[strongSwan] Strongswan NAT problem

Noel Kuntze noel at familie-kuntze.de
Thu Aug 6 04:44:36 CEST 2015


Hello Josh,

The tunnel only permits traffic between the PFsense box and 192.168.150.0/24, so of course it doesn't work.

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 05.08.2015 at 16:51, Josh Madden wrote:
> To anyone who can offer some assistance:
>
> I have a pfsense appliance establishing an IPSEC tunnel to an Amazon AWS EC2 Ubuntu box running StrongSwan 5.1.2. The goal is for LAN users of the pfsense router appliance to have all their internet traffic tunneled to the AWS EC2 box and then out to the internet. A system on the LAN of the pfsense box can ping the IP of the Amazon EC2 box. The Amazon EC2 box can also ping a system on the pfsense LAN. When a system on the pfsense LAN tries to send traffic to the internet, I see the traffic show up in a running tcpdump on the Amazon EC2 box, but the traffic seems to be getting dropped. Watching logs from iptables, I can see that the traffic from the IPSEC tunnel arrives at the PREROUTING table with its source address set to the pfsense LAN. I've tried adding a number of iptables rules with little success. Any assistance is greatly appreciated. Below is some configuration data:
>
> pfsense:
> LAN subnet: 192.168.150.0/24
>
> pfsense ipsec configuration:
> key exchange version: v2
> internet protocol: ipv4
> interface: WAN
> remote gateway: <public IP of Amazon EC2 box>
> authentication method: mutual psk
> my identifier: distinguished name: <DN>
> peer identifier: distinguished name: <DN>
> pre-shared key: *********************
> phase 1:
> encryption algorithm: aes 256
> hash algorithm: sha 256
> dh key group: 14
> lifetime: 28800 seconds
> advanced options:
> NAT traversal: auto
>
> 35x phase2 entries, one for each subnet to be tunneled out to the internet:
> protocol: esp
>
> pfsense firewall rules are set to allow most traffic (it's behind an IDS and firewall -- no blocked packets observed)
>
> strongswan ipsec configuration:
> config setup
>         # strictcrlpolicy=yes
>         # uniqueids = no
>         cachecrls=yes
>         uniqueids=yes
>         charondebug="ike 0, knl 0, cfg 0, net 0, enc 0"
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=20m
>         keyingtries=1
>         keyexchange=ikev2
>         authby=secret
>         esp=aes256-sha256
>
> conn <DN>
>         left=<pfsense public IP>
>         leftid=<DN>
>         leftfirewall=yes
>         leftsubnet=192.168.150.0/24
>         right=<AWS EC2 host IP>
>         rightfirewall=yes
>         rightid=<DN>
>         auto=add
>
>
>
> AWS EC2 iptables
> # Generated by iptables-save v1.4.21 on Wed Aug  5 13:43:07 2015
> *nat
> :PREROUTING ACCEPT [382:30387]
> :INPUT ACCEPT [1:468]
> :OUTPUT ACCEPT [4:248]
> :POSTROUTING ACCEPT [15:842]
> -N LOGGING
> -N IPSEC_UNWRAPPED
> -A PREROUTING -s 192.168.150.0/24 -j IPSEC_UNWRAPPED
>
> -I INPUT 1 -j LOG --log-prefix "packet enter NAT-INPUT "
> -I OUTPUT 1 -j LOG --log-prefix "packet enter NAT-OUTPUT "
>
> -I POSTROUTING 1 -j LOG --log-prefix "packet enter POSTROUTING "
> -A IPSEC_UNWRAPPED -j LOG --log-prefix "enter IPSEC_UNWRAPPED "
> -A IPSEC_UNWRAPPED -s 192.168.150.0/24 -j ACCEPT
>
> COMMIT
> # Completed on Wed Aug  5 13:43:07 2015
> # Generated by iptables-save v1.4.21 on Wed Aug  5 13:43:07 2015
> *filter
> :INPUT ACCEPT [324:39841]
> :FORWARD ACCEPT [8:418]
> :OUTPUT ACCEPT [301:64284]
> :LOGGING - [0:0]
> -A INPUT -s <pfsense public ip>/32 -d <amazon public ip>/32 -p udp --dport 4500 -j ACCEPT
> -A INPUT -s <pfsense public ip>/32 -d <amazon public ip>/32 -p tcp --dport 22 -j ACCEPT
> -A INPUT -d <amazon public ip> -p icmp -j ACCEPT
> -A INPUT -j LOGGING
> -A FORWARD -j LOG --log-prefix "enter forward "
> -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -j LOGGING
> -A OUTPUT -s 172.31.17.50/32 -d <pfsense public ip>/32 -p udp --sport 4500 -j ACCEPT
> -A OUTPUT -s 172.31.17.50/32 -d <pfsense public ip>/32 -p tcp --sport 22 -j ACCEPT
> -A OUTPUT -p icmp -d 8.8.8.8 -j LOG --log-prefix "icmp to google "

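The reasoning behind Noel's reply, as an added example that is not part of the original thread or of strongSwan itself: a packet may only use a tunnel if it matches the negotiated traffic selectors, and since the posted conn sets leftsubnet but not rightsubnet, strongSwan defaults rightsubnet to the gateway's own address, so only LAN-to-EC2-host traffic is covered and a packet from the LAN to an internet address fails the policy check. The script below models that check. The addresses are constructed stand-ins for the thread's placeholders (the EC2 address 172.31.17.50 is the one visible in the iptables rules), and the second conn with rightsubnet=0.0.0.0/0 is my assumed alternative, not a setting the thread proposes.

```python
"""Traffic-selector check modelled on a strongSwan ipsec.conf conn (added example).

A packet is covered by the IPsec policy only if its source lies in one side's
subnet and its destination lies in the other side's subnet.  Sample addresses
are constructed; they stand in for the <placeholders> in the thread.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Conn:
    """The subset of an ipsec.conf conn that the policy check needs."""
    left: str
    right: str
    leftsubnet: list = field(default_factory=list)
    rightsubnet: list = field(default_factory=list)

    def __post_init__(self):
        # strongSwan behaviour: an unset leftsubnet/rightsubnet defaults to the
        # host's own address, i.e. a /32 traffic selector.
        if not self.leftsubnet:
            self.leftsubnet = [self.left + "/32"]
        if not self.rightsubnet:
            self.rightsubnet = [self.right + "/32"]


def _in_any(addr, nets):
    """True if addr falls inside any of the CIDR strings in nets."""
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(n, strict=False) for n in nets)


def tunnel_covers(conn, src, dst):
    """True if src->dst matches the conn's traffic selectors in either direction."""
    left_to_right = _in_any(src, conn.leftsubnet) and _in_any(dst, conn.rightsubnet)
    right_to_left = _in_any(src, conn.rightsubnet) and _in_any(dst, conn.leftsubnet)
    return left_to_right or right_to_left


# Constructed sample values standing in for the thread's <placeholders>.
PFSENSE_PUBLIC = "198.51.100.10"   # <pfsense public IP> (documentation range)
EC2_HOST = "172.31.17.50"          # EC2 address seen in the posted iptables rules
LAN_HOST = "192.168.150.20"        # a client on the pfSense LAN
INTERNET_HOST = "8.8.8.8"          # the address Josh's "icmp to google" rule logs

# The conn as posted: leftsubnet set, rightsubnet left at its default.
as_posted = Conn(left=PFSENSE_PUBLIC, right=EC2_HOST,
                 leftsubnet=["192.168.150.0/24"])

# Assumed alternative (not from the thread): a 0.0.0.0/0 selector on the
# gateway side, which a "send all LAN traffic through the gateway" tunnel needs.
route_all = Conn(left=PFSENSE_PUBLIC, right=EC2_HOST,
                 leftsubnet=["192.168.150.0/24"], rightsubnet=["0.0.0.0/0"])


def report(conn):
    """Evaluate the three flows from the thread against one conn."""
    flows = [(LAN_HOST, EC2_HOST), (EC2_HOST, LAN_HOST), (LAN_HOST, INTERNET_HOST)]
    return [(src, dst, tunnel_covers(conn, src, dst)) for src, dst in flows]


if __name__ == "__main__":
    for conn, label in [(as_posted, "as posted"), (route_all, "rightsubnet=0.0.0.0/0")]:
        print(f"[{label}]")
        for src, dst, ok in report(conn):
            verdict = "in tunnel" if ok else "NOT covered: dropped by IPsec policy"
            print(f"  {src:>15} -> {dst:<15} {verdict}")
```

On the gateway the same decision is visible in the kernel: `ip -s xfrm policy` shows the installed selectors, and packets that arrive through an SA but match no policy are counted under XfrmInNoPols / XfrmInTmplMismatch in /proc/net/xfrm_stat rather than reaching the netfilter chains as plaintext. Widening the selector alone is not enough for an internet-bound tunnel; the gateway would also need to forward and source-NAT the LAN addresses, which is outside what this thread covers.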