[strongSwan] ipsec tunnels iptables rules, masquerading.

Richard Marshall richard.marshall at tagman.com
Mon May 28 13:13:47 CEST 2012


Hi,

I've been struggling with this problem for a while now and really need to get it resolved.

I have established an ipsec tunnel(s) from strongswan, left, to what I believe is a cisco router, right (I don't have access; it's with a managed provider, softlayer). The right hosts are behind a SNAT, so I configure a specific translation address. I am able to connect from right hosts to left hosts, so I know the tunnel is working. However, I am unable to connect from left hosts to right. I believe the issue sits somewhere between IPsec and iptables, but I'm unable to resolve it.

Essentially, when I connect from left to right it appears the packets are not being tunnelled but are instead going out unencrypted. I can see the relevant ip xfrm policies, but they don't appear to get matched. When I ping from left to right I can see a relevant iptables counter increment once on the first ping, but not for subsequent pings (see iptables below).

I have 12 subnets on the right side, so the xfrm policies and ipsec.conf are fairly long-winded; I have included relevant excerpts only. I should also add that the strongswan server is in a heartbeat HA pair, so the left endpoint address is a secondary IP on the interface (the primary is the .241 address; .249 is the floating secondary).

Any help is much appreciated!

Regards

Richard

---------- ipsec.conf -----------

conn am0-am1
        compress=no
        authby=psk
        auth=esp
        left=83.223.223.249
        leftid=83.223.223.249
        leftnexthop=83.223.223.249
        leftfirewall=yes
        right=173.192.252.19
        rightid=173.192.252.19
        pfs=yes
        keyexchange=ikev1
        ike=3des-sha1-modp1024
        esp=3des-sha1-modp1024
        auto=start

conn 12-subnet
        leftsubnet=192.168.1.0/24
        rightsubnet=10.68.15.0/26
        also=am0-am1

-------- ipsec statusall 12-subnet ---------

000
000 "12-subnet": 192.168.1.0/24===83.223.223.249---83.223.223.249...173.192.252.19===10.68.15.0/26; erouted; eroute owner: #56
000 "12-subnet":   ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "12-subnet":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,26; interface: bond1;
000 "12-subnet":   newest ISAKMP SA: #45; newest IPsec SA: #56;
000 "12-subnet":   IKE proposal: 3DES_CBC/HMAC_SHA1/MODP_1024
000 "12-subnet":   ESP proposal: 3DES_CBC/HMAC_SHA1/<Phase1>
000
000 #56: "12-subnet" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 3013s; newest IPSEC; eroute owner
000 #56: "12-subnet" esp.beace286 at 173.192.252.19 (0 bytes) esp.6e9a9b60 at 83.223.223.249 (0 bytes); tunnel
000 #45: "12-subnet" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 543s; newest ISAKMP
000 #40: "12-subnet" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 822s
000 #40: "12-subnet" esp.beace276 at 173.192.252.19 (0 bytes) esp.9796994b at 83.223.223.249 (0 bytes); tunnel
000

------- iptables -t nat ------------

iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 2717M packets, 151G bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      *       0.0.0.0/0            173.192.252.19      to:83.223.223.249
   63  4316 SNAT       all  --  *      *       0.0.0.0/0            10.0.0.0/8          to:83.223.223.249
 149M 9058M MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0


Chain OUTPUT (policy ACCEPT 2900M packets, 174G bytes)
 pkts bytes target     prot opt in     out     source               destination


------- ip xfrm policy --------------

src 192.168.1.0/24 dst 10.68.15.0/26
dir out priority 2342
tmpl src 83.223.223.249 dst 173.192.252.19
proto esp reqid 16433 mode tunnel
src 10.68.15.0/26 dst 192.168.1.0/24
dir fwd priority 2342
tmpl src 173.192.252.19 dst 83.223.223.249
proto esp reqid 16433 mode tunnel
src 10.68.15.0/26 dst 192.168.1.0/24
dir in priority 2342
tmpl src 173.192.252.19 dst 83.223.223.249
proto esp reqid 16433 mode tunnel

----- ip xfrm state ---------------------

src 173.192.252.19 dst 83.223.223.249
proto esp spi 0x6e9a9b60 reqid 16433 mode tunnel
replay-window 32
auth hmac(sha1) 0x09ab8bd48d0895e54ad5d15b26a3e1880ca124c3
enc cbc(des3_ede) 0x8ee37adfdccefa3f579daa824508d2b80aea82a5afdb39fb
sel src 0.0.0.0/0 dst 0.0.0.0/0
src 83.223.223.249 dst 173.192.252.19
proto esp spi 0xbeace276 reqid 16433 mode tunnel
replay-window 32
auth hmac(sha1) 0x662aba286f44c3843a90bf5f18bd4b9eda21bbf9
enc cbc(des3_ede) 0x5572b5a7f35b3ce3ef93895db3f4d2d7d06a73d42993668a
sel src 0.0.0.0/0 dst 0.0.0.0/0
src 173.192.252.19 dst 83.223.223.249
proto esp spi 0x9796994b reqid 16433 mode tunnel
replay-window 32
auth hmac(sha1) 0x60fd58dd50ae73dd378e80789223b0c00f67008b
enc cbc(des3_ede) 0xda52049f27ad8ad877c22dce59674f417fad435f7604ec39
sel src 0.0.0.0/0 dst 0.0.0.0/0

---------- ip a ------------------------
bond1: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 00:22:19:6c:5c:07 brd ff:ff:ff:ff:ff:ff
    inet 83.223.223.241/28 brd 83.223.223.255 scope global bond1
    inet 83.223.223.249/28 brd 83.223.223.255 scope global secondary bond1

----------- traceroute to right host -------------

traceroute 10.68.15.6
traceroute to 10.68.15.6 (10.68.15.6), 30 hops max, 60 byte packets
 1  83.223.223.254 (83.223.223.254)  0.449 ms  0.446 ms  0.448 ms
 2  87.255.36.250 (87.255.36.250)  0.595 ms  0.627 ms  0.736 ms
^
 3  * * *
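As an added example (not part of the original post or of strongSwan), the script below replays the quoted POSTROUTING nat table and the `dir out` xfrm policy against one left-to-right flow to check a hypothesis a practitioner would test first: whether a SNAT/MASQUERADE target rewrites the inner source before netfilter re-evaluates the xfrm policy, so the packet falls outside the 192.168.1.0/24 selector and leaves in the clear. The MASQUERADE source address and the ACCEPT exception rule are assumptions, not taken from the post.

```python
import ipaddress

# Constructed from the `ip xfrm policy` and `iptables -t nat` output quoted
# above; only the fields this check needs are kept.
XFRM_OUT_POLICIES = [("192.168.1.0/24", "10.68.15.0/26")]   # dir out selectors

# POSTROUTING rules in table order: (target, src, dst, new_source).
# The MASQUERADE source is an assumption: bond1's primary address.
NAT_POSTROUTING = [
    ("SNAT", "0.0.0.0/0", "173.192.252.19/32", "83.223.223.249"),
    ("SNAT", "0.0.0.0/0", "10.0.0.0/8", "83.223.223.249"),
    ("MASQUERADE", "0.0.0.0/0", "0.0.0.0/0", "83.223.223.241"),
]

# Hypothetical exception rule that would keep NAT off tunnel traffic.
NAT_EXCEPTION = ("ACCEPT", "192.168.1.0/24", "10.68.15.0/26", None)


def in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def first_nat_rule(src, dst, rules):
    """First POSTROUTING rule whose selectors match; None if the chain policy applies."""
    for rule in rules:
        if in_net(src, rule[1]) and in_net(dst, rule[2]):
            return rule
    return None


def out_policy_matches(src, dst):
    return any(in_net(src, s) and in_net(dst, d) for s, d in XFRM_OUT_POLICIES)


def check_flow(src, dst, rules):
    """Return (matches_before_nat, matches_after_nat, nat_rule_hit).

    Netfilter re-runs the xfrm policy lookup after a NAT target has
    rewritten the packet, so the post-NAT source is what must match the
    dir out selector.  Only the first packet of a connection traverses
    the nat table (later packets reuse the conntrack mapping), which is
    why a nat-table counter grows once per ping run.
    """
    before = out_policy_matches(src, dst)
    rule = first_nat_rule(src, dst, rules)
    new_src = rule[3] if rule and rule[0] in ("SNAT", "MASQUERADE") else src
    return before, out_policy_matches(new_src, dst), rule


if __name__ == "__main__":
    for rules in (NAT_POSTROUTING, [NAT_EXCEPTION] + NAT_POSTROUTING):
        print(check_flow("192.168.1.10", "10.68.15.6", rules))
```

With the quoted table the flow matches the policy before NAT but not after (the 10.0.0.0/8 SNAT rule fires); with the exception rule in front it matches both times.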
