[strongSwan] Customizing routing
Mirko Parthey
mirko.parthey at web.de
Wed Dec 16 14:32:01 CET 2015
On Sun, Dec 13, 2015 at 10:55:46PM +0100, Jan Palus wrote:
> With kernel-netlink however I can achieve higher throughput with less
> CPU being used, but in that case SNAT seems to fail sometimes
> (connections are initiated correctly but "hang" after a while). Main
> difference is the lack of dedicated interface so routing customization
> is not required, but below SNAT rule seems to result in hanging
> connections:
>
> iptables -t nat -A POSTROUTING -o WAN -d A,B -j SNAT --to-source <virtual-ip>
If you have set option masq for your WAN zone (set by default),
the autogenerated MASQUERADE rule takes priority over your SNAT rule,
assuming you entered it into /etc/firewall.user or have it generated
by an updown script.
VPN traffic is then erroneously mapped to the IP address of the WAN
interface instead of the IPsec virtual IP, and does not match the
tunnel's policy anymore.
You should insert your SNAT as the first rule in the POSTROUTING chain,
or restrict the scope of the WAN MASQUERADE to non-IPsec traffic.
It is also possible to achieve the same result through uci, without
manually inserting netfilter rules. I'll include parts of my OpenWrt
config below to illustrate this (OpenWrt 15.05, CHAOS CALMER).
Regards,
Mirko
------------------------------------------------------------------------
# /etc/config/firewall
config zone
	option name lan
	list network 'lan'
	option input ACCEPT
	option output ACCEPT
	option forward ACCEPT
	option extra_src "-m policy --dir in --pol none"
	option extra_dest "-m policy --dir out --pol none"

config zone
	option name wan
	list network 'wan'
	list network 'wan6'
	option input REJECT
	option output ACCEPT
	option forward REJECT
	option extra_src "-m policy --dir in --pol none"
	option extra_dest "-m policy --dir out --pol none"
	option masq 1
	option mtu_fix 1

config zone
	option name vpn
	option input REJECT
	option output ACCEPT
	option forward REJECT
	option subnet 192.168.178.0/24
	option extra_src "-m policy --dir in --pol ipsec --proto esp"
	option extra_dest "-m policy --dir out --pol ipsec --proto esp"
	option conntrack 1
	option mtu_fix 1

config forwarding
	option src lan
	option dest wan

config forwarding
	option src lan
	option dest vpn

config rule
	option name Allow-VPN-TCP-some
	option src vpn
	option dest lan
	option dest_port "22 80 443"
	option proto tcp
	option target ACCEPT

config rule
	option name Allow-VPN-ping
	option src vpn
	option dest lan
	option proto icmp
	option icmp_type echo-request
	option target ACCEPT

# Accept IPsec for OpenWrt gateway (input)
config rule
	option name Allow-IKE-input
	option src wan
	option proto udp
	option dest_port "500 4500"
	option target ACCEPT

config rule
	option name Allow-ESP-input
	option src wan
	option proto esp
	option target ACCEPT
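As an added example (not part of Mirko's post or the OpenWrt project), the following script checks an `iptables-save -t nat` dump for the ordering problem described above: an unrestricted MASQUERADE on the WAN interface that precedes the SNAT-to-virtual-IP rule, so the SNAT is never reached. The interface name `WAN`, the virtual IP `10.99.0.5` and the three sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# Audit the nat POSTROUTING chain for the first-match problem from the mail:
# a MASQUERADE on the WAN interface that is not limited to non-IPsec traffic
# and sits before the SNAT rule hides the SNAT for all traffic leaving WAN.
# Samples below are constructed; "WAN" and 10.99.0.5 are placeholders.

# Broken: fw3's MASQUERADE comes first, the hand-added SNAT never matches.
SAMPLE_BROKEN='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o WAN -j MASQUERADE
-A POSTROUTING -o WAN -d 192.168.178.0/24 -j SNAT --to-source 10.99.0.5
COMMIT'

# Fix 1 from the mail: SNAT inserted as the first rule (iptables -I POSTROUTING 1 ...).
SAMPLE_FIXED_ORDER='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o WAN -d 192.168.178.0/24 -j SNAT --to-source 10.99.0.5
-A POSTROUTING -o WAN -j MASQUERADE
COMMIT'

# Fix 2 from the mail: MASQUERADE restricted to traffic without an IPsec policy.
SAMPLE_FIXED_POLICY='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o WAN -m policy --dir out --pol none -j MASQUERADE
-A POSTROUTING -o WAN -d 192.168.178.0/24 -j SNAT --to-source 10.99.0.5
COMMIT'

# audit_postrouting WAN_IF < ruleset-in-iptables-save-format
# Prints "BAD" if a MASQUERADE on WAN_IF without "--pol none" appears before
# the first SNAT on WAN_IF (first match wins in netfilter), else "OK".
audit_postrouting() {
    awk -v wan="$1" '
        /^-A POSTROUTING / && $0 ~ ("-o " wan " ") {
            if ($0 ~ /-j SNAT /) {
                seen_snat = 1
            } else if ($0 ~ /-j MASQUERADE/ && !seen_snat && $0 !~ /--pol none/) {
                bad = 1
            }
        }
        END { print (bad ? "BAD" : "OK") }'
}

# Stand-alone run: report the verdict for each constructed sample.
for s in "$SAMPLE_BROKEN" "$SAMPLE_FIXED_ORDER" "$SAMPLE_FIXED_POLICY"; do
    printf '%s\n' "$s" | audit_postrouting WAN
done
```

On a live router, feed the real dump with `iptables-save -t nat | audit_postrouting <wan-ifname>`; the script only reads the ruleset and changes nothing.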