[strongSwan] Routing problems with IPsec but not L2TP/IPsec

Patrick Shyvers pshyvers at amitto.com
Fri Apr 18 02:30:58 CEST 2014


Honestly I’m not sure what I’m looking for. I can’t get TRACE to work on my machine, so I’m using LOG, something like this:

*nat
-A POSTROUTING  -s 10.0.0.0/8 -j LOG --log-prefix "ipsec: " --log-level 4
-A POSTROUTING -s 10.0.0.0/8 -o venet0 -j SNAT --to-source 199.195.249.228
COMMIT

*raw
-A PREROUTING -s 162.217.114.56 -j LOG --log-prefix "ipsec: " --log-level 4
-A PREROUTING -s 8.8.8.8 -j LOG --log-prefix "ipsec: " --log-level 4
COMMIT

*filter
-A INPUT -s 162.217.114.56 -j LOG --log-prefix "ipsec: " --log-level 4
-A FORWARD -s 162.217.114.56 -j LOG --log-prefix "ipsec: " --log-level 4
-A INPUT -j ACCEPT
-A FORWARD -j ACCEPT
COMMIT

But this is all I get:

ipsec: IN= OUT=venet0 SRC=10.1.0.2 DST=162.217.114.56 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=16333 DF PROTO=TCP SPT=43250 DPT=80 WIND
ipsec: IN= OUT=venet0 SRC=10.1.0.2 DST=8.8.8.8 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=15783 DF PROTO=UDP SPT=60454 DPT=53 LEN=45

(That's an HTTP request to dlang.org, and a DNS request to Google's 8.8.8.8)

Then of course, here's the L2TP/IPsec version with the same LOG rules:

ipsec: IN= OUT=venet0 SRC=10.1.0.3 DST=162.217.114.56 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9921 DF PROTO=TCP SPT=46692 DPT=80 WINDOW=13600 RES=0x00 SYN URGP=0
ipsec: IN=venet0 OUT= MAC= SRC=162.217.114.56 DST=<PUBLIC_IP> LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=25206 DF PROTO=TCP SPT=80 DPT=46692 WINDOW=65535 RES=0x00 ACK SYN URGP=0
ipsec: IN=venet0 OUT=ppp1 SRC=162.217.114.56 DST=10.1.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=25206 DF PROTO=TCP SPT=80 DPT=46692 WINDOW=65535 RES=0x00 ACK SYN URGP=0

Here's the crazy part: to get L2TP/IPsec working again, I have to REMOVE the "-A INPUT -j ACCEPT" and the "-A FORWARD -j ACCEPT" and let packets go through my regular filter. That I do not understand. Potential light though, as it suggests a potential direction. Though if the right rule isn't ACCEPT, lord knows what it is.

Here are the important parts of my regular filter:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -i ppp+ -p all -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT

-Patrick
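As an added worked example (not part of the original post), here is a small Python script that does mechanically what the post does by eye: it pairs each packet logged leaving venet0 with any reply logged coming back in on venet0 for the same flow. Because SNAT rewrites the local address on the way out, the flow key deliberately uses only (protocol, remote IP, remote port, local port). The sample input embedded below is the post's own LOG output, and the interface name venet0 is taken from the post.

```python
import re
from collections import defaultdict

# Constructed sample input: the iptables LOG lines quoted in the post above,
# first the IPsec-only client (10.1.0.2), then the L2TP/IPsec client (10.1.0.3).
IPSEC_LOG = """\
ipsec: IN= OUT=venet0 SRC=10.1.0.2 DST=162.217.114.56 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=16333 DF PROTO=TCP SPT=43250 DPT=80 WIND
ipsec: IN= OUT=venet0 SRC=10.1.0.2 DST=8.8.8.8 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=15783 DF PROTO=UDP SPT=60454 DPT=53 LEN=45
"""
L2TP_LOG = """\
ipsec: IN= OUT=venet0 SRC=10.1.0.3 DST=162.217.114.56 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9921 DF PROTO=TCP SPT=46692 DPT=80 WINDOW=13600 RES=0x00 SYN URGP=0
ipsec: IN=venet0 OUT= MAC= SRC=162.217.114.56 DST=<PUBLIC_IP> LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=25206 DF PROTO=TCP SPT=80 DPT=46692 WINDOW=65535 RES=0x00 ACK SYN URGP=0
ipsec: IN=venet0 OUT=ppp1 SRC=162.217.114.56 DST=10.1.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=25206 DF PROTO=TCP SPT=80 DPT=46692 WINDOW=65535 RES=0x00 ACK SYN URGP=0
"""

FIELD = re.compile(r"(\w+)=(\S*)")
REQUIRED = {"IN", "OUT", "SRC", "DST", "PROTO", "SPT", "DPT"}

def parse_line(line):
    """Turn one iptables LOG line into a dict of its KEY=VALUE fields."""
    return dict(FIELD.findall(line))

def flow_report(log_text, wan_iface="venet0"):
    """Pair each packet logged leaving wan_iface with the packets logged coming
    back in for the same flow. SNAT rewrites the local address, so the key is
    (proto, remote ip, remote port, local port) and ignores the local address."""
    outbound, replies = {}, defaultdict(list)
    for line in log_text.splitlines():
        p = parse_line(line)
        if not REQUIRED <= set(p):
            continue
        if p["IN"] == "" and p["OUT"] == wan_iface:      # locally routed outbound
            outbound[(p["PROTO"], p["DST"], p["DPT"], p["SPT"])] = p["SRC"]
        elif p["IN"] == wan_iface:                        # arrived from the WAN
            key = (p["PROTO"], p["SRC"], p["SPT"], p["DPT"])
            replies[key].append((p["OUT"], p["DST"]))     # (egress iface, DST after NAT)
    return {k: {"local_src": src, "replies": replies.get(k, [])}
            for k, src in outbound.items()}

def unanswered(report):
    """Flows that were logged going out but never got a reply logged."""
    return sorted(k for k, v in report.items() if not v["replies"])

if __name__ == "__main__":
    for name, log in (("IPsec-only", IPSEC_LOG), ("L2TP/IPsec", L2TP_LOG)):
        rep = flow_report(log)
        print(f"{name}: {len(rep)} outbound flow(s), {len(unanswered(rep))} unanswered")
        for k, v in rep.items():
            print("  ", k, "from", v["local_src"], "replies:", v["replies"])
```

Run against the two excerpts it reports both IPsec-only flows as unanswered, while the L2TP/IPsec flow shows the reply first with the public address and then again with DST rewritten to 10.1.0.3 heading out ppp1.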


