[strongSwan] ipsec to VPS

Eric Y. Zhang debiansid at gmail.com
Mon Dec 8 02:06:21 CET 2014


on client:
netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.88.1    0.0.0.0         UG        0 0          0 wlan0
192.168.87.0    192.168.89.1    255.255.255.255 UGH       0 0          0 br-lan
192.168.88.0    0.0.0.0         255.255.255.0   U         0 0          0 wlan0
192.168.89.0    0.0.0.0         255.255.255.0   U         0 0          0 br-lan
root at YesRouter:~# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
delegate_input  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  192.168.87.0/24      192.168.89.0/24      policy match dir in pol ipsec reqid 1 proto 50
ACCEPT     all  --  192.168.89.0/24      192.168.87.0/24      policy match dir out pol ipsec reqid 1 proto 50
delegate_forward  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
delegate_output  all  --  0.0.0.0/0            0.0.0.0/0

Chain delegate_forward (1 references)
target     prot opt source               destination
forwarding_rule  all  --  0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
zone_lan_forward  all  --  0.0.0.0/0            0.0.0.0/0
zone_wan_forward  all  --  0.0.0.0/0            0.0.0.0/0
reject     all  --  0.0.0.0/0            0.0.0.0/0

Chain delegate_input (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
input_rule  all  --  0.0.0.0/0            0.0.0.0/0            /* user chain for input */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
syn_flood  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02
zone_lan_input  all  --  0.0.0.0/0            0.0.0.0/0
zone_wan_input  all  --  0.0.0.0/0            0.0.0.0/0

Chain delegate_output (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
output_rule  all  --  0.0.0.0/0            0.0.0.0/0            /* user chain for output */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
zone_lan_output  all  --  0.0.0.0/0            0.0.0.0/0
zone_wan_output  all  --  0.0.0.0/0            0.0.0.0/0

Chain forwarding_lan_rule (1 references)
target     prot opt source               destination

Chain forwarding_rule (1 references)
target     prot opt source               destination

Chain forwarding_wan_rule (1 references)
target     prot opt source               destination

Chain input_lan_rule (1 references)
target     prot opt source               destination

Chain input_rule (1 references)
target     prot opt source               destination

Chain input_wan_rule (1 references)
target     prot opt source               destination

Chain output_lan_rule (1 references)
target     prot opt source               destination

Chain output_rule (1 references)
target     prot opt source               destination

Chain output_wan_rule (1 references)
target     prot opt source               destination

Chain reject (1 references)
target     prot opt source               destination
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain syn_flood (1 references)
target     prot opt source               destination
RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain zone_lan_dest_ACCEPT (2 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain zone_lan_forward (1 references)
target     prot opt source               destination
forwarding_lan_rule  all  --  0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
zone_wan_dest_ACCEPT  all  --  0.0.0.0/0            0.0.0.0/0            /* forwarding lan -> wan */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port forwards */
zone_lan_dest_ACCEPT  all  --  0.0.0.0/0            0.0.0.0/0

Chain zone_lan_input (1 references)
target     prot opt source               destination
input_lan_rule  all  --  0.0.0.0/0            0.0.0.0/0            /* user chain for input */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port redirections */
zone_lan_src_ACCEPT  all  --  0.0.0.0/0            0.0.0.0/0

Chain zone_lan_output (1 references)
target     prot opt source               destination
output_lan_rule  all  --  0.0.0.0/0            0.0.0.0/0            /* user chain for output */
zone_lan_dest_ACCEPT  all  --  0.0.0.0/0            0.0.0.0/0

Chain zone_lan_src_ACCEPT (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain zone_wan_dest_ACCEPT (3 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain zone_wan_forward (1 references)
target     prot opt source               destination
forwarding_wan_rule  all  --  0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Allow-Ping */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port forwards */
zone_wan_dest_ACCEPT  all  --  0.0.0.0/0            0.0.0.0/0

Chain zone_wan_input (1 references)
target     prot opt source               destination
input_wan_rule  all  --  0.0.0.0/0            0.0.0.0/0            /* user chain for input */
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:68 /* Allow-DHCP-Renew */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port redirections */
zone_wan_src_ACCEPT  all  --  0.0.0.0/0            0.0.0.0/0

Chain zone_wan_output (1 references)
target     prot opt source               destination
output_wan_rule  all  --  0.0.0.0/0            0.0.0.0/0            /* user chain for output */
zone_wan_dest_ACCEPT  all  --  0.0.0.0/0            0.0.0.0/0

Chain zone_wan_src_ACCEPT (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

On Mon, Dec 8, 2014 at 7:24 AM, Eric Zhang <debiansid at gmail.com> wrote:

> This iptables rule should be on both sides of strongswan gateway and
> client?
>
>
> Sent from Mobile
>
>
> > On 2014年12月8日, at 02:18, Noel Kuntze <noel at familie-kuntze.de> wrote:
> >
> >
> >
> > Hello Eric,
> >
> > Please check if any iptables rules are dropping the packets. Also, please make sure any SNAT
> > or MASQUERADE rule does not match the traffic that is to be tunneled.
> >
> > You can do that using the "policy" match module in iptables.
> > The following MASQUERADE rule matches all traffic except IPsec traffic
> >
> > iptables -t nat -A POSTROUTING -o eth0 -m policy --pol none --dir out -j MASQUERADE
> >
> > Mit freundlichen Grüßen/Regards,
> > Noel Kuntze
> >
> > GPG Key ID: 0x63EC6658
> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >
> >> Am 07.12.2014 um 13:30 schrieb Eric Y. Zhang:
> >> Hi all
> >> I need to set up an IPSec tunnel to my VPS which only has one public IP.
> >> so I add eth0.1 192.168.87.1/24, and follow the steps on http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/; and I can see the ipsec tunnel is up on both sides.
> >>
> >> runabove[7]: ESTABLISHED 39 minutes ago, 192.168.88.101[user1]...192.99.70.158[192.99.xx.xx]
> >>    runabove{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c7f24174_i c2289fb5_o
> >>    runabove{1}:   192.168.88.0/24 === 192.168.87.0/24
> >>
> >> but I cannot ping 192.168.87.1 from my side (which is strongswan on openwrt)
> >>
> >> any help would be appreciated
> >>
> >>
> >>
> >> --
> >> Life is harsh
> >>
> >>
> >> _______________________________________________
> >> Users mailing list
> >> Users at lists.strongswan.org
> >> https://lists.strongswan.org/mailman/listinfo/users
> >
>



-- 
Life is harsh
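As an added check for the two things Noel's reply asks for (example code added here, not from the thread or from strongSwan), the script below parses iptables -nL style output and reports whether the FORWARD chain accepts the tunnel subnets through "policy match ... pol ipsec" rules in both directions, and whether any MASQUERADE/SNAT rule in nat POSTROUTING lacks the "pol none" exemption and would therefore rewrite packets before they are tunneled. The sample chain text is constructed for this example using the subnets from the post; the function names are my own and not an iptables or strongSwan API.

```python
"""Parse `iptables -nL` text and check the IPsec/NAT interaction
described in the thread.  Everything below is an added example: the
sample output is constructed, not taken from a live router."""

import re

# Constructed sample of a filter FORWARD chain, modelled on the one in
# the post (ACCEPT only for traffic covered by an IPsec policy).
FILTER_SAMPLE = """\
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  192.168.87.0/24      192.168.89.0/24      policy match dir in pol ipsec reqid 1 proto 50
ACCEPT     all  --  192.168.89.0/24      192.168.87.0/24      policy match dir out pol ipsec reqid 1 proto 50
delegate_forward  all  --  0.0.0.0/0            0.0.0.0/0
"""

# Constructed sample nat POSTROUTING chain: the first MASQUERADE rule has
# the exemption from Noel's mail, the second would NAT tunnel traffic.
NAT_SAMPLE = """\
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            policy match dir out pol none
MASQUERADE  all  --  192.168.89.0/24      0.0.0.0/0
"""

# One rule line of -nL output: target prot opt source destination [match text]
RULE_RE = re.compile(
    r"^(?P<target>\S+)\s+(?P<prot>\S+)\s+(?P<opt>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$"
)


def parse_chains(text):
    """Return {chain_name: [rule dict, ...]} from iptables -nL output."""
    chains = {}
    current = None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif line.startswith("target ") or not line.strip() or current is None:
            continue  # column header, blank line, or text before any chain
        else:
            m = RULE_RE.match(line)
            if m:
                chains[current].append(m.groupdict())
    return chains


def ipsec_forward_rules(chains, chain="FORWARD"):
    """ACCEPT rules restricted to IPsec-protected traffic via the policy match."""
    return [r for r in chains.get(chain, [])
            if r["target"] == "ACCEPT" and "pol ipsec" in r["extra"]]


def unexempted_masquerade(chains, chain="POSTROUTING"):
    """MASQUERADE/SNAT rules without 'pol none': they would rewrite tunnel traffic."""
    return [r for r in chains.get(chain, [])
            if r["target"] in ("MASQUERADE", "SNAT") and "pol none" not in r["extra"]]


def tunnel_allowed(chains, local, remote):
    """True if FORWARD accepts remote->local (dir in) and local->remote (dir out)."""
    rules = ipsec_forward_rules(chains)
    inbound = any(r["src"] == remote and r["dst"] == local and "dir in" in r["extra"]
                  for r in rules)
    outbound = any(r["src"] == local and r["dst"] == remote and "dir out" in r["extra"]
                   for r in rules)
    return inbound and outbound


def report(filter_text, nat_text, local, remote):
    """Summarise both checks for a local/remote subnet pair."""
    filt = parse_chains(filter_text)
    nat = parse_chains(nat_text)
    return {
        "forward_ok": tunnel_allowed(filt, local, remote),
        "nat_leaks": [(r["src"], r["dst"]) for r in unexempted_masquerade(nat)],
    }


if __name__ == "__main__":
    # On a real box: feed the output of `iptables -nL` and `iptables -t nat -nL`.
    print(report(FILTER_SAMPLE, NAT_SAMPLE, "192.168.89.0/24", "192.168.87.0/24"))
```

On the sample input the FORWARD check passes and the second MASQUERADE rule is reported as a leak; a rule flagged this way is the one to restrict with "-m policy --pol none --dir out" as in Noel's example, or to place after an explicit ACCEPT for the tunnel subnets.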