[strongSwan] IPTables rules for Strongswan gateway on Internet gateway

Willem-Jan Meijer rommelenjunk at computerdokter-groenlo.nl
Mon Nov 30 17:24:41 CET 2015


After a day of puzzling (what else to do on a stormy kind-of lazy day
off...) things are working the way I want them to.

The current config:

IP addresses are assigned from the DHCP server on the VPN/Internethost.

Ipsec.conf:

	left=%any
	leftsubnet=0.0.0.0/0,::/0
	leftfirewall=yes
	
	right=%any
	rightsourceip=%dhcp

Relevant section in rc.firewall:

# IPSec connections

	# IKE (UDP/500), IKE with NAT traversal (UDP/4500), ESP (protocol 50) and AH (protocol 51)
	$IPTABLES -A INPUT -p UDP --dport 500 -j ACCEPT
	$IPTABLES -A INPUT -p UDP --dport 4500 -j ACCEPT
	$IPTABLES -A INPUT -p ESP -j ACCEPT
	$IPTABLES -A INPUT -p 50 -j ACCEPT
	$IPTABLES -A INPUT -p 51 -j ACCEPT

	# Accept only traffic that was received inside, or will be sent inside, an IPsec SA
	$IPTABLES -I INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
	$IPTABLES -I FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
	$IPTABLES -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
	$IPTABLES -I OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT

Seems I was making it WAY too complicated... attached you'll find the complete
files.

Kind regards,
Willem-Jan Meijer

-----Original message-----
From: Willem-Jan Meijer [mailto:rommelenjunk at computerdokter-groenlo.nl]
Sent: Monday, 30 November 2015 14:18
To: 'users at lists.strongswan.org'
Subject: IPTables rules for Strongswan gateway on Internet gateway

Hello all,

Currently I'm using PPTPD as VPN server, which is working fine, but I want to
migrate to Strongswan IPSec to improve security.

I'll try to describe the situation:

-Debian server acting as internet gateway (router) with services like
iptables, apache, postfix, ftp and so on.
	-eth0 is the WAN interface with an external IP address provided by
the ISP, 92.108.xxx.xxx ($EXTIF, $EXTIP)
	-eth1 is the LAN interface with a static IP address 192.168.50.1
($INTIF, $INTIP)

Behind eth1 there's a home network with Windows 7 clients which have
IP addresses assigned by DHCP in the range 192.168.50.100 - 192.168.50.150.
Roadwarriors connect to the Debian server. For example, the road warrior
running Windows 7 dials up to "home" and gets an IP address in the range
192.168.50.234-192.168.238.
When I do ifconfig from the terminal, I see PPTPD bringing up ppp+ tunnel
devices.

For PPTPD, I created the following IPTable-rules:


# Accept all packets via ppp* interfaces (for example, ppp0)
$IPTABLES -A INPUT -i ppp+ -j ACCEPT
$IPTABLES -A OUTPUT -o ppp+ -j ACCEPT

# Accept incoming connections to port 1723 (PPTP)
$IPTABLES -A INPUT -p tcp --dport 1723 -j ACCEPT

# Accept GRE packets
$IPTABLES -A INPUT -p 47 -j ACCEPT
$IPTABLES -A OUTPUT -p 47 -j ACCEPT

# Enable IP forwarding
$IPTABLES -F FORWARD
$IPTABLES -A FORWARD -j ACCEPT

# Enable NAT for eth0 and ppp* interfaces
$IPTABLES -A POSTROUTING -t nat -o eth0 -j MASQUERADE
$IPTABLES -A POSTROUTING -t nat -o ppp+ -j MASQUERADE

With this configuration, roadwarriors are able to communicate with the home
LAN and use shared folders like they are at home, my main purpose of setting
up VPN.

Now I'm setting up Strongswan to achieve the same: LAN browsing.

I ended up with the next configuration file:

# ipsec.conf - strongSwan IPsec configuration file

config setup
	# uniqueids=never
	charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
	keyexchange=ikev2
	
	ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
	
	esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
	dpdaction=clear
	dpddelay=300s
	rekey=no
	left=%any
	leftsubnet=0.0.0.0/0
	leftcert=vpnHostCert.pem
	leftid=@vpn.xxxxxxx.nl
	leftfirewall=yes
	right=%any
	rightsourceip=10.10.10.0/24
	rightsubnet=10.10.10.0/24
	# LAN DNS server ($INTIP); the posted line read 192.192.168.50.1, which is not a valid address
	rightdns=192.168.50.1
	
conn IPSec-IKEv2
	keyexchange=ikev2
	auto=add

conn IPSec-IKEv2-EAP
	also="IPSec-IKEv2"
	rightauth=eap-mschapv2
	rightsendcert=never
	eap_identity=%any
	auto=add

In the IPTables script, I added the following lines:

# IPSec connections

$IPTABLES -A INPUT -p UDP --dport 500 -j ACCEPT
$IPTABLES -A INPUT -p UDP --dport 4500 -j ACCEPT
$IPTABLES -A INPUT -p ESP -j ACCEPT
$IPTABLES -A INPUT -p 50 -j ACCEPT
$IPTABLES -A INPUT -p 51 -j ACCEPT

$IPTABLES -t nat -A POSTROUTING -s 10.10.10.0/24 -o $EXTIF -m policy --dir out --pol ipsec -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 10.10.10.0/24 -o $EXTIF -j MASQUERADE

But from here, I get stuck. The road warrior is able to bring up the
connection, however, even a ping from the Debian server fails. I suppose the
problem is in my IPTables script but I'm not an IPTables master. Can someone
point me in the right direction to create the iptables rules to be able to
browse my LAN from the road warriors?

Attached you will find the full iptables script and ipsec.conf file.

Kind regards,
Willem-Jan Meijer
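As an added example (not the poster's rc.firewall and not strongSwan code), the rule set both messages converge on, written as shell functions with a dry-run switch so the ordering of the NAT exemption can be checked before loading; EXTIF, VPN_POOL and the function names are assumptions:

```shell
#!/bin/sh
# Added example (not the list poster's own rc.firewall and not strongSwan code):
# iptables rules for a strongSwan road-warrior gateway that also masquerades the
# LAN. EXTIF, VPN_POOL and the function names are assumptions for this example.
# Run with IPTABLES=echo to print the rules instead of loading them.
IPTABLES="${IPTABLES:-iptables}"
EXTIF="${EXTIF:-eth0}"                  # WAN interface, as in the question
VPN_POOL="${VPN_POOL:-10.10.10.0/24}"   # rightsourceip pool from the question

# IKE, IKE over NAT-T and ESP must reach the gateway itself.
ipsec_input_rules() {
    $IPTABLES -A INPUT -i "$EXTIF" -p udp --dport 500  -j ACCEPT
    $IPTABLES -A INPUT -i "$EXTIF" -p udp --dport 4500 -j ACCEPT
    $IPTABLES -A INPUT -i "$EXTIF" -p esp -j ACCEPT
}

# Forward pool traffic only when it was decrypted from (or will be encrypted
# into) an IPsec SA; a plain-text packet carrying a pool address does not match.
ipsec_forward_rules() {
    $IPTABLES -A FORWARD -m policy --dir in  --pol ipsec --proto esp -s "$VPN_POOL" -j ACCEPT
    $IPTABLES -A FORWARD -m policy --dir out --pol ipsec --proto esp -d "$VPN_POOL" -j ACCEPT
}

# Order matters: the policy-match ACCEPT must precede MASQUERADE so that packets
# about to be encapsulated keep their LAN source address instead of being NATed
# to the WAN address, which would leave the road warrior unable to reach the LAN.
ipsec_nat_rules() {
    $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -m policy --dir out --pol ipsec -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

# Dry-run helper: prints the rules one function would load, without touching netfilter.
dry_run() {
    ( IPTABLES=echo; "$1" )
}

# Returns 0 when the NAT exemption is listed before MASQUERADE, 1 otherwise.
check_nat_order() {
    exempt=$(dry_run ipsec_nat_rules | grep -n -- '--pol ipsec -j ACCEPT' | cut -d: -f1)
    masq=$(dry_run ipsec_nat_rules | grep -n -- 'MASQUERADE' | cut -d: -f1)
    [ -n "$exempt" ] && [ -n "$masq" ] && [ "$exempt" -lt "$masq" ]
}

# Load everything only when explicitly asked: sh rc.ipsec apply
if [ "${1:-}" = "apply" ]; then
    ipsec_input_rules && ipsec_forward_rules && ipsec_nat_rules
fi
```

With leftfirewall=yes strongSwan's updown script inserts the FORWARD rules itself when a connection comes up; the NAT exemption still has to be placed by hand ahead of the MASQUERADE rule.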
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsec.conf
Type: application/octet-stream
Size: 1633 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20151130/b387169d/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rc.firewall
Type: application/octet-stream
Size: 5022 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20151130/b387169d/attachment-0003.obj>
