[strongSwan] Routing problems with IPsec but not L2TP/IPsec

Noel Kuntze noel at familie-kuntze.de
Thu Apr 17 11:54:01 CEST 2014



Hello,

The packets in POSTROUTING get ACCEPTed by your policy rule before they can be SNATed. Take out the policy rule and it should work.
Also, look at this: http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
and this: http://inai.de/images/nf-packet-flow.png

Regards,
Noel Kuntze


GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 17.04.2014 07:20, Patrick Shyvers wrote:
> I’m trying to migrate from L2TP/IPsec to IPsec & IKE. L2TP/IPsec is working with strongswan, and I can access both my private subnet & the public internet through the VPN server. However, with IPsec & IKE I can only access my private subnet. My client is usually behind NAT, but from the strongswan documentation that should not be an issue.
> 
> When testing IPsec, I flush my firewall and set everything to ACCEPT. Then I add the necessary POSTROUTING SNAT rule, which works fine with L2TP/IPsec. So I am fairly confident it is not an iptables problem.
> 
> Establishing the VPN connection is also not a problem; that goes over without a hitch. So I am suspecting there is a routing problem, but the routing tables are my biggest weakness on Linux, so I’m hoping I could get some thoughts from the strongswan community. It might also have to do with routing that happens inside strongswan - I’m still fuzzy on how much packet handling strongswan does.
> 
> My interfaces are perhaps laid out unusually?
> 
> venet0 - 127.0.0.1
> venet0:0 - <PUBLIC SERVER IP>
> venet0:1 - <PRIVATE VLAN>
> 
> Ipsec.conf:
> 
> conn IKEv1-PSK-NAT
>         auto=add
>         left=<PUBLIC SERVER IP>
>         rightsourceip=10.1.0.1/23
>         rightsubnet=10.1.0.0/23
>         authby=xauthpsk
>         keyexchange=ikev1
>         leftcert=server.crt
>         leftsubnet=0.0.0.0/0
>         xauth=server
> 
> Iptables:
> 
> -A POSTROUTING -s 10.0.0.0/8 -o venet0 -m policy --dir out --pol ipsec -j ACCEPT
> -A POSTROUTING -s 10.0.0.0/8 -o venet0 -j SNAT --to-source <PUBLIC SERVER IP>
> 
> # ip route list
> <VLAN SUBNET> dev venet0  proto kernel  scope link  src <VLAN IP>
> <ANOTHER VLAN> dev venet0  scope link  metric 1002
> default dev venet0  scope link
> 
> # ip route list table 220
> 10.1.0.2 via <CLIENT IP> dev venet0  proto static
> 
> -Patrick
> 
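As an added illustration of the point Noel makes (this is example code written for this page, not Noel's, Patrick's or the strongSwan project's), the Python below models first-match traversal of the nat POSTROUTING chain over the two rules Patrick posted. The public server IP and the client packet are constructed stand-ins; whether a packet matches `-m policy --pol ipsec` is really decided by the kernel's XFRM policy lookup, so the model takes that as an input flag. It shows that an ACCEPT which matches ends traversal of the chain, so the SNAT rule below it is never consulted for those packets, and it flags that ordering as a check you can run over `iptables-save -t nat` output.

```python
"""First-match model of an iptables nat POSTROUTING chain (added example,
not code from the thread or from strongSwan).  The public IP and packet
below are constructed; the `--pol ipsec` decision is an input flag."""
import shlex
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

NAT_TARGETS = ("SNAT", "MASQUERADE")


@dataclass
class Rule:
    source: Optional[str]      # -s CIDR, None means any source
    out_iface: Optional[str]   # -o interface, None means any interface
    pol_ipsec: bool            # -m policy ... --pol ipsec present
    target: str                # -j target
    to_source: Optional[str]   # --to-source for SNAT


def parse_rule(line: str) -> Rule:
    """Parse one iptables-save style POSTROUTING rule (no '!' negation)."""
    toks = shlex.split(line)
    opts: Dict[str, Optional[str]] = {}
    i = 0
    while i < len(toks):
        flag = toks[i]
        if not flag.startswith("-"):
            raise ValueError(f"unexpected token {flag!r} in {line!r}")
        if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            opts[flag] = toks[i + 1]
            i += 2
        else:
            opts[flag] = None
            i += 1
    if opts.get("-A") != "POSTROUTING":
        raise ValueError("this model only handles nat POSTROUTING rules")
    return Rule(
        source=opts.get("-s"),
        out_iface=opts.get("-o"),
        pol_ipsec=opts.get("-m") == "policy" and opts.get("--pol") == "ipsec",
        target=opts["-j"],
        to_source=opts.get("--to-source"),
    )


def matches(rule: Rule, pkt: Dict) -> bool:
    """Evaluate the rule's match clauses against a modelled outgoing packet."""
    if rule.source and ip_address(pkt["src"]) not in ip_network(rule.source, strict=False):
        return False
    if rule.out_iface and pkt["oif"] != rule.out_iface:
        return False
    if rule.pol_ipsec and not pkt["ipsec_out_policy"]:
        return False
    return True


def traverse(rules: List[Rule], pkt: Dict) -> Tuple[str, Optional[int]]:
    """Walk the chain top-down; ACCEPT, SNAT and MASQUERADE all terminate it,
    so an ACCEPT above a NAT rule hides that NAT rule from packets it matches."""
    for idx, rule in enumerate(rules):
        if matches(rule, pkt) and rule.target in ("ACCEPT",) + NAT_TARGETS:
            return rule.target, idx
    return "POLICY", None  # fell off the chain: default policy, no NAT applied


def verdict(rule_lines: List[str], pkt: Dict) -> str:
    return traverse([parse_rule(l) for l in rule_lines], pkt)[0]


def shadowed_nat_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """(accept_index, nat_index) pairs where an earlier ACCEPT can pre-empt
    a later SNAT/MASQUERADE on an overlapping source and the same interface."""
    found = []
    for j, nat in enumerate(rules):
        if nat.target not in NAT_TARGETS:
            continue
        for i in range(j):
            acc = rules[i]
            if acc.target != "ACCEPT":
                continue
            if acc.out_iface and nat.out_iface and acc.out_iface != nat.out_iface:
                continue
            if acc.source and nat.source and not ip_network(
                    acc.source, strict=False).overlaps(ip_network(nat.source, strict=False)):
                continue
            found.append((i, j))
    return found


PUBLIC_IP = "203.0.113.10"  # constructed stand-in for <PUBLIC SERVER IP>
POSTED_RULES = [
    "-A POSTROUTING -s 10.0.0.0/8 -o venet0 -m policy --dir out --pol ipsec -j ACCEPT",
    f"-A POSTROUTING -s 10.0.0.0/8 -o venet0 -j SNAT --to-source {PUBLIC_IP}",
]
# Constructed packet: a client from the rightsourceip pool reaching an Internet host.
CLIENT_TO_INTERNET = {"src": "10.1.0.2", "dst": "198.51.100.7",
                      "oif": "venet0", "ipsec_out_policy": True}

if __name__ == "__main__":
    print("with policy rule   :", verdict(POSTED_RULES, CLIENT_TO_INTERNET))
    print("without policy rule:", verdict(POSTED_RULES[1:], CLIENT_TO_INTERNET))
    print("shadowed NAT rules :", shadowed_nat_rules([parse_rule(r) for r in POSTED_RULES]))
```

On a live box the same thing is visible without a model: `iptables -t nat -L POSTROUTING -v -n` prints per-rule packet counters, and a counter that climbs on the ACCEPT while the SNAT rule's stays at zero is the symptom this code reproduces.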

