[strongSwan-dev] Passthrough and Modeconfig
William Bloom
william.bloom at kinetx.com
Mon Jul 26 22:13:44 CEST 2010
I've had some success configuring a VPN from a strongSwan gateway (left) to a Cisco ASA (right) using leftsourceip=%modeconfig such that the leftsubnet can exchange traffic with the rightsubnet(s) using an SNAT rule on the left gateway (NAT'ing leftsubnet addresses to the modeconfig address assigned by the ASA). However, this only works when the right subnet is not 0.0.0.0/0 (cf. the ikev1/passthrough example). When I specify rightsubnet as 0.0.0.0/0, the flow of 'ping' packets is as follows as observed on the left gateway (info obtained with '-j LOG' rules in iptables)...
1) An ICMP echo request appears in the FORWARD chain, coming in the left-facing interface.
2) An ESP packet appears in the OUT chain, coming from the left gateway and destined to the ASA via the ASA-facing interface.
3) An ESP packet appears in the IN chain, coming from the ASA via the ASA-facing interface and destined to the left gateway.
4) An ICMP echo reply appears in the FORWARD chain, coming in the ASA-facing interface and also out the same interface.
The last step is the problem. The FORWARD should be destined for the left-facing interface rather than the ASA-facing interface. This is as if the 0.0.0.0/0 policy were getting its hands on the ICMP echo reply and attempting to send it back to the ASA.
But I have passthrough configured, so this (such is my understanding of passthrough) shouldn't be happening. My ipsec.conf statements...
config setup
    crlcheckinterval=0s
    strictcrlpolicy=no
    charonstart=no
    # Pluto parameters
    nat_traversal=yes
    plutodebug=all

conn %default
    mobike=no
    keyexchange=ikev1
    keyingtries=3
    margintime=3m
    ikelifetime=86400s
    lifetime=3600s
    pfs=no
    authby=pubkey
    ike=aes256-sha1-modp1024
    esp=aes256-sha1
    left=%defaultroute
    right=10.249.0.137
    leftsubnet=192.168.10.0/255.255.255.224

conn net-net
    leftcert=whbtarget1.cer
    leftid=@tve.gdc4s.com
    leftsourceip=%modeconfig
    rightid=@ciscoasa.hap.local
    rightsubnet=0.0.0.0/0.0.0.0
    lefthostaccess=yes
    auto=start

conn pass
    rightsubnet=192.168.10.0/255.255.255.224
    type=passthrough
    authby=never
    auto=route
The XFRM policy table...
src 0.0.0.0/0 dst 192.168.200.150/32
dir in priority 2112
tmpl src 10.249.0.137 dst 172.16.1.2
proto esp reqid 16385 mode tunnel
src 192.168.10.0/27 dst 192.168.10.0/27
dir in priority 2245
src 192.168.200.150/32 dst 0.0.0.0/0
dir out priority 2112
tmpl src 172.16.1.2 dst 10.249.0.137
proto esp reqid 16385 mode tunnel
src 192.168.10.0/27 dst 192.168.10.0/27
dir out priority 2245
src 0.0.0.0/0 dst 192.168.200.150/32
dir fwd priority 2112
tmpl src 10.249.0.137 dst 172.16.1.2
proto esp reqid 16385 mode tunnel
src 192.168.10.0/27 dst 192.168.10.0/27
dir fwd priority 2245
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
My SNAT entry, in order to NAT before ESP (192.168.200.150 is the address assigned by the ASA)...
Chain PREROUTING (policy ACCEPT 15 packets, 1336 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 11 packets, 4948 bytes)
pkts bytes target prot opt in out source destination
4 336 SNAT all -- * eth0 0.0.0.0/0 0.0.0.0/0 to:192.168.200.150
Chain OUTPUT (policy ACCEPT 10 packets, 4940 bytes)
pkts bytes target prot opt in out source destination
The log entries produced by my iptables rules...
Jul 26 07:22:08 localhost kernel: from guest as FORWARD> IN=eth1 OUT=eth0 SRC=192.168.10.2 DST=192.168.199.151 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=28480 SEQ=1
Jul 26 07:22:08 localhost kernel: to ASA as OUTPUT> IN= OUT=eth0 SRC=172.16.1.2 DST=10.249.0.137 LEN=160 TOS=0x00 PREC=0x00 TTL=64 ID=29736 DF PROTO=UDP SPT=4500 DPT=4500 LEN=140
Jul 26 07:22:08 localhost kernel: from ASA as INPUT> IN=eth0 OUT= MAC=00:0c:29:fa:c2:d9:00:0c:29:2e:71:7d:08:00 SRC=10.249.0.137 DST=172.16.1.2 LEN=160 TOS=0x00 PREC=0x00 TTL=63 ID=37476 PROTO=UDP SPT=4500 DPT=4500 LEN=140
Jul 26 07:22:08 localhost kernel: from ASA as FORWARD> IN=eth0 OUT=eth0 SRC=192.168.199.151 DST=192.168.10.2 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=9315 PROTO=ICMP TYPE=0 CODE=0 ID=28480 SEQ=1
Note that if I substitute 192.168.10.0/27 for 0.0.0.0/0 as the rightsubnet in ipsec.conf, the final FORWARD entry above indeed uses eth1 as the OUT interface and pings are all replied properly.
What should I do to correct this configuration for use with rightsubnet=0.0.0.0/0?
Bill
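A small lookup model of the XFRM policy table posted above, so a reader can see which selector each packet in the ping exchange hits (added example, not strongSwan or pluto code). It models only selector, direction and priority (lowest value wins, earlier entry wins ties); the priority-0 0.0.0.0/0 entries are left out on the assumption that they are pluto's per-socket bypass policies, and the packet addresses are the constructed SNAT'd and de-NAT'd forms of the logged ping.

```python
"""Model of an XFRM policy lookup over the selectors in the post (added example)."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional


class Policy(NamedTuple):
    src: str            # selector source CIDR
    dst: str            # selector destination CIDR
    dir: str            # "in", "out" or "fwd"
    priority: int       # lower value = higher precedence
    tmpl: Optional[str]  # "tunnel" when an ESP template is attached, None for passthrough


# Transcribed from the 'ip xfrm policy' output in the post; priority-0 entries omitted.
POLICIES = [
    Policy("0.0.0.0/0", "192.168.200.150/32", "in", 2112, "tunnel"),
    Policy("192.168.10.0/27", "192.168.10.0/27", "in", 2245, None),
    Policy("192.168.200.150/32", "0.0.0.0/0", "out", 2112, "tunnel"),
    Policy("192.168.10.0/27", "192.168.10.0/27", "out", 2245, None),
    Policy("0.0.0.0/0", "192.168.200.150/32", "fwd", 2112, "tunnel"),
    Policy("192.168.10.0/27", "192.168.10.0/27", "fwd", 2245, None),
]


def lookup(policies, src, dst, direction):
    """Return the matching policy with the lowest priority value, or None if nothing matches."""
    s, d = ip_address(src), ip_address(dst)
    hits = [p for p in policies
            if p.dir == direction and s in ip_network(p.src) and d in ip_network(p.dst)]
    # min() is stable, so among equal priorities the earlier entry wins, as in the kernel.
    return min(hits, key=lambda p: p.priority) if hits else None


def classify(policies, src, dst, direction):
    """Human-readable verdict: tunnel, passthrough, or no policy (ordinary clear-text routing)."""
    p = lookup(policies, src, dst, direction)
    if p is None:
        return "no policy (plain routing)"
    return "passthrough" if p.tmpl is None else f"tunnel (priority {p.priority})"


if __name__ == "__main__":
    # Constructed packets from the logged exchange: request after SNAT, reply before and after de-NAT,
    # and a leftsubnet-internal packet that the passthrough conn is meant to cover.
    for src, dst, direction in [("192.168.200.150", "192.168.199.151", "out"),
                                ("192.168.199.151", "192.168.200.150", "fwd"),
                                ("192.168.199.151", "192.168.10.2", "out"),
                                ("192.168.10.2", "192.168.10.5", "out")]:
        print(f"{src} -> {dst} ({direction}): {classify(POLICIES, src, dst, direction)}")
```

The de-NAT'd echo reply (192.168.199.151 -> 192.168.10.2) matches neither the passthrough selector, which covers only leftsubnet-to-leftsubnet traffic, nor the tunnel selector, so the table alone does not decide where that packet goes.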