[strongSwan] NAT exempt rule not working

Svend Høst svend at hoest.nu
Fri Jan 3 09:32:59 CET 2014


Hi

I'm having trouble getting packets routed over the tunnel. It seems that
the iptables rules are somewhat purged; they re-enter if I rebuild the
tunnel, but that doesn't help the routing issue.

traceroute to 192.168.3.1 (192.168.3.1), 30 hops max, 60 byte packets
 1  10.66.55.18 (10.66.55.18)  43.438 ms  53.529 ms  53.742 ms
 2  10.66.55.17 (10.66.55.17)  53.857 ms  63.536 ms  63.482 ms^C

root at b3:~# ipsec version
Linux strongSwan U4.4.1/K2.6.39.4-11
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.

root at b3:~# ipsec status net-net
000 "net-net": 192.168.10.0/24===109.56.142.204[hoest.myownb3.com]...5.103.136.156[192.168.3.1]===192.168.3.0/24; erouted; eroute owner: #4
000 "net-net":   newest ISAKMP SA: #3; newest IPsec SA: #4;
000
000 #4: "net-net" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2246s; newest IPSEC; eroute owner
000 #4: "net-net" esp.f755325f at 5.103.136.156 (0 bytes) esp.2c39870c at 109.56.142.204 (0 bytes); tunnel
000 #3: "net-net" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2164s; newest ISAKMP
000

root at b3:~# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere            tcp flags:SYN,ACK/SYN,ACK state NEW reject-with tcp-reset
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
   93  6801 ACCEPT     all  --  eth0   any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  br0    any     anywhere             anywhere
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     icmp --  eth0   any     anywhere             anywhere            icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp fragmentation-needed
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:ssh
    0     0 ACCEPT     udp  --  eth0   any     anywhere             anywhere            udp dpt:isakmp
    0     0 ACCEPT     esp  --  eth0   any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  br0    any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp fragmentation-needed

Chain OUTPUT (policy ACCEPT 93 packets, 13864 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     esp  --  any    eth0    anywhere             anywhere
root at b3:~#



Any thoughts ?

Wkr.
Svend
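Added example (not part of the post or of strongSwan): a small POSIX shell check for the two iptables conditions a net-net tunnel like the one above depends on. The FORWARD chain shown in the post has policy DROP and no rule for the 192.168.10.0/24 <-> 192.168.3.0/24 pair, and the nat table is not shown at all, so the script checks (1) that FORWARD explicitly accepts both directions of the subnet pair and (2) that a NAT exemption (ACCEPT or RETURN for the pair) precedes any MASQUERADE/SNAT rule in POSTROUTING. The rule dumps are constructed sample input in `iptables -S` syntax; on a real host you would feed it `iptables -S FORWARD` and `iptables -t nat -S POSTROUTING`. The subnets come from the post; the check only recognises subnet-based rules, not interface-based ones such as `-i br0`.

```shell
#!/bin/sh
# Added example, not from the post or from strongSwan.
# Checks iptables -S style dumps for the rules a net-net IPsec tunnel needs.

LEFT_NET="192.168.10.0/24"   # from the post
RIGHT_NET="192.168.3.0/24"   # from the post

# Constructed: what the post's FORWARD chain looks like in `iptables -S FORWARD`
FORWARD_RULES_BAD='-P FORWARD DROP
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 3/4 -j ACCEPT'

# Constructed: same chain with explicit accepts for both tunnel directions
FORWARD_RULES_GOOD='-P FORWARD DROP
-A FORWARD -s 192.168.10.0/24 -d 192.168.3.0/24 -j ACCEPT
-A FORWARD -s 192.168.3.0/24 -d 192.168.10.0/24 -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'

# Constructed: exemption present but AFTER masquerade, so it never matches
NAT_RULES_BAD='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.10.0/24 -d 192.168.3.0/24 -j ACCEPT'

# Constructed: exemption placed before masquerade, which is the working order
NAT_RULES_GOOD='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.10.0/24 -d 192.168.3.0/24 -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'

# forward_ok RULES LEFT RIGHT: 0 if both directions of the pair are accepted.
forward_ok() {
    rules=$1; l=$2; r=$3
    printf '%s\n' "$rules" | grep -qE -- "-s $l -d $r .*-j ACCEPT" || return 1
    printf '%s\n' "$rules" | grep -qE -- "-s $r -d $l .*-j ACCEPT" || return 1
    return 0
}

# nat_exempt_ok RULES LEFT RIGHT: 0 if an ACCEPT/RETURN for the pair exists
# and sits above the first MASQUERADE/SNAT rule (iptables is first-match).
nat_exempt_ok() {
    rules=$1; l=$2; r=$3
    exempt=$(printf '%s\n' "$rules" \
        | grep -nE -- "-s $l -d $r .*-j (ACCEPT|RETURN)" | head -n1 | cut -d: -f1)
    snat=$(printf '%s\n' "$rules" \
        | grep -nE -- "-j (MASQUERADE|SNAT)" | head -n1 | cut -d: -f1)
    [ -n "$exempt" ] || return 1        # no exemption at all
    [ -z "$snat" ] && return 0          # nothing is masqueraded, nothing to bypass
    [ "$exempt" -lt "$snat" ]           # exemption must come first
}

# report LABEL FORWARD_RULES NAT_RULES: human-readable summary for one host.
report() {
    label=$1
    if forward_ok "$2" "$LEFT_NET" "$RIGHT_NET"; then
        echo "$label: FORWARD accepts $LEFT_NET <-> $RIGHT_NET"
    else
        echo "$label: FORWARD lacks an explicit accept for $LEFT_NET <-> $RIGHT_NET"
    fi
    if nat_exempt_ok "$3" "$LEFT_NET" "$RIGHT_NET"; then
        echo "$label: NAT exemption precedes MASQUERADE/SNAT"
    else
        echo "$label: NAT exemption missing or placed after MASQUERADE/SNAT"
    fi
}

report "as-posted" "$FORWARD_RULES_BAD" "$NAT_RULES_BAD"
report "corrected" "$FORWARD_RULES_GOOD" "$NAT_RULES_GOOD"
```

The ordering check matters because iptables evaluates rules top to bottom: an exemption appended after MASQUERADE is never reached, so tunnel traffic leaves with the public address as source and no longer matches the 192.168.10.0/24 traffic selector.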