[strongSwan] roadwarrior as gateway, possible?
strongswan-users at riaqn.com
Wed Dec 24 14:44:52 CET 2014
Noel Kuntze <noel at familie-kuntze.de> writes:
> Oh, and furthermore,
> 1) you also need to except IPsec traffic from NAT on your client.
> 2) You need to clean up your MASQUERADE rules on your server.
> A correct iptables rule set for you looks like this:
> iptables -t nat -A POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
> iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> Am 24.12.2014 um 12:09 schrieb Zesen Qian:
>> Noel Kuntze <noel at familie-kuntze.de> writes:
>>> Hello Zesen,
>>> You do not need a virtual IP. Route 10.0.0.0/0 == 0.0.0.0/0 throught the tunnel
>>> and use a passthrough policy of 10.0.0.0/0 == 10.0.0.0/0 to allow local traffic.
>>> Make the hosts in the LAN use your old notebook as gateway for the default route
>>> and it will work. I did that here at my place and it works just fine.
>>> See  for some explanation on getting routing to work.
>>>  https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
>>> Mit freundlichen Grüßen/Regards,
>>> Noel Kuntze
>>> GPG Key ID: 0x63EC6658
>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>> Am 23.12.2014 um 02:47 schrieb Zesen Qian:
>>>> Hi all,
>>>> I 'm configuring a special roadwarrior and I'm quite new to IPsec world,
>>>> so plz correct me if I'm wrong. :-)
>>>> I want to config it in such way:
>>>> 0. Riaqn-Laptop is my old laptop acting as gateway in my home, the lan
>>>> is 10.0.0.0/24, and the external IP is dynamically allocated.
>>>> Riaqn-VPS is VPS, which has a static IP(that Riaqn-Laptop can
>>>> connect to).
>>>> 1. Laptop as initiator, VPS as responder. Once the connection is
>>>> established, Laptop give the VPS a virtual IP in 10.0.0.0/24 (just as
>>>> the local lan machines). Does dhcp and farp plugin do the trick?
>>>> 2. Then all outgoing traffic in the lan goes through IPsec, that is, if
>>>> a normal computer in the lan connecting a outside server, the server
>>>> should see the VPS's IP.
>>>> Is it possible by strongswan? I 've seen lots of config examples on
>>>> strongswan website, but none of which is like what I said. I have
>>>> strugled for more than a week... BTW, is there any good article that
>>>> explains about traffic selector/routing in IPsec(for a beginner)?
>>>> Any comments is appreciated!
>>> Users mailing list
>>> Users at lists.strongswan.org
>> Hi Noel,
>> Thanks for your reply!
>> I checked the URL and tried to understand it. Then I configure in
>> such a way:
>> 1. server and client ipsec.conf is here:
>> 2. I do some iptables stuff on the server side, just as the URL says:
>> iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o venet0 -j MASQUERADE
>> iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o venet0 -m policy --dir out --pol ipsec -j ACCEPT
>> 3. Then I up the client. Once the connection is established, the
>> client 's connection to everything(to Internet, to LAN) seems cut-up.
>> Outer world cannot ping the client(gateway), and LAN machines
>> cannot connect to it, either.
>> 4. However, I can connect the client from the server. I typed
>> ssh 10.0.0.1 to check what happens. So this is what it looks like on
>> client 
>> 5. And this is what it looks like on server 
>> Would you help me check these infos please? BTW, do you know any
>> articles explaining traffic selector/routing/stuff? I 'm really
>> confused how IPsec is integrated into my network..
>>  https://bpaste.net/show/45dcd2c1100d
>>  https://bpaste.net/show/e2add2951990
>>  https://bpaste.net/show/96a7300a7e73
I have place the ACCEPT before the MASQUERADE. There 's MASQUERADE on
10.8.0.0/24 on server because it's my OpenVPN server too, does it
I 'm doing a IPv4-in-IPv6 tunnel, so I suppose there 's no need to
except IPsec traffic fron nat? Here 's the ip6tables on the client:
# Generated by ip6tables-save v1.4.21 on Tue Dec 23 08:34:38 2014
:INPUT ACCEPT [14:2201]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [13:1102]
# Completed on Tue Dec 23 08:34:38 2014
as you can see, it just ACCEPT all traffic.
Then I tried to up the client again, and the problem still...
Zesen Qian (钱泽森)
School of Software
Shanghai Jiao Tong University
More information about the Users