j MARK --set-mark 0x1<br></font><font color="#3d85c6" size="1">iptables -t mangle -A OUTPUT ! --src $LOCAL_IP -j MARK --set-mark 0x1<br></font><font color="#3d85c6" size="1">iptables -t mangle -A OUTPUT -j CONNMARK --save-mark</font><span class=""><font color="#3d85c6" size="1"><br></font><font color="#3d85c6" size="1"># Allow $VPN_USER to access lo and the VPN interface<br></font><font color="#3d85c6" size="1">iptables -A OUTPUT -o lo -m owner --uid-owner $VPN_USER -j ACCEPT<br></font></span><font color="#3d85c6" size="1">iptables -A OUTPUT -o $VTI_INTERFACE -m owner --uid-owner $VPN_USER -j ACCEPT</font><font color="#3d85c6" size="1"><br></font><font color="#3d85c6" size="1"># Deny $VPN_USER access to any other interface (appended after the ACCEPT rules so those match first; -j, not -J)<br></font><font color="#3d85c6" size="1">iptables -A OUTPUT ! -o lo -m owner --uid-owner $VPN_USER -j DROP</font><span class=""><font color="#3d85c6" size="1"><br></font><font color="#3d85c6" size="1"><br></font><font color="#3d85c6" size="1"># Allow responses from $VTI_INTERFACE<br></font></span><font color="#3d85c6" size="1">iptables -A INPUT -i $VTI_INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT</font><span class=""><font color="#3d85c6" size="1"><br></font><font color="#3d85c6" size="1"># Masquerade packets on $VTI_INTERFACE<br></font></span><font color="#3d85c6" size="1">iptables -t nat -A POSTROUTING -o $VTI_INTERFACE -j MASQUERADE</font><font color="#3d85c6" size="1"><br></font><font color="#3d85c6" size="1"># Routing rules<br></font><font color="#3d85c6" 
size="1">GATEWAY=$(ifconfig $VTI_INTERFACE |<br></font><font color="#3d85c6" size="1"> egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' |<br></font><font color="#3d85c6" size="1"> egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)</font><span class=""><font color="#3d85c6" size="1"><br></font><font color="#3d85c6" size="1">ip route replace default via $GATEWAY table $TABLE_ID<br></font><font color="#3d85c6" size="1">ip route append default via 127.0.0.1 dev lo table $TABLE_ID<br></font><font color="#3d85c6" size="1">ip route flush cache</font></span></blockquote></div></div></div>
</blockquote></div><br></div>
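<div>Added example (not part of Gilles's mails): a small POSIX shell checker for the chain the scripts above rely on (fwmark rule, then the vpn table, then a default route out of the VTI) together with the rp_filter setting that turned out to be the fix. The function names and the sample outputs are constructed here, modelled on the <code>ip rule</code>, <code>ip route</code> and sysctl values quoted in the thread.</div>

```shell
#!/bin/sh
# Added example (not from the thread): check the policy-routing chain the scripts
# above depend on, and the rp_filter setting that turned out to be the fix.
# Inputs are the text of `ip rule list`, `ip route show table vpn` and
# `sysctl net.ipv4.conf.vti0.rp_filter`, passed as strings so the check runs
# offline on the constructed samples below; on a host, capture them with those commands.

# 0 if a rule sends packets carrying fwmark $2 to table $3.
rule_for_mark() {
  printf '%s\n' "$1" | grep -Eq "from all fwmark $2 lookup $3\$"
}

# 0 if the table's default route leaves through interface $2.
default_via_iface() {
  printf '%s\n' "$1" | grep -Eq "^default via [0-9.]+ dev $2( |\$)"
}

# 0 if rp_filter is off (0) or loose (2). Strict mode (1) drops replies on the
# VTI whose source is not reachable via the VTI in the reverse-path lookup.
rp_filter_ok() {
  v=$(printf '%s\n' "$1" | awk -F'= *' '{print $2}')
  [ "$v" = "0" ] || [ "$v" = "2" ]
}

# $1 rules, $2 table, $3 sysctl line, $4 mark, $5 table id, $6 interface
check_chain() {
  rule_for_mark "$1" "$4" "$5" || { echo "no rule: fwmark $4 -> table $5"; return 1; }
  default_via_iface "$2" "$6" || { echo "table $5 has no default via $6"; return 1; }
  rp_filter_ok "$3" || { echo "rp_filter on $6 is strict; set it to 2"; return 1; }
  echo "policy routing for $6 looks consistent"
}

# Constructed samples modelled on the outputs quoted in the thread.
SAMPLE_RULES='0: from all lookup local
219: from all fwmark 0x1 lookup vpn
220: from all lookup 220
32766: from all lookup main
32767: from all lookup default'
SAMPLE_TABLE='default via 10.3.216.204 dev vti0
default via 127.0.0.1 dev lo'
SAMPLE_SYSCTL_STRICT='net.ipv4.conf.vti0.rp_filter = 1'
SAMPLE_SYSCTL_LOOSE='net.ipv4.conf.vti0.rp_filter = 2'

check_chain "$SAMPLE_RULES" "$SAMPLE_TABLE" "$SAMPLE_SYSCTL_LOOSE" 0x1 vpn vti0
```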