[strongSwan] routing traffic to site to site ipsec tunnel

Eric Zhang debiansid at gmail.com
Tue Dec 23 12:56:57 CET 2014


Noel,
Thanks, it works like a charm.

Sent from Mobile


> On 19 Dec 2014, at 08:49, Eric Y. Zhang <debiansid at gmail.com> wrote:
> 
> hi Noel
> Thanks for responding. Based on my understanding, 0.0.0.0/0--0.0.0.0 will pass all traffic to the ipsec tunnel.
> There are no more steps after setting the mark for those subnets, so how can I except the traffic whose destination is not in that set?
> 
> thanks
> 
> 
> Eric
> 
>> On Thu, Dec 18, 2014 at 11:58 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>> 
>> Hello Eric,
>> 
>> You might be able to do what you want with marks[1] and an any-any policy (0.0.0.0/0 == 0.0.0.0/9).
>> 
>> You can then match the ipset you have your china subnets in with the 'set' match module and assign
>> the mark, if the destination is not in that set.
>> Ex.: iptables -t mangle -I POSTROUTING -m set ! --match-set fwmark dst -j MARK --set-mark foo/bar
>> Then except the traffic that matches a policy from nat in *nat POSTROUTING:
>> Ex.: iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
>> or
>> iptables -t nat -I POSTROUTING -m policy --pol none --dir out -j MASQUERADE
>> 
>> The latter rule would replace your standard MASQUERADE rule.
>> 
>> You do not have to deal with policy based routing with strongSwan, as it does policy
>> based VPNs, not route based ones.
>> 
>> [1] https://lists.strongswan.org/pipermail/users/2014-November/006942.html
>> 
>> Mit freundlichen Grüßen/Regards,
>> Noel Kuntze
>> 
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>> 
>> On 18.12.2014 at 14:09, Eric Y. Zhang wrote:
>> > I want to separate traffic to outside China from domestic traffic. I have all subnets which do not belong to China. I want any traffic to them to go through the ipsec tunnel.
>> >
>> > Let's say foreign.txt includes all IP addresses outside of China.
>> >
>> > Openwrt subnet 192.168.89.0/24
>> > VPS subnet 192.168.87.0/24  vps eth0:1 192.168.87.1
>> >
>> > #!/bin/bash
>> >
>> > ipset create fwmark hash:net
>> > for subnet in `cat /etc/foreign.txt`
>> > do
>> >  ipset add fwmark $subnet
>> > done
>> >
>> > iptables -t mangle -N fwmark
>> > iptables -t mangle -A fwmark -m set --match-set fwmark dst -j MARK --set-mark 0xffff
>> > ip route add default via 192.168.87.1 dev br-lan table gfw
>> > ip rule add fwmark 0xffff table gfw
>> >
>> > This script will create an ipset for those IP addresses. I just have no idea how to do iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
>> > for those IPs.
>> >
>> > Based on my test, you have to do 2 things to make it work.
>> > 1. iptables -t nat -I POSTROUTING -s 192.168.89.0/24 -d 192.168.87.0/24 -j ACCEPT
>> > 2. route add -net 192.168.87.0/24 gw 192.168.89.1
>> >
>> > For every IP subnet in foreign.txt, those 2 steps have to be done.
>> >
>> >
>> > thanks
>> >
>> > Eric
>> >
>> > On Thu, Dec 18, 2014 at 8:33 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>> >
>> > Hello Eric,
>> >
>> > What do you mean by that exactly? Make traffic to all networks but the LAN go through the tunnel?
>> > For that, you need to except IPsec traffic from NAT.
>> > You can use the 'policy' module of iptables to match IPsec traffic.
>> > E.g.: iptables -t nat -A POSTROUTING -o eth0 -m policy --pol none --dir out -j MASQUERADE
>> >
>> > That rule matches all traffic that goes out of eth0 and does not have a matching IPsec policy, and will MASQUERADE it.
>> > Another rule you could use is "iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT".
>> > That rule will simply accept all traffic with a matching policy, so it does not get masqueraded.
>> >
>> > Mit freundlichen Grüßen/Regards,
>> > Noel Kuntze
>> >
>> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>> >
>> > On 18.12.2014 at 11:24, Eric Y. Zhang wrote:
>> >> Hi Noel,
>> >> iptables -t nat -I POSTROUTING -s 192.168.89.0/24 -d 192.168.87.0/24 -j ACCEPT
>> >> ip route add -net 192.168.87.0/24 gw 192.168.89.1
>> >
>> >> and add type=passthrough
>> >> I can ping 192.168.87.1
>> >> Routed Connections:
>> >>     runabove{1}:  ROUTED, TUNNEL
>> >>     runabove{1}:   192.168.89.0/24 === 0.0.0.0/0
>> >> Security Associations (1 up, 0 connecting):
>> >>     runabove[1]: ESTABLISHED 32 minutes ago, 192.168.88.101[ezhang]...serverip [eang]
>> >>     runabove{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c8508cd1_i c9042c77_o
>> >>     runabove{1}:   192.168.89.0/24 === 0.0.0.0/0
>> >
>> >> And I managed to add 8.8.8.8 into that tunnel; it works too.
>> >
>> >> Then I have another question: how to add all foreign IP blocks into that tunnel, like via ipset?
>> >
>> >> On Thu, Dec 18, 2014 at 11:44 AM, Eric Zhang <debiansid at gmail.com> wrote:
>> >
>> >>     Hi Noel,
>> >>     I just added
>> >>     iptables -t nat -I POSTROUTING -s 192.168.89.0/24 -d 192.168.87.0/24 -j ACCEPT
>> >>     Then I can ping 192.168.87.1 from openwrt.
>> >>     After I changed rightsubnet=0.0.0.0 on both sides' ipsec.conf, I cannot ping 87.1 from openwrt.
>> >
>> >>     So how can I allow all traffic to the foreign IP ranges into the IPsec tunnel?
>> >
>> >>     Sent from Mobile
>> >
>> >
>> >>     On 18 Dec 2014, at 03:31, Noel Kuntze <noel at familie-kuntze.de> wrote:
>> >
>> >>>
>> >> Hello Eric,
>> >
>> >> You can use passthrough policies for your local networks and a ts of localnet == 0.0.0.0/0 for that.
>> >> You will need to use some custom firewall rule to except IPsec traffic from NAT. Look through the list archive
>> >> for some emails from me about that topic.
>> >
>> >> Mit freundlichen Grüßen/Regards,
>> >> Noel Kuntze
>> >
>> >> GPG Key ID: 0x63EC6658
>> >> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>> >
>> >> On 17.12.2014 at 13:21, Eric Y. Zhang wrote:
>> >>>>>     Hi all,
>> >>>>>     here is my setup:
>> >>>>>
>> >>>>>     strongswan(openwrt)<----->strongswan(linux VPS); the ipsec tunnel is up between those 2.
>> >>>>>
>> >>>>>     Now I want to route all traffic except domestic to that tunnel. How can I make that work?
>> >>>>>     --
>> >>>>>     Life is harsh
>> >>>>>
>> >>>>>
> 
> 
> -- 
> Life is harsh
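The approach Noel describes above (domestic prefixes in an ipset, every other forwarded destination marked so that an any-to-any strongSwan policy carrying the same `mark=` claims it, and IPsec traffic excepted from NAT), as an added example that is not taken from the thread or from the strongSwan project. It emits the rules instead of applying them so they can be reviewed first; the set name `china`, the mark `0x1/0x1`, the interfaces `br-lan`/`eth0` and the sample prefix list are assumptions, and the mark is set in mangle PREROUTING so forwarded LAN packets already carry it when the kernel looks up the outbound policy.

```shell
#!/bin/sh
# Constructed example: print the ipset/iptables rules that send non-domestic
# forwarded traffic into a mark-matched IPsec policy and keep it out of NAT.
# Assumed names (not from the thread): set "china", mark 0x1/0x1, br-lan, eth0.
set -eu

SET_NAME=china       # ipset holding domestic (directly routed) prefixes
MARK='0x1/0x1'       # must equal mark= of the strongSwan conn (assumption)
LAN_IF=br-lan        # LAN side of the OpenWrt router
WAN_IF=eth0          # uplink that carries both NAT and ESP

# Print one command per line for the prefix list in $1 (one CIDR per line,
# blank lines and "#" comments ignored).
gen_rules() {
    list=$1
    printf 'ipset create %s hash:net -exist\n' "$SET_NAME"
    while IFS= read -r net || [ -n "$net" ]; do
        case $net in ''|\#*) continue ;; esac
        printf 'ipset add %s %s -exist\n' "$SET_NAME" "$net"
    done < "$list"
    # Mark forwarded LAN packets whose destination is NOT domestic; only
    # marked packets match the strongSwan policy that carries the same mark.
    printf 'iptables -t mangle -A PREROUTING -i %s -m set ! --match-set %s dst -j MARK --set-mark %s\n' \
        "$LAN_IF" "$SET_NAME" "$MARK"
    # Tunnelled packets keep their LAN source: accept them before NAT ...
    printf 'iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT\n'
    # ... and masquerade only what leaves the uplink without an IPsec policy.
    printf 'iptables -t nat -A POSTROUTING -o %s -m policy --pol none --dir out -j MASQUERADE\n' \
        "$WAN_IF"
}

# Number of prefixes that ended up in the set, for a quick sanity check.
count_set_entries() {
    gen_rules "$1" | grep -c "^ipset add $SET_NAME "
}

# Constructed sample list standing in for a real /etc/china.txt.
SAMPLE=$(mktemp)
printf '# domestic prefixes (constructed)\n1.0.1.0/24\n1.0.2.0/23\n\n1.0.8.0/21\n' > "$SAMPLE"
gen_rules "$SAMPLE"
rm -f "$SAMPLE"
```

Pipe the output to `sh` on the router to apply it; the matching conn in ipsec.conf needs `rightsubnet=0.0.0.0/0` and the same `mark=` value.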