[strongSwan] Strongswan NAT problem
Josh Madden
jm at pfcta.com
Wed Aug 5 16:51:15 CEST 2015
To anyone who can offer some assistance:
I have a pfsense appliance establishing an IPSEC tunnel to an Amazon AWS
EC2 Ubuntu box running StrongSwan 5.1.2. The goal is for LAN users of the
pfsense router appliance to have all their internet traffic tunneled to the
AWS EC2 box and then out to the internet. A system on the LAN of the
pfsense box can ping the IP of the Amazon EC2 box. The Amazon EC2 box can
also ping a system on the pfsense LAN. When a system on the pfsense LAN
tries to send traffic to the internet, I see the traffic show up in a
running tcpdump on the Amazon EC2 box, but the traffic seems to be getting
dropped. Watching logs from iptables, I can see that the traffic from the
IPSEC tunnel arrives at the PREROUTING table with its source address set to
the pfsense LAN. I've tried adding a number of iptables rules with little
success. Any assistance is greatly appreciated. Below is some configuration
data:
pfsense:
LAN subnet: 192.168.150.0/24
pfsense ipsec configuration:
key exchange version: v2
internet protocol: ipv4
interface: WAN
remote gateway: <public IP of Amazon EC2 box>
authentication method: mutual psk
my identifier: distinguished name: <DN>
peer identifier: distinguished name: <DN>
pre-shared key: *********************
phase 1:
encryption algorithm: aes 256
hash algorithm: sha 256
dh key group: 14
lifetime: 28800 seconds
advanced options:
NAT traversal: auto
35x phase2 entries, one for each subnet to be tunneled out to the internet:
protocol: esp
pfsense firewall rules are set to allow most traffic (it's behind an IDS
and firewall -- no blocked packets observed)
strongswan ipsec configuration:
config setup
    # strictcrlpolicy=yes
    # uniqueids = no
    cachecrls=yes
    uniqueids=yes
    charondebug="ike 0, knl 0, cfg 0, net 0, enc 0"

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=20m
    keyingtries=1
    keyexchange=ikev2
    authby=secret
    esp=aes256-sha256

conn <DN>
    left=<pfsense public IP>
    leftid=<DN>
    leftfirewall=yes
    leftsubnet=192.168.150.0/24
    right=<AWS EC2 host IP>
    rightfirewall=yes
    rightid=<DNS>
    auto=add
AWS EC2 iptables
# Generated by iptables-save v1.4.21 on Wed Aug 5 13:43:07 2015
*nat
:PREROUTING ACCEPT [382:30387]
:INPUT ACCEPT [1:468]
:OUTPUT ACCEPT [4:248]
:POSTROUTING ACCEPT [15:842]
-N LOGGING
-N IPSEC_UNWRAPPED
-A PREROUTING -s 192.168.150.0/24 -j IPSEC_UNWRAPPED
-I INPUT 1 -j LOG --log-prefix "packet enter NAT-INPUT "
-I OUTPUT 1 -j LOG --log-prefix "packet enter NAT-OUTPUT "
-I POSTROUTING 1 -j LOG --log-prefix "packet enter POSTROUTING "
-A IPSEC_UNWRAPPED -j LOG --log-prefix "enter IPSEC_UNWRAPPED "
-A IPSEC_UNWRAPPED -s 192.168.150.0/24 -j ACCEPT
COMMIT
# Completed on Wed Aug 5 13:43:07 2015
# Generated by iptables-save v1.4.21 on Wed Aug 5 13:43:07 2015
*filter
:INPUT ACCEPT [324:39841]
:FORWARD ACCEPT [8:418]
:OUTPUT ACCEPT [301:64284]
:LOGGING - [0:0]
-A INPUT -s <pfsense public ip>/32 -d <amazon public ip>/32 -p udp --dport 4500 -j ACCEPT
-A INPUT -s<pfsense public ip> -d <amazon public ip>/32 -p tcp --dport 22 -j ACCEPT
-A INPUT -d <amazon public ip> -p icmp -j ACCEPT
-A INPUT -j LOGGING
-A FORWARD -j LOG --log-prefix "enter forward "
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOGGING
-A OUTPUT -s 172.31.17.50/32 -d <pfsense public ip>/32 -p udp --sport 4500 -j ACCEPT
-A OUTPUT -s 172.31.17.50/32 -d <pfsense public ip>/32 -p tcp --sport 22 -j ACCEPT
-A OUTPUT -p icmp -d 8.8.8.8 -j LOG --log-prefix "icmp to google "
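The rule set below is an added example, not part of the original post: it shows the forwarding and source-NAT rules the EC2 side needs once decrypted tunnel traffic from 192.168.150.0/24 reaches PREROUTING and is routed out to the internet rather than to the host itself. It assumes the EC2-side conn carries rightsubnet=0.0.0.0/0 (not shown in the post), that eth0 is the EC2 egress interface, and that 172.31.17.50 is the instance's private address as used in the post's OUTPUT rules.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: eth0 is the EC2
# egress interface, 172.31.17.50 is the instance private address, and the
# strongSwan conn on this host has rightsubnet=0.0.0.0/0 for the full tunnel.
LAN_SUBNET="${LAN_SUBNET:-192.168.150.0/24}"
EGRESS_IF="${EGRESS_IF:-eth0}"
SNAT_IP="${SNAT_IP:-172.31.17.50}"

# nat table: rewrite the pfSense LAN source to the instance address on the way
# out. Packets that still match an outbound IPsec policy are skipped so replies
# going back into the tunnel keep their real LAN addresses.
nat_rules() {
  cat <<EOF
*nat
-A POSTROUTING -s ${LAN_SUBNET} -o ${EGRESS_IF} -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s ${LAN_SUBNET} -o ${EGRESS_IF} -j SNAT --to-source ${SNAT_IP}
COMMIT
EOF
}

# filter table: a decrypted ESP payload re-enters PREROUTING with its original
# source and then takes the FORWARD path (not INPUT), so FORWARD must accept
# it explicitly; the policy match restricts this to traffic that came in
# through (or is heading back into) an IPsec SA.
filter_rules() {
  cat <<EOF
*filter
-A FORWARD -s ${LAN_SUBNET} -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -d ${LAN_SUBNET} -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Applying needs root: enable forwarding and load both tables without flushing
# the rules already present on the host.
apply_rules() {
  sysctl -w net.ipv4.ip_forward=1 >/dev/null || return 1
  { nat_rules; filter_rules; } | iptables-restore --noflush
}

# Number of -A rules generated (used as a sanity check before applying).
rule_count() {
  { nat_rules; filter_rules; } | grep -c -- '^-A '
}
```

Run `apply_rules` as root on the EC2 host; `nat_rules` and `filter_rules` only print text, so they can be reviewed with `iptables-restore --test` first.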