[strongSwan] NAT exempt rule not working

Svend Høst svend at hoest.nu
Sun Jan 5 09:03:40 CET 2014


Hi

If, after a reboot, I restart strongSwan and the tunnel, the iptables rules look OK,
but packets are still sent over the internet.

Is there anything in the kernel configuration I have to check?

When I look at http://www.strongswan.org/uml/testresults4/ikev1/net2net-psk/
there is nothing in ip route list table 220

root at b3:~# ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 4.4.1 IPsec [starter]...
root at b3:~# iptables -L -v
Chain INPUT (policy DROP 3 packets, 120 bytes)
 pkts bytes target     prot opt in     out     source
destination
    0     0 REJECT     tcp  --  any    any     anywhere
anywhere            tcp flags:SYN,ACK/SYN,ACK state NEW reject-with
tcp-reset
    1    51 DROP       tcp  --  any    any     anywhere
anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
    9  1042 ACCEPT     all  --  eth0   any     anywhere
anywhere            state RELATED,ESTABLISHED
   54  3995 ACCEPT     all  --  br0    any     anywhere             anywhere
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     icmp --  eth0   any     anywhere
anywhere            icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere
anywhere            icmp fragmentation-needed
    0     0 ACCEPT     tcp  --  eth0   any     anywhere
anywhere            tcp dpt:ssh
    0     0 ACCEPT     udp  --  eth0   any     anywhere
anywhere            udp dpt:isakmp
    0     0 ACCEPT     esp  --  eth0   any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
destination
   18  8743 ACCEPT     all  --  br0    any     anywhere             anywhere
   17  1021 ACCEPT     all  --  any    any     anywhere
anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere
anywhere            icmp fragmentation-needed

Chain OUTPUT (policy ACCEPT 65 packets, 8742 bytes)
 pkts bytes target     prot opt in     out     source
destination
    0     0 ACCEPT     esp  --  any    eth0    anywhere             anywhere
root at b3:~# ipsec up net-net
002 "net-net" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using
isakmp#1}
112 "net-net" #3: STATE_QUICK_I1: initiate
002 "net-net" #3: sent QI2, IPsec SA established {ESP=>0xbc2b2ba9
<0xceebf6e2}
004 "net-net" #3: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0xbc2b2ba9 <0xceebf6e2}
root at b3:~# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
destination
    0     0 ACCEPT     all  --  eth0   any     192.168.3.0/24
192.168.10.0/24     policy match dir in pol ipsec reqid 16385 proto esp
    0     0 REJECT     tcp  --  any    any     anywhere
anywhere            tcp flags:SYN,ACK/SYN,ACK state NEW reject-with
tcp-reset
    1    51 DROP       tcp  --  any    any     anywhere
anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
   33  5847 ACCEPT     all  --  eth0   any     anywhere
anywhere            state RELATED,ESTABLISHED
   86  5963 ACCEPT     all  --  br0    any     anywhere             anywhere
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     icmp --  eth0   any     anywhere
anywhere            icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere
anywhere            icmp fragmentation-needed
    0     0 ACCEPT     tcp  --  eth0   any     anywhere
anywhere            tcp dpt:ssh
    0     0 ACCEPT     udp  --  eth0   any     anywhere
anywhere            udp dpt:isakmp
    0     0 ACCEPT     esp  --  eth0   any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
destination
    0     0 ACCEPT     all  --  eth0   any     192.168.3.0/24
192.168.10.0/24     policy match dir in pol ipsec reqid 16385 proto esp
    0     0 ACCEPT     all  --  any    eth0    192.168.10.0/24
192.168.3.0/24      policy match dir out pol ipsec reqid 16385 proto esp
   21  8890 ACCEPT     all  --  br0    any     anywhere             anywhere
   21  1263 ACCEPT     all  --  any    any     anywhere
anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere
anywhere            icmp fragmentation-needed

Chain OUTPUT (policy ACCEPT 22 packets, 3238 bytes)
 pkts bytes target     prot opt in     out     source
destination
    0     0 ACCEPT     all  --  any    eth0    192.168.10.0/24
192.168.3.0/24      policy match dir out pol ipsec reqid 16385 proto esp
    0     0 ACCEPT     esp  --  any    eth0    anywhere             anywhere
root at b3:~#

traceroute to 192.168.3.1 (192.168.3.1), 30 hops max, 60 byte packets
 1  10.66.128.234 (10.66.128.234)  32.228 ms  53.222 ms  53.485 ms
 2  10.66.128.237 (10.66.128.237)  53.873 ms  54.093 ms  54.477 ms
 3  172.18.4.78 (172.18.4.78)  71.604 ms 172.18.4.82 (172.18.4.82)  54.282
ms 172.18.4.62 (172.18.4.62)  54.174 ms
 4  172.18.72.66 (172.18.72.66)  53.930 ms 172.18.72.90 (172.18.72.90)
 53.910 ms 172.18.72.98 (172.18.72.98)  53.802 ms
 5  172.18.8.109 (172.18.8.109)  53.800 ms 172.18.8.105 (172.18.8.105)
 53.742 ms 172.18.8.158 (172.18.8.158)  53.439 ms^C




2014/1/4 Ali Masoudi <masoudi1983 at gmail.com>

> Hi
>
> Did you disable "add routes" in strongswan.conf?
> By default, strongSwan adds the required route in table 220.
>
> If you disabled routing in SW, you have to route traffic to 192.168.3.0/24 via
> the 109.56.142.204 interface to 5.103.136.156.
>
> Best wishes
> Ali
>
>
>
>
> On Fri, Jan 3, 2014 at 12:02 PM, Svend Høst <svend at hoest.nu> wrote:
>
>> Hi
>>
>> I'm having trouble getting packets routed over the tunnel. It seems
>> like the iptables rules are somewhat purged; they re-enter if I rebuild
>> the tunnel, but that doesn't help the routing issue.
>>
>> traceroute to 192.168.3.1 (192.168.3.1), 30 hops max, 60 byte packets
>>  1  10.66.55.18 (10.66.55.18)  43.438 ms  53.529 ms  53.742 ms
>>  2  10.66.55.17 (10.66.55.17)  53.857 ms  63.536 ms  63.482 ms^C
>>
>> root at b3:~# ipsec version
>> Linux strongSwan U4.4.1/K2.6.39.4-11
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil, Switzerland
>> See 'ipsec --copyright' for copyright information.
>>
>> root at b3:~# ipsec status net-net
>> 000 "net-net":
>> 192.168.10.0/24===109.56.142.204[hoest.myownb3.com]...5.103.136.156[192.168.3.1]===192.168.3.0/24;
>> erouted; eroute owner: #4
>> 000 "net-net":   newest ISAKMP SA: #3; newest IPsec SA: #4;
>> 000
>> 000 #4: "net-net" STATE_QUICK_I2 (sent QI2, IPsec SA established);
>> EVENT_SA_REPLACE in 2246s; newest IPSEC; eroute owner
>> 000 #4: "net-net" esp.f755325f at 5.103.136.156 (0 bytes)
>> esp.2c39870c at 109.56.142.204 (0 bytes); tunnel
>>  000 #3: "net-net" STATE_MAIN_I4 (ISAKMP SA established);
>> EVENT_SA_REPLACE in 2164s; newest ISAKMP
>> 000
>>
>> root at b3:~# iptables -L -v
>> Chain INPUT (policy DROP 0 packets, 0 bytes)
>>  pkts bytes target     prot opt in     out     source
>> destination
>>     0     0 REJECT     tcp  --  any    any     anywhere
>> anywhere            tcp flags:SYN,ACK/SYN,ACK state NEW reject-with
>> tcp-reset
>>     0     0 DROP       tcp  --  any    any     anywhere
>> anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
>>    93  6801 ACCEPT     all  --  eth0   any     anywhere
>> anywhere            state RELATED,ESTABLISHED
>>     0     0 ACCEPT     all  --  br0    any     anywhere
>> anywhere
>>     0     0 ACCEPT     all  --  lo     any     anywhere
>> anywhere
>>     0     0 ACCEPT     icmp --  eth0   any     anywhere
>> anywhere            icmp time-exceeded
>>     0     0 ACCEPT     icmp --  any    any     anywhere
>> anywhere            icmp fragmentation-needed
>>     0     0 ACCEPT     tcp  --  eth0   any     anywhere
>> anywhere            tcp dpt:ssh
>>     0     0 ACCEPT     udp  --  eth0   any     anywhere
>> anywhere            udp dpt:isakmp
>>     0     0 ACCEPT     esp  --  eth0   any     anywhere
>> anywhere
>>
>> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>>  pkts bytes target     prot opt in     out     source
>> destination
>>     0     0 ACCEPT     all  --  br0    any     anywhere
>> anywhere
>>     0     0 ACCEPT     all  --  any    any     anywhere
>> anywhere            state RELATED,ESTABLISHED
>>     0     0 ACCEPT     icmp --  any    any     anywhere
>> anywhere            icmp fragmentation-needed
>>
>> Chain OUTPUT (policy ACCEPT 93 packets, 13864 bytes)
>>  pkts bytes target     prot opt in     out     source
>> destination
>>     0     0 ACCEPT     esp  --  any    eth0    anywhere
>> anywhere
>> root at b3:~#
>>
>>
>>
>> Any thoughts?
>>
>> Wkr.
>>  Svend
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>>
>
>
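An added diagnostic script (not from the thread or from strongSwan) that checks the three things the thread turns on: whether the kernel was built with the XFRM, ESP and policy-match options an ESP tunnel needs, whether an outbound xfrm policy for 192.168.10.0/24 -> 192.168.3.0/24 is actually installed, and whether table 220 holds the route strongSwan normally adds. The command output it parses is constructed from the thread's addresses; the next-hop gateway 109.56.142.1 is an assumption.

```shell
#!/bin/sh
# Added diagnostic for a net-to-net tunnel whose traffic leaves in plaintext. Each
# check is a function taking command output as text, so it runs on the constructed
# samples below and on live output from the gateway alike.
# Kernel options (2.6.x-era names) an ESP tunnel with "policy match" rules needs.
REQUIRED_OPTS="CONFIG_XFRM_USER CONFIG_INET_ESP CONFIG_INET_XFRM_MODE_TUNNEL CONFIG_NETFILTER_XT_MATCH_POLICY"

# missing_kernel_opts <kernel config text>: prints required options that are neither built in nor modules.
missing_kernel_opts() {
    missing=""
    for opt in $REQUIRED_OPTS; do
        printf '%s\n' "$1" | grep -Eq "^${opt}=(y|m)$" || missing="$missing $opt"
    done
    printf '%s\n' "${missing# }"
}

# has_out_policy <ip xfrm policy text> <local net> <remote net>: succeeds only if an outbound
# ESP tunnel policy for local->remote exists; without one the kernel forwards the packets
# unencrypted via the default route, which is what the traceroutes in the thread show.
has_out_policy() {
    printf '%s\n' "$1" | awk -v src="$2" -v dst="$3" '
        $1 == "src" { inblk = ($2 == src && $4 == dst); dir = ""; next }
        inblk && $1 == "dir" { dir = $2; next }
        inblk && $1 == "proto" && $2 == "esp" && dir == "out" && /mode tunnel/ { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# has_table220_route <ip route list table 220 text> <remote net>: succeeds if the
# route strongSwan normally installs for the remote subnet is present.
has_table220_route() {
    printf '%s\n' "$1" | grep -Eq "^$2[[:space:]]"
}

# Constructed samples built from the thread's addresses (gateway 109.56.142.1 assumed).
SAMPLE_KCONFIG="CONFIG_XFRM_USER=y
CONFIG_INET_ESP=m
CONFIG_INET_XFRM_MODE_TUNNEL=y
# CONFIG_NETFILTER_XT_MATCH_POLICY is not set"
SAMPLE_XFRM_POLICY="src 192.168.10.0/24 dst 192.168.3.0/24
    dir out priority 1859 ptype main
    tmpl src 109.56.142.204 dst 5.103.136.156
        proto esp reqid 16385 mode tunnel
src 192.168.3.0/24 dst 192.168.10.0/24
    dir in priority 1859 ptype main
    tmpl src 5.103.136.156 dst 109.56.142.204
        proto esp reqid 16385 mode tunnel"
SAMPLE_TABLE220="192.168.3.0/24 via 109.56.142.1 dev eth0 proto static src 192.168.10.1"
# On the gateway, feed "$(zcat /proc/config.gz)", "$(ip xfrm policy)" and "$(ip route list table 220)" instead.
echo "missing kernel options: $(missing_kernel_opts "$SAMPLE_KCONFIG")"
has_out_policy "$SAMPLE_XFRM_POLICY" 192.168.10.0/24 192.168.3.0/24 && echo "out policy: ok" || echo "out policy: MISSING"
has_table220_route "$SAMPLE_TABLE220" 192.168.3.0/24 && echo "table 220 route: ok" || echo "table 220 route: MISSING"
```

An SA that is "established" but shows 0 bytes on its ESP counters, as in the ipsec status output above, is exactly the case the second check catches: the IKE negotiation succeeded but no outbound policy is protecting the traffic.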