[strongSwan] masquerade tunneled traffic

Noel Kuntze noel at familie-kuntze.de
Wed Apr 29 22:04:10 CEST 2015


Hello Chris,

IPsec traffic passes through netfilter by default. There is no way to turn this off.
There is a graph[1] that describes the internal structure of netfilter.

It doesn't work because your NAT rule now applies to any traffic going out of
eth0 with a matching IPsec policy. Are you sure you want this?
I think you want the following:

NAT all traffic to the remote subnet of that IPsec tunnel that has a matching outbound IPsec policy
NAT all traffic without matching outbound IPsec policy that goes to your WAN

[1] http://inai.de/images/nf-packet-flow.png

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 29.04.2015 um 14:11 schrieb Christoph Henniger:
> Hi Noel,
>
> I tried it the way you said without success. My new iptables rules are listed below.
>
> It looks like the VPN traffic bypasses netfilter completely? Is there a system switch to turn filtering on?
>
> Kind Regards,
> Chris
>
> # iptables -L -v -t nat
> Chain PREROUTING (policy ACCEPT 1449 packets, 84732 bytes)
>  pkts bytes target     prot opt in     out     source               destination        
>
> Chain INPUT (policy ACCEPT 1426 packets, 81339 bytes)
>  pkts bytes target     prot opt in     out     source               destination        
>
> Chain OUTPUT (policy ACCEPT 1302 packets, 92190 bytes)
>  pkts bytes target     prot opt in     out     source               destination        
>
> Chain POSTROUTING (policy ACCEPT 1302 packets, 92190 bytes)
>  pkts bytes target     prot opt in     out     source               destination        
>     0     0 MASQUERADE  all  --  any    eth0    anywhere             anywhere             policy match dir out pol ipsec
>
> 2015-04-29 7:51 GMT+02:00 Noel Kuntze <noel at familie-kuntze.de>:
>
>
> Hello Chris,
>
> That is because of this line:
>
> 0     0 ACCEPT     all  --  any    eth0    anywhere            !10.0.0.0/24          policy match dir out pol ipsec
>
> I advise adjusting your MASQUERADE rule instead to except traffic with a matching IPsec policy from NAT.
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> Am 27.04.2015 um 18:26 schrieb ch+strongswan at henniger.info:
> > Hello,
>
> > Hoping someone can help me:
>
> > With the following LAN-LAN Setup
> > Server 10.2.0.0/24 - 1.1.1.1 --- 2.2.2.2 - 10.0.0.0/24 Client
>
> > I try to route the whole traffic from client through the server with masqueraded traffic to the public net.
>
> > tcpdump on server shows the traffic is routed but not masquerade.
> > (example from host (10.0.0.110) inside client net to public ip (www.heise.de))
>
> > 17:45:47.871219 IP 10.0.0.110 > www.heise.de: ICMP echo request, id 20758, seq 6, length 64
>
> > Thank you in advance for any advice.
>
> > Chris
>
>
> > My Configuration:
>
> > Linux vpn 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt9-2 (2015-04-13) x86_64 GNU/Linux
> > StrongSwan 5.2.1-6
>
> > # cat /etc/ipsec.conf
> > ---
> > config setup
>
> > conn %default
> >         ikelifetime=60m
> >         keylife=20m
> >         rekeymargin=3m
> >         keyingtries=1
> >         authby=secret
> >         keyexchange=ike
> >         mobike=no
>
> > conn divinus
> >         left=1.1.1.1
> >         leftsubnet=0.0.0.0/0
> >         right=%any
> >         rightsubnet=10.0.0.0/24
> >         auto=add
> > ---
>
>
> > # ip xfrm policy
> > ---
> > src 10.0.0.0/24 dst 10.2.0.0/24
> >         dir fwd priority 2883 ptype main
> >         tmpl src 2.2.2.2 dst 1.1.1.1
> >                 proto esp reqid 1 mode tunnel
> > src 10.0.0.0/24 dst 10.2.0.0/24
> >         dir in priority 2883 ptype main
> >         tmpl src 2.2.2.2 dst 1.1.1.1
> >                 proto esp reqid 1 mode tunnel
> > src 10.2.0.0/24 dst 10.0.0.0/24
> >         dir out priority 2883 ptype main
> >         tmpl src 1.1.1.1 dst 2.2.2.2
> >                 proto esp reqid 1 mode tunnel
> > src 0.0.0.0/0 dst 0.0.0.0/0
> >         socket in priority 0 ptype main
> > src 0.0.0.0/0 dst 0.0.0.0/0
> >         socket out priority 0 ptype main
> > src 0.0.0.0/0 dst 0.0.0.0/0
> >         socket in priority 0 ptype main
> > src 0.0.0.0/0 dst 0.0.0.0/0
> >         socket out priority 0 ptype main
> > src ::/0 dst ::/0
> >         socket in priority 0 ptype main
> > src ::/0 dst ::/0
> >         socket out priority 0 ptype main
> > src ::/0 dst ::/0
> >         socket in priority 0 ptype main
> > src ::/0 dst ::/0
> >         socket out priority 0 ptype main
>
>
>
> > # route
> > Kernel-IP-Routentabelle
> > Ziel            Router          Genmask         Flags Metric Ref    Use Iface
> > default         1.1.1.1         0.0.0.0         UG    0      0        0 eth0
> > 10.2.0.0        *               255.255.255.0   U     0      0        0 eth0
> > 1.1.1.0         1.1.1.1         255.255.255.0   UG    0      0        0 eth0
> > 1.1.1.0         *               255.255.255.0   U     0      0        0 eth0
>
>
>
> > # cat /proc/sys/net/ipv4/ip_forward
> > 1
>
>
>
> > # iptables -L -v
> > ---
> > Chain INPUT (policy ACCEPT 9111 packets, 573K bytes)
> >  pkts bytes target     prot opt in     out     source               destination
>
> > Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
>
> > Chain OUTPUT (policy ACCEPT 891 packets, 128K bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> > ---
>
>
> > # iptables -t nat -L -v
> > ---
> > Chain PREROUTING (policy ACCEPT 3705 packets, 221K bytes)
> >  pkts bytes target     prot opt in     out     source               destination
>
> > Chain INPUT (policy ACCEPT 1596 packets, 89736 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
>
> > Chain OUTPUT (policy ACCEPT 1700 packets, 120K bytes)
> >  pkts bytes target     prot opt in     out     source               destination
>
> > Chain POSTROUTING (policy ACCEPT 8 packets, 672 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >     0     0 ACCEPT     all  --  any    eth0    anywhere            !10.0.0.0/24          policy match dir out pol ipsec
> >     0     0 LOG        all  --  any    eth0    anywhere            !10.0.0.0/24          policy match dir out pol ipsec LOG level warning
> >  1709  121K MASQUERADE  all  --  any    eth0    anywhere            !10.0.0.0/24
> > ---
>
>
>
>
>

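As an added example (not code from the thread or from the strongSwan project), the following POSIX sh script prints the two POSTROUTING rules Noel describes, reading "without matching outbound IPsec policy" as the policy match `--pol none`, and lints a nat ruleset for the unrestricted `pol ipsec` MASQUERADE from Chris's listing. The interface eth0 and the remote subnet 10.0.0.0/24 are taken from the thread's setup; any other value is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread or from strongSwan: it prints the
# two POSTROUTING rules Noel describes and lints a nat ruleset for the
# mistake in Chris's listing (MASQUERADE on "pol ipsec" with no destination).
# Assumed values, taken from the thread's setup: WAN interface eth0 and
# remote (client) subnet 10.0.0.0/24.
WAN_IF="${WAN_IF:-eth0}"
REMOTE_SUBNET="${REMOTE_SUBNET:-10.0.0.0/24}"

# Print the rules instead of applying them so they can be reviewed first and
# then piped to sh. The policy match is evaluated on the cleartext packet in
# POSTROUTING, before xfrm wraps it in ESP, so "--dir out --pol ipsec" sees
# exactly the packets that are about to enter the tunnel.
ipsec_nat_rules() {
  # 1) traffic bound for the remote subnet that has an outbound IPsec policy
  printf 'iptables -t nat -A POSTROUTING -o %s -d %s -m policy --dir out --pol ipsec -j MASQUERADE\n' \
    "$WAN_IF" "$REMOTE_SUBNET"
  # 2) traffic leaving the WAN interface with no IPsec policy at all
  printf 'iptables -t nat -A POSTROUTING -o %s -m policy --dir out --pol none -j MASQUERADE\n' \
    "$WAN_IF"
}

# Read "iptables -t nat -S POSTROUTING" output on stdin. Returns 1 if a
# MASQUERADE rule matches "--pol ipsec" without a -d restriction: such a rule
# rewrites the source of every packet that has an IPsec policy, which is what
# Chris's second ruleset did.
lint_nat_rules() {
  bad=0
  while IFS= read -r rule; do
    case "$rule" in
      *MASQUERADE*"--pol ipsec"*|*"--pol ipsec"*MASQUERADE*)
        case "$rule" in
          *" -d "*) ;;
          *) echo "unrestricted IPsec MASQUERADE: $rule" >&2; bad=1 ;;
        esac ;;
    esac
  done
  return "$bad"
}

# Constructed sample: the rule from Chris's "iptables -L -v -t nat" listing,
# as "iptables -S" would print it.
BAD_RULESET='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -m policy --dir out --pol ipsec -j MASQUERADE'
```

Apply with `ipsec_nat_rules | sh` as root; the two rules match disjoint sets of packets, so their relative order does not matter.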



