[strongSwan] roadwarrior as gateway, possible?

Zesen Qian strongswan-users at riaqn.com
Wed Dec 24 14:44:52 CET 2014 

Noel Kuntze <noel at familie-kuntze.de> writes:

> Oh, and furthermore,
> 1) you also need to except IPsec traffic from NAT on your client.
> 2) You need to clean up your MASQUERADE rules on your server.
>     A correct iptables rule set for you looks like this:
>     iptables -t nat -A POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
>     iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE
>
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> Am 24.12.2014 um 12:09 schrieb Zesen Qian:
>> Noel Kuntze <noel at familie-kuntze.de> writes:
>>
>>> Hello Zesen,
>>>
>>> You do not need a virtual IP. Route 10.0.0.0/0 == 0.0.0.0/0 throught the tunnel
>>> and use a passthrough policy of 10.0.0.0/0 == 10.0.0.0/0 to allow local traffic.
>>> Make the hosts in the LAN use your old notebook as gateway for the default route
>>> and it will work. I did that here at my place and it works just fine.
>>> See [1] for some explanation on getting routing to work.
>>>
>>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
>>>
>>> Mit freundlichen Grüßen/Regards,
>>> Noel Kuntze
>>>
>>> GPG Key ID: 0x63EC6658
>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>>
>>> Am 23.12.2014 um 02:47 schrieb Zesen Qian:
>>>> Hi all,
>>>> I 'm configuring a special roadwarrior and I'm quite new to IPsec world,
>>>> so plz correct me if I'm wrong. :-)
>>>> I want to config it in such way:
>>>>
>>>> 0. Riaqn-Laptop is my old laptop acting as gateway in my home, the lan
>>>> is 10.0.0.0/24, and the external IP is dynamically allocated.
>>>> Riaqn-VPS is VPS, which has a static IP(that Riaqn-Laptop can
>>>> connect to).
>>>>
>>>> 1. Laptop as initiator, VPS as responder. Once the connection is
>>>> established, Laptop give the VPS a virtual IP in 10.0.0.0/24 (just as
>>>> the local lan machines). Does dhcp and farp plugin do the trick?
>>>>
>>>> 2. Then all outgoing traffic in the lan goes through IPsec, that is, if
>>>> a normal computer in the lan connecting a outside server, the server
>>>> should see the VPS's IP.
>>>>
>>>> Is it possible by strongswan? I 've seen lots of config examples on
>>>> strongswan website, but none of which is like what I said. I have
>>>> strugled for more than a week... BTW, is there any good article that
>>>> explains about traffic selector/routing in IPsec(for a beginner)?
>>>> Any comments is appreciated!
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.strongswan.org
>>> https://lists.strongswan.org/mailman/listinfo/users
>>
>> Hi Noel,
>>    Thanks for your reply!
>>    I checked the URL and tried to understand it. Then I configure in
>>    such a way:
>>    1. server and client ipsec.conf is here[1]:
>>    2. I do some iptables stuff on the server side, just as the URL says:
>>       iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o venet0 -j MASQUERADE
>>       iptables -t nat  -A POSTROUTING -s 10.0.0.0/24 -o venet0 -m policy --dir out --pol ipsec -j ACCEPT
>>    3. Then I up the client. Once the connection is established, the
>>    client 's connection to everything(to Internet, to LAN) seems cut-up.
>>    Outer world cannot ping the client(gateway), and LAN machines
>>    cannot connect to it, either.
>>    4. However, I can connect the client from the server. I typed
>>    ssh 10.0.0.1 to check what happens. So this is what it looks like on
>>    client [2]
>>    5. And this is what it looks like on server [3]
>>
>>    Would you help me check these infos please? BTW, do you know any
>>    articles explaining traffic selector/routing/stuff? I 'm really
>>    confused how IPsec is integrated into my network..
>>
>> [1] https://bpaste.net/show/45dcd2c1100d
>> [2] https://bpaste.net/show/e2add2951990
>> [3] https://bpaste.net/show/96a7300a7e73
>
Hi Noel,
   I have place the ACCEPT before the MASQUERADE. There 's MASQUERADE on
   10.8.0.0/24 on server because it's my OpenVPN server too, does it
   matter?
   I 'm doing a IPv4-in-IPv6 tunnel, so I suppose there 's no need to
   except IPsec traffic fron nat? Here 's the ip6tables on the client:
   # Generated by ip6tables-save v1.4.21 on Tue Dec 23 08:34:38 2014
   *filter
   :INPUT ACCEPT [14:2201]
   :FORWARD ACCEPT [0:0]
   :OUTPUT ACCEPT [13:1102]
   COMMIT
   # Completed on Tue Dec 23 08:34:38 2014

   as you can see, it just ACCEPT all traffic.

   Then I tried to up the client again, and the problem still...

-- 
Zesen Qian (钱泽森)
Undergraduate
School of Software
Shanghai Jiao Tong University

More information about the Users mailing list