[strongSwan] routing traffic to site to site ipsec tunnel

Eric Y. Zhang debiansid at gmail.com
Fri Dec 19 01:49:37 CET 2014


hi Noel
Thanks for responding. Based on my understanding, 0.0.0.0/0--0.0.0.0 will
pass all traffic to the ipsec tunnel.
There are no more steps after setting the mark for those subnets. So how can I
except the traffic whose destination is not in that set?

thanks


Eric



On Thu, Dec 18, 2014 at 11:58 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
>
> Hello Eric,
>
> You might be able to do what you want with marks[1] and an any-any policy (
> 0.0.0.0/0 == 0.0.0.0/9).
>
> You can then match the ipset you have your china subnets in with the 'set'
> match module and assign the mark, if the destination is not in that set.
> Ex.: iptables -t mangle -I POSTROUTING -m set ! --match-set fwmark dst -j MARK --set-mark foo/bar
> Then except the traffic that matches a policy from nat in *nat POSTROUTING:
> Ex.: iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
> or
> iptables -t nat -I POSTROUTING -m policy --pol none --dir out -j MASQUERADE
>
> The latter rule would replace your standard MASQUERADE rule.
>
> You do not have to deal with policy based routing with strongSwan, as it
> does policy based VPNs, not route based ones.
>
> [1] https://lists.strongswan.org/pipermail/users/2014-November/006942.html
>
> Kind regards/Regards,
> Noel Kuntze
>
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 18.12.2014 at 14:09, Eric Y. Zhang wrote:
> > I want to separate traffic to outside China from domestic traffic. I
> have all subnets which do not belong to China. I want any traffic to them
> to go through the ipsec tunnel.
> >
> > let's say foreign.txt includes all ip address outside of China.
> >
> > Openwrt subnet 192.168.89.0/24
> > VPS subnet 192.168.87.0/24  vps eth0:1 192.168.87.1
> >
> > #!/bin/bash
> >
> > # build the ipset of foreign subnets (one CIDR per line in /etc/foreign.txt)
> > ipset create fwmark hash:net
> > for subnet in `cat /etc/foreign.txt`
> > do
> >  ipset add fwmark $subnet
> > done
> >
> > # mark packets to those subnets; the chain must be reached from a built-in chain
> > iptables -t mangle -N fwmark
> > iptables -t mangle -A fwmark -m set --match-set fwmark dst -j MARK --set-mark 0xffff
> > iptables -t mangle -A PREROUTING -j fwmark
> > # policy routing for marked packets (table 'gfw' must exist in /etc/iproute2/rt_tables)
> > ip route add default via 192.168.87.1 dev br-lan table gfw
> > ip rule add fwmark 0xffff table gfw
> >
> > This script will create an ipset for those ip addresses. I just have no
> idea how to do iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
> > for those IPs.
> >
> > Based on my test, you have to do 2 things to make it work.
> > 1. iptables -t nat -I POSTROUTING -s 192.168.89.0/24 -d 192.168.87.0/24 -j ACCEPT
> > 2. route add -net 192.168.87.0/24 gw 192.168.89.1
> >
> > For every ip subnet in foreign.txt, those 2 steps have to be done.
> >
> >
> > thanks
> >
> > Eric
> >
> > On Thu, Dec 18, 2014 at 8:33 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> >
> > Hello Eric,
> >
> > What do you mean with that exactly? Make traffic to all networks, but
> the LAN, go through the tunnel?
> > For that, you need to except ipsec traffic from NAT.
> > You can use the 'policy' module of iptables to match IPsec traffic.
> > E.g.: iptables -t nat -A POSTROUTING -o eth0 -m policy --pol none --dir out -j MASQUERADE
> >
> > That rule matches all traffic that goes out of eth0 and does not have a
> matching IPsec policy, and will MASQUERADE it.
> > Another rule you could use is "iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT"
> > That rule will simply accept all traffic with a matching policy, so it
> does not get masqueraded.
> >
> > Kind regards/Regards,
> > Noel Kuntze
> >
> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >
> > On 18.12.2014 at 11:24, Eric Y. Zhang wrote:
> >> hi Noel
> >> iptables -t nat -I POSTROUTING -s 192.168.89.0/24 -d 192.168.87.0/24 -j ACCEPT
> >> ip route add -net 192.168.87.0/24 gw 192.168.89.1
> >
> >> and add type=passthrough
> >> I can ping 192.168.87.1
> >> Routed Connections:
> >>     runabove{1}:  ROUTED, TUNNEL
> >>     runabove{1}:   192.168.89.0/24 === 0.0.0.0/0
> >> Security Associations (1 up, 0 connecting):
> >>     runabove[1]: ESTABLISHED 32 minutes ago, 192.168.88.101[ezhang]...serverip [eang]
> >>     runabove{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c8508cd1_i c9042c77_o
> >>     runabove{1}:   192.168.89.0/24 === 0.0.0.0/0
> >
> >> and I managed to add 8.8.8.8 into that tunnel; it works too.
> >
> >> Then I have another question: how to add all foreign ip blocks into
> that tunnel? Like via ipset?
> >
> >> On Thu, Dec 18, 2014 at 11:44 AM, Eric Zhang <debiansid at gmail.com> wrote:
> >
> >>     Hi Noel
> >>     I just added
> >>     iptables -t nat -I POSTROUTING -s 192.168.89.0/24 -d 192.168.87.0/24 -j ACCEPT
> >>     Then I can ping 192.168.87.1 from openwrt.
> >>     After I changed rightsubnet=0.0.0.0 on both sides' ipsec.conf, I can
> not ping 87.1 from openwrt.
> >
> >>     So how can I allow all traffic to the foreign ip range into the IPSec
> tunnel?
> >
> >>     Sent from Mobile
> >
> >
> >>     On 18 December 2014, at 03:31, Noel Kuntze <noel at familie-kuntze.de> wrote:
> >
> >>>
> >> Hello Eric,
> >
> >> You can use passthrough policies for your local networks and a ts of
> localnet == 0.0.0.0/0 for that.
> >> You will need to use some custom firewall rule to except IPsec traffic
> from NAT. Look through the list archive for some emails from me about that topic.
> >
> >> Kind regards/Regards,
> >> Noel Kuntze
> >
> >> GPG Key ID: 0x63EC6658
> >> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >
> >> On 17.12.2014 at 13:21, Eric Y. Zhang wrote:
> >>>>>     Hi all
> >>>>>     here is my setup
> >>>>>
> >>>>>     strongswan(openwrt)<----->strongswan(linux VPS), the ipsec tunnel is up between those 2.
> >>>>>
> >>>>>     Now I want to route all traffic except domestic to that tunnel. How can I make that work?
> >>>>>     --
> >>>>>     Life is harsh
> >>>>>
> >>>>>
> >>>>>     _______________________________________________
> >>>>>     Users mailing list
> >>>>>     Users at lists.strongswan.org
> >>>>>     https://lists.strongswan.org/mailman/listinfo/users
> >
> >>>
> >>>
> >
> >
> >
> >> --
> >> Life is harsh
> >
> >
> >
> > --
> > Life is harsh
>


-- 
Life is harsh
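The rule set Noel describes (mark destinations from an ipset, exempt traffic with a matching IPsec policy from NAT, masquerade only the rest), as an added example that is not code from the thread. It emits the commands as a reviewable list rather than applying them, and adds a check that the exemption precedes MASQUERADE. The set name 'fwmark', the mark 0xffff and /etc/foreign.txt come from Eric's script; WAN_IF is a placeholder for the uplink interface, and marking in mangle PREROUTING is my choice for forwarded LAN traffic.

```shell
# Added example for this thread (not Noel's or Eric's code).
# Assumed names: set 'fwmark', mark 0xffff, /etc/foreign.txt (from Eric's
# script); WAN_IF is a placeholder for the uplink interface.
WAN_IF="${WAN_IF:-eth0}"

# build_rules SETNAME MARK LISTFILE: print the commands, one per line.
# Review the output, then pipe it into 'sh' as root to apply it.
build_rules() {
    setname="$1"; mark="$2"; listfile="$3"
    echo "ipset -exist create $setname hash:net"
    while IFS= read -r net; do
        case "$net" in ''|'#'*) continue ;; esac   # skip blanks and comments
        echo "ipset -exist add $setname $net"
    done < "$listfile"
    # Mark forwarded packets whose destination is in the set. The strongSwan
    # connection must carry the same value (mark=$mark) so that only marked
    # packets match its 0.0.0.0/0 policy; unmarked domestic traffic never
    # enters the tunnel and is routed normally.
    echo "iptables -t mangle -A PREROUTING -m set --match-set $setname dst -j MARK --set-mark $mark"
    # The exemption must precede the masquerade rule: packets with a matching
    # outbound IPsec policy are accepted untouched, everything else leaving
    # WAN_IF is masqueraded.
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -m policy --pol ipsec --dir out -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

# nat_order_ok: read a rule listing on stdin (build_rules output or the
# 'iptables-save -t nat' dump of a live box) and succeed only when the IPsec
# ACCEPT rule appears before the MASQUERADE rule.
nat_order_ok() {
    awk '/--pol ipsec --dir out -j ACCEPT/ && !a { a = NR }
         /-j MASQUERADE/ && !m { m = NR }
         END { exit !(a && m && a < m) }'
}
```

Example usage: `build_rules fwmark 0xffff /etc/foreign.txt | nat_order_ok && build_rules fwmark 0xffff /etc/foreign.txt | sh`.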

