[strongSwan] Problems with internal routing on vpn server

Noel Kuntze noel at familie-kuntze.de
Sun Feb 15 18:46:23 CET 2015


Hello Marc,

You have a lot of errors in your configuration.

    * get rid of "type=passthrough" in conn %default of ipsec.conf.
    * remove leftsourceip=192.167.147.1
    * leftsourceip=192.167.147.1
    * replace all your long esp and ike lines with what you actually want to do:
      a ! at the end of the line restricts the proposal to the listed ciphers while omitting it adds them to
      the default proposal list.

Your firewall rules screw up the forwarding between the VPN clients and make it unusable.

You need to except traffic from your IPsec clients to other IPsec clients from NAT.
Use the "policy" match module of iptables to implement it.

Your firewall settings currently do not protect your clients from unwanted traffic from the internet.
Please implement this using advice from [1].

Furthermore, you use 192.167.0.0/16 subnets, which are not part of the RFC1918[2] address space!
The IANA strongly suggests that you solely use private address ranges as listed in RFC1918[2]!

[1] https://github.com/QueuingKoala/netfilter-samples
[2] https://tools.ietf.org/html/rfc1918

Kind regards/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 15.02.2015 at 14:03, Marc Eckel wrote:
>
> Hello,
>
> I have set up a VPN environment
>
> [Internet]----[publicip] vpn server [192.167.147.1] ----- [192.167.147.2] Android1
>                                                       |-----[192.168.147.3] Android2
>                                                       |---- [192.167.145.0/24] [fritzboxm]
>
> 
>
> So far each connection is established and Android1 and Android2 can access the internet via vpn and can ping the vpn server. Unfortunately I cannot ping between the vpn clients and from and to fritzboxm. Has anybody any idea what might be wrong with my configuration?
>
> 
>
> Kind regards
>
> Marc
>
> Strongswan config:
>
> # strongswan.conf - strongSwan configuration file
>
> charon {
>
>     # number of worker threads in charon
>     threads = 16
>
>     # send strongswan vendor ID?
>     # send_vendor_id = yes
>     dns1 = 8.8.4.4
>     dns2 = 8.8.8.8
>     nbns1 = 192.167.145.50
>     nbns1 = 192.167.144.1
>
>     plugins {
>
>         sql {
>             # loglevel to log into sql database
>             loglevel = -1
>
>             # URI to the database
>             # database = sqlite:///path/to/file.db
>             # database = mysql://user:password@localhost/database
>         }
>     }
>
>     # ...
> }
>
> pluto {
>
> }
>
> libstrongswan {
>     #  set to no, the DH exponent size is optimized
>     #  dh_exponent_ansi_x9_42 = no
> }
>
> 
>
> 
>
> Ipsec.conf
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
>     # plutodebug=all
>     # crlcheckinterval=600
>     # strictcrlpolicy=yes
>     # cachecrls=yes
>     # nat_traversal=yes
>     # uniqueids=no
>     charondebug="cfg 2, dmn 2, ike 2, net 2"
>
> conn %default
>     keyexchange=ike
>     ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
>     esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
>     dpdaction=clear
>     dpddelay=300s
>     rekey=no
>     reauth=yes
>     leftfirewall=yes
>     rightfirewall=yes
>     lefthostaccess=yes
>     righthostaccess=yes
>     type=passthrough
>
> conn Android1
>     left=[public_ip]
>     leftsourceip=192.167.147.1
>     leftid="C=DE, O=[domainname], CN=[domainname].de"
>     leftsubnet=0.0.0.0/0
>     leftauth=pubkey
>     leftcert=vpnHostCert.pem
>     right=%any
>     rightid="C=DE, O=[domainname], CN=Android1@[domainname].de"
>     rightsourceip=192.167.147.2
>     rightauth=pubkey
>     rightauth2=eap-mschapv2
>     eap_identity=%any
>     auto=add
>
> conn Android2
>     left=[public_ip]
>     leftid="C=DE, O=[domainname], CN=[domainname].de"
>     leftsubnet=0.0.0.0/0
>     leftauth=pubkey
>     leftcert=vpnHostCert.pem
>     right=%any
>     rightid="C=DE, O=[domainname], CN=Android2@[domainname].de"
>     rightsourceip=192.167.147.3
>     rightauth=pubkey
>     rightauth2=eap-mschapv2
>     #rightsendcert=never   # see note
>     eap_identity=%any
>     auto=add
>
> conn fritzboxm
>     leftsourceip=192.167.147.1
>     ikelifetime=3600s
>     leftauth=psk
>     rightauth=psk
>     left=[public_ip]
>     leftsubnet=192.167.144.0/24,192.167.147.0/24
>     right=%[dynip]
>     rightallowany = yes
>     rightid="@ dynip "
>     rightsubnet=192.167.145.0/24
>     auto=add
>
> 
>
> Firewall Rules
>
> # Set default policies for all three default chains
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT
>
> # VPN NAT
> # Ensure that all packets destined for local addresses start at our local address
> # iptables -t nat -A POSTROUTING --src 192.167.144.0/22  --dst 192.167.144.0/22 -j SNAT --to-source 192.167.147.1
> # iptables -t nat -A POSTROUTING ! --src 192.167.144.0/22  --dst 192.167.144.0/22 -j SNAT --to-source 192.167.147.1
>
> # Ensure that all packets destined for the Internet start at our public address
> iptables -t nat -A POSTROUTING --src 192.167.144.0/22 ! --src 192.167.144.0/22 ! -p esp -j SNAT --to-source [public_ip]
>
> # iptables -t nat -A POSTROUTING -s 192.167.144.0/22 -o eth0 -j MASQUERADE
> iptables -t nat -A POSTROUTING -s 192.167.144.0/22 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
> # iptables -t nat -A POSTROUTING -o eth0 ! -p esp -j SNAT --to-source [public_ip]
>
> # Enable free use of loopback interfaces
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
>
> # Accept limited inbound ICMP messages
> iptables -I INPUT -p icmp --icmp-type echo-request -m recent --set
> iptables -I INPUT -p icmp --icmp-type echo-request -m recent --update --seconds 5 --hitcount 10 -j DROP
> iptables -A INPUT -p icmp -j ACCEPT
>
> 
>
> Routing (interfaces)
>
> # This file describes the network interfaces available on your system
> # and how to activate them. For more information, see interfaces(5).
>
> # The loopback network interface
> auto lo
> iface lo inet loopback
>
> # The primary network interface
> auto eth0
> iface eth0 inet static
>     address [public_ip]
>     netmask 255.255.255.128
>     network 185.11.136.0
>     broadcast 185.11.136.127
>     gateway 185.11.136.1
>     # dns-* options are implemented by the resolvconf package, if installed
>     dns-nameservers 95.129.51.50 8.8.8.8 95.129.53.235
>     dns-search customer.xenway.de
>
> auto eth0:1
> iface eth0:1 inet static
>     address 192.167.147.1
>     gateway 192.167.147.1
>     netmask 255.255.255.0
>     up ip route add 192.167.144.0/22 via 192.167.147.1 || true
>
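A ruleset that applies the two points from the reply above, exempting IPsec-protected traffic from SNAT with the iptables "policy" match and forwarding only traffic that arrived or leaves under an IPsec policy, as an added example. It is not part of this thread and not strongSwan's own _updown script. It assumes the 192.167.144.0/22 pool and the eth0 uplink from Marc's configuration; PUBLIC_IP_PLACEHOLDER stands in for the gateway's public address, and the variable names IPT, VPN_NET, WAN_IF and PUBLIC_IP are the example's own. With IPT unset the script only prints the iptables commands; run it with IPT=iptables (as root) to apply them.

```shell
#!/bin/sh
# Added example: NAT, FORWARD and INPUT rules for a strongSwan road-warrior
# gateway. Assumptions: the client/site pool is 192.167.144.0/22 (Marc's
# config), the uplink is eth0, PUBLIC_IP is a placeholder. With IPT unset the
# functions only print the commands; IPT=iptables applies them for real.
IPT="${IPT:-echo iptables}"
VPN_NET="${VPN_NET:-192.167.144.0/22}"
WAN_IF="${WAN_IF:-eth0}"
PUBLIC_IP="${PUBLIC_IP:-PUBLIC_IP_PLACEHOLDER}"

nat_rules() {
    # Order matters: the policy exemption must precede the SNAT rule.
    # A packet that will be encrypted on the way out keeps its pool source
    # address; rewriting it would break the selector match of the IPsec
    # policy, which is why client-to-client traffic stopped working.
    $IPT -t nat -A POSTROUTING -s "$VPN_NET" -m policy --dir out --pol ipsec -j ACCEPT
    # Only unprotected traffic from the pool, i.e. traffic bound for the
    # Internet, is rewritten to the public address.
    $IPT -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j SNAT --to-source "$PUBLIC_IP"
}

forward_rules() {
    # Deny by default; replies to flows the clients opened return via conntrack.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Decrypted packets from any tunnel peer (Android1/2, the fritzboxm LAN)
    # may go anywhere: Internet, another client, or the other site.
    $IPT -A FORWARD -s "$VPN_NET" -m policy --dir in --pol ipsec -j ACCEPT
    # Everything else (Internet-initiated traffic towards the pool) falls
    # through to the DROP policy; log it, rate-limited, for troubleshooting.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fwd-drop: "
}

input_rules() {
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # IKE, IKE over NAT-T (UDP encapsulated ESP) and native ESP.
    $IPT -A INPUT -p udp --dport 500 -j ACCEPT
    $IPT -A INPUT -p udp --dport 4500 -j ACCEPT
    $IPT -A INPUT -p esp -j ACCEPT
    # Decrypted tunnel traffic addressed to the gateway itself (e.g. ping).
    $IPT -A INPUT -s "$VPN_NET" -m policy --dir in --pol ipsec -j ACCEPT
}

apply_all() {
    nat_rules
    forward_rules
    input_rules
}
```

The two POSTROUTING rules must stay in this order: the policy match exempts packets that a matching IPsec policy will encrypt, and only what remains is NATed. Note that leftfirewall=yes in the quoted ipsec.conf makes strongSwan's _updown script insert its own per-connection FORWARD (and, with hostaccess, INPUT/OUTPUT) rules; with policy-based rules like these in place, leftfirewall can be left unset so the two sets do not overlap.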
