[strongSwan] Routing Polices with IPTABLES not working

Adrian Milanoski amilanoski at rim.com
Sat Dec 8 23:54:58 CET 2012


Hi Martin,

I have no firewall with a DROP packet implemented, and currently the packets are not being dropped; they are being sent out the public interface, where my only default route lies.

      * Do you have IP forwarding enabled on the VPN gateway?
        (/proc/sys/net/ipv4/ip_forward)
Yes.
      * Do you have a proper route on the gateway for the private
        network?
This I do not have. However, every time I set a default route on the private network I cannot connect. I am going to try and manipulate the routing table to get this to work now, instead of IPTABLES.
      * Do the hosts on the network have a proper route over the gateway
        to the virtual IPs you assign?
Currently, after the tunnel is established, I can ping the private interface of the GW, but as soon as I go outside of that (if I try to ping, let's say, the default GW for the private network) the packets get routed out my public interface, and they are not NAT'd.


Regards,

Adrian Milanoski
Lab Administrator
BBOS WiFI VPN Dev. Security Testing 
Research In Motion Limited 
Tel.(289) 261-5801 | Cell: 647-289-6995
Email  amilanoski at rim.com




-----Original Message-----
From: Martin Willi [mailto:martin at strongswan.org] 
Sent: Friday, December 07, 2012 4:07 AM
To: Adrian Milanoski
Cc: Users at lists.strongswan.org
Subject: Re: [strongSwan] Routing Polices with IPTABLES not working

Hi Adrian,

> Why is it so difficult to get these packets flowing from the tunnel to 
> the private network? I thought the certain commands were to add rules 
> in to the IPtables and remove them when the tunnel is torn down.

Unless you have a firewall with default DROP policies, you don't need any iptables entries. If you have a restrictive firewall, I'd recommend opening it for testing, and once it works, have a look at the leftfirewall ipsec.conf option.

      * Do you have IP forwarding enabled on the VPN gateway?
        (/proc/sys/net/ipv4/ip_forward)
      * Do you have a proper route on the gateway for the private
        network?
      * Do the hosts on the network have a proper route over the gateway
        to the virtual IPs you assign?

If this all looks OK, I'd try to analyze which packets get dropped (from VPN clients to your private network, or from your private network to the VPN clients?).

Regards
Martin
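The three checks in Martin's reply (IP forwarding, a route on the gateway for the private network, and firewall rules of the kind leftfirewall=yes adds) as a small offline diagnostic, together with a look at where traffic goes when the private-network route is missing, which is the symptom Adrian describes. This is an added example, not code from the thread or from the strongSwan project. The interface names eth0/eth1, the 10.0.0.0/8 private network, the 172.16.0.5 virtual IP, the 192.168.50.254 next hop and the sample routing table are assumptions made up for illustration, and the printed iptables lines only approximate the rules the default _updown script inserts when leftfirewall=yes (the real script also qualifies them with --reqid and --proto).

```shell
#!/bin/sh
# Added example, not from the strongSwan project or from the thread authors.
# Offline checks for the three points in Martin's reply, plus a printout of
# FORWARD rules of the shape the leftfirewall=yes updown script inserts.
# Assumptions (chosen for illustration): public interface eth0, private
# interface eth1, private network 10.0.0.0/8, virtual IP 172.16.0.5.

# 1. IP forwarding. Reads the sysctl file; the path can be overridden so the
#    check can be exercised against a constructed file.
check_ip_forward() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] || { echo "cannot read $f"; return 2; }
    v=$(cat "$f")
    if [ "$v" = "1" ]; then
        echo "ip_forward=1 (ok)"
        return 0
    fi
    echo "ip_forward=$v: tunnel traffic will not be forwarded (sysctl -w net.ipv4.ip_forward=1)"
    return 1
}

# 2a. Route on the gateway for a prefix. Reads 'ip route' output on stdin,
#     prints the matching entry and returns 1 if the prefix has no route.
route_for_prefix() {
    awk -v p="$1" '$1 == p { print; found = 1 } END { exit !found }'
}

# 2b. Device the default route uses. Any destination without a more
#     specific route (Adrian's pings into the private network) leaves here.
default_route_dev() {
    awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1) }'
}

# 3. FORWARD rules for one client, limited to packets that actually arrived
#    through / will leave through IPsec (-m policy). Approximates what the
#    default strongSwan _updown script does with leftfirewall=yes; the
#    --reqid/--proto qualifiers of the real script are omitted. The rules
#    are printed, not applied.
forward_rules() {
    peer="$1"; mine="$2"; iface="$3"
    printf 'iptables -I FORWARD 1 -i %s -s %s -d %s -m policy --dir in --pol ipsec -j ACCEPT\n' "$iface" "$peer" "$mine"
    printf 'iptables -I FORWARD 1 -o %s -s %s -d %s -m policy --dir out --pol ipsec -j ACCEPT\n' "$iface" "$mine" "$peer"
}

# Constructed sample routing table (not captured from a real host): the
# gateway has a link route on its private interface eth1 but no route for
# the rest of 10.0.0.0/8, so that traffic follows the default via eth0.
SAMPLE_ROUTES='default via 203.0.113.1 dev eth0
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.10
192.168.50.0/24 dev eth1 proto kernel scope link src 192.168.50.1'

# Run as: sh check.sh demo
if [ "${1:-}" = "demo" ]; then
    check_ip_forward || true
    echo "default route leaves via: $(printf '%s\n' "$SAMPLE_ROUTES" | default_route_dev)"
    if ! printf '%s\n' "$SAMPLE_ROUTES" | route_for_prefix 10.0.0.0/8; then
        echo "no route for 10.0.0.0/8: e.g. ip route add 10.0.0.0/8 via 192.168.50.254 dev eth1"
    fi
    forward_rules 172.16.0.5 10.0.0.0/8 eth0
fi
```

On the sample table, route_for_prefix finds the 192.168.50.0/24 link route but nothing for 10.0.0.0/8, and default_route_dev reports eth0, which is exactly the path Adrian sees his private-network pings take; adding the missing route on the gateway (and the return route on the private network towards the virtual IP range) is what the second and third of Martin's points are about.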


