[strongSwan] Tunnel traffic transparently through roadwarrior connection
Boris Wickner
bwcknr at gmail.com
Sun Jun 26 13:14:59 CEST 2016
Hi list,
While configuring my roadwarrior device I stumbled upon some problems.
I am trying to achieve the following scenario:
*) the VPN gateway is up and running at home
*) the roadwarrior should be a NAT gateway that transparently tunnels all traffic through the VPN connection
So basically my configuration works. The roadwarrior device is up and running, and traffic originating at the host itself is properly tunneled through the VPN.
The roadwarrior is configured to forward and masquerade traffic from the local subnet. That traffic is masqueraded and the world is reachable, but it is _not_ tunneled through the running VPN.
Configuration as follows:
swanctl.conf:
# swanctl.conf as posted (indentation restored; the mail client wrapped one
# value onto two lines, see the updown setting). Angle-bracketed values are
# the poster's own placeholders.
connections {
    # Roadwarrior connection to the home gateway: IKEv1, PSK followed by XAuth.
    home {
        version = 1
        remote_addrs = <REMOTE_FQDN>
        # IKE proposal; `swanctl -l` below confirms AES_CBC-256/HMAC_SHA1_96/MODP_1024.
        # NOTE(review): MODP-1024 (DH group 2) and SHA-1 are weak by current
        # standards; prefer a larger DH group and SHA-2 if the gateway offers them.
        proposals = aes256-sha1-modp1024
        # Request a virtual IPv4 address from the gateway. `swanctl -l` shows it
        # assigned as [<LOCAL_VIRTUAL_IP>] and `ip addr` as a /32 on wlan_cli.
        vips = 0.0.0.0
        unique = keep
        # Local authentication rounds: PSK first, then XAuth with the same identity.
        local-psk {
            auth = psk
            id = <LOCAL_ID>
        }
        local-xauth {
            auth = xauth
            xauth_id = <LOCAL_ID>
        }
        # The gateway authenticates with the PSK.
        remote-psk {
            auth = psk
        }
        children {
            home {
                esp_proposals = aes256-sha1
                # Tunnel everything. No local_ts is given, so the installed
                # policy covers only the virtual IP (`local <LOCAL_VIRTUAL_IP>/32`
                # under `swanctl -l`, and the xfrm out policy
                # `src <LOCAL_VIRTUAL_IP>/32 dst 0.0.0.0/0`). Packets forwarded
                # from <LOCAL_SUBNET> carry other source addresses and match no
                # tunnel policy unless they are SNATed to the virtual IP first.
                remote_ts = 0.0.0.0/0
                # One setting (wrapped in the mail): the default updown script in
                # iptables mode, which presumably installed the `-m policy ...
                # --reqid 1` ACCEPT rules visible in the iptables-save output.
                updown = /usr/lib/strongswan/_updown iptables
                dpd_action = restart
                start_action = start
            }
        }
    }
    # Peerless connection whose child only installs passthrough policies, so
    # LAN-internal traffic bypasses IPsec.
    local {
        local {
        }
        children {
            local-lan {
                local_ts = <LOCAL_SUBNET>
                remote_ts = <LOCAL_SUBNET>
                # Bypass policy (no IPsec); `ip xfrm policy` shows these as the
                # priority-1347 entries without a tmpl.
                mode = pass
                start_action = trap
            }
        }
    }
}
secrets {
    # Pre-shared key used by the `auth = psk` rounds of the `home` connection.
    # No id selector is given, so it applies to any peer (placeholder as posted).
    ike {
        secret = <PASS>
    }
    # XAuth password used by the `local-xauth` round (placeholder as posted).
    xauth {
        secret = <PASS>
    }
}
swanctl -l:
home: #1, ESTABLISHED, IKEv1, 918dd087d170153e:8b9da69955d37fc5
local '<LOCAL_ID>' @ 192.168.0.101[4500] [<LOCAL_VIRTUAL_IP>]
remote '<REMOTE_IP>' @ <REMOTE_IP>[4500]
AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
established 6026s ago, rekeying in 7589s
home: #2, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA1_96
installed 2486s ago, rekeying in 877s, expires in 1474s
in c85aea35, 52214 bytes, 237 packets, 15s ago
out f13cbd5e, 19363 bytes, 332 packets, 15s ago
local <LOCAL_VIRTUAL_IP>/32
remote 0.0.0.0/0
ip xfrm state (note: this dump includes the SAs' ESP auth and enc keys, which should be redacted like the addresses above):
src 192.168.0.101 dst <REMOTE_IP>
proto esp spi 0xf13cbd5e reqid 1 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0x188f0ce352e43226f8f363fd18bcc88e5a04b7db 96
enc cbc(aes)
0x928a4ff50567fc6ecc65a3740d67208cb9492ec428c0ea60997e26c9ccbdd4ee
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x145, bitmap 0x00000000
src <REMOTE_IP> dst 192.168.0.101
proto esp spi 0xc85aea35 reqid 1 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0x978c54b6651de45aa632d72e3c66d9831a40d19b 96
enc cbc(aes)
0xaf25b1d34af7aaea213076ccdc785388463e6c690025e414d56ac8d918e83e85
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0xe8, oseq 0x0, bitmap 0xffffffff
ip xfrm policy:
src 0.0.0.0/0 dst <LOCAL_VIRTUAL_IP>/32
dir fwd priority 2947 ptype main
tmpl src <REMOTE_IP> dst 192.168.0.101
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst <LOCAL_VIRTUAL_IP>/32
dir in priority 2947 ptype main
tmpl src <REMOTE_IP> dst 192.168.0.101
proto esp reqid 1 mode tunnel
src <LOCAL_VIRTUAL_IP>/32 dst 0.0.0.0/0
dir out priority 2947 ptype main
tmpl src 192.168.0.101 dst <REMOTE_IP>
proto esp reqid 1 mode tunnel
src <LOCAL_SUBNET> dst <LOCAL_SUBNET>
dir fwd priority 1347 ptype main
src <LOCAL_SUBNET> dst <LOCAL_SUBNET>
dir in priority 1347 ptype main
src <LOCAL_SUBNET> dst <LOCAL_SUBNET>
dir out priority 1347 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
ip addr:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state
DOWN group default qlen 1000
link/ether #:#:#:#:#:# brd ff:ff:ff:ff:ff:ff
3: wlan_cli: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel
state UP group default qlen 1000
link/ether #:#:#:#:#:# brd ff:ff:ff:ff:ff:ff
inet 192.168.0.101/24 brd 192.168.0.255 scope global dynamic wlan_cli
valid_lft 6103sec preferred_lft 6103sec
inet 192.168.178.203/32 scope global wlan_cli
valid_lft forever preferred_lft forever
4: wlan_ap: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
group default qlen 1000
link/ether #:#:#:#:#:# brd ff:ff:ff:ff:ff:ff
inet 192.168.100.1/24 brd 192.168.100.255 scope global wlan_ap
valid_lft forever preferred_lft forever
iptables-save:
# Generated by iptables-save v1.6.0 on Sat Jun 25 21:23:13 2016
# mangle table: no rules, every chain at its default ACCEPT policy.
*mangle
:PREROUTING ACCEPT [349421:284000115]
:INPUT ACCEPT [34643:18876322]
:FORWARD ACCEPT [313972:264962238]
:OUTPUT ACCEPT [22604:4130117]
:POSTROUTING ACCEPT [336871:269101909]
COMMIT
# Completed on Sat Jun 25 21:23:13 2016
# Generated by iptables-save v1.6.0 on Sat Jun 25 21:23:13 2016
# raw table: no rules, both chains at their default ACCEPT policy.
*raw
:PREROUTING ACCEPT [349421:284000115]
:OUTPUT ACCEPT [22604:4130117]
COMMIT
# Completed on Sat Jun 25 21:23:13 2016
# Generated by iptables-save v1.6.0 on Sat Jun 25 21:23:13 2016
*filter
# All three chains default to ACCEPT, so the rules below only matter if a
# DROP/REJECT is added later; in particular anything forwarded between
# wlan_ap and wlan_cli is currently allowed, tunneled or not.
:INPUT ACCEPT [7759:1614766]
:FORWARD ACCEPT [152179:130984520]
:OUTPUT ACCEPT [4312:581363]
# The four rules (mail-wrapped in the post, rejoined here) presumably come
# from `_updown iptables`: they ACCEPT traffic the kernel already associates
# with IPsec policy reqid 1, keyed on the virtual IP. They do not decide what
# gets tunneled; that is the xfrm policy.
-A INPUT -d <LOCAL_VIRTUAL_IP>/32 -i wlan_cli -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -d <LOCAL_VIRTUAL_IP>/32 -i wlan_cli -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s <LOCAL_VIRTUAL_IP>/32 -o wlan_cli -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A OUTPUT -s <LOCAL_VIRTUAL_IP>/32 -o wlan_cli -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
COMMIT
# Completed on Sat Jun 25 21:23:13 2016
# Generated by iptables-save v1.6.0 on Sat Jun 25 21:23:13 2016
*nat
:PREROUTING ACCEPT [2557:349662]
:INPUT ACCEPT [850:69600]
:OUTPUT ACCEPT [853:60041]
:POSTROUTING ACCEPT [14:2385]
# Exempt IPsec-bound packets from NAT. `-m policy --dir out` only matches if
# the outbound xfrm lookup attached a tunnel policy, and the only tunnel out
# policy in `ip xfrm policy` is src <LOCAL_VIRTUAL_IP>/32. Locally generated
# traffic (tunneled per the post, so sourced from the virtual IP) matches;
# packets forwarded from <LOCAL_SUBNET> do not and fall through.
-A POSTROUTING -o wlan_cli -m policy --dir out --pol ipsec -j ACCEPT
# MASQUERADE presumably rewrites LAN sources to wlan_cli's primary address
# (192.168.0.101 per `ip addr`), not the virtual IP, so the post-NAT policy
# lookup still finds no tunnel and the packet leaves wlan_cli in the clear.
# NOTE(review): SNAT LAN sources to the virtual IP instead, e.g.
#   -A POSTROUTING -s <LOCAL_SUBNET> -o wlan_cli -j SNAT --to-source <LOCAL_VIRTUAL_IP>
# so the src <LOCAL_VIRTUAL_IP>/32 out policy applies after NAT (the virtual
# IP can change on reconnect, so install it from the updown script) — confirm.
-A POSTROUTING -o wlan_cli -j MASQUERADE
COMMIT
# Completed on Sat Jun 25 21:23:13 2016
I don't see any misconfiguration so far, but I'm pretty new to policy-based routing.
Any ideas or suggestions as to what's wrong?
Regards,
Boris