[strongSwan] masquerade tunneled traffic
Noel Kuntze
noel at familie-kuntze.de
Wed Apr 29 22:04:10 CEST 2015
Hello Chris,
IPsec traffic passes through netfilter by default. There is no way to turn this off.
There is a graph[1] that describes the internal structure of netfilter.
It doesn't work because your NAT rule now applies to any traffic going out of
eth0 with a matching IPsec policy. Are you sure you want this?
I think you want the following:
NAT all traffic to the remote subnet of that IPsec tunnel that has a matching outbound IPsec policy
NAT all traffic without matching outbound IPsec policy that goes to your WAN
[1] http://inai.de/images/nf-packet-flow.png
Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 29.04.2015 at 14:11, Christoph Henniger wrote:
> Hi Noel,
>
> I tried it the way you said without success. My new iptables rules are listed below.
>
> It looks like the VPN traffic bypasses netfilter completely? Is there a system switch to turn filtering on?
>
> Kind Regards,
> Chris
>
> # iptables -L -v -t nat
> Chain PREROUTING (policy ACCEPT 1449 packets, 84732 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain INPUT (policy ACCEPT 1426 packets, 81339 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain OUTPUT (policy ACCEPT 1302 packets, 92190 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain POSTROUTING (policy ACCEPT 1302 packets, 92190 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 MASQUERADE all -- any eth0 anywhere anywhere policy match dir out pol ipsec
>
> 2015-04-29 7:51 GMT+02:00 Noel Kuntze <noel at familie-kuntze.de>:
>
>
> Hello Chris,
>
> That is because of this line:
>
> 0 0 ACCEPT all -- any eth0 anywhere !10.0.0.0/24 policy match dir out pol ipsec
>
> I advise adjusting your MASQUERADE rule instead to except traffic with a matching IPsec policy from NAT.
>
> Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 27.04.2015 at 18:26, ch+strongswan at henniger.info wrote:
> > Hello,
>
> > Hoping someone can help me:
>
> > With the following LAN-LAN Setup
> > Server 10.2.0.0/24 - 1.1.1.1 --- 2.2.2.2 - 10.0.0.0/24 Client
>
> > I try to route the whole traffic from client through the server with masqueraded traffic to the public net.
>
> > tcpdump on server shows the traffic is routed but not masquerade.
> > (example from host (10.0.0.110) inside client net to public ip (www.heise.de))
>
> > 17:45:47.871219 IP 10.0.0.110 > www.heise.de: ICMP echo request, id 20758, seq 6, length 64
>
> > Thank you in advance for any advice.
>
> > Chris
>
>
> > My Configuration:
>
> > Linux vpn 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt9-2 (2015-04-13) x86_64 GNU/Linux
> > StrongSwan 5.2.1-6
>
> > # cat /etc/ipsec.conf
> > ---
> > config setup
>
> > conn %default
> > ikelifetime=60m
> > keylife=20m
> > rekeymargin=3m
> > keyingtries=1
> > authby=secret
> > keyexchange=ike
> > mobike=no
>
> > conn divinus
> > left=1.1.1.1
> > leftsubnet=0.0.0.0/0
> > right=%any
> > rightsubnet=10.0.0.0/24
> > auto=add
> > ---
>
>
> > # ip xfrm policy
> > ---
> > src 10.0.0.0/24 dst 10.2.0.0/24
> > dir fwd priority 2883 ptype main
> > tmpl src 2.2.2.2 dst 1.1.1.1
> > proto esp reqid 1 mode tunnel
> > src 10.0.0.0/24 dst 10.2.0.0/24
> > dir in priority 2883 ptype main
> > tmpl src 2.2.2.2 dst 1.1.1.1
> > proto esp reqid 1 mode tunnel
> > src 10.2.0.0/24 dst 10.0.0.0/24
> > dir out priority 2883 ptype main
> > tmpl src 1.1.1.1 dst 2.2.2.2
> > proto esp reqid 1 mode tunnel
> > src 0.0.0.0/0 dst 0.0.0.0/0
> > socket in priority 0 ptype main
> > src 0.0.0.0/0 dst 0.0.0.0/0
> > socket out priority 0 ptype main
> > src 0.0.0.0/0 dst 0.0.0.0/0
> > socket in priority 0 ptype main
> > src 0.0.0.0/0 dst 0.0.0.0/0
> > socket out priority 0 ptype main
> > src ::/0 dst ::/0
> > socket in priority 0 ptype main
> > src ::/0 dst ::/0
> > socket out priority 0 ptype main
> > src ::/0 dst ::/0
> > socket in priority 0 ptype main
> > src ::/0 dst ::/0
> > socket out priority 0 ptype main
>
>
>
> > # route
> > Kernel-IP-Routentabelle
> > Ziel Router Genmask Flags Metric Ref Use Iface
> > default 1.1.1.1 0.0.0.0 UG 0 0 0 eth0
> > 10.2.0.0 * 255.255.255.0 U 0 0 0 eth0
> > 1.1.1.0 1.1.1.1 255.255.255.0 UG 0 0 0 eth0
> > 1.1.1.0 * 255.255.255.0 U 0 0 0 eth0
>
>
>
> > # cat /proc/sys/net/ipv4/ip_forward
> > 1
>
>
>
> > # iptables -L -v
> > ---
> > Chain INPUT (policy ACCEPT 9111 packets, 573K bytes)
> > pkts bytes target prot opt in out source destination
>
> > Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> > pkts bytes target prot opt in out source destination
>
> > Chain OUTPUT (policy ACCEPT 891 packets, 128K bytes)
> > pkts bytes target prot opt in out source destination
> > ---
>
>
> > # iptables -t nat -L -v
> > ---
> > Chain PREROUTING (policy ACCEPT 3705 packets, 221K bytes)
> > pkts bytes target prot opt in out source destination
>
> > Chain INPUT (policy ACCEPT 1596 packets, 89736 bytes)
> > pkts bytes target prot opt in out source destination
>
> > Chain OUTPUT (policy ACCEPT 1700 packets, 120K bytes)
> > pkts bytes target prot opt in out source destination
>
> > Chain POSTROUTING (policy ACCEPT 8 packets, 672 bytes)
> > pkts bytes target prot opt in out source destination
> > 0 0 ACCEPT all -- any eth0 anywhere !10.0.0.0/24 policy match dir out pol ipsec
> > 0 0 LOG all -- any eth0 anywhere !10.0.0.0/24 policy match dir out pol ipsec LOG level warning
> > 1709 121K MASQUERADE all -- any eth0 anywhere !10.0.0.0/24
> > ---
>
>
>
>
>
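Noel's objection to the second POSTROUTING chain (it now masquerades every packet leaving eth0 under an IPsec policy, and nothing else) and his two bullet points can be checked by replaying the chains against sample packets. The Python model below is an added example, not code from this thread or from strongSwan. Its assumptions: the packet addresses are constructed (198.51.100.10 is a documentation-range stand-in for a public host), the `ipsec_out_policy` flag stands in for what `-m policy --dir out` sees (whether an xfrm policy with `dir out` covers the packet, as in the `ip xfrm policy` output quoted above), and the `BULLETS` chain is one literal reading of Noel's two bullet points, since the thread gives no exact rules.

```python
"""Replay nat/POSTROUTING chains from the thread against constructed packets.

Added example (not from the thread or strongSwan). In the nat table a
terminating ACCEPT, or falling off the end into the chain policy ACCEPT,
means "no NAT for this connection"; MASQUERADE means the source is rewritten.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    out_iface: str
    ipsec_out_policy: bool  # assumption: True when an xfrm policy with dir out covers it


@dataclass(frozen=True)
class Rule:
    target: str                        # ACCEPT, LOG or MASQUERADE
    out_iface: Optional[str] = None    # -o <iface>
    dst: Optional[str] = None          # -d <cidr>
    dst_negated: bool = False          # ! -d <cidr>
    pol: Optional[str] = None          # -m policy --dir out --pol {ipsec|none}

    def matches(self, pkt: Packet) -> bool:
        if self.out_iface is not None and pkt.out_iface != self.out_iface:
            return False
        if self.dst is not None:
            in_net = ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
            # "in the net but negated" and "outside the net, not negated" both fail
            if in_net == self.dst_negated:
                return False
        if self.pol == "ipsec" and not pkt.ipsec_out_policy:
            return False
        if self.pol == "none" and pkt.ipsec_out_policy:
            return False
        return True


def postrouting(rules: List[Rule], pkt: Packet) -> str:
    """Walk the chain top to bottom: LOG never terminates, the first ACCEPT or
    MASQUERADE hit decides, and the chain policy ACCEPT applies otherwise."""
    for rule in rules:
        if rule.matches(pkt):
            if rule.target == "LOG":
                continue
            return rule.target
    return "ACCEPT"


# Chris's original chain (ACCEPT + LOG + MASQUERADE, all with ! -d 10.0.0.0/24)
FIRST = [
    Rule("ACCEPT", out_iface="eth0", dst="10.0.0.0/24", dst_negated=True, pol="ipsec"),
    Rule("LOG", out_iface="eth0", dst="10.0.0.0/24", dst_negated=True, pol="ipsec"),
    Rule("MASQUERADE", out_iface="eth0", dst="10.0.0.0/24", dst_negated=True),
]
# Chris's second chain: MASQUERADE everything leaving eth0 with an IPsec policy
SECOND = [Rule("MASQUERADE", out_iface="eth0", pol="ipsec")]
# Assumption: a literal reading of Noel's two bullets (not rules from the thread)
BULLETS = [
    Rule("MASQUERADE", out_iface="eth0", dst="10.0.0.0/24", pol="ipsec"),  # to remote subnet, with policy
    Rule("MASQUERADE", out_iface="eth0", pol="none"),                       # to WAN, no policy
]

# Constructed sample packets. Per the quoted `ip xfrm policy`, the only dir-out
# policy is 10.2.0.0/24 -> 10.0.0.0/24, so only lan_to_client carries a policy.
PACKETS: Dict[str, Packet] = {
    "lan_to_client": Packet("10.2.0.5", "10.0.0.110", "eth0", True),
    "client_to_wan": Packet("10.0.0.110", "198.51.100.10", "eth0", False),
    "lan_to_wan": Packet("10.2.0.7", "198.51.100.10", "eth0", False),
}


def evaluate(chains: Dict[str, List[Rule]]) -> Dict[str, Dict[str, str]]:
    """Return {chain name: {packet name: target hit}} for every chain/packet pair."""
    return {name: {p: postrouting(rules, pkt) for p, pkt in PACKETS.items()}
            for name, rules in chains.items()}


if __name__ == "__main__":
    for chain, outcome in evaluate({"FIRST": FIRST, "SECOND": SECOND, "BULLETS": BULLETS}).items():
        print(chain)
        for pkt_name, target in outcome.items():
            print(f"  {pkt_name:14s} -> {target}")
```

Read the output as the difference Noel describes: under `FIRST` the LAN-to-client packet falls through un-NATed and both WAN-bound packets are masqueraded, under `SECOND` the only packet that gets masqueraded is the one heading into the tunnel, and WAN-bound traffic is no longer NATed at all. The model is deliberately limited to rule matching; real iptables consults the nat table only for the first packet of a conntrack connection, so after changing rules the `pkts` counters from `iptables -t nat -L -v` are the check to watch.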