[strongSwan] Traffic in a Hub and Spoke setup not forwarded

Martin Sand dborn at gmx.net
Tue Aug 29 19:10:28 CEST 2017


Hi Noel & all

Sorry for the late reply. I was trying to find a solution on sporadic 
weekends without messing up my actual configuration.

The MASQUERADE rule did it. I wanted to share the solution with the 
list.  The simplest solution in my /etc/firewall.user looks like 
this. The last entry made it work.

---------
### IPSec VPN
iptables -A input_rule -p esp -j ACCEPT
iptables -A input_rule -p udp --dport 500 -j ACCEPT
iptables -A input_rule -p udp --dport 4500 -j ACCEPT

iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
---------

In the end I did not change the MTU. Here is a tracepath output; it seems to 
work out-of-the-box.

[user at location1 ~]$ tracepath location2
  1?: [LOCALHOST]			pmtu 1500
  1:  router-location1			3.075ms
  1:  router-location1			3.221ms
  2:  router-location1			2.881ms pmtu 1422
  2:  no reply
  3:  router-location2			47.577ms
  4:  location2				48.414ms reached
      Resume: pmtu 1422 hops 4 back 4

Best regards
Martin

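The fix above works for two reasons: the `-I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT` rule exempts tunnel-bound packets from the OpenWrt MASQUERADE before their source address is rewritten, and the `input_rule` entries let IKE (UDP 500/4500) and ESP reach charon at all. The script below is an added example, not part of this thread or of strongSwan/OpenWrt: it parses an `iptables-save` dump and checks both conditions, following the OpenWrt zone chains in the order the kernel would. The two dumps inside it are constructed, abridged from the one quoted further down; the chain walk is deliberately simplified (it ignores RETURN and per-rule match conditions), which is enough to find the first NAT target a forwarded packet could hit.

```python
"""Added example, not from the thread: audit an iptables-save dump for the two IPsec
pitfalls discussed (NAT before the IPsec policy exemption; IKE/ESP not accepted)."""
import shlex
from collections import defaultdict

NAT_TARGETS = {"MASQUERADE", "SNAT"}

def parse_iptables_save(dump):
    """Return {table: {chain: [rule tokens, ...]}} in saved order."""
    tables, table = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                       # *nat, *filter, ...
            table = line[1:]
            tables[table] = defaultdict(list)
        elif line.startswith(":"):                     # :chain POLICY [pkts:bytes]
            tables[table].setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):                   # -A chain <match/target options>
            tokens = shlex.split(line)
            tables[table][tokens[1]].append(tokens[2:])
    return tables

def option(rule, name):
    """Value following option `name` (e.g. option(rule, "-j")), or None."""
    for i, tok in enumerate(rule[:-1]):
        if tok == name:
            return rule[i + 1]
    return None

def has_match(rule, name):
    """True if the rule loads match extension `name` via -m."""
    return any(a == "-m" and b == name for a, b in zip(rule, rule[1:]))

def walk(chains, chain, seen=None):
    """Yield rules in evaluation order, descending into user chains on -j
    (simplified: RETURN and per-rule match conditions are ignored)."""
    seen = set() if seen is None else seen
    if chain in seen:
        return
    seen.add(chain)
    for rule in chains.get(chain, []):
        yield rule
        target = option(rule, "-j")
        if target in chains:                           # user chain, e.g. zone_wan_postrouting
            yield from walk(chains, target, seen)

def audit(dump):
    """Return a list of findings; an empty list means both checks pass."""
    tables, findings = parse_iptables_save(dump), []
    # 1. nat/POSTROUTING: `-m policy --pol ipsec --dir out -j ACCEPT` must be hit before
    #    any MASQUERADE/SNAT, or the rewritten source no longer matches the IPsec policy.
    for rule in walk(tables.get("nat", {}), "POSTROUTING"):
        if (has_match(rule, "policy") and option(rule, "--pol") == "ipsec"
                and option(rule, "--dir") == "out" and option(rule, "-j") == "ACCEPT"):
            break                                      # exemption comes first: fine
        if option(rule, "-j") in NAT_TARGETS:
            findings.append("nat: %s reached before an IPsec policy exemption: %s"
                            % (option(rule, "-j"), " ".join(rule)))
            break
    # 2. filter/INPUT: IKE (UDP 500/4500) and ESP must be accepted or the tunnel never
    #    comes up; with NAT-T, as in the thread ("ESP in UDP"), ESP itself rides on UDP 4500.
    ok = {"esp": False, "udp/500": False, "udp/4500": False}
    for rule in walk(tables.get("filter", {}), "INPUT"):
        proto, dport = option(rule, "-p"), option(rule, "--dport")
        if option(rule, "-j") != "ACCEPT":
            continue
        if proto == "esp":
            ok["esp"] = True
        elif proto == "udp" and dport in ("500", "4500"):
            ok["udp/" + dport] = True
    findings += ["filter: INPUT never accepts %s" % k for k, v in ok.items() if not v]
    return findings

# Constructed, abridged from the OpenWrt dump in the thread: MASQUERADE reached via a
# zone chain, no IPsec exemption, and an empty user chain for input.
BEFORE = """\
*nat
:zone_wan_postrouting - [0:0]
-A POSTROUTING -o eth0 -j zone_wan_postrouting
-A zone_wan_postrouting -j MASQUERADE
COMMIT
*filter
:input_rule - [0:0]
-A INPUT -j input_rule
COMMIT
"""
# The same dump after the /etc/firewall.user rules above: the `-I POSTROUTING` exemption
# is saved ahead of the zone jump, and input_rule accepts ESP and UDP 500/4500.
AFTER = BEFORE.replace("-A POSTROUTING -o eth0", "-A POSTROUTING -m policy --dir out "
                       "--pol ipsec -j ACCEPT\n-A POSTROUTING -o eth0")
AFTER = AFTER.replace("-A INPUT -j input_rule", "-A INPUT -j input_rule\n"
                      "-A input_rule -p esp -j ACCEPT\n-A input_rule -p udp -m udp "
                      "--dport 500 -j ACCEPT\n-A input_rule -p udp -m udp --dport 4500 -j ACCEPT")
```

Feed it the real `iptables-save` output after `/etc/firewall.user` has been reloaded; `audit()` returns an empty list only when the exemption precedes the NAT target on every path from POSTROUTING and all three accepts are reachable from INPUT. The `udp/4500` check is the one that matters most in this setup, since the status output shows `ESP in UDP`, i.e. NAT traversal.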

On 02/25/2017 12:06 AM, Noel Kuntze wrote:
> There's the MASQUERADE rule that breaks some part of the tunnel:
>> -A zone_wan_postrouting -j MASQUERADE
> 
> This can be problematic, too. Read the article about MSS and MTU[1] and this article[2].
>> -A mssfix -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
> 
> You're also not accepting ESP or IKE traffic! You NEED to allow those packets.
> UDP port 500, 4500 and the protocol ESP.
> 
> Rest looks okay though, besides the problem that the openwrt firewall doesn't play nice with IPsec.
> 
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#MTUMSS-issues
> This website has nothing to do with the project though!
> [2] https://strongswan.net/blog/how-to-resolve-mtu-issue-with-ipsec-tunnel/
> 
> 
> On 24.02.2017 23:59, Martin Sand wrote:
>> Sure, please find enclosed the requested files.
>>
>> Best regards/Viele Grüsse
>> Martin
>>
>>
>> On 02/24/2017 11:52 PM, Noel Kuntze wrote:
>>> Of course not. This is not a problem with the routing table.
>>> Please make sure you understand exactly what's going on before
>>> attempting to solve problems. Other technology might not
>>> be as forgiving as this.
>>>
>>> The problem is probably that your security policies don't allow
>>> the forwarding of the traffic or you have SNAT/MASQUERADE (or other)
>>> iptables rules that either change addresses so the traffic doesn't
>>> match the policies anymore or outright drop it.
>>>
>>> Please provide a paste of the output of `ipsec statusall`
>>> and `iptables-save`.
>>>
>>>
>>>
>>> On 24.02.2017 23:49, Martin Sand wrote:
>>>> Hi all
>>>>
>>>> After some time I began to investigate again.
>>>> I think the problem is that my strongSwan router is behind a modem (another router) which I cannot set to bridge modus.
>>>> The modem is NATing the traffic.
>>>>
>>>> Routing table 220 shows the problem.
>>>> The traffic is sent to the modem (192.168.0.1), connected to the internet and my strongSwan vpn router (192.168.2.1).
>>>> The modem is also the default gateway.
>>>>
>>>> root at OpenWrt:~# ip route show table 220
>>>> 192.168.1.0/24 via 192.168.0.1 dev eth0  proto static  src 192.168.2.1
>>>> 192.168.3.0/24 via 192.168.0.1 dev eth0  proto static  src 192.168.2.1
>>>>
>>>> I tried to get around the problem by setting the via route to the external IP of my modem (134.100.110.120).
>>>> But this does not work:
>>>>
>>>> root at OpenWrt:~# ip r c table 220 192.168.1.0/24 via 134.100.110.120 dev eth0 proto static src 192.168.2.1
>>>> RTNETLINK answers: Network is unreachable
>>>>
>>>> Any ideas on how to solve the issue?
>>>>
>>>> Best regards
>>>> Martin
>>>>
>>>> On 11/08/2016 08:46 PM, Martin Sand wrote:
>>>>> Hi all
>>>>>
>>>>> I have a Hub and Spoke setup:
>>>>> * Central server 192.168.0.1
>>>>> * Router 1: 192.168.1.1
>>>>> * Router 2: 192.168.2.1
>>>>>
>>>>> I cannot reach the computers on the other side of the network although tunnel is established.
>>>>> Do I miss an iptable or route information?
>>>>>
>>>>> Output from 192.168.1.100 when trying to reach a computer on the other network (192.168.2.100):
>>>>> [user at workstation ~]$ tracepath 192.168.2.100
>>>>>   1?: [LOCALHOST]                                         pmtu 1500
>>>>>   1:  router-1                                     0.475ms
>>>>>   1:  router-1                                     0.445ms
>>>>>   2:  no reply
>>>>>
>>>>> Output of route on Router 1 (192.168.1.1):
>>>>> 192.168.2.0/24 via 80.10.10.1 dev eth0  proto static  src 192.168.1.1
>>>>>
>>>>> Output of route on Router 2 (192.168.2.1):
>>>>> 192.168.1.0/24 via 192.168.0.1 dev eth0  proto static  src 192.168.2.1
>>>>>
>>>>> Any ideas on what is going wrong? Maybe because one router shows the external IP of the Hub instead of the internal one?
>>>>>
>>>>> Best regards
>>>>> Martin
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users at lists.strongswan.org
>>>>> https://lists.strongswan.org/mailman/listinfo/users
>>>>
>>>>
>>
>>
>> ipsec_statusall.txt
>>
>>
>> Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.18.20, mips):
>>    uptime: 24 minutes, since Feb 24 23:30:27 2017
>>    malloc: sbrk 151552, mmap 0, used 139840, free 11712
>>    worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
>>    loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
>> Listening IP addresses:
>>    192.168.0.31
>>    192.168.2.1
>> Connections:
>>      vpn-mann:  %any...vpn.example.de  IKEv2, dpddelay=30s
>>      vpn-mann:   local:  [C=DE, O=StrongSwan, CN=mann] uses public key authentication
>>      vpn-mann:    cert:  "C=DE, O=StrongSwan, CN=mann"
>>      vpn-mann:   remote: [vpn.example.de] uses public key authentication
>>      vpn-mann:    cert:  "C=DE, O=StrongSwan, CN=vpn.example.de"
>>      vpn-mann:   child:  192.168.2.0/24 === 192.168.1.0/24 192.168.3.0/24 PASS, dpdaction=restart
>> Security Associations (1 up, 0 connecting):
>>      vpn-mann[1]: ESTABLISHED 23 minutes ago, 192.168.0.31[C=DE, O=StrongSwan, CN=mann]...200.200.8.224[vpn.example.de]
>>      vpn-mann[1]: IKEv2 SPIs: a2b57fe98a312245_i* 484d1d053cc36aaa_r, public key reauthentication in 28 minutes
>>      vpn-mann[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>>      vpn-mann{4}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c5f28034_i c535472d_o
>>      vpn-mann{4}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 5 minutes
>>      vpn-mann{4}:   192.168.2.0/24 === 192.168.1.0/24 192.168.3.0/24
>>      vpn-mann{5}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cca10f29_i cd435e9e_o
>>      vpn-mann{5}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 6 minutes
>>      vpn-mann{5}:   192.168.2.0/24 === 192.168.1.0/24 192.168.3.0/24
>>
>>
>> iptables_save.txt
>>
>>
>> # Generated by iptables-save v1.4.21 on Fri Feb 24 23:54:03 2017
>> *nat
>> :PREROUTING ACCEPT [94139:25693304]
>> :INPUT ACCEPT [23929:1678867]
>> :OUTPUT ACCEPT [24490:1838326]
>> :POSTROUTING ACCEPT [529:103136]
>> :delegate_postrouting - [0:0]
>> :delegate_prerouting - [0:0]
>> :postrouting_lan_rule - [0:0]
>> :postrouting_rule - [0:0]
>> :postrouting_wan_rule - [0:0]
>> :prerouting_lan_rule - [0:0]
>> :prerouting_rule - [0:0]
>> :prerouting_wan_rule - [0:0]
>> :zone_lan_postrouting - [0:0]
>> :zone_lan_prerouting - [0:0]
>> :zone_wan_postrouting - [0:0]
>> :zone_wan_prerouting - [0:0]
>> -A PREROUTING -j delegate_prerouting
>> -A POSTROUTING -j delegate_postrouting
>> -A delegate_postrouting -m comment --comment "user chain for postrouting" -j postrouting_rule
>> -A delegate_postrouting -o br-lan -j zone_lan_postrouting
>> -A delegate_postrouting -o eth0 -j zone_wan_postrouting
>> -A delegate_prerouting -m comment --comment "user chain for prerouting" -j prerouting_rule
>> -A delegate_prerouting -i br-lan -j zone_lan_prerouting
>> -A delegate_prerouting -i eth0 -j zone_wan_prerouting
>> -A zone_lan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_lan_rule
>> -A zone_lan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_lan_rule
>> -A zone_wan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_wan_rule
>> -A zone_wan_postrouting -j MASQUERADE
>> -A zone_wan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_wan_rule
>> COMMIT
>> # Completed on Fri Feb 24 23:54:03 2017
>> # Generated by iptables-save v1.4.21 on Fri Feb 24 23:54:03 2017
>> *raw
>> :PREROUTING ACCEPT [30562873:27538250738]
>> :OUTPUT ACCEPT [92351:9943384]
>> :delegate_notrack - [0:0]
>> -A PREROUTING -j delegate_notrack
>> COMMIT
>> # Completed on Fri Feb 24 23:54:03 2017
>> # Generated by iptables-save v1.4.21 on Fri Feb 24 23:54:03 2017
>> *mangle
>> :PREROUTING ACCEPT [30562873:27538250738]
>> :INPUT ACCEPT [86788:8751557]
>> :FORWARD ACCEPT [30431248:27507406630]
>> :OUTPUT ACCEPT [92351:9943384]
>> :POSTROUTING ACCEPT [30523601:27517350687]
>> :fwmark - [0:0]
>> :mssfix - [0:0]
>> -A PREROUTING -j fwmark
>> -A FORWARD -j mssfix
>> -A mssfix -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
>> COMMIT
>> # Completed on Fri Feb 24 23:54:03 2017
>> # Generated by iptables-save v1.4.21 on Fri Feb 24 23:54:03 2017
>> *filter
>> :INPUT ACCEPT [0:0]
>> :FORWARD DROP [0:0]
>> :OUTPUT ACCEPT [0:0]
>> :delegate_forward - [0:0]
>> :delegate_input - [0:0]
>> :delegate_output - [0:0]
>> :forwarding_lan_rule - [0:0]
>> :forwarding_rule - [0:0]
>> :forwarding_wan_rule - [0:0]
>> :input_lan_rule - [0:0]
>> :input_rule - [0:0]
>> :input_wan_rule - [0:0]
>> :output_lan_rule - [0:0]
>> :output_rule - [0:0]
>> :output_wan_rule - [0:0]
>> :reject - [0:0]
>> :syn_flood - [0:0]
>> :zone_lan_dest_ACCEPT - [0:0]
>> :zone_lan_forward - [0:0]
>> :zone_lan_input - [0:0]
>> :zone_lan_output - [0:0]
>> :zone_lan_src_ACCEPT - [0:0]
>> :zone_wan_dest_ACCEPT - [0:0]
>> :zone_wan_dest_REJECT - [0:0]
>> :zone_wan_forward - [0:0]
>> :zone_wan_input - [0:0]
>> :zone_wan_output - [0:0]
>> :zone_wan_src_REJECT - [0:0]
>> -A INPUT -j delegate_input
>> -A FORWARD -s 192.168.3.0/24 -d 192.168.2.0/24 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
>> -A FORWARD -s 192.168.2.0/24 -d 192.168.3.0/24 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
>> -A FORWARD -s 192.168.1.0/24 -d 192.168.2.0/24 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
>> -A FORWARD -s 192.168.2.0/24 -d 192.168.1.0/24 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
>> -A FORWARD -s 192.168.3.0/24 -d 192.168.2.0/24 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
>> -A FORWARD -s 192.168.2.0/24 -d 192.168.3.0/24 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
>> -A FORWARD -s 192.168.1.0/24 -d 192.168.2.0/24 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
>> -A FORWARD -s 192.168.2.0/24 -d 192.168.1.0/24 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
>> -A FORWARD -j delegate_forward
>> -A OUTPUT -j delegate_output
>> -A delegate_forward -m comment --comment "user chain for forwarding" -j forwarding_rule
>> -A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>> -A delegate_forward -i br-lan -j zone_lan_forward
>> -A delegate_forward -i eth0 -j zone_wan_forward
>> -A delegate_forward -j reject
>> -A delegate_input -i lo -j ACCEPT
>> -A delegate_input -m comment --comment "user chain for input" -j input_rule
>> -A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>> -A delegate_input -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
>> -A delegate_input -i br-lan -j zone_lan_input
>> -A delegate_input -i eth0 -j zone_wan_input
>> -A delegate_output -o lo -j ACCEPT
>> -A delegate_output -m comment --comment "user chain for output" -j output_rule
>> -A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>> -A delegate_output -o br-lan -j zone_lan_output
>> -A delegate_output -o eth0 -j zone_wan_output
>> -A reject -p tcp -j REJECT --reject-with tcp-reset
>> -A reject -j REJECT --reject-with icmp-port-unreachable
>> -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
>> -A syn_flood -j DROP
>> -A zone_lan_dest_ACCEPT -o br-lan -j ACCEPT
>> -A zone_lan_forward -m comment --comment "user chain for forwarding" -j forwarding_lan_rule
>> -A zone_lan_forward -m comment --comment "forwarding lan -> wan" -j zone_wan_dest_ACCEPT
>> -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
>> -A zone_lan_forward -j zone_lan_dest_ACCEPT
>> -A zone_lan_input -m comment --comment "user chain for input" -j input_lan_rule
>> -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
>> -A zone_lan_input -j zone_lan_src_ACCEPT
>> -A zone_lan_output -m comment --comment "user chain for output" -j output_lan_rule
>> -A zone_lan_output -j zone_lan_dest_ACCEPT
>> -A zone_lan_src_ACCEPT -i br-lan -j ACCEPT
>> -A zone_wan_dest_ACCEPT -o eth0 -j ACCEPT
>> -A zone_wan_dest_REJECT -o eth0 -j reject
>> -A zone_wan_forward -m comment --comment "user chain for forwarding" -j forwarding_wan_rule
>> -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
>> -A zone_wan_forward -j zone_wan_dest_REJECT
>> -A zone_wan_input -m comment --comment "user chain for input" -j input_wan_rule
>> -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment Allow-DHCP-Renew -j ACCEPT
>> -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment Allow-Ping -j ACCEPT
>> -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
>> -A zone_wan_input -j zone_wan_src_REJECT
>> -A zone_wan_output -m comment --comment "user chain for output" -j output_wan_rule
>> -A zone_wan_output -j zone_wan_dest_ACCEPT
>> -A zone_wan_src_REJECT -i eth0 -j reject
>> COMMIT
>> # Completed on Fri Feb 24 23:54:03 2017
>>
>>
>>
>>
> 

