[strongSwan] Traffic in a Hub and Spoke setup not forwarded

Noel Kuntze noel at familie-kuntze.de
Sat Feb 25 00:01:25 CET 2017


Err, where's the hub and the spoke?
There are just two duplicate CHILD_SAs for a single IKE_SA.

On 24.02.2017 23:59, Martin Sand wrote:
> Sure, please find enclosed the requested files.
> 
> Best regards/Viele Grüsse
> Martin
> 
> 
> On 02/24/2017 11:52 PM, Noel Kuntze wrote:
>> Of course not. This is not a problem with the routing table.
>> Please make sure you understand exactly what's going on before
>> attempting to solve problems. Other technology might not
>> be as forgiving as this.
>>
>> The problem is probably that your security policies don't allow
>> the forwarding of the traffic or you have SNAT/MASQUERADE (or other)
>> iptables rules that either change addresses so the traffic doesn't
>> match the policies anymore or outright drop it.
>>
>> Please provide a paste of the output of `ipsec statusall`
>> and `iptables-save`.
>>
>>
>>
>> On 24.02.2017 23:49, Martin Sand wrote:
>>> Hi all
>>>
>>> After some time I began to investigate again.
>>> I think the problem is that my strongSwan router is behind a modem (another router) which I cannot set to bridge mode.
>>> The modem is NATing the traffic.
>>>
>>> Routing table 220 shows the problem.
>>> The traffic is sent to the modem (192.168.0.1), which is connected to the internet and to my strongSwan VPN router (192.168.2.1).
>>> The modem is also the default gateway.
>>>
>>> root at OpenWrt:~# ip route show table 220
>>> 192.168.1.0/24 via 192.168.0.1 dev eth0  proto static  src 192.168.2.1
>>> 192.168.3.0/24 via 192.168.0.1 dev eth0  proto static  src 192.168.2.1 
>>>
>>> I tried to get around the problem by setting the via route to the external IP of my modem (134.100.110.120).
>>> But this does not work:
>>>
>>> root at OpenWrt:~# ip r c table 220 192.168.1.0/24 via 134.100.110.120 dev eth0 proto static src 192.168.2.1
>>> RTNETLINK answers: Network is unreachable
>>>
>>> Any ideas on how to solve the issue?
>>>
>>> Best regards
>>> Martin
>>>
>>> On 11/08/2016 08:46 PM, Martin Sand wrote:
>>>> Hi all
>>>>
>>>> I have a Hub and Spoke setup:
>>>> * Central server 192.168.0.1
>>>> * Router 1: 192.168.1.1
>>>> * Router 2: 192.168.2.1
>>>>
>>>> I cannot reach the computers on the other side of the network although the tunnel is established.
>>>> Am I missing an iptables rule or a route entry?
>>>>
>>>> Output from 192.168.1.100 when trying to reach a computer on the other network (192.168.2.100):
>>>> [user at workstation ~]$ tracepath 192.168.2.100
>>>>  1?: [LOCALHOST]                                         pmtu 1500
>>>>  1:  router-1                                     0.475ms
>>>>  1:  router-1                                     0.445ms
>>>>  2:  no reply
>>>>
>>>> Output of route on Router 1 (192.168.1.1):
>>>> 192.168.2.0/24 via 80.10.10.1 dev eth0  proto static  src 192.168.1.1
>>>>
>>>> Output of route on Router 2 (192.168.2.1):
>>>> 192.168.1.0/24 via 192.168.0.1 dev eth0  proto static  src 192.168.2.1
>>>>
>>>> Any ideas on what is going wrong? Maybe because one router shows the external IP of the Hub instead of the internal one?
>>>>
>>>> Best regards
>>>> Martin
>>>>
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at lists.strongswan.org
>>>> https://lists.strongswan.org/mailman/listinfo/users
>>>
> 
> 
> ipsec_statusall.txt
> 
> 
> Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.18.20, mips):
>   uptime: 24 minutes, since Feb 24 23:30:27 2017
>   malloc: sbrk 151552, mmap 0, used 139840, free 11712
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
>   loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
> Listening IP addresses:
>   192.168.0.31
>   192.168.2.1
> Connections:
>     vpn-mann:  %any...vpn.example.de  IKEv2, dpddelay=30s
>     vpn-mann:   local:  [C=DE, O=StrongSwan, CN=mann] uses public key authentication
>     vpn-mann:    cert:  "C=DE, O=StrongSwan, CN=mann"
>     vpn-mann:   remote: [vpn.example.de] uses public key authentication
>     vpn-mann:    cert:  "C=DE, O=StrongSwan, CN=vpn.example.de"
>     vpn-mann:   child:  192.168.2.0/24 === 192.168.1.0/24 192.168.3.0/24 PASS, dpdaction=restart
> Security Associations (1 up, 0 connecting):
>     vpn-mann[1]: ESTABLISHED 23 minutes ago, 192.168.0.31[C=DE, O=StrongSwan, CN=mann]...200.200.8.224[vpn.example.de]
>     vpn-mann[1]: IKEv2 SPIs: a2b57fe98a312245_i* 484d1d053cc36aaa_r, public key reauthentication in 28 minutes
>     vpn-mann[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>     vpn-mann{4}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c5f28034_i c535472d_o
>     vpn-mann{4}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 5 minutes
>     vpn-mann{4}:   192.168.2.0/24 === 192.168.1.0/24 192.168.3.0/24 
>     vpn-mann{5}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cca10f29_i cd435e9e_o
>     vpn-mann{5}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 6 minutes
>     vpn-mann{5}:   192.168.2.0/24 === 192.168.1.0/24 192.168.3.0/24 
> 
> 
> iptables_save.txt
> 
> 
> # Generated by iptables-save v1.4.21 on Fri Feb 24 23:54:03 2017
> *nat
> :PREROUTING ACCEPT [94139:25693304]
> :INPUT ACCEPT [23929:1678867]
> :OUTPUT ACCEPT [24490:1838326]
> :POSTROUTING ACCEPT [529:103136]
> :delegate_postrouting - [0:0]
> :delegate_prerouting - [0:0]
> :postrouting_lan_rule - [0:0]
> :postrouting_rule - [0:0]
> :postrouting_wan_rule - [0:0]
> :prerouting_lan_rule - [0:0]
> :prerouting_rule - [0:0]
> :prerouting_wan_rule - [0:0]
> :zone_lan_postrouting - [0:0]
> :zone_lan_prerouting - [0:0]
> :zone_wan_postrouting - [0:0]
> :zone_wan_prerouting - [0:0]
> -A PREROUTING -j delegate_prerouting
> -A POSTROUTING -j delegate_postrouting
> -A delegate_postrouting -m comment --comment "user chain for postrouting" -j postrouting_rule
> -A delegate_postrouting -o br-lan -j zone_lan_postrouting
> -A delegate_postrouting -o eth0 -j zone_wan_postrouting
> -A delegate_prerouting -m comment --comment "user chain for prerouting" -j prerouting_rule
> -A delegate_prerouting -i br-lan -j zone_lan_prerouting
> -A delegate_prerouting -i eth0 -j zone_wan_prerouting
> -A zone_lan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_lan_rule
> -A zone_lan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_lan_rule
> -A zone_wan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_wan_rule
> -A zone_wan_postrouting -j MASQUERADE
> -A zone_wan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_wan_rule
> COMMIT
> # Completed on Fri Feb 24 23:54:03 2017
> # Generated by iptables-save v1.4.21 on Fri Feb 24 23:54:03 2017
> *raw
> :PREROUTING ACCEPT [30562873:27538250738]
> :OUTPUT ACCEPT [92351:9943384]
> :delegate_notrack - [0:0]
> -A PREROUTING -j delegate_notrack
> COMMIT
> # Completed on Fri Feb 24 23:54:03 2017
> # Generated by iptables-save v1.4.21 on Fri Feb 24 23:54:03 2017
> *mangle
> :PREROUTING ACCEPT [30562873:27538250738]
> :INPUT ACCEPT [86788:8751557]
> :FORWARD ACCEPT [30431248:27507406630]
> :OUTPUT ACCEPT [92351:9943384]
> :POSTROUTING ACCEPT [30523601:27517350687]
> :fwmark - [0:0]
> :mssfix - [0:0]
> -A PREROUTING -j fwmark
> -A FORWARD -j mssfix
> -A mssfix -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
> COMMIT
> # Completed on Fri Feb 24 23:54:03 2017
> # Generated by iptables-save v1.4.21 on Fri Feb 24 23:54:03 2017
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [0:0]
> :delegate_forward - [0:0]
> :delegate_input - [0:0]
> :delegate_output - [0:0]
> :forwarding_lan_rule - [0:0]
> :forwarding_rule - [0:0]
> :forwarding_wan_rule - [0:0]
> :input_lan_rule - [0:0]
> :input_rule - [0:0]
> :input_wan_rule - [0:0]
> :output_lan_rule - [0:0]
> :output_rule - [0:0]
> :output_wan_rule - [0:0]
> :reject - [0:0]
> :syn_flood - [0:0]
> :zone_lan_dest_ACCEPT - [0:0]
> :zone_lan_forward - [0:0]
> :zone_lan_input - [0:0]
> :zone_lan_output - [0:0]
> :zone_lan_src_ACCEPT - [0:0]
> :zone_wan_dest_ACCEPT - [0:0]
> :zone_wan_dest_REJECT - [0:0]
> :zone_wan_forward - [0:0]
> :zone_wan_input - [0:0]
> :zone_wan_output - [0:0]
> :zone_wan_src_REJECT - [0:0]
> -A INPUT -j delegate_input
> -A FORWARD -s 192.168.3.0/24 -d 192.168.2.0/24 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> -A FORWARD -s 192.168.2.0/24 -d 192.168.3.0/24 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> -A FORWARD -s 192.168.1.0/24 -d 192.168.2.0/24 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> -A FORWARD -s 192.168.2.0/24 -d 192.168.1.0/24 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> -A FORWARD -s 192.168.3.0/24 -d 192.168.2.0/24 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> -A FORWARD -s 192.168.2.0/24 -d 192.168.3.0/24 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> -A FORWARD -s 192.168.1.0/24 -d 192.168.2.0/24 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> -A FORWARD -s 192.168.2.0/24 -d 192.168.1.0/24 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> -A FORWARD -j delegate_forward
> -A OUTPUT -j delegate_output
> -A delegate_forward -m comment --comment "user chain for forwarding" -j forwarding_rule
> -A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A delegate_forward -i br-lan -j zone_lan_forward
> -A delegate_forward -i eth0 -j zone_wan_forward
> -A delegate_forward -j reject
> -A delegate_input -i lo -j ACCEPT
> -A delegate_input -m comment --comment "user chain for input" -j input_rule
> -A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A delegate_input -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
> -A delegate_input -i br-lan -j zone_lan_input
> -A delegate_input -i eth0 -j zone_wan_input
> -A delegate_output -o lo -j ACCEPT
> -A delegate_output -m comment --comment "user chain for output" -j output_rule
> -A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A delegate_output -o br-lan -j zone_lan_output
> -A delegate_output -o eth0 -j zone_wan_output
> -A reject -p tcp -j REJECT --reject-with tcp-reset
> -A reject -j REJECT --reject-with icmp-port-unreachable
> -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
> -A syn_flood -j DROP
> -A zone_lan_dest_ACCEPT -o br-lan -j ACCEPT
> -A zone_lan_forward -m comment --comment "user chain for forwarding" -j forwarding_lan_rule
> -A zone_lan_forward -m comment --comment "forwarding lan -> wan" -j zone_wan_dest_ACCEPT
> -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
> -A zone_lan_forward -j zone_lan_dest_ACCEPT
> -A zone_lan_input -m comment --comment "user chain for input" -j input_lan_rule
> -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
> -A zone_lan_input -j zone_lan_src_ACCEPT
> -A zone_lan_output -m comment --comment "user chain for output" -j output_lan_rule
> -A zone_lan_output -j zone_lan_dest_ACCEPT
> -A zone_lan_src_ACCEPT -i br-lan -j ACCEPT
> -A zone_wan_dest_ACCEPT -o eth0 -j ACCEPT
> -A zone_wan_dest_REJECT -o eth0 -j reject
> -A zone_wan_forward -m comment --comment "user chain for forwarding" -j forwarding_wan_rule
> -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
> -A zone_wan_forward -j zone_wan_dest_REJECT
> -A zone_wan_input -m comment --comment "user chain for input" -j input_wan_rule
> -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment Allow-DHCP-Renew -j ACCEPT
> -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment Allow-Ping -j ACCEPT
> -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
> -A zone_wan_input -j zone_wan_src_REJECT
> -A zone_wan_output -m comment --comment "user chain for output" -j output_wan_rule
> -A zone_wan_output -j zone_wan_dest_ACCEPT
> -A zone_wan_src_REJECT -i eth0 -j reject
> COMMIT
> # Completed on Fri Feb 24 23:54:03 2017
> 
> 
> 
> 

-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
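An added check, not part of this thread and not strongSwan's own code, that makes the MASQUERADE point above concrete. It walks the nat POSTROUTING path of an iptables-save dump the way netfilter would for a packet that already has an outbound IPsec policy, and reports whether the packet reaches MASQUERADE/SNAT before any `-m policy --dir out --pol ipsec -j ACCEPT` exemption. Both dumps are constructed: the first abbreviates the OpenWrt nat rules posted in the thread (MASQUERADE on eth0, no exemption in front of it), the second adds the exemption to OpenWrt's postrouting_rule user chain, which the dump shows is jumped to before the zone chains. Only -s, -d, -o and the policy match are evaluated; every other match is treated as matching, which is the conservative choice for an audit. Chain names, addresses and the sample packet come from the thread; the function names are this example's own.

```python
"""Audit an iptables-save nat table: is IPsec-bound plaintext SNATed before
the kernel encrypts it?  Example code for this thread, not from strongSwan."""
import ipaddress
import re

# Constructed sample: the nat rules from the posted dump, abbreviated.
# MASQUERADE on eth0 with no IPsec exemption ahead of it.
BROKEN_NAT = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:delegate_postrouting - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:zone_wan_postrouting - [0:0]
-A POSTROUTING -j delegate_postrouting
-A delegate_postrouting -m comment --comment "user chain for postrouting" -j postrouting_rule
-A delegate_postrouting -o eth0 -j zone_wan_postrouting
-A zone_wan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_wan_rule
-A zone_wan_postrouting -j MASQUERADE
COMMIT
"""

# Constructed fix: leave traffic that already has an outbound IPsec policy
# un-NATed, placed in OpenWrt's user hook which runs before the zone chains.
EXEMPTION = "-A postrouting_rule -m policy --dir out --pol ipsec -j ACCEPT"
FIXED_NAT = BROKEN_NAT.replace("-A POSTROUTING", EXEMPTION + "\n-A POSTROUTING", 1)


def parse_table(dump, table="nat"):
    """Return {chain: [rule, ...]} for one table of an iptables-save dump."""
    chains, cur = {}, None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            cur = line[1:]
        elif line == "COMMIT":
            cur = None
        elif cur == table:
            if line.startswith(":"):
                chains.setdefault(line[1:].split()[0], [])
            elif line.startswith("-A "):
                _, chain, rest = line.split(" ", 2)
                chains.setdefault(chain, []).append(rest)
    return chains


def _opt(rule, flag):
    """Value of a single-argument option such as '-o eth0', or None."""
    m = re.search(rf"(?:^|\s){re.escape(flag)} (\S+)", rule)
    return m.group(1) if m else None


def rule_matches(rule, pkt):
    """Evaluate -s, -d, -o and '-m policy --pol ipsec|none' against pkt.
    pkt = {'src', 'dst', 'oif', 'ipsec_out'}; unknown matches count as hits."""
    for flag, key in (("-s", "src"), ("-d", "dst")):
        net = _opt(rule, flag)
        if net and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(net, strict=False):
            return False
    oif = _opt(rule, "-o")
    if oif and oif != pkt["oif"]:
        return False
    pol = _opt(rule, "--pol")
    if pol and (pol == "ipsec") != pkt["ipsec_out"]:
        return False
    return True


def first_verdict(chains, pkt, chain="POSTROUTING"):
    """Walk `chain` as netfilter does (descend into user chains, honour RETURN)
    and return (target, chain, rule) for the first terminating rule the packet
    hits, or None if it falls through to the chain policy."""
    for rule in chains.get(chain, []):
        if not rule_matches(rule, pkt):
            continue
        tgt = _opt(rule, "-j")
        if tgt in chains:                      # user-defined chain
            hit = first_verdict(chains, pkt, tgt)
            if hit:
                return hit
        elif tgt == "RETURN":
            return None
        elif tgt:                              # ACCEPT, MASQUERADE, SNAT, ...
            return (tgt, chain, rule)
    return None


def ipsec_egress_gets_natted(dump, pkt):
    """True if plaintext that the kernel will encrypt on egress is rewritten by
    SNAT/MASQUERADE first, so it no longer matches the IPsec policy."""
    hit = first_verdict(parse_table(dump, "nat"), dict(pkt, ipsec_out=True))
    return hit is not None and hit[0] in ("MASQUERADE", "SNAT")


if __name__ == "__main__":
    # Packet from the thread: LAN host behind the spoke to a host behind the hub.
    pkt = {"src": "192.168.2.100", "dst": "192.168.1.100", "oif": "eth0"}
    for name, dump in (("broken", BROKEN_NAT), ("fixed", FIXED_NAT)):
        print(f"{name}: SNATed before IPsec = {ipsec_egress_gets_natted(dump, pkt)}")
```

On the router itself the equivalent one-liner is `iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT`; `-I` puts it ahead of the jump to delegate_postrouting, so it wins over the zone MASQUERADE for any packet with an outbound IPsec policy while ordinary internet-bound traffic is still masqueraded. The walk above is an approximation: it ignores conntrack state and other matches, and a real audit should still confirm with `iptables -t nat -L POSTROUTING -v` counters that the exemption is the rule accumulating hits. Note also that the FORWARD policy rules in the posted dump appear twice each, which is consistent with the two CHILD_SAs ({4} and {5}) Noel points out: the updown plugin is loaded and installs one set of rules per CHILD_SA.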



