[strongSwan] StrongSWAN and AVM Fritzbox - Help!
Rene Bartsch
ml at bartschnet.de
Sun Feb 13 21:42:32 CET 2011
On Sun, 13 Feb 2011 10:55:07 -0800, Daniel Mentz
<danielml+mailinglists.strongswan at sent.com> wrote:
> On 02/13/2011 08:49 AM, Rene Bartsch wrote:
>> After removing "leftfirewall=yes" from ipsec.conf and adding the
>> incoming FORWARD rule created by "leftfirewall=yes" to the INPUT chain
>> manually, it seems to work.
>
> That's strange. Can you save the output of "iptables-save" in both cases
> and run a diff against both files to see what's the difference?
>
I've attached the output of "ip -4 a", iptables-save of working and
non-working setup and a diff.
xxx.xxx.xxx.20: eth0 primary public IP of Ubuntu 10.04.2 LTS server
xxx.xxx.xxx.102: eth0:0 secondary public IP of Ubuntu 10.04.2 LTS server
(IPSec connection)
192.168.176.1: dummy0 Test for virtual servers
eth0: 1000Base-T internet-uplink
eth1: unused
Fritzbox config (default: aggressive mode and NAT-T enabled):
vpncfg {
connections {
enabled = yes;
conn_type = conntype_lan;
name = "xxx.xxx.xxx.102";
always_renew = no;
reject_not_encrypted = no;
dont_filter_netbios = yes;
localip = 0.0.0.0;
local_virtualip = 0.0.0.0;
remoteip = xxx.xxx.xxx.102;
remote_virtualip = 0.0.0.0;
localid {
fqdn = "xxx.dnsalias.net";
}
remoteid {
ipaddr = xxx.xxx.xxx.102;
}
mode = phase1_mode_idp;
phase1ss = "all/all/all";
keytype = connkeytype_pre_shared;
key = "xxxxxxxxxxxxxxxxxxxx";
cert_do_server_auth = no;
use_nat_t = no;
use_xauth = no;
use_cfgmode = no;
phase2localid {
ipnet {
ipaddr = 192.168.177.0;
mask = 255.255.255.0;
}
}
phase2remoteid {
ipnet {
ipaddr = 192.168.176.0;
mask = 255.255.255.0;
}
}
phase2ss = "esp-all-all/ah-none/comp-all/pfs";
accesslist = "permit ip any 192.168.176.0 255.255.255.0";
}
ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
"udp 0.0.0.0:4500 0.0.0.0:4500";
}
Best regards,
Renne
-------------- next part --------------
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc prio state UNKNOWN
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc prio state UP qlen 1000
inet xxx.xxx.xxx.20/24 brd xxx.xxx.xxx.255 scope global eth0
inet xxx.xxx.xxx.102/24 brd xxx.xxx.xxx.255 scope global secondary eth0:0
4: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc prio state UNKNOWN
inet 192.168.176.1/24 brd 192.168.176.255 scope global dummy0
-------------- next part --------------
A non-text attachment was scrubbed...
Name: iptables.save.working
Type: text/x-c++
Size: 6102 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110213/5c13f24b/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: iptables.save.not-working
Type: text/x-c++
Size: 6176 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110213/5c13f24b/attachment-0001.bin>
-------------- next part --------------
--- iptables.save.working 2011-02-13 21:18:55.312905234 +0100
+++ iptables.save.not-working 2011-02-13 21:23:31.475403173 +0100
@@ -7,13 +7,13 @@
eth1: unused
-# Generated by iptables-save v1.4.4 on Sun Feb 13 20:53:08 2011
+# Generated by iptables-save v1.4.4 on Sun Feb 13 21:08:03 2011
*mangle
-:PREROUTING ACCEPT [1033337:88572817]
-:INPUT ACCEPT [1030464:88159548]
+:PREROUTING ACCEPT [1043039:89521051]
+:INPUT ACCEPT [1039944:89073990]
:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [1088515:1531960932]
-:POSTROUTING ACCEPT [1088515:1531960932]
+:OUTPUT ACCEPT [1096710:1532915142]
+:POSTROUTING ACCEPT [1096710:1532915142]
-A POSTROUTING -o lo -p icmp -m comment --comment "Traffic-shaping Interface: lo Type: ICMP" -j CLASSIFY --set-class 0001:0001
-A POSTROUTING -o lo -p tcp -m comment --comment "Traffic-shaping Interface: lo Type: TCP ACK" -m tcp --tcp-flags FIN,SYN,RST,ACK ACK -j CLASSIFY --set-class 0001:0003
-A POSTROUTING -o lo -m comment --comment "Traffic-shaping Interface: lo Type: Small packets" -m length --length 0:64 -j CLASSIFY --set-class 0001:0004
@@ -27,12 +27,12 @@
-A POSTROUTING -o dummy0 -p tcp -m comment --comment "Traffic-shaping Interface: dummy0 Type: TCP ACK" -m tcp --tcp-flags FIN,SYN,RST,ACK ACK -j CLASSIFY --set-class 0004:0003
-A POSTROUTING -o dummy0 -m comment --comment "Traffic-shaping Interface: dummy0 Type: Small packets" -m length --length 0:64 -j CLASSIFY --set-class 0004:0004
COMMIT
-# Completed on Sun Feb 13 20:53:08 2011
-# Generated by iptables-save v1.4.4 on Sun Feb 13 20:53:08 2011
+# Completed on Sun Feb 13 21:08:03 2011
+# Generated by iptables-save v1.4.4 on Sun Feb 13 21:08:03 2011
*filter
-:INPUT DROP [960:109842]
+:INPUT DROP [7:420]
:FORWARD DROP [0:0]
-:OUTPUT ACCEPT [1088513:1531960805]
+:OUTPUT ACCEPT [69:19830]
-A INPUT -i lo -m comment --comment "ACCEPT loopback device" -j ACCEPT
-A INPUT -i dummy0 -m comment --comment "ACCEPT dummy0 device" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "ACCEPT existing connections" -j ACCEPT
@@ -47,7 +47,6 @@
-A INPUT -d xxx.xxx.xxx.102/32 -p esp -m comment --comment "ACCEPT IPSec ESP" -j ACCEPT
-A INPUT -d xxx.xxx.xxx.102/32 -m policy --dir in --pol ipsec -m comment --comment "ACCEPT IPSec secured packets" -j ACCEPT
-A INPUT -d xxx.xxx.xxx.102/32 -p udp -m udp --dport 500 -m comment --comment "ACCEPT IPSec IKE" -j ACCEPT
--A INPUT -s 192.168.177.0/24 -d 192.168.176.0/24 -m policy --dir in --pol ipsec --reqid 16385 --proto esp -m comment --comment "ACCEPT IPSec secured packets" -j ACCEPT
-A INPUT -m state --state NEW -m recent --set --name DEFAULT --rsource -m comment --comment "Store connection requests"
-A INPUT -d xxx.xxx.xxx.102/32 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 240 --hitcount 10 --name DEFAULT --rsource -m comment --comment "DROP SSH Brute-Force-Attacks" -j DROP
-A INPUT -d xxx.xxx.xxx.102/32 -p tcp -m tcp --dport 22 -m state --state NEW -m comment --comment "ACCEPT SSH connections" -j ACCEPT
@@ -57,8 +56,10 @@
-A INPUT -d xxx.xxx.xxx.20/32 -p tcp -m tcp --dport 53 -m state --state NEW -m comment --comment "ACCEPT DNS TCP connections" -j ACCEPT
-A INPUT -d xxx.xxx.xxx.20/32 -p tcp -m tcp --dport 80 -m state --state NEW -m comment --comment "ACCEPT HTTP connections" -j ACCEPT
-A INPUT -d xxx.xxx.xxx.20/32 -p tcp -m tcp --dport 443 -m state --state NEW -m comment --comment "ACCEPT HTTPS connections" -j ACCEPT
+-A FORWARD -s 192.168.177.0/24 -d 192.168.176.0/24 -i eth0:0 -m policy --dir in --pol ipsec --reqid 16385 --proto esp -j ACCEPT
+-A FORWARD -s 192.168.176.0/24 -d 192.168.177.0/24 -o eth0:0 -m policy --dir out --pol ipsec --reqid 16385 --proto esp -j ACCEPT
COMMIT
-# Completed on Sun Feb 13 20:53:08 2011
+# Completed on Sun Feb 13 21:08:03 2011
# ipsec.conf - strongSwan IPsec configuration file
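Review bot: The two FORWARD rules added on the new side match on `-i eth0:0` / `-o eth0:0`, but `eth0:0` is an address label rather than a netfilter device name — the `ip -4 a` output above lists xxx.xxx.xxx.102 as a `secondary` address on `eth0`, so decrypted packets carry an input device of `eth0` and these rules will not match. The destination subnet 192.168.176.0/24 is also local to this host (dummy0, 192.168.176.1), so such packets are delivered through INPUT rather than FORWARD, which is consistent with the rule removed in the previous hunk, `-A INPUT -s 192.168.177.0/24 -d 192.168.176.0/24 -m policy --dir in --pol ipsec --reqid 16385 --proto esp -m comment --comment "ACCEPT IPSec secured packets" -j ACCEPT`, being what made the working set work. The same point applies to the `leftfirewall=yes` toggle in the ipsec.conf hunk below, which appears to be what generates these FORWARD rules; a custom updown script or a static INPUT rule is the usual way to cover a subnet that terminates on the gateway itself. Pinning `--reqid 16385` in a static rule is fragile, since the reqid is assigned by the daemon and may change after a restart or reload; the broader `-m policy --dir in --pol ipsec` match without a reqid, as already used on the `ACCEPT IPSec secured packets` rule for xxx.xxx.xxx.102, is more robust. The enclosing `*filter` table starts before this hunk.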
@@ -82,7 +83,7 @@
conn frankfurt-giessen
left=xxx.xxx.xxx.102
leftsubnet=192.168.176.0/24
- #leftfirewall=yes
+ leftfirewall=yes
#
ike=aes128-sha-modp1024
esp=aes128-sha1