[strongSwan] Routing problems with IPsec but not L2TP/IPsec
Noel Kuntze
noel at familie-kuntze.de
Thu Apr 17 11:54:01 CEST 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello,
The pakets in POSTROUTING get ACCEPTed by your policy rule, before they can be SNATed. Take out the policy rule and it should work.
Also, look at this: http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
and this: http://inai.de/images/nf-packet-flow.png
Regards,
Noel Kuntze
GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Am 17.04.2014 07:20, schrieb Patrick Shyvers:
> I’m trying to migrate from L2TP/IPsec to IPsec & IKE. L2TP/IPsec is working with strongswan, and I can access both my private subnet & the public internet through the VPN server. However, with IPsec & IKE I can only access my private subnet. My client is usually behind NAT, but from the strongswan documentation that should not be an issue.
>
>
>
> When testing IPsec, I flush my firewall and set everything to ACCEPT. Then I add the necessary POSTROUTING SNAT rule, which works fine with L2TP/IPsec. So I am fairly confident it is not an iptables problem.
>
>
>
> Establishing VPN connection is also not a problem, that goes over without a hitch. So I am suspecting there is a routing problem, but the routing tables are my biggest weakness on Linux, so I’m hoping I could get some thoughts from the strongswan community. It might also have to do with routing that happens inside strongswan- I’m still fuzzy on how much packet handling strongswan does.
>
>
>
> My interfaces are perhaps laid out unusually?
>
>
>
> venet0 - 127.0.0.1
>
> venet0:0 - <PUBLIC SERVER IP>
>
> venet0:1 - <PRIVATE VLAN>
>
>
>
> Ipsec.conf:
>
> conn IKEv1-PSK-NAT
>
> auto=add
>
> left=<PUBLIC SERVER IP>
>
> rightsourceip=10.1.0.1/23
>
> rightsubnet=10.1.0.0/23
>
> authby=xauthpsk
>
> keyexchange=ikev1
>
> leftcert=server.crt
>
> leftsubnet=0.0.0.0/0
>
> xauth=server
>
>
>
> Iptables:
>
> -A POSTROUTING -s 10.0.0.0/8 -o venet0 -m policy --dir out --pol ipsec -j ACCEPT
>
> -A POSTROUTING -s 10.0.0.0/8 -o venet0 -j SNAT --to-source <PUBLIC SERVER IP>
>
>
>
> # ip route list
>
> <VLAN SUBNET> dev venet0 proto kernel scope link src <VLAN IP>
>
> <ANOTHER VLAN> dev venet0 scope link metric 1002
>
> default dev venet0 scope link
>
> # ip route list table 220
>
> 10.1.0.2 via <CLIENT IP> dev venet0 proto static
>
>
>
> -Patrick
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIcBAEBAgAGBQJTT6S5AAoJEDg5KY9j7GZYPZoP/2NGq2+mVvG9TLOpKm6sHCaz
o3yOWB7sr6gIRMMYTD8KGR+jG8D5gkvqFD9m0HJqgZQpbMdtenohNDWvJaE9tLOM
6VyCdvRXGHo/ZneNB8W3Dyzc9L1BJPA++gLk6PePzLZqFoUPf4aCC69uJmpTgWTc
3vToUxzKfTQb0jVz2oxB7j3Hz0UOodWWGlREO7KGdk07uxAN1fIWRPOOZ9iXu3lC
DZNNLd3PblERvZH/qlZYtClw9lPmfcUpTOcPvSOE33F/2MZfq00oNGJYhfuGNgTM
+RUR7LHlmRnuIxLZ0i8ufIy4KwIFvmsPXeeJg9macXOlsHCZMDKQRC0tUnoO5o4k
L/kOmSohz1tULjZsa3yPrShg29NsBlrN6VE2CIsaV/XnkNRHn8Ihp8aRRCKFsYUR
O1oqC2zx9Oo2bdd4qc44bT7nUc9I3VHErD7zsFGZ+UVIksGe9r11qu7EyrL7wrs+
kKjvHTOQZXZ/97p8L5qR/RAa6Cbe3nVRNwOuV5KSPmq3AcTBp7ACCHAYaxIOoad6
BqPBcZ2EazcWG0EYIL0YIDg97YMqT4ZIcgcH40gTj0b3Fcf31wPrZiZyIl0dtuZh
6gzJ06nR/iZiAUad26sAUhppkkTlkpMZhB7akyCt70uAOIBBn9Aw8p64DLFMFAkd
dyYGYO93PzQOuWt1Wht9
=OtNO
-----END PGP SIGNATURE-----
More information about the Users
mailing list