[strongSwan] Inter-tunnel routing

Paton, Andy andy.paton at hp.com
Wed Jun 26 11:57:52 CEST 2013


Jeroen,

Have you enabled IPv4 forwarding on your gateway? I am using Ubuntu and the settings below worked for me:

To check if IP forwarding is off:

sysctl net.ipv4.ip_forward

If it is disabled you will get the following:

net.ipv4.ip_forward = 0

To turn it on temporarily (until the next reboot):

sudo su
echo 1 > /proc/sys/net/ipv4/ip_forward

Check that this has been enabled by:
sysctl net.ipv4.ip_forward

You should get a '1' returned.

Then check to see if this had an impact on the gateway.

You may need to do:

sudo bash
[enter password]
ipsec restart

If this works, then the next thing to do is enable IP forwarding permanently.

You will need to do:

sudo nano /etc/sysctl.conf

Look for the following line and uncomment it (remove the hash):

net.ipv4.ip_forward = 1


Andy Paton

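The steps in the reply above, collected into one script as an added example (this is not code from the reply or from strongSwan). The file name enable_ipfwd.sh and the `apply` argument are assumptions; the parse and persist functions run anywhere, while the live steps (writing /proc, `sysctl -p`, `ipsec restart`) need root on the gateway and only run when `apply` is given.

```shell
#!/bin/sh
# enable_ipfwd.sh (name assumed): check, enable and persist net.ipv4.ip_forward.
# Added example for the strongSwan users thread; not code from the thread itself.

# Extract the 0/1 value from a line such as `sysctl net.ipv4.ip_forward` prints
ipfwd_value() {
  printf '%s\n' "$1" | sed -n 's/^net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*\([01]\).*/\1/p'
}

# Current value straight from the running kernel ("unknown" if /proc is not readable)
ipfwd_now() {
  if [ -r /proc/sys/net/ipv4/ip_forward ]; then
    cat /proc/sys/net/ipv4/ip_forward
  else
    echo unknown
  fi
}

# Make net.ipv4.ip_forward = 1 persistent in the given sysctl.conf:
# rewrite an existing line (commented out or not), otherwise append one.
# Prints the resulting line so the caller can verify it.
persist_ipfwd() {
  conf=$1
  if grep -Eq '^[[:space:]]*#?[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$conf"; then
    sed -E 's/^[[:space:]]*#?[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=.*$/net.ipv4.ip_forward = 1/' \
      "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
  else
    printf 'net.ipv4.ip_forward = 1\n' >> "$conf"
  fi
  grep -E '^net\.ipv4\.ip_forward[[:space:]]*=' "$conf" | tail -n 1
}

# Live steps, only when invoked as:  sudo sh enable_ipfwd.sh apply
if [ "${1:-}" = "apply" ]; then
  echo "before: $(ipfwd_now)"
  echo 1 > /proc/sys/net/ipv4/ip_forward     # immediate, lost on reboot
  echo "after:  $(ipfwd_now)"
  persist_ipfwd /etc/sysctl.conf             # survives reboot
  sysctl -p                                  # reload the file into the running kernel
  ipsec restart                              # as suggested in the reply above
fi
```

Run the script without arguments to load the functions only; `ipfwd_value "$(sysctl net.ipv4.ip_forward)"` then gives the parsed state, and `persist_ipfwd` can be pointed at a copy of sysctl.conf first to see the exact line it writes.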

From: users-bounces+andy.paton=hp.com at lists.strongswan.org [mailto:users-bounces+andy.paton=hp.com at lists.strongswan.org] On Behalf Of Jeroen J.A.W. Hermans
Sent: 26 June 2013 10:31
To: users at lists.strongswan.org
Subject: [strongSwan] Inter-tunnel routing

Dear all,

I have a question about a test scenario I am setting up.
I have two tunnels:
"rw" - laptop with Shrewsoft VPN client
ip: 192.168.2.1/32
external-ip: yyy.yyy.yyy.yyy (behind NAT, internal ip: 10.1.2.39)

"51" - Draytek Vigor 2910 (no pc's connected to Vigor yet)
ip-range: 192.168.51.1/24
external-ip: yyy.yyy.yyy.yyy (behind NAT, internal ip: 10.1.2.38)

The central location is a linux server running Strongswan 5.0.0:
ip-range: 192.168.0.1/24
external ip: xxx.xxx.xxx.xxx

When I ping from the "51" Draytek (itself) to 192.168.0.1 (strongSwan) it works.
When I ping from the "rw" laptop to 192.168.0.1 (strongSwan) it works.
When I ping from the "rw" laptop to 192.168.51.1 (tunnel "51") I get no reply.
When I ping from the "51" Draytek to 192.168.2.1 (tunnel "rw") I get no reply.

I have policies in the Draytek and Shrewsoft laptop for all subnets. This can be seen in the tcpdump, where the packets for the remote subnet of the other tunnel arrive at the Strongswan, but are not forwarded.
I have included as much information as possible. I hope someone can help me with this problem.
Thank you very much.
Kind regards,

Jeroen Hermans


$ sudo ip route list table 220
192.168.2.1 via <first-hop-router> dev eth0  proto static  src 192.168.0.1
192.168.51.0/24 via <first-hop-router> dev eth0  proto static  src 192.168.0.1

$ sudo tcpdump -i eth0 not ip6 and not port 22 and not port domain
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
"rw" pings one time to 192.168.0.1
11:11:40.410505 IP yyy.yyy.yyy.yyy.ipsec-nat-t > xxx.xxx.xxx.xxx.ipsec-nat-t: UDP-encap: ESP(spi=0xc8587ff2,seq=0x3), length 100
11:11:40.410572 IP 192.168.2.1 > 192.168.0.1: ICMP echo request, id 1, seq 234, length 40
11:11:40.410655 IP xxx.xxx.xxx.xxx.ipsec-nat-t > yyy.yyy.yyy.yyy.ipsec-nat-t: UDP-encap: ESP(spi=0xba5fa761,seq=0x3), length 100
"rw" pings one time to 192.168.51.1
11:11:43.377246 IP yyy.yyy.yyy.yyy.ipsec-nat-t > xxx.xxx.xxx.xxx.ipsec-nat-t: UDP-encap: ESP(spi=0xc04f2330,seq=0x2), length 100
11:11:43.377331 IP 192.168.2.1 > 192.168.51.1: ICMP echo request, id 1, seq 236, length 40
11:11:43.377367 IP 192.168.2.1 > 192.168.51.1: ICMP echo request, id 1, seq 236, length 40


$ sudo ip xfrm policy
src 192.168.51.0/24 dst 192.168.0.0/24
        dir fwd priority 1859 ptype main
        tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx
                proto esp reqid 393 mode tunnel
src 192.168.51.0/24 dst 192.168.0.0/24
        dir in priority 1859 ptype main
        tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx
                proto esp reqid 393 mode tunnel
src 192.168.0.0/24 dst 192.168.51.0/24
        dir out priority 1859 ptype main
        tmpl src xxx.xxx.xxx.xxx dst yyy.yyy.yyy.yyy
                proto esp reqid 393 mode tunnel
src 192.168.2.1/32 dst 192.168.51.0/24
        dir fwd priority 1827 ptype main
        tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx
                proto esp reqid 391 mode tunnel
src 192.168.2.1/32 dst 192.168.51.0/24
        dir in priority 1827 ptype main
        tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx
                proto esp reqid 391 mode tunnel
src 192.168.51.0/24 dst 192.168.2.1/32
        dir out priority 1827 ptype main
        tmpl src xxx.xxx.xxx.xxx dst yyy.yyy.yyy.yyy
                proto esp reqid 391 mode tunnel
src 192.168.2.1/32 dst 192.168.0.0/24
        dir fwd priority 1827 ptype main
        tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx
                proto esp reqid 390 mode tunnel
src 192.168.2.1/32 dst 192.168.0.0/24
        dir in priority 1827 ptype main
        tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx
                proto esp reqid 390 mode tunnel
src 192.168.0.0/24 dst 192.168.2.1/32
        dir out priority 1827 ptype main
        tmpl src xxx.xxx.xxx.xxx dst yyy.yyy.yyy.yyy
                proto esp reqid 390 mode tunnel


$ sudo iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [518:38392]
:OUTPUT ACCEPT [39692:7545269]
-A INPUT -p tcp -m tcp --dport 443:453 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i eth0 -p esp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o eth0 -p esp -j ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT [34286:3954457]
:INPUT ACCEPT [33100:3886019]
:FORWARD ACCEPT [518:38392]
:OUTPUT ACCEPT [39696:7546309]
:POSTROUTING ACCEPT [40214:7584701]
COMMIT
*nat
:PREROUTING ACCEPT [1646:110154]
:POSTROUTING ACCEPT [2019:153411]
:OUTPUT ACCEPT [1961:146461]
COMMIT
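An added example, not code from this thread or from strongSwan, for reading a dump like the `ip xfrm policy` output above: it asks which policy, if any, covers a packet with a given source, destination and direction (in, out or fwd), choosing the lowest priority value as the kernel does. The SAMPLE_POLICY text is a constructed subset of the records in the dump above, with the same placeholder addresses. Run against it, the rw -> 51 ping gets a fwd policy (reqid 391) but no out policy: the only out entry toward 192.168.51.0/24 in the dump is for source 192.168.0.0/24, so after forwarding there is no template that would re-encapsulate a packet from 192.168.2.1 toward the Draytek.

```shell
#!/bin/sh
# Added example; not from the thread or from strongSwan.
# usage:  ip xfrm policy | xfrm_match SRC_IP DST_IP DIR
# prints "reqid N priority P" for the best matching policy, or "none".
xfrm_match() {
  awk -v want_src="$1" -v want_dst="$2" -v want_dir="$3" '
    function ip2int(a,  p) { split(a, p, "."); return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4] }
    # is IPv4 address a inside CIDR c (e.g. 192.168.51.0/24)?  A missing prefix length means /32.
    function in_cidr(a, c,  q, host) {
      split(c, q, "/")
      if (q[2] == "") q[2] = 32
      host = 2 ^ (32 - q[2])
      return int(ip2int(a) / host) == int(ip2int(q[1]) / host)
    }
    # evaluate the policy record collected so far, then reset for the next one
    function flush() {
      if (cur_src != "" && cur_dir == want_dir && in_cidr(want_src, cur_src) && in_cidr(want_dst, cur_dst)) {
        if (best == "" || cur_prio + 0 < best_prio + 0) {
          best = "reqid " cur_reqid " priority " cur_prio; best_prio = cur_prio
        }
      }
      cur_src = ""; cur_dst = ""; cur_dir = ""; cur_prio = ""; cur_reqid = "none"
    }
    $1 == "src" && $3 == "dst" { flush(); cur_src = $2; cur_dst = $4 }   # selector line starts a record
    $1 == "dir"                { cur_dir = $2; cur_prio = $4 }
    $1 == "proto"              { for (i = 1; i <= NF; i++) if ($i == "reqid") cur_reqid = $(i + 1) }
    END { flush(); print (best == "" ? "none" : best) }
  '
}

# Constructed sample: a subset of the records from the dump above.
SAMPLE_POLICY=$(cat <<'EOF'
src 192.168.0.0/24 dst 192.168.51.0/24
        dir out priority 1859 ptype main
        tmpl src xxx.xxx.xxx.xxx dst yyy.yyy.yyy.yyy
                proto esp reqid 393 mode tunnel
src 192.168.2.1/32 dst 192.168.51.0/24
        dir fwd priority 1827 ptype main
        tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx
                proto esp reqid 391 mode tunnel
src 192.168.51.0/24 dst 192.168.2.1/32
        dir out priority 1827 ptype main
        tmpl src xxx.xxx.xxx.xxx dst yyy.yyy.yyy.yyy
                proto esp reqid 391 mode tunnel
src 192.168.2.1/32 dst 192.168.0.0/24
        dir fwd priority 1827 ptype main
        tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx
                proto esp reqid 390 mode tunnel
src 192.168.0.0/24 dst 192.168.2.1/32
        dir out priority 1827 ptype main
        tmpl src xxx.xxx.xxx.xxx dst yyy.yyy.yyy.yyy
                proto esp reqid 390 mode tunnel
EOF
)

# Follow the failing rw -> 51 ping through the table: decrypt+forward, then re-encrypt.
trace_rw_to_51() {
  printf 'rw -> 51, fwd (after decrypt)  : %s\n' "$(printf '%s\n' "$SAMPLE_POLICY" | xfrm_match 192.168.2.1 192.168.51.1 fwd)"
  printf 'rw -> 51, out (toward Draytek) : %s\n' "$(printf '%s\n' "$SAMPLE_POLICY" | xfrm_match 192.168.2.1 192.168.51.1 out)"
  printf 'gw  -> 51, out (for comparison) : %s\n' "$(printf '%s\n' "$SAMPLE_POLICY" | xfrm_match 192.168.0.1 192.168.51.1 out)"
}
trace_rw_to_51
```

On a live gateway, pipe `ip xfrm policy` into `xfrm_match` with the real inner addresses; a "none" for dir out is the case where a forwarded packet leaves the external interface in the clear, which is what two copies of the same ICMP echo request on eth0 with no ESP between them look like in tcpdump.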