[strongSwan] firewall issue?

Harald Dunkel harald.dunkel at aixigo.de
Fri Jul 1 15:48:38 CEST 2016 

Hi folks,

environment:
	IPsec gateway/firewall, Debian 8
	strongswan 5.4.0
	kernel 4.5.4-1~bpo8+1
	about 30 road warriors (OS X, iphones)
	IKEv1, IPv4 only, NAT at both sides

problem:

I see a number of DNS queries via IPsec blocked at the
internal firewall each day (apparently on the incoming
side eth0 pointing to the internet). Most of the queries
are not blocked, though.

Within the last month the percentage of blocked DNS
queries became worse. Much worse. Users started
complaining.

Sample:
:
Jul  1 14:56:55 gate1 kernel: [11376.265578] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.62 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=8365 PROTO=UDP SPT=53772 DPT=53 LEN=46
Jul  1 14:56:55 gate1 kernel: [11376.265606] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.62 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=9010 PROTO=UDP SPT=59360 DPT=53 LEN=46
Jul  1 15:04:21 gate1 kernel: [11822.343540] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.64 DST=172.19.96.123 LEN=67 TOS=0x00 PREC=0x00 TTL=254 ID=3336 PROTO=UDP SPT=65510 DPT=53 LEN=47
Jul  1 15:04:21 gate1 kernel: [11822.343549] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.64 DST=172.19.96.123 LEN=67 TOS=0x00 PREC=0x00 TTL=254 ID=16828 PROTO=UDP SPT=65055 DPT=53 LEN=47
Jul  1 15:04:21 gate1 kernel: [11822.343933] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.64 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=41728 PROTO=UDP SPT=49163 DPT=53 LEN=46
Jul  1 15:04:21 gate1 kernel: [11822.343939] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.64 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=3549 PROTO=UDP SPT=54079 DPT=53 LEN=46
Jul  1 15:04:21 gate1 kernel: [11822.393433] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.66 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=64135 PROTO=UDP SPT=64653 DPT=53 LEN=46
Jul  1 15:04:21 gate1 kernel: [11822.393448] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.66 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=4824 PROTO=UDP SPT=60342 DPT=53 LEN=46
Jul  1 15:04:21 gate1 kernel: [11822.393455] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.66 DST=172.19.96.123 LEN=67 TOS=0x00 PREC=0x00 TTL=254 ID=27700 PROTO=UDP SPT=54769 DPT=53 LEN=47
Jul  1 15:04:21 gate1 kernel: [11822.393461] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.66 DST=172.19.96.123 LEN=67 TOS=0x00 PREC=0x00 TTL=254 ID=17238 PROTO=UDP SPT=51462 DPT=53 LEN=47
Jul  1 15:04:25 gate1 kernel: [11825.955926] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.59 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=48167 PROTO=UDP SPT=55059 DPT=53 LEN=46
Jul  1 15:04:25 gate1 kernel: [11825.955939] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.59 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=22942 PROTO=UDP SPT=59174 DPT=53 LEN=46
Jul  1 15:04:25 gate1 kernel: [11826.071637] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.60 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=26638 PROTO=UDP SPT=50563 DPT=53 LEN=46
Jul  1 15:04:25 gate1 kernel: [11826.071651] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.60 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=41367 PROTO=UDP SPT=62579 DPT=53 LEN=46
Jul  1 15:04:25 gate1 kernel: [11826.071944] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.60 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=39892 PROTO=UDP SPT=61569 DPT=53 LEN=46
Jul  1 15:04:25 gate1 kernel: [11826.072200] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.60 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=6242 PROTO=UDP SPT=59746 DPT=53 LEN=46
Jul  1 15:06:07 gate1 kernel: [11927.933124] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.69 DST=172.19.96.123 LEN=79 TOS=0x00 PREC=0x00 TTL=254 ID=25119 PROTO=UDP SPT=57108 DPT=53 LEN=59
Jul  1 15:06:07 gate1 kernel: [11927.933179] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.69 DST=172.19.96.123 LEN=79 TOS=0x00 PREC=0x00 TTL=254 ID=12174 PROTO=UDP SPT=51598 DPT=53 LEN=59
Jul  1 15:06:07 gate1 kernel: [11927.933422] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.69 DST=172.19.96.123 LEN=68 TOS=0x00 PREC=0x00 TTL=254 ID=16509 PROTO=UDP SPT=58484 DPT=53 LEN=48
Jul  1 15:06:07 gate1 kernel: [11927.933465] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.69 DST=172.19.96.123 LEN=68 TOS=0x00 PREC=0x00 TTL=254 ID=7646 PROTO=UDP SPT=61916 DPT=53 LEN=48
Jul  1 15:06:07 gate1 kernel: [11927.933505] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.69 DST=172.19.96.123 LEN=67 TOS=0x00 PREC=0x00 TTL=254 ID=20788 PROTO=UDP SPT=53271 DPT=53 LEN=47
Jul  1 15:09:45 gate1 kernel: [12146.056788] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.67 DST=172.19.96.123 LEN=63 TOS=0x00 PREC=0x00 TTL=254 ID=22379 PROTO=UDP SPT=65313 DPT=53 LEN=43
Jul  1 15:09:45 gate1 kernel: [12146.056806] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.67 DST=172.19.96.123 LEN=63 TOS=0x00 PREC=0x00 TTL=254 ID=60135 PROTO=UDP SPT=52471 DPT=53 LEN=43
Jul  1 15:10:28 gate1 kernel: [12189.111651] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.82 DST=172.19.96.123 LEN=67 TOS=0x00 PREC=0x00 TTL=254 ID=37592 PROTO=UDP SPT=57635 DPT=53 LEN=47
Jul  1 15:10:28 gate1 kernel: [12189.111665] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.82 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=38421 PROTO=UDP SPT=56817 DPT=53 LEN=46
Jul  1 15:19:29 gate1 kernel: [12730.187809] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.82 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=8935 PROTO=UDP SPT=63992 DPT=53 LEN=46
Jul  1 15:19:29 gate1 kernel: [12730.187820] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.82 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=47825 PROTO=UDP SPT=64264 DPT=53 LEN=46
Jul  1 15:19:29 gate1 kernel: [12730.188127] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.82 DST=172.19.96.123 LEN=67 TOS=0x00 PREC=0x00 TTL=254 ID=33733 PROTO=UDP SPT=51037 DPT=53 LEN=47
Jul  1 15:19:29 gate1 kernel: [12730.188140] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.82 DST=172.19.96.123 LEN=67 TOS=0x00 PREC=0x00 TTL=254 ID=54296 PROTO=UDP SPT=59694 DPT=53 LEN=47
Jul  1 15:23:52 gate1 kernel: [12993.250567] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.85 DST=172.19.96.123 LEN=67 TOS=0x00 PREC=0x00 TTL=254 ID=29862 PROTO=UDP SPT=57199 DPT=53 LEN=47
Jul  1 15:23:52 gate1 kernel: [12993.250577] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.85 DST=172.19.96.123 LEN=67 TOS=0x00 PREC=0x00 TTL=254 ID=2437 PROTO=UDP SPT=52012 DPT=53 LEN=47
Jul  1 15:23:52 gate1 kernel: [12993.250810] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.85 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=59470 PROTO=UDP SPT=63261 DPT=53 LEN=46
Jul  1 15:23:52 gate1 kernel: [12993.250817] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.85 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=46145 PROTO=UDP SPT=58775 DPT=53 LEN=46
:

How comes? Did I miss a config item "maximum number of
iptables entries" somewhere in the set of strongswan
config files?

Every helpful comment is highly appreciated.


Regards
Harri
-- 
aixigo AG, Karl-Friedrich-Strasse 68, 52072 Aachen, Germany
phone: +49 241 559709-79, fax: +49 241 559709-99
eMail: harald.dunkel at aixigo.de, web: http://www.aixigo.de
Amtsgericht Aachen - HRB 8057, Vorstand: Erich Borsch, Christian Friedrich, Tobias Haustein, Vors. des Aufsichtsrates: Prof. Dr. Ruediger von Nitzsch
-------------- next part --------------
config setup
	charondebug="dmn 1, mgr 1, ike 1, chd 1, cfg 1, net 1"

conn %default
	left		= gate1.example.com
	leftcert	= gate1.example.com.pem
	leftsendcert	= always
	leftsubnet	= 172.19.96.0/19,172.22.111.0/24,10.47.11.0/24,...
	leftfirewall	= yes
	ikelifetime	= 3h
	lifetime	= 1h
	rekey		= yes
        dpdaction       = none
        dpdtimeout      = 300s		# default: 150s, used for IKEv1 only
        dpddelay        = 60s		# default: 30s

#
# IKEv2 using RSA authentication
conn IPSec-IKEv2
	keyexchange	= ikev2
        ike             = aes256-sha256-modp2048,aes256-sha1-modp1024,aes128-sha1-modp1024!
        esp             = aes256-sha256-modp2048,aes256-sha1-modp1024,aes128-sha1-modp1024,aes256-sha256,aes256-sha1,aes128-sha1!
	right		= %any
	rightauth	= pubkey
	rightsendcert	= ifasked
	rightsourceip	= %dhcp
	# fragmentation = yes
	auto		= add

#
# IKEv1 using xauth
conn CiscoIPSec
	keyexchange	= ikev1
	ike		= aes256-sha1-modp1536!
	esp		= aes256-sha1!
	rightauth	= pubkey
	right		= %any
	rightsourceip	= %dhcp
	rightauth2	= xauth
	auto		= add

More information about the Users mailing list