[strongSwan] ipsec to VPS
Eric Y. Zhang
debiansid at gmail.com
Mon Dec 8 02:06:21 CET 2014
on client:
netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt
Iface
0.0.0.0 192.168.88.1 0.0.0.0 UG 0 0 0
wlan0
192.168.87.0 192.168.89.1 255.255.255.255 UGH 0 0 0
br-lan
192.168.88.0 0.0.0.0 255.255.255.0 U 0 0 0
wlan0
192.168.89.0 0.0.0.0 255.255.255.0 U 0 0 0
br-lan
root at YesRouter:~# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
delegate_input all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- 192.168.87.0/24 192.168.89.0/24 policy match
dir
i
n pol ipsec reqid 1 proto 50
ACCEPT all -- 192.168.89.0/24 192.168.87.0/24 policy match
dir
o
ut pol ipsec reqid 1 proto 50
delegate_forward all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
delegate_output all -- 0.0.0.0/0 0.0.0.0/0
Chain delegate_forward (1 references)
target prot opt source destination
forwarding_rule all -- 0.0.0.0/0 0.0.0.0/0 /* user
chai
n for forwarding */
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate
RELATED,ES
TABLISHED
zone_lan_forward all -- 0.0.0.0/0 0.0.0.0/0
zone_wan_forward all -- 0.0.0.0/0 0.0.0.0/0
reject all -- 0.0.0.0/0 0.0.0.0/0
Chain delegate_input (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
input_rule all -- 0.0.0.0/0 0.0.0.0/0 /* user
chain
for
input */
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate
RELATED,ES
TABLISHED
syn_flood tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
flags:0x17/0x0
2
zone_lan_input all -- 0.0.0.0/0 0.0.0.0/0
zone_wan_input all -- 0.0.0.0/0 0.0.0.0/0
Chain delegate_output (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
output_rule all -- 0.0.0.0/0 0.0.0.0/0 /* user
chain
fo
r output */
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate
RELATED,ES
TABLISHED
zone_lan_output all -- 0.0.0.0/0 0.0.0.0/0
zone_wan_output all -- 0.0.0.0/0 0.0.0.0/0
Chain forwarding_lan_rule (1 references)
target prot opt source destination
Chain forwarding_rule (1 references)
target prot opt source destination
Chain forwarding_wan_rule (1 references)
target prot opt source destination
Chain input_lan_rule (1 references)
target prot opt source destination
Chain input_rule (1 references)
target prot opt source destination
Chain input_wan_rule (1 references)
target prot opt source destination
Chain output_lan_rule (1 references)
target prot opt source destination
Chain output_rule (1 references)
target prot opt source destination
Chain output_wan_rule (1 references)
target prot opt source destination
Chain reject (1 references)
target prot opt source destination
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 reject-with
tcp-re
set
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with
icmp-p
ort-unreachable
Chain syn_flood (1 references)
target prot opt source destination
RETURN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
flags:0x17/0x0
2 limit: avg 25/sec burst 50
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain zone_lan_dest_ACCEPT (2 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain zone_lan_forward (1 references)
target prot opt source destination
forwarding_lan_rule all -- 0.0.0.0/0 0.0.0.0/0 /*
user
chain for forwarding */
zone_wan_dest_ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /*
forw
arding lan -> wan */
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
/*
Ac
cept port forwards */
zone_lan_dest_ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain zone_lan_input (1 references)
target prot opt source destination
input_lan_rule all -- 0.0.0.0/0 0.0.0.0/0 /* user
chain
for input */
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
/*
Ac
cept port redirections */
zone_lan_src_ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain zone_lan_output (1 references)
target prot opt source destination
output_lan_rule all -- 0.0.0.0/0 0.0.0.0/0 /* user
chai
n for output */
zone_lan_dest_ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain zone_lan_src_ACCEPT (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain zone_wan_dest_ACCEPT (3 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain zone_wan_forward (1 references)
target prot opt source destination
forwarding_wan_rule all -- 0.0.0.0/0 0.0.0.0/0 /*
user
chain for forwarding */
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 /*
Allo
w-Ping */
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
/*
Ac
cept port forwards */
zone_wan_dest_ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain zone_wan_input (1 references)
target prot opt source destination
input_wan_rule all -- 0.0.0.0/0 0.0.0.0/0 /* user
chain
for input */
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:68 /*
Allo
w-DHCP-Renew */
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
/*
Ac
cept port redirections */
zone_wan_src_ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain zone_wan_output (1 references)
target prot opt source destination
output_wan_rule all -- 0.0.0.0/0 0.0.0.0/0 /* user
chai
n for output */
zone_wan_dest_ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain zone_wan_src_ACCEPT (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
On Mon, Dec 8, 2014 at 7:24 AM, Eric Zhang <debiansid at gmail.com> wrote:
> This iptables rule should me on both sides of strongswan gateway and
> client?
>
>
> Sent from Mobile
>
>
> > On 2014年12月8日, at 02:18, Noel Kuntze <noel at familie-kuntze.de> wrote:
> >
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA256
> >
> > Hello Eric,
> >
> > Please check if any iptables rules are dropping the packets. Also,
> please make sure any SNAT
> > or MASQUERADE rule does not match the traffic that is to be tunneled.
> >
> > You can do that using the "policy" match module in iptables.
> > The following MASQUERADE rule matches all traffic except IPsec traffic
> >
> > iptables -t nat -A POSTROUTING -o eth0 -m policy --pol none --dir out -j
> MASQUERADE
> >
> > Mit freundlichen Grüßen/Regards,
> > Noel Kuntze
> >
> > GPG Key ID: 0x63EC6658
> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >
> >> Am 07.12.2014 um 13:30 schrieb Eric Y. Zhang:
> >> Hi all
> >> I need to setup an IPSec tunnel to my VPS which only has one public IP.
> >> so I add eth0.1 192.168.87.1/24 <http://192.168.87.1/24>, and follow
> the steps on http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/;
> and I can see ipsec tunnel is up on both sides.
> >>
> >> unabove[7]: ESTABLISHED 39 minutes ago,
> 192.168.88.101[user1]...192.99.70.158[192.99.xx.xx]
> >> runabove{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: c7f24174_i
> c2289fb5_o
> >> runabove{1}: 192.168.88.0/24 <http://192.168.88.0/24> ===
> 192.168.87.0/24 <http://192.168.87.0/24>
> >>
> >> but I can not ping 192.168.87.1 from my side(which is strongswan on
> openwrt)
> >>
> >> any help would be appreciated
> >>
> >>
> >>
> >> --
> >> Life is harsh
> >>
> >>
> >> _______________________________________________
> >> Users mailing list
> >> Users at lists.strongswan.org
> >> https://lists.strongswan.org/mailman/listinfo/users
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v2
> >
> > iQIcBAEBCAAGBQJUhJoMAAoJEDg5KY9j7GZYjlAP/izs4iLIFDBLCdt+blwmhRO8
> > ZsdxZBRkHVuT24iT+EVNr5E5y3rXqpEIdYVbd7rn7Q/itoAD7WyxDc85q1Y26JXE
> > Bg0E1FwdXc3Z4SU2+xsNBho2VKYRkft0twlDNGYIo3YyZlBMpOeD8lEPhwwJkKzX
> > 9V/pCO3wSb9vUyF/AxvxQKjFJM52Bn2OSA6TStiX8Ube8Tj4HfFlIYmVe2fHu2Vh
> > vUu6d7+YPDwGizxZX50kD590+ljpLfxlo7LV5dbBhIkWTBHCBAWgs6eo8u6Wr/zf
> > IwfxLexU+M+RE6pcSKiU+ry6nSJD99JDVVQN7d5AHdM4u4Mv5AKm7+8NA3XUHM6Q
> > rPb6g9mR2+0uaV7jUTII7Xr7fxBVLmQWgVmiNMIgLlzZauD346zAiIUycGn0U27t
> > pc5Xxsg+1tr00/4p/82nCQOh8StbSfTDO22sIL/gOhOCfm3fLg3jbsTq6eDSTQUb
> > +dc2++jKcsK6NGNm2Hm26eP+ncSi30ISnEgCCh/k71XVMOkEuTRzhXeiC3g+qL/C
> > LblRzRsN9oKLYvZXomqvl8Eihxy9AIXzD9eJ58EUNRRnF0AfM4qBfX3IkhWaUFrW
> > T6q+u4cB8Y427Gzwd5DZIuqbCdwaaaep7UCpkAsBow4lB+h8SmRSwx8LEFNj7qsW
> > Lz7dEj5nP8HThugVGSDd
> > =nSzv
> > -----END PGP SIGNATURE-----
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users
>
--
Life is harsh
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20141208/7138017e/attachment-0001.html>
More information about the Users
mailing list