[strongSwan] existing traffic before strong swan
Marwil, Mark-P63354
Mark.Marwil at gdc4s.com
Sat Jul 10 09:43:26 CEST 2010
I have a question about what happens if traffic is trying to be sent out
the interface strongswan uses while the tunnel is being established:
will this cause trouble? I have an issue where some traffic goes
through the tunnel, but some does not. My setup is configured like the
example 'nat before esp'. My firewall on moon is set up as shown below.
I have iptables on moon set up to display traffic that is dropped, and
traffic that is not esp protocol should not be sent out eth0. The
traffic that is not passed through the tunnel is response traffic to
communication initiated from Bob. The communication from Bob makes it to
Alice, but when Alice tries to respond, the response packets are blocked
when they try to make it out eth0 on moon, so it would appear they are
not going through the tunnel.
I know the tunnel is established because Alice pings Bob through the
tunnel. It is also an intermittent problem, because when I reboot moon,
sometimes the response packets will go through the tunnel, until I
reboot again, and sometimes, some response packets go through the tunnel
while others do not.
My ipsec.conf on moon is as follows:

config setup
    plutodebug=control
    crlcheckinterval=180
    strictcrlpolicy=no
    charonstart=no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1

conn host-net
    left=%defaultroute
    leftcert=moonCert.pem
    leftid=@moon.strongswan.org
    leftfirewall=yes
    right=192.168.6.1
    rightsubnet=0.0.0.0/0
    rightid=@sun.strongswan.org
    auto=start
    authby=rsasig
My iptables rules on moon are as follows:

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# NAT traffic from host
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Allow local communication.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# forward traffic from host to POSTROUTING chain
-A FORWARD -i eth1 -o eth0 -s 192.168.99.1 -j ACCEPT
-A FORWARD -o eth1 -i eth0 -d 192.168.99.1 -j ACCEPT
# Allow NTP
-A INPUT -i eth1 -p udp --sport 123 -j ACCEPT
-A OUTPUT -o eth1 -p udp --sport 123 -j ACCEPT
# Allow DNS
-A INPUT -i eth1 -p udp --sport 53 -j ACCEPT
-A INPUT -i eth1 -p udp --dport 53 -j ACCEPT
-A OUTPUT -o eth1 -p udp --sport 53 -j ACCEPT
-A OUTPUT -o eth1 -p udp --dport 53 -j ACCEPT
# Allow icmp traffic
#-A FORWARD -i eth1 -p icmp -j ACCEPT
#-A FORWARD -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT
# Allow ssh forwarding
-A INPUT -p tcp --dport 10794 -j ACCEPT
-A OUTPUT -p tcp --sport 10794 -j ACCEPT
# allow esp
-A INPUT -i eth0 -p 50 -j ACCEPT
-A OUTPUT -o eth0 -p 50 -j ACCEPT
# allow IKE
-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
# Log dropped traffic
-A INPUT -j LOG --log-tcp-options --log-ip-options --log-level warning --log-prefix "admin in:"
-A FORWARD -j LOG --log-tcp-options --log-ip-options --log-level warning --log-prefix "admin forward:"
-A OUTPUT -j LOG --log-tcp-options --log-ip-options --log-level warning --log-prefix "admin out:"
COMMIT
Thanks for the help,
Mark Marwil
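The ruleset above only lets ESP (protocol 50) and IKE (UDP 500) leave eth0, so any packet that reaches the OUTPUT or FORWARD chain in plaintext, rather than already wrapped in ESP, is logged with the "admin out:" / "admin forward:" prefix and then hits the chain's DROP policy. The following is an added example, not part of the post or of strongSwan: a small simulator for the subset of iptables-save syntax used in the post that walks a chain rule by rule and reports the verdict and the LOG prefix a packet would produce. The embedded ruleset is a trimmed copy of the post's *filter table (NTP and DNS rules omitted, wrapped lines rejoined) and the packets are constructed; it compares addresses exactly (no CIDR) because the post's rules only use host addresses.

```python
"""Walk an iptables filter chain to see which rule a packet hits and whether it is logged."""
import shlex

# Constructed sample: trimmed *filter table from the post (NTP/DNS rules omitted).
FILTER_RULES = """
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 192.168.99.1 -j ACCEPT
-A FORWARD -o eth1 -i eth0 -d 192.168.99.1 -j ACCEPT
-A INPUT -p tcp --dport 10794 -j ACCEPT
-A OUTPUT -p tcp --sport 10794 -j ACCEPT
-A INPUT -i eth0 -p 50 -j ACCEPT
-A OUTPUT -o eth0 -p 50 -j ACCEPT
-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-A INPUT -j LOG --log-tcp-options --log-ip-options --log-level warning --log-prefix "admin in:"
-A FORWARD -j LOG --log-tcp-options --log-ip-options --log-level warning --log-prefix "admin forward:"
-A OUTPUT -j LOG --log-tcp-options --log-ip-options --log-level warning --log-prefix "admin out:"
COMMIT
"""

PROTO_NUMBERS = {"esp": 50, "udp": 17, "tcp": 6, "icmp": 1}
# iptables match option -> key of the packet dict used below
FIELD = {"-i": "in_if", "-o": "out_if", "-p": "proto", "-s": "src",
         "-d": "dst", "--sport": "sport", "--dport": "dport"}


def parse_filter_table(text):
    """Return (chain policies, rules per chain) for the *filter table in an iptables-save dump."""
    policies, chains, in_filter = {}, {}, False
    for line in text.splitlines():
        line = line.strip()
        if line == "*filter":
            in_filter = True
            continue
        if not in_filter or not line or line.startswith("#"):
            continue
        if line == "COMMIT":
            break
        if line.startswith(":"):                 # ":CHAIN POLICY [pkts:bytes]"
            name, policy, _ = line[1:].split()
            policies[name] = policy
            chains.setdefault(name, [])
            continue
        toks = shlex.split(line)                 # keeps "admin out:" as one token
        if toks[0] != "-A":
            continue
        rule = {"match": {}, "target": None, "log_prefix": None}
        i = 2
        while i < len(toks):
            t = toks[i]
            if t in ("-i", "-o", "-s", "-d"):
                rule["match"][t] = toks[i + 1]
                i += 2
            elif t == "-p":                      # accept a name or a number
                v = toks[i + 1].lower()
                rule["match"][t] = int(PROTO_NUMBERS.get(v, v))
                i += 2
            elif t in ("--sport", "--dport"):
                rule["match"][t] = int(toks[i + 1])
                i += 2
            elif t in ("-j", "--log-prefix"):
                rule["target" if t == "-j" else "log_prefix"] = toks[i + 1]
                i += 2
            elif t.startswith("--log-"):         # --log-level takes a value, the others are flags
                i += 2 if t == "--log-level" else 1
            else:
                i += 1
        chains[toks[1]].append(rule)
    return policies, chains


def evaluate(chain, pkt, policies, chains):
    """Return (verdict, log_prefix); LOG is non-terminating, so the walk continues after it."""
    logged = None
    for rule in chains[chain]:
        if all(pkt.get(FIELD[k]) == v for k, v in rule["match"].items()):
            if rule["target"] == "LOG":
                logged = rule["log_prefix"]
                continue
            return rule["target"], logged
    return policies[chain], logged               # fell off the chain: default policy applies


POLICIES, CHAINS = parse_filter_table(FILTER_RULES)


def classify(chain, **pkt):
    """Convenience wrapper: classify("OUTPUT", out_if="eth0", proto=50) -> ("ACCEPT", None)."""
    return evaluate(chain, pkt, POLICIES, CHAINS)


if __name__ == "__main__":
    # Constructed packets: ESP leaving eth0, a forwarded reply from the host behind eth1,
    # and a plaintext TCP packet originating on moon itself and leaving eth0.
    print(classify("OUTPUT", out_if="eth0", proto=50))
    print(classify("FORWARD", in_if="eth1", out_if="eth0", src="192.168.99.1", proto=6, sport=22, dport=40000))
    print(classify("OUTPUT", out_if="eth0", proto=6, sport=22, dport=40000))
```

Running it shows the three outcomes a kernel log reader needs to tell apart: ESP out eth0 is accepted silently, a forwarded reply from 192.168.99.1 is accepted by the explicit FORWARD rule, and a plaintext TCP packet leaving eth0 from moon itself falls through to the LOG rule (prefix "admin out:") and then to the OUTPUT chain's DROP policy. Matching the prefix in the log lines to the chain this way is the quickest check of whether a dropped reply was being sent in the clear or had already been encapsulated when the filter saw it.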