[strongSwan] ipsec to VPS

Eric Zhang debiansid at gmail.com
Tue Dec 9 12:19:10 CET 2014


I fixed it by adding a route on both sides. Thanks for your help!

Sent from Mobile


> On Dec 8, 2014, at 16:34, Noel Kuntze <noel at familie-kuntze.de> wrote:
> 
> Hello Eric,
> 
> Please post the output of "iptables-save" of the gateway and client.
> It is much more easily readable than the output of "iptables -Ln" and
> includes all tables.
> 
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
> 
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> 
>> On 08.12.2014 at 02:06, Eric Y. Zhang wrote:
>> on client:
>> netstat -nr
>> Kernel IP routing table
>> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
>> 0.0.0.0         192.168.88.1    0.0.0.0         UG        0 0          0 wlan0
>> 192.168.87.0    192.168.89.1    255.255.255.255 UGH       0 0          0 br-lan
>> 192.168.88.0    0.0.0.0         255.255.255.0   U         0 0          0 wlan0
>> 192.168.89.0    0.0.0.0         255.255.255.0   U         0 0          0 br-lan
>> root at YesRouter:~# iptables -nL
>> Chain INPUT (policy ACCEPT)
>> target     prot opt source               destination
>> delegate_input  all  --  0.0.0.0/0            0.0.0.0/0
>> 
>> Chain FORWARD (policy DROP)
>> target     prot opt source               destination
>> ACCEPT     all  --  192.168.87.0/24      192.168.89.0/24      policy match dir in pol ipsec reqid 1 proto 50
>> ACCEPT     all  --  192.168.89.0/24      192.168.87.0/24      policy match dir out pol ipsec reqid 1 proto 50
>> delegate_forward  all  --  0.0.0.0/0            0.0.0.0/0
>> 
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>> delegate_output  all  --  0.0.0.0/0            0.0.0.0/0
>> 
>> Chain delegate_forward (1 references)
>> target     prot opt source               destination
>> forwarding_rule  all  --  0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
>> zone_lan_forward  all  --  0.0.0.0/0            0.0.0.0/0
>> zone_wan_forward  all  --  0.0.0.0/0            0.0.0.0/0
>> reject     all  --  0.0.0.0/0            0.0.0.0/0
>> 
>> Chain delegate_input (1 references)
>> target     prot opt source               destination
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>> input_rule  all  --  0.0.0.0/0            0.0.0.0/0            /* user chain for input */
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
>> syn_flood  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02
>> zone_lan_input  all  --  0.0.0.0/0            0.0.0.0/0
>> zone_wan_input  all  --  0.0.0.0/0            0.0.0.0/0
>> 
>> Chain delegate_output (1 references)
>> target     prot opt source               destination
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>> output_rule  all  --  0.0.0.0/0            0.0.0.0/0            /* user chain for output */
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
>> zone_lan_output  all  --  0.0.0.0/0            0.0.0.0/0
>> zone_wan_output  all  --  0.0.0.0/0            0.0.0.0/0
>> 
>> Chain forwarding_lan_rule (1 references)
>> target     prot opt source               destination
>> 
>> Chain forwarding_rule (1 references)
>> target     prot opt source               destination
>> 
>> Chain forwarding_wan_rule (1 references)
>> target     prot opt source               destination
>> 
>> Chain input_lan_rule (1 references)
>> target     prot opt source               destination
>> 
>> Chain input_rule (1 references)
>> target     prot opt source               destination
>> 
>> Chain input_wan_rule (1 references)
>> target     prot opt source               destination
>> 
>> Chain output_lan_rule (1 references)
>> target     prot opt source               destination
>> 
>> Chain output_rule (1 references)
>> target     prot opt source               destination
>> 
>> Chain output_wan_rule (1 references)
>> target     prot opt source               destination
>> 
>> Chain reject (1 references)
>> target     prot opt source               destination
>> REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
>> REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
>> 
>> Chain syn_flood (1 references)
>> target     prot opt source               destination
>> RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50
>> DROP       all  --  0.0.0.0/0            0.0.0.0/0
>> 
>> Chain zone_lan_dest_ACCEPT (2 references)
>> target     prot opt source               destination
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>> 
>> Chain zone_lan_forward (1 references)
>> target     prot opt source               destination
>> forwarding_lan_rule  all  --  0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
>> zone_wan_dest_ACCEPT  all  --  0.0.0.0/0            0.0.0.0/0            /* forwarding lan -> wan */
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port forwards */
>> zone_lan_dest_ACCEPT  all  --  0.0.0.0/0            0.0.0.0/0
>> 
>> Chain zone_lan_input (1 references)
>> target     prot opt source               destination
>> input_lan_rule  all  --  0.0.0.0/0            0.0.0.0/0            /* user chain for input */
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port redirections */
>> zone_lan_src_ACCEPT  all  --  0.0.0.0/0            0.0.0.0/0
>> 
>> Chain zone_lan_output (1 references)
>> target     prot opt source               destination
>> output_lan_rule  all  --  0.0.0.0/0            0.0.0.0/0            /* user chain for output */
>> zone_lan_dest_ACCEPT  all  --  0.0.0.0/0            0.0.0.0/0
>> 
>> Chain zone_lan_src_ACCEPT (1 references)
>> target     prot opt source               destination
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>> 
>> Chain zone_wan_dest_ACCEPT (3 references)
>> target     prot opt source               destination
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>> 
>> Chain zone_wan_forward (1 references)
>> target     prot opt source               destination
>> forwarding_wan_rule  all  --  0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
>> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Allow-Ping */
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port forwards */
>> zone_wan_dest_ACCEPT  all  --  0.0.0.0/0            0.0.0.0/0
>> 
>> Chain zone_wan_input (1 references)
>> target     prot opt source               destination
>> input_wan_rule  all  --  0.0.0.0/0            0.0.0.0/0            /* user chain for input */
>> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:68 /* Allow-DHCP-Renew */
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port redirections */
>> zone_wan_src_ACCEPT  all  --  0.0.0.0/0            0.0.0.0/0
>> 
>> Chain zone_wan_output (1 references)
>> target     prot opt source               destination
>> output_wan_rule  all  --  0.0.0.0/0            0.0.0.0/0            /* user chain for output */
>> zone_wan_dest_ACCEPT  all  --  0.0.0.0/0            0.0.0.0/0
>> 
>> Chain zone_wan_src_ACCEPT (1 references)
>> target     prot opt source               destination
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>> 
>> On Mon, Dec 8, 2014 at 7:24 AM, Eric Zhang <debiansid at gmail.com> wrote:
>> 
>>    This iptables rule should be on both sides, the strongSwan gateway and the client?
>> 
>> 
>>    Sent from Mobile
>> 
>> 
>>> On Dec 8, 2014, at 02:18, Noel Kuntze <noel at familie-kuntze.de> wrote:
>> Hello Eric,
>> 
>> Please check if any iptables rules are dropping the packets. Also, please make sure any SNAT
>> or MASQUERADE rule does not match the traffic that is to be tunneled.
>> 
>> You can do that using the "policy" match module in iptables.
>> The following MASQUERADE rule matches all traffic except IPsec traffic:
>> 
>> iptables -t nat -A POSTROUTING -o eth0 -m policy --pol none --dir out -j MASQUERADE
>> 
>> Mit freundlichen Grüßen/Regards,
>> Noel Kuntze
>> 
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>> 
>>>>> On 07.12.2014 at 13:30, Eric Y. Zhang wrote:
>>>>> Hi all,
>>>>> I need to set up an IPsec tunnel to my VPS, which only has one public IP.
>>>>> So I added eth0.1 192.168.87.1/24 and followed the steps on http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/; and I can see the IPsec tunnel is up on both sides.
>>>>> 
>>>>> runabove[7]: ESTABLISHED 39 minutes ago, 192.168.88.101[user1]...192.99.70.158[192.99.xx.xx]
>>>>>   runabove{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c7f24174_i c2289fb5_o
>>>>>   runabove{1}:   192.168.88.0/24 === 192.168.87.0/24
>>>>> 
>>>>> but I cannot ping 192.168.87.1 from my side (which is strongSwan on OpenWrt).
>>>>> 
>>>>> any help would be appreciated
>>>>> 
>>>>> 
>>>>> 
>>>>> --
>>>>> Life is harsh
>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users at lists.strongswan.org
>>>>> https://lists.strongswan.org/mailman/listinfo/users
>> 
>> 
>> 
>> 
>> 
>> -- 
>> Life is harsh
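Noel's two pieces of advice in this thread (check the iptables-save output, and use the policy match so a MASQUERADE or SNAT rule does not rewrite traffic that is about to enter the tunnel) as an added shell check; this is example code written for this page, not from the thread or the strongSwan project. The iptables-save fragment is constructed for the example, and the interface names and the policy-match FORWARD rules are assumptions modelled on the client's "iptables -nL" output above.

```shell
# Constructed iptables-save fragment (not taken from the thread): a gateway
# whose nat table has one MASQUERADE rule that would also rewrite packets bound
# for the tunnel and one limited by the policy match, plus FORWARD rules of the
# kind shown in the thread's "iptables -nL" output.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth1 -m policy --dir out --pol none -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -s 192.168.87.0/24 -d 192.168.89.0/24 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.89.0/24 -d 192.168.87.0/24 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
COMMIT'

# Read iptables-save text on stdin and print every nat POSTROUTING
# MASQUERADE/SNAT rule that lacks "-m policy ... --pol none". Such a rule
# rewrites the source address before the packet is matched against the
# IPsec policy, so the tunnel's traffic selectors no longer match.
find_unsafe_snat() {
    awk '
        /^\*/ { table = substr($0, 2) }   # remember which table we are in
        table == "nat" && /^-A POSTROUTING / &&
        /-j (MASQUERADE|SNAT)/ &&
        !/-m policy .*--pol none/ { print }
    '
}

# Rewrite one offending rule so that it only matches traffic without an
# IPsec policy, the form Noel gives in the thread.
fix_snat_rule() {
    printf '%s\n' "$1" |
        sed -e 's/ -j MASQUERADE/ -m policy --dir out --pol none -j MASQUERADE/' \
            -e 's/ -j SNAT/ -m policy --dir out --pol none -j SNAT/'
}

# Count FORWARD rules that accept traffic on the strength of an IPsec
# policy match (needed on both peers when FORWARD's policy is DROP).
count_ipsec_forward_rules() {
    grep -c -- '^-A FORWARD .*-m policy .*--pol ipsec'
}

# Stand-alone run: report offending rules and the corrected form.
printf '%s\n' "$SAMPLE_RULES" | find_unsafe_snat | while IFS= read -r rule; do
    echo "unsafe: $rule"
    echo "fixed:  $(fix_snat_rule "$rule")"
done
echo "IPsec FORWARD accept rules: $(printf '%s\n' "$SAMPLE_RULES" | count_ipsec_forward_rules)"
```

On a real gateway, feed `iptables-save` output into find_unsafe_snat instead of the constructed SAMPLE_RULES.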

