[strongSwan] ipsec to VPS
Noel Kuntze
noel at familie-kuntze.de
Mon Dec 8 09:34:09 CET 2014
Hello Eric,
Please post the output of "iptables-save" of the gateway and client.
It is much more easily readable than the output of "iptables -Ln" and
includes all tables.
Regards,
Noel Kuntze
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 08.12.2014 at 02:06, Eric Y. Zhang wrote:
> on client:
> netstat -nr
> Kernel IP routing table
> Destination Gateway Genmask Flags MSS Window irtt Iface
> 0.0.0.0 192.168.88.1 0.0.0.0 UG 0 0 0 wlan0
> 192.168.87.0 192.168.89.1 255.255.255.255 UGH 0 0 0 br-lan
> 192.168.88.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
> 192.168.89.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
> root at YesRouter:~# iptables -nL
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> delegate_input all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain FORWARD (policy DROP)
> target prot opt source destination
> ACCEPT all -- 192.168.87.0/24 192.168.89.0/24 policy match dir in pol ipsec reqid 1 proto 50
> ACCEPT all -- 192.168.89.0/24 192.168.87.0/24 policy match dir out pol ipsec reqid 1 proto 50
> delegate_forward all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> delegate_output all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain delegate_forward (1 references)
> target prot opt source destination
> forwarding_rule all -- 0.0.0.0/0 0.0.0.0/0 /* user chain for forwarding */
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
> zone_lan_forward all -- 0.0.0.0/0 0.0.0.0/0
> zone_wan_forward all -- 0.0.0.0/0 0.0.0.0/0
> reject all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain delegate_input (1 references)
> target prot opt source destination
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> input_rule all -- 0.0.0.0/0 0.0.0.0/0 /* user chain for input */
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
> syn_flood tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
> zone_lan_input all -- 0.0.0.0/0 0.0.0.0/0
> zone_wan_input all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain delegate_output (1 references)
> target prot opt source destination
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> output_rule all -- 0.0.0.0/0 0.0.0.0/0 /* user chain for output */
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
> zone_lan_output all -- 0.0.0.0/0 0.0.0.0/0
> zone_wan_output all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain forwarding_lan_rule (1 references)
> target prot opt source destination
>
> Chain forwarding_rule (1 references)
> target prot opt source destination
>
> Chain forwarding_wan_rule (1 references)
> target prot opt source destination
>
> Chain input_lan_rule (1 references)
> target prot opt source destination
>
> Chain input_rule (1 references)
> target prot opt source destination
>
> Chain input_wan_rule (1 references)
> target prot opt source destination
>
> Chain output_lan_rule (1 references)
> target prot opt source destination
>
> Chain output_rule (1 references)
> target prot opt source destination
>
> Chain output_wan_rule (1 references)
> target prot opt source destination
>
> Chain reject (1 references)
> target prot opt source destination
> REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
> REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
>
> Chain syn_flood (1 references)
> target prot opt source destination
> RETURN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 25/sec burst 50
> DROP all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain zone_lan_dest_ACCEPT (2 references)
> target prot opt source destination
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain zone_lan_forward (1 references)
> target prot opt source destination
> forwarding_lan_rule all -- 0.0.0.0/0 0.0.0.0/0 /* user chain for forwarding */
> zone_wan_dest_ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* forwarding lan -> wan */
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* Accept port forwards */
> zone_lan_dest_ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain zone_lan_input (1 references)
> target prot opt source destination
> input_lan_rule all -- 0.0.0.0/0 0.0.0.0/0 /* user chain for input */
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* Accept port redirections */
> zone_lan_src_ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain zone_lan_output (1 references)
> target prot opt source destination
> output_lan_rule all -- 0.0.0.0/0 0.0.0.0/0 /* user chain for output */
> zone_lan_dest_ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain zone_lan_src_ACCEPT (1 references)
> target prot opt source destination
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain zone_wan_dest_ACCEPT (3 references)
> target prot opt source destination
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain zone_wan_forward (1 references)
> target prot opt source destination
> forwarding_wan_rule all -- 0.0.0.0/0 0.0.0.0/0 /* user chain for forwarding */
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* Allow-Ping */
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* Accept port forwards */
> zone_wan_dest_ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain zone_wan_input (1 references)
> target prot opt source destination
> input_wan_rule all -- 0.0.0.0/0 0.0.0.0/0 /* user chain for input */
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:68 /* Allow-DHCP-Renew */
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* Accept port redirections */
> zone_wan_src_ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain zone_wan_output (1 references)
> target prot opt source destination
> output_wan_rule all -- 0.0.0.0/0 0.0.0.0/0 /* user chain for output */
> zone_wan_dest_ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain zone_wan_src_ACCEPT (1 references)
> target prot opt source destination
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
>
> On Mon, Dec 8, 2014 at 7:24 AM, Eric Zhang <debiansid at gmail.com> wrote:
>
> Should this iptables rule be on both sides, the strongSwan gateway and the client?
>
>
> Sent from Mobile
>
>
> > On Dec 8, 2014, at 02:18, Noel Kuntze <noel at familie-kuntze.de> wrote:
> >
> >
> Hello Eric,
>
> Please check if any iptables rules are dropping the packets. Also, please make sure any SNAT
> or MASQUERADE rule does not match the traffic that is to be tunneled.
>
> You can do that using the "policy" match module in iptables.
> The following MASQUERADE rule matches all traffic except IPsec traffic
>
> iptables -t nat -A POSTROUTING -o eth0 -m policy --pol none --dir out -j MASQUERADE
>
> Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
>> >> On 07.12.2014 at 13:30, Eric Y. Zhang wrote:
>> >> Hi all
>> >> I need to set up an IPsec tunnel to my VPS, which only has one public IP.
>> >> So I added eth0.1 192.168.87.1/24 and followed the steps on http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/; I can see the ipsec tunnel is up on both sides.
>> >>
>> >> unabove[7]: ESTABLISHED 39 minutes ago, 192.168.88.101[user1]...192.99.70.158[192.99.xx.xx]
>> >> runabove{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: c7f24174_i c2289fb5_o
>> >> runabove{1}: 192.168.88.0/24 === 192.168.87.0/24
>> >>
>> >> But I cannot ping 192.168.87.1 from my side (which is strongSwan on OpenWrt).
>> >>
>> >> any help would be appreciated
>> >>
>> >>
>> >>
>> >> --
>> >> Life is harsh
>> >>
>> >>
>> >> _______________________________________________
>> >> Users mailing list
>> >> Users at lists.strongswan.org
>> >> https://lists.strongswan.org/mailman/listinfo/users
>
> --
> Life is harsh
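Noel's quoted advice (a MASQUERADE rule must not match packets that are about to enter the IPsec tunnel, which the policy match with --pol none achieves) as an added, runnable check; this is not code from the thread or from strongSwan. The script scans a constructed iptables-save fragment for POSTROUTING NAT rules that lack `-m policy --pol none --dir out` and prints the hardened rule from the thread beside the plain one; the sample ruleset, the interface name eth0 and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): find POSTROUTING MASQUERADE/SNAT rules
# in iptables-save output that lack "-m policy --pol none --dir out". Such a
# rule rewrites the source of packets destined for the tunnel, so they no
# longer match the IPsec policy (192.168.89.0/24 -> 192.168.87.0/24 here) and
# are sent in the clear or dropped instead. Needs only POSIX sh and awk.

# Constructed sample of "iptables-save -t nat" output (assumed, not the
# poster's real ruleset): the first rule catches tunnel traffic, the second
# excludes it the way the thread recommends.
SAMPLE_RULES='# Generated by iptables-save
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -m policy --dir out --pol none -j MASQUERADE
COMMIT'

# check_nat_rules: read iptables-save text on stdin, print each offending
# NAT rule, return 1 if any were found and 0 if the ruleset is clean.
check_nat_rules() {
    awk '
        /^-A POSTROUTING/ && /-j (MASQUERADE|SNAT)/ {
            if ($0 !~ /-m policy/ || $0 !~ /--pol none/ || $0 !~ /--dir out/) {
                print "unsafe NAT rule (also rewrites IPsec-bound packets): " $0
                bad++
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# count_unsafe: number of offending rules in SAMPLE_RULES (1 for the sample).
count_unsafe() {
    printf '%s\n' "$SAMPLE_RULES" | check_nat_rules | wc -l | tr -d ' '
}

# The hardened rule as given in the thread: only packets without an IPsec
# policy are masqueraded, so tunnel traffic keeps its LAN source address.
SAFE_RULE='iptables -t nat -A POSTROUTING -o eth0 -m policy --pol none --dir out -j MASQUERADE'

printf '%s\n' "$SAMPLE_RULES" | check_nat_rules || echo "replace it with: $SAFE_RULE"
```

On a live gateway, pipe `iptables-save -t nat` into check_nat_rules instead of the sample; the FORWARD rules with `policy match ... pol ipsec` that OpenWrt shows above are the complementary filter-side part and are not touched by this check.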