[strongSwan] masquerade tunneled traffic

Christoph Henniger ch at henniger.info
Wed Apr 29 14:11:08 CEST 2015


Hi Noel,

I tried it the way you said without success. My new iptables rules are
listed below.

It looks like the VPN traffic bypasses netfilter completely? Is there a
system switch to turn filtering on?

Kind Regards,
Chris

# iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 1449 packets, 84732 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 1426 packets, 81339 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1302 packets, 92190 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1302 packets, 92190 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  any    eth0    anywhere             anywhere             policy match dir out pol ipsec

2015-04-29 7:51 GMT+02:00 Noel Kuntze <noel at familie-kuntze.de>:

>
>
> Hello Chris,
>
> That is because of this line:
>
> 0     0 ACCEPT     all  --  any    eth0    anywhere            !10.0.0.0/24          policy match dir out pol ipsec
>
> I advise adjusting your MASQUERADE rule instead to except traffic with a
> matching IPsec policy from NAT.
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 27.04.2015 at 18:26, ch+strongswan at henniger.info wrote:
> > Hello,
> >
> > Hoping someone can help me:
> >
> > With the following LAN-LAN Setup
> > Server 10.2.0.0/24 - 1.1.1.1 --- 2.2.2.2 - 10.0.0.0/24 Client
> >
> > I try to route the whole traffic from the client through the server, with the traffic masqueraded to the public net.
> >
> > tcpdump on the server shows the traffic is routed but not masqueraded.
> > (example from host (10.0.0.110) inside the client net to a public IP (www.heise.de))
> >
> > 17:45:47.871219 IP 10.0.0.110 > www.heise.de: ICMP echo request, id 20758, seq 6, length 64
> >
> > Thank you in advance for any advice.
> >
> > Chris
> >
> >
> > My Configuration:
> >
> > Linux vpn 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt9-2 (2015-04-13) x86_64 GNU/Linux
> > StrongSwan 5.2.1-6
> >
> > # cat /etc/ipsec.conf
> > ---
> > config setup
> >
> > conn %default
> >         ikelifetime=60m
> >         keylife=20m
> >         rekeymargin=3m
> >         keyingtries=1
> >         authby=secret
> >         keyexchange=ike
> >         mobike=no
> >
> > conn divinus
> >         left=1.1.1.1
> >         leftsubnet=0.0.0.0/0
> >         right=%any
> >         rightsubnet=10.0.0.0/24
> >         auto=add
> > ---
> >
> >
> > # ip xfrm policy
> > ---
> > src 10.0.0.0/24 dst 10.2.0.0/24
> >         dir fwd priority 2883 ptype main
> >         tmpl src 2.2.2.2 dst 1.1.1.1
> >                 proto esp reqid 1 mode tunnel
> > src 10.0.0.0/24 dst 10.2.0.0/24
> >         dir in priority 2883 ptype main
> >         tmpl src 2.2.2.2 dst 1.1.1.1
> >                 proto esp reqid 1 mode tunnel
> > src 10.2.0.0/24 dst 10.0.0.0/24
> >         dir out priority 2883 ptype main
> >         tmpl src 1.1.1.1 dst 2.2.2.2
> >                 proto esp reqid 1 mode tunnel
> > src 0.0.0.0/0 dst 0.0.0.0/0
> >         socket in priority 0 ptype main
> > src 0.0.0.0/0 dst 0.0.0.0/0
> >         socket out priority 0 ptype main
> > src 0.0.0.0/0 dst 0.0.0.0/0
> >         socket in priority 0 ptype main
> > src 0.0.0.0/0 dst 0.0.0.0/0
> >         socket out priority 0 ptype main
> > src ::/0 dst ::/0
> >         socket in priority 0 ptype main
> > src ::/0 dst ::/0
> >         socket out priority 0 ptype main
> > src ::/0 dst ::/0
> >         socket in priority 0 ptype main
> > src ::/0 dst ::/0
> >         socket out priority 0 ptype main
> >
> >
> >
> > # route
> > Kernel-IP-Routentabelle
> > Ziel            Router          Genmask         Flags Metric Ref    Use Iface
> > default         1.1.1.1         0.0.0.0         UG    0      0        0 eth0
> > 10.2.0.0        *               255.255.255.0   U     0      0        0 eth0
> > 1.1.1.0         1.1.1.1         255.255.255.0   UG    0      0        0 eth0
> > 1.1.1.0         *               255.255.255.0   U     0      0        0 eth0
> >
> >
> >
> > # cat /proc/sys/net/ipv4/ip_forward
> > 1
> >
> >
> >
> > # iptables -L -v
> > ---
> > Chain INPUT (policy ACCEPT 9111 packets, 573K bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >
> > Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >
> > Chain OUTPUT (policy ACCEPT 891 packets, 128K bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> > ---
> >
> >
> > # iptables -t nat -L -v
> > ---
> > Chain PREROUTING (policy ACCEPT 3705 packets, 221K bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >
> > Chain INPUT (policy ACCEPT 1596 packets, 89736 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >
> > Chain OUTPUT (policy ACCEPT 1700 packets, 120K bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >
> > Chain POSTROUTING (policy ACCEPT 8 packets, 672 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >     0     0 ACCEPT     all  --  any    eth0    anywhere            !10.0.0.0/24          policy match dir out pol ipsec
> >     0     0 LOG        all  --  any    eth0    anywhere            !10.0.0.0/24          policy match dir out pol ipsec LOG level warning
> >  1709  121K MASQUERADE  all  --  any    eth0    anywhere            !10.0.0.0/24
> > ---
> >
> >
>
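As an added illustration (my own model, not code from this thread or from strongSwan), the Python below simulates how a nat POSTROUTING rule with `-m policy --dir out --pol ipsec` or `--pol none` decides for the two packet kinds this thread is about, using the 'dir out' xfrm policy quoted above; the `--pol none` rule and the sample addresses 10.2.0.10, 10.0.0.110 and 203.0.113.10 are constructed.

```python
import ipaddress

# 'dir out' xfrm policy taken from the `ip xfrm policy` output quoted above
XFRM_OUT_POLICIES = [
    (ipaddress.ip_network("10.2.0.0/24"), ipaddress.ip_network("10.0.0.0/24")),
]

def has_out_policy(src, dst):
    """What `-m policy --dir out --pol ipsec` tests: would this packet be
    picked up by an IPsec 'out' policy once it leaves POSTROUTING?"""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ps and d in pd for ps, pd in XFRM_OUT_POLICIES)

def postrouting_nat(rules, src, dst, out_if="eth0"):
    """First-match walk of nat POSTROUTING rules (a simplified model of
    netfilter, not the real thing).  A rule is a dict with 'target' plus
    optional 'out' and 'pol' ('ipsec' or 'none') matches.  Returns the
    target that fired, or 'POLICY' when the chain policy (no NAT) applies."""
    for rule in rules:
        if rule.get("out", out_if) != out_if:
            continue
        pol = rule.get("pol")
        if pol == "ipsec" and not has_out_policy(src, dst):
            continue
        if pol == "none" and has_out_policy(src, dst):
            continue
        return rule["target"]
    return "POLICY"

# The rule from the message above: masquerade only traffic WITH an IPsec policy.
RULES_POL_IPSEC = [{"out": "eth0", "pol": "ipsec", "target": "MASQUERADE"}]
# Constructed alternative: masquerade only traffic WITHOUT an IPsec policy, so
# tunnel traffic keeps its original source and still matches the ESP selectors.
RULES_POL_NONE = [{"out": "eth0", "pol": "none", "target": "MASQUERADE"}]

def summarize(rules):
    """Decision for the two packet kinds discussed in this thread (hosts and
    the public address 203.0.113.10 are constructed sample values)."""
    return {
        # client-LAN host -> public host, forwarded out of eth0 in the clear
        "client_to_internet": postrouting_nat(rules, "10.0.0.110", "203.0.113.10"),
        # server-LAN host -> client LAN, about to enter the tunnel
        "server_to_client_lan": postrouting_nat(rules, "10.2.0.10", "10.0.0.110"),
    }

if __name__ == "__main__":
    for name, rules in (("pol ipsec", RULES_POL_IPSEC), ("pol none", RULES_POL_NONE)):
        print(name, summarize(rules))
```

Internet-bound traffic from the client LAN has no 'out' IPsec policy on the server, so a MASQUERADE rule restricted to `--pol ipsec` never fires on it (consistent with the zero counters in the listing above), whereas the `--pol none` variant masquerades exactly that traffic and leaves the tunnel's own traffic un-NATed.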