[strongSwan] masquerade tunneled traffic
Noel Kuntze
noel at familie-kuntze.de
Wed Apr 29 07:51:41 CEST 2015
Hello Chris,
That is because of this line:
0 0 ACCEPT all -- any eth0 anywhere !10.0.0.0/24 policy match dir out pol ipsec
I advise adjusting your MASQUERADE rule instead to except traffic with a matching IPsec policy from NAT.
Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
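As an added illustration (not code from Noel's reply, from Chris, or from the strongSwan project), here is a small Python model of the nat POSTROUTING chain that evaluates the three rules Chris posted beside a single MASQUERADE rule restricted with -m policy --dir out --pol none, which is one way to express the advice above; the packets and the public address 203.0.113.10 (standing in for www.heise.de) are constructed, and Python is used so the rule logic can be checked without root or a kernel.

```python
"""Added example, not code from the thread: a minimal model of the nat
POSTROUTING chain that understands the matches in Chris's ruleset (-o, -d with
'!' negation, -m policy --dir out --pol) and the targets ACCEPT, LOG, MASQUERADE."""
import ipaddress
import shlex
def parse_rule(text):
    toks, i = shlex.split(text), 0
    rule = {"out": None, "dst": None, "dst_neg": False, "pol": None, "target": None}
    while i < len(toks):
        neg = toks[i] == "!"
        i += neg                                   # step over the '!' token
        t = toks[i]
        if t == "-o":
            rule["out"] = toks[i + 1]
        elif t == "-d":
            rule["dst"], rule["dst_neg"] = ipaddress.ip_network(toks[i + 1]), neg
        elif t == "--pol":
            rule["pol"] = toks[i + 1]              # "ipsec" or "none"
        elif t == "-j":
            rule["target"] = toks[i + 1]
        i += 2 if t in ("-o", "-d", "--pol", "-j") else 1   # -t, -A, -m, --dir: skip
    return rule

def verdict(rules, pkt):
    """First terminating target wins; LOG never terminates. pkt['pol'] is 'ipsec'
    when an xfrm output policy covers the packet, otherwise 'none'."""
    dst = ipaddress.ip_address(pkt["dst"])
    for r in rules:
        if r["out"] and r["out"] != pkt["out"]:
            continue
        if r["dst"] is not None and (dst in r["dst"]) == r["dst_neg"]:
            continue
        if r["pol"] and r["pol"] != pkt["pol"]:
            continue
        if r["target"] != "LOG":
            return r["target"]
    return "ACCEPT"                                # chain policy
# The three POSTROUTING rules from the thread, re-typed from the -L -v listing.
ORIGINAL = [parse_rule(r) for r in (
    "iptables -t nat -A POSTROUTING -o eth0 ! -d 10.0.0.0/24 -m policy --dir out --pol ipsec -j ACCEPT",
    "iptables -t nat -A POSTROUTING -o eth0 ! -d 10.0.0.0/24 -m policy --dir out --pol ipsec -j LOG",
    "iptables -t nat -A POSTROUTING -o eth0 ! -d 10.0.0.0/24 -j MASQUERADE")]
# Noel's advice as one MASQUERADE rule that itself excludes IPsec-policied
# traffic: --pol none matches only packets without an xfrm output policy.
FIXED = [parse_rule(
    "iptables -t nat -A POSTROUTING -o eth0 -m policy --dir out --pol none -j MASQUERADE")]
def compare(dst, pol, out="eth0"):
    """(original verdict, fixed verdict) for a constructed packet leaving `out`."""
    pkt = {"dst": dst, "out": out, "pol": pol}
    return verdict(ORIGINAL, pkt), verdict(FIXED, pkt)
```

The two rulesets agree for client traffic bound for the internet and for replies that an IPsec policy covers; they differ only for a packet to 10.0.0.0/24 that no policy covers (tunnel down), which the original rules pass unchanged and the policy-based rule masquerades. Neither stops such cleartext leaving eth0; that is a job for the FORWARD chain, not for nat.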
On 27.04.2015 at 18:26, ch+strongswan at henniger.info wrote:
> Hello,
>
> Hoping someone can help me:
>
> With the following LAN-LAN Setup
> Server 10.2.0.0/24 - 1.1.1.1 --- 2.2.2.2 - 10.0.0.0/24 Client
>
> I try to route the whole traffic from client through the server with masqueraded traffic to the public net.
>
> tcpdump on server shows the traffic is routed but not masqueraded.
> (example from host (10.0.0.110) inside client net to public ip (www.heise.de))
>
> 17:45:47.871219 IP 10.0.0.110 > www.heise.de: ICMP echo request, id 20758, seq 6, length 64
>
> Thank you in advance for any advice.
>
> Chris
>
>
> My Configuration:
>
> Linux vpn 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt9-2 (2015-04-13) x86_64 GNU/Linux
> StrongSwan 5.2.1-6
>
> # cat /etc/ipsec.conf
> ---
> config setup
>
> conn %default
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=1
> authby=secret
> keyexchange=ike
> mobike=no
>
> conn divinus
> left=1.1.1.1
> leftsubnet=0.0.0.0/0
> right=%any
> rightsubnet=10.0.0.0/24
> auto=add
> ---
>
>
> # ip xfrm policy
> ---
> src 10.0.0.0/24 dst 10.2.0.0/24
> dir fwd priority 2883 ptype main
> tmpl src 2.2.2.2 dst 1.1.1.1
> proto esp reqid 1 mode tunnel
> src 10.0.0.0/24 dst 10.2.0.0/24
> dir in priority 2883 ptype main
> tmpl src 2.2.2.2 dst 1.1.1.1
> proto esp reqid 1 mode tunnel
> src 10.2.0.0/24 dst 10.0.0.0/24
> dir out priority 2883 ptype main
> tmpl src 1.1.1.1 dst 2.2.2.2
> proto esp reqid 1 mode tunnel
> src 0.0.0.0/0 dst 0.0.0.0/0
> socket in priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
> socket out priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
> socket in priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
> socket out priority 0 ptype main
> src ::/0 dst ::/0
> socket in priority 0 ptype main
> src ::/0 dst ::/0
> socket out priority 0 ptype main
> src ::/0 dst ::/0
> socket in priority 0 ptype main
> src ::/0 dst ::/0
> socket out priority 0 ptype main
>
>
>
> # route
> Kernel-IP-Routentabelle
> Ziel Router Genmask Flags Metric Ref Use Iface
> default 1.1.1.1 0.0.0.0 UG 0 0 0 eth0
> 10.2.0.0 * 255.255.255.0 U 0 0 0 eth0
> 1.1.1.0 1.1.1.1 255.255.255.0 UG 0 0 0 eth0
> 1.1.1.0 * 255.255.255.0 U 0 0 0 eth0
>
>
>
> # cat /proc/sys/net/ipv4/ip_forward
> 1
>
>
>
> # iptables -L -v
> ---
> Chain INPUT (policy ACCEPT 9111 packets, 573K bytes)
> pkts bytes target prot opt in out source destination
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain OUTPUT (policy ACCEPT 891 packets, 128K bytes)
> pkts bytes target prot opt in out source destination
> ---
>
>
> # iptables -t nat -L -v
> ---
> Chain PREROUTING (policy ACCEPT 3705 packets, 221K bytes)
> pkts bytes target prot opt in out source destination
>
> Chain INPUT (policy ACCEPT 1596 packets, 89736 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain OUTPUT (policy ACCEPT 1700 packets, 120K bytes)
> pkts bytes target prot opt in out source destination
>
> Chain POSTROUTING (policy ACCEPT 8 packets, 672 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT all -- any eth0 anywhere !10.0.0.0/24 policy match dir out pol ipsec
> 0 0 LOG all -- any eth0 anywhere !10.0.0.0/24 policy match dir out pol ipsec LOG level warning
> 1709 121K MASQUERADE all -- any eth0 anywhere !10.0.0.0/24
> ---
>
>