[strongSwan] VPN-Gateway on Internet-Gateway

Mon Mar 25 09:58:26 CET 2013

Hey at all,

I have some problems regarding strongswan. Maybe I get some help here.

I installed strongswan on a test-environment and all works great. After that I moved strongswan to a different server (production server) and now there are some problems.
I can still establish the vpn-tunnel, that works without any problems. But I cannot ping the local hosts from any remote hosts and vica versa.

I have to say that the production server is an internet-gateway at the same time. This internet-gateway has the following interfaces:

eth0 - network card for local-network (static ip: 10.0.1.1)
eth1 - network card for internet (ip is dynamically assigned by isp)

local-network: 10.0.0.0/255.255.0.0, different notation 10.0.0.0/16

Strongswan is configured (see ipsec.conf below) to assign ip's from the following range: 10.0.4.0/255.255.255.0, different notation 10.0.4.0/24

I use iptables for the firewall on this internet-gateway. The default policy is to drop all packets. See the rules below of iptables.

As I can see of "ipsec statusall", pings from remote-hosts to 10.0.1.1 increase the number of received bytes.
As I can also see of "ipsec statusall", pings from local-hosts to a vpn-client (e.g. 10.0.4.1) increase the number of sent bytes.
But for any reason the particular counter-direction is not working. So the ping does not work.

Any ideas what's going wrong here?

Thanks in advance!

Alex

Finally some excerpts from my logs:

-----------------------------------------------------
cat /proc/sys/net/ipv4/ip_forward
1
-----------------------------------------------------

-----------------------------------------------------
In strongswan.conf I configured strongswan to only listen on eth0-interface.

charon {
        interfaces_use = eth0
}

The command "ipsec statusall" states that strongswan that this paremeter is applied.

Listening IP addresses:
  10.0.1.1
-----------------------------------------------------

-----------------------------------------------------
# iptables rules

# constants
LAN_INTERFACE=eth0
WAN_INTERFACE=eth1
VPN_IP=10.0.1.1

# setting standard-policies
iptables --table filter --policy INPUT DROP
iptables --table filter --policy FORWARD DROP
iptables --table filter --policy OUTPUT DROP

# destination nat for vpn-traffic
iptables --append PREROUTING --table nat --in-interface ${WAN_INTERFACE} --protocol udp --dport 500 --jump DNAT --to-destination ${VPN_IP}:500
iptables --append PREROUTING --table nat --in-interface ${WAN_INTERFACE} --protocol udp --dport 4500 --jump DNAT --to-destination ${VPN_IP}:4500

# allow vpn-traffic for local-machine
iptables --append INPUT --table filter --in-interface ${WAN_INTERFACE} --protocol udp --destination-port 500 --jump ACCEPT
iptables --append INPUT --table filter --in-interface ${WAN_INTERFACE} --protocol udp --destination-port 4500 --jump ACCEPT

# allow all traffic to/from lan-interface for local machine
iptables --append INPUT --table filter --in-interface ${LAN_INTERFACE} --jump ACCEPT
iptables --append OUTPUT --table filter --out-interface ${LAN_INTERFACE} --jump ACCEPT

# allow all outgoing traffic from lan-interface to wan-interface
iptables --append FORWARD --table filter --in-interface ${LAN_INTERFACE} --out-interface ${WAN_INTERFACE} --match state --state NEW,ESTABLISHED,RELATED --jump ACCEPT

# allow all incoming traffic from wan-interface to lan-interface that is already is established from inside
iptables --append FORWARD --table filter --in-interface ${WAN_INTERFACE} --out-interface ${LAN_INTERFACE} --match state --state ESTABLISHED,RELATED --jump ACCEPT

# do network-address-translation (nat) to hide private addresses on public internet
iptables --append POSTROUTING --table nat --out-interface ${WAN_INTERFACE} --jump MASQUERADE
-----------------------------------------------------

-----------------------------------------------------
#ipsec.conf
conn %default
        keyexchange=ikev2
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        dpdaction=clear
        dpddelay=300s
        rekey=no

conn vpn
        left=%any
        leftsubnet=0.0.0.0/0
        leftauth=pubkey
        leftcert=certificate.pem
        right=%any
        rightsourceip=10.0.4.0/24
        rightdns=10.0.1.1
        rightauth=eap-mschapv2
        rightsendcert=never
        eap_identity=%any
        auto=add
-----------------------------------------------------

-----------------------------------------------------
#ip xfrm policy
src 10.0.4.1/32 dst 0.0.0.0/0
        dir fwd priority 1923 ptype main
        tmpl src 77.4.129.61 dst 10.0.1.1
                proto esp reqid 4 mode tunnel
src 10.0.4.1/32 dst 0.0.0.0/0
        dir in priority 1923 ptype main
        tmpl src 77.4.129.61 dst 10.0.1.1
                proto esp reqid 4 mode tunnel
src 0.0.0.0/0 dst 10.0.4.1/32
        dir out priority 1923 ptype main
        tmpl src 10.0.1.1 dst 77.4.129.61
                proto esp reqid 4 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0 ptype main
src ::/0 dst ::/0
        dir 3 priority 0 ptype main
src ::/0 dst ::/0
        dir 4 priority 0 ptype main
src ::/0 dst ::/0
        dir 3 priority 0 ptype main
src ::/0 dst ::/0
        dir 4 priority 0 ptype main
-----------------------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130325/b836275e/attachment.html>