[strongSwan] masquerade tunneled traffic
ch+strongswan at henniger.info
Mon Apr 27 18:26:39 CEST 2015
Hello,
Hoping someone can help me:
With the following LAN-LAN setup
Server 10.2.0.0/24 - 1.1.1.1 --- 2.2.2.2 - 10.0.0.0/24 Client
I try to route the whole traffic from the client through the server, with the traffic masqueraded to the public net.
tcpdump on the server shows the traffic is routed but not masqueraded.
(example from a host (10.0.0.110) inside the client net to a public IP (www.heise.de))
17:45:47.871219 IP 10.0.0.110 > www.heise.de: ICMP echo request, id 20758, seq 6, length 64
Thank you in advance for any advice.
Chris
My Configuration:
Linux vpn 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt9-2 (2015-04-13) x86_64 GNU/Linux
strongSwan 5.2.1-6
# cat /etc/ipsec.conf
---
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    authby=secret
    keyexchange=ike
    mobike=no

conn divinus
    left=1.1.1.1
    leftsubnet=0.0.0.0/0
    right=%any
    rightsubnet=10.0.0.0/24
    auto=add
---
# ip xfrm policy
---
src 10.0.0.0/24 dst 10.2.0.0/24
	dir fwd priority 2883 ptype main
	tmpl src 2.2.2.2 dst 1.1.1.1
		proto esp reqid 1 mode tunnel
src 10.0.0.0/24 dst 10.2.0.0/24
	dir in priority 2883 ptype main
	tmpl src 2.2.2.2 dst 1.1.1.1
		proto esp reqid 1 mode tunnel
src 10.2.0.0/24 dst 10.0.0.0/24
	dir out priority 2883 ptype main
	tmpl src 1.1.1.1 dst 2.2.2.2
		proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0 ptype main
src ::/0 dst ::/0
	socket in priority 0 ptype main
src ::/0 dst ::/0
	socket out priority 0 ptype main
src ::/0 dst ::/0
	socket in priority 0 ptype main
src ::/0 dst ::/0
	socket out priority 0 ptype main
---
# route
Kernel-IP-Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
default         1.1.1.1         0.0.0.0         UG    0      0        0 eth0
10.2.0.0        *               255.255.255.0   U     0      0        0 eth0
1.1.1.0         1.1.1.1         255.255.255.0   UG    0      0        0 eth0
1.1.1.0         *               255.255.255.0   U     0      0        0 eth0
# cat /proc/sys/net/ipv4/ip_forward
1
# iptables -L -v
---
Chain INPUT (policy ACCEPT 9111 packets, 573K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 891 packets, 128K bytes)
 pkts bytes target     prot opt in     out     source               destination
---
# iptables -t nat -L -v
---
Chain PREROUTING (policy ACCEPT 3705 packets, 221K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain INPUT (policy ACCEPT 1596 packets, 89736 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 1700 packets, 120K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 8 packets, 672 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    eth0    anywhere             !10.0.0.0/24          policy match dir out pol ipsec
    0     0 LOG        all  --  any    eth0    anywhere             !10.0.0.0/24          policy match dir out pol ipsec LOG level warning
 1709  121K MASQUERADE all  --  any    eth0    anywhere             !10.0.0.0/24
---
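Added example, not part of the post or of strongSwan: a small checker that parses the `ip xfrm policy` dump quoted above and reports which flows of the described setup actually have an SPD entry. The point it makes is that `leftsubnet=0.0.0.0/0` in ipsec.conf only turns into a kernel policy if the peer negotiated that traffic selector; the dump as posted contains only entries between 10.2.0.0/24 and 10.0.0.0/24, so a client-to-internet packet matches no `fwd` policy and would be handled as plain forwarded traffic (i.e. by the NAT rules), which is worth confirming on the live box while traffic flows before debugging the POSTROUTING chain. The host 10.2.0.5 and the public address 203.0.113.10 (standing in for www.heise.de, whose IP the post does not show) are constructed placeholders.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed input: the `ip xfrm policy` dump from the post above, minus the
# IPv6 socket policies (socket policies are ignored by lookup() anyway).
XFRM_POLICY_DUMP = """\
src 10.0.0.0/24 dst 10.2.0.0/24
    dir fwd priority 2883 ptype main
    tmpl src 2.2.2.2 dst 1.1.1.1
        proto esp reqid 1 mode tunnel
src 10.0.0.0/24 dst 10.2.0.0/24
    dir in priority 2883 ptype main
    tmpl src 2.2.2.2 dst 1.1.1.1
        proto esp reqid 1 mode tunnel
src 10.2.0.0/24 dst 10.0.0.0/24
    dir out priority 2883 ptype main
    tmpl src 1.1.1.1 dst 2.2.2.2
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
"""

# Placeholder public address standing in for www.heise.de (the post shows no IP).
PUBLIC_HOST = "203.0.113.10"


@dataclass
class Policy:
    src: ipaddress.IPv4Network | ipaddress.IPv6Network
    dst: ipaddress.IPv4Network | ipaddress.IPv6Network
    kind: str = "dir"      # "dir": SPD entry; "socket": per-socket policy
    direction: str = ""    # in, out or fwd
    priority: int = 0      # lower number wins when several entries match
    tmpl_src: str = ""     # outer tunnel endpoints from the tmpl line
    tmpl_dst: str = ""
    mode: str = ""         # tunnel or transport


def parse_xfrm_policies(dump: str) -> list[Policy]:
    """Parse `ip xfrm policy` text output into Policy records."""
    policies: list[Policy] = []
    cur: Policy | None = None
    for raw in dump.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "src":                      # "src A/m dst B/n" starts an entry
            cur = Policy(src=ipaddress.ip_network(tok[1], strict=False),
                         dst=ipaddress.ip_network(tok[3], strict=False))
            policies.append(cur)
        elif cur is None:
            continue
        elif tok[0] in ("dir", "socket"):        # "dir fwd priority N ptype main"
            cur.kind, cur.direction = tok[0], tok[1]
            cur.priority = int(tok[tok.index("priority") + 1])
        elif tok[0] == "tmpl":                   # "tmpl src X dst Y"
            cur.tmpl_src, cur.tmpl_dst = tok[2], tok[4]
        elif tok[0] == "proto" and "mode" in tok:  # "proto esp reqid N mode tunnel"
            cur.mode = tok[tok.index("mode") + 1]
    return policies


def lookup(policies: list[Policy], src: str, dst: str, direction: str) -> Policy | None:
    """Return the SPD entry the kernel would apply to a src->dst packet in the
    given direction ('in', 'out' or 'fwd'), or None when no entry covers it.
    Socket policies are skipped: they bind only to the socket that installed
    them (charon's IKE sockets here), never to forwarded traffic."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies
            if p.kind == "dir" and p.direction == direction and s in p.src and d in p.dst]
    return min(hits, key=lambda p: p.priority, default=None)


def coverage_report(policies: list[Policy]) -> dict[str, bool]:
    """Flows from the post's scenario and whether an SPD entry protects them.
    10.2.0.5 is a constructed host in the server LAN."""
    flows = {
        "server LAN -> client LAN (out)": ("10.2.0.5", "10.0.0.110", "out"),
        "client LAN -> server LAN (in)": ("10.0.0.110", "10.2.0.5", "in"),
        "client LAN -> internet (fwd)": ("10.0.0.110", PUBLIC_HOST, "fwd"),
        "server LAN -> internet (out)": ("10.2.0.5", PUBLIC_HOST, "out"),
    }
    return {name: lookup(policies, *flow) is not None for name, flow in flows.items()}


if __name__ == "__main__":
    pols = parse_xfrm_policies(XFRM_POLICY_DUMP)
    for name, protected in coverage_report(pols).items():
        print(f"{name:34s} {'IPsec' if protected else 'plain (subject to NAT rules)'}")
```

Run it against `ip xfrm policy` output captured on the gateway while a ping from the client net is in flight; if the client-to-internet flow still reports no `fwd` entry, the traffic selector the peer negotiated is the first thing to fix, and the `policy match` rules in POSTROUTING are not yet relevant.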