[strongSwan] roadwarrior as gateway, possible?

Zesen Qian strongswan-users at riaqn.com
Fri Dec 26 14:47:07 CET 2014 

Noel Kuntze <noel at familie-kuntze.de> writes:

> Hello Zesen,
>
> It matters. IPv4 traffic is filtered by the firewall that you configure using iptables
> and IPv6 traffic is filtered by the firewall that you configure using ip6tables.
> If you use a 4in6 tunnel, you need let the IPv6 tunnel packets through by configuring
> the firewall for IPv6 traffic using ip6tables. The traffic that is encapsulated in the tunnel packets
> is filtered by the firewall you configure using iptables.
> What you except from NAT are not the ESP or ESPINUDP packets, but the packets
> that are supposed to be in there. The policy match module tries to find
> an IPsec policy (XFRM policy on Linux) that matches the packet.
> Using it in the ACCEPT rule prevents the NAT from being applied to packets that match a policy,
> to make sure that the packets go into the tunnel and still match the policy when the XFRM lookup
> happens. See [1] for the packet flow in Netfilter and general networking on Linux.
> Netfilter is the firewall implementation on Linux.
>
> [1] http://inai.de/images/nf-packet-flow.png
>
>
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> Am 24.12.2014 um 14:44 schrieb Zesen Qian:
>> Noel Kuntze <noel at familie-kuntze.de> writes:
>>
>>> Oh, and furthermore,
>>> 1) you also need to except IPsec traffic from NAT on your client.
>>> 2) You need to clean up your MASQUERADE rules on your server.
>>>     A correct iptables rule set for you looks like this:
>>>     iptables -t nat -A POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
>>>     iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE
>>>
>>> Mit freundlichen Grüßen/Regards,
>>> Noel Kuntze
>>>
>>> GPG Key ID: 0x63EC6658
>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>>
>>> Am 24.12.2014 um 12:09 schrieb Zesen Qian:
>>>> Noel Kuntze <noel at familie-kuntze.de> writes:
>>>>
>>>>> Hello Zesen,
>>>>>
>>>>> You do not need a virtual IP. Route 10.0.0.0/0 == 0.0.0.0/0 throught the tunnel
>>>>> and use a passthrough policy of 10.0.0.0/0 == 10.0.0.0/0 to allow local traffic.
>>>>> Make the hosts in the LAN use your old notebook as gateway for the default route
>>>>> and it will work. I did that here at my place and it works just fine.
>>>>> See [1] for some explanation on getting routing to work.
>>>>>
>>>>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
>>>>>
>>>>> Mit freundlichen Grüßen/Regards,
>>>>> Noel Kuntze
>>>>>
>>>>> GPG Key ID: 0x63EC6658
>>>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>>>>
>>>>> Am 23.12.2014 um 02:47 schrieb Zesen Qian:
>>>>>> Hi all,
>>>>>> I 'm configuring a special roadwarrior and I'm quite new to IPsec world,
>>>>>> so plz correct me if I'm wrong. :-)
>>>>>> I want to config it in such way:
>>>>>>
>>>>>> 0. Riaqn-Laptop is my old laptop acting as gateway in my home, the lan
>>>>>> is 10.0.0.0/24, and the external IP is dynamically allocated.
>>>>>> Riaqn-VPS is VPS, which has a static IP(that Riaqn-Laptop can
>>>>>> connect to).
>>>>>>
>>>>>> 1. Laptop as initiator, VPS as responder. Once the connection is
>>>>>> established, Laptop give the VPS a virtual IP in 10.0.0.0/24 (just as
>>>>>> the local lan machines). Does dhcp and farp plugin do the trick?
>>>>>>
>>>>>> 2. Then all outgoing traffic in the lan goes through IPsec, that is, if
>>>>>> a normal computer in the lan connecting a outside server, the server
>>>>>> should see the VPS's IP.
>>>>>>
>>>>>> Is it possible by strongswan? I 've seen lots of config examples on
>>>>>> strongswan website, but none of which is like what I said. I have
>>>>>> strugled for more than a week... BTW, is there any good article that
>>>>>> explains about traffic selector/routing in IPsec(for a beginner)?
>>>>>> Any comments is appreciated!
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users at lists.strongswan.org
>>>>> https://lists.strongswan.org/mailman/listinfo/users
>>>>
>>>> Hi Noel,
>>>>    Thanks for your reply!
>>>>    I checked the URL and tried to understand it. Then I configure in
>>>>    such a way:
>>>>    1. server and client ipsec.conf is here[1]:
>>>>    2. I do some iptables stuff on the server side, just as the URL says:
>>>>       iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o venet0 -j MASQUERADE
>>>>       iptables -t nat  -A POSTROUTING -s 10.0.0.0/24 -o venet0 -m policy --dir out --pol ipsec -j ACCEPT
>>>>    3. Then I up the client. Once the connection is established, the
>>>>    client 's connection to everything(to Internet, to LAN) seems cut-up.
>>>>    Outer world cannot ping the client(gateway), and LAN machines
>>>>    cannot connect to it, either.
>>>>    4. However, I can connect the client from the server. I typed
>>>>    ssh 10.0.0.1 to check what happens. So this is what it looks like on
>>>>    client [2]
>>>>    5. And this is what it looks like on server [3]
>>>>
>>>>    Would you help me check these infos please? BTW, do you know any
>>>>    articles explaining traffic selector/routing/stuff? I 'm really
>>>>    confused how IPsec is integrated into my network..
>>>>
>>>> [1] https://bpaste.net/show/45dcd2c1100d
>>>> [2] https://bpaste.net/show/e2add2951990
>>>> [3] https://bpaste.net/show/96a7300a7e73
>>>
>> Hi Noel,
>>    I have place the ACCEPT before the MASQUERADE. There 's MASQUERADE on
>>    10.8.0.0/24 on server because it's my OpenVPN server too, does it
>>    matter?
>>    I 'm doing a IPv4-in-IPv6 tunnel, so I suppose there 's no need to
>>    except IPsec traffic fron nat? Here 's the ip6tables on the client:
>>    # Generated by ip6tables-save v1.4.21 on Tue Dec 23 08:34:38 2014
>>    *filter
>>    :INPUT ACCEPT [14:2201]
>>    :FORWARD ACCEPT [0:0]
>>    :OUTPUT ACCEPT [13:1102]
>>    COMMIT
>>    # Completed on Tue Dec 23 08:34:38 2014
>>
>>    as you can see, it just ACCEPT all traffic.
>>
>>    Then I tried to up the client again, and the problem still...
>>
>

Hello Noel,
      It may be related to my home-setup smtp server, please try
      me at riaqn.com.
      Remember you told me to "except IPsec traffic from NAT"? Actually
      I'm new to not only IPsec, but also iptables. Can you give some
      guide on how to do it?
      Oh, and more. I just retried to up the ipsec on client, and
      surprisingly, the machine in the client LAN can still connect to
      the client. The disconnect only happens between client and
      external net(except the server). Sorry that I provided wrong info
      on the problem.
      
-- 
Zesen Qian (钱泽森)
Undergraduate
School of Software
Shanghai Jiao Tong University

More information about the Users mailing list