[strongSwan] Connect strongSwan and Squid on same server
Moataz Elmasry
moataz.elmasry2 at gmail.com
Wed Jan 18 17:41:17 CET 2017
Hi,
I just had a similar problem, here's how I solved it:
- Assume strongswan is configured to hand out IPs from 10.3.0.0/16
Then:
iptables -t nat -A POSTROUTING -s 10.3.0.0/16 -o eth0 -j MASQUERADE
iptables -t nat -I PREROUTING -s 10.3.0.0/16 -p tcp --dport 80 -j REDIRECT --to-ports 3128
The first rule will masquerade the traffic as usual from the private to
the public network. You need this anyway.
The second rule will redirect the traffic ONLY from your subnet to squid.
On 01/18/2017 05:33 PM, Varun Singh wrote:
> Hi,
> I have installed strongSwan and Squid HTTP Proxy on the same Ubuntu
> 16.04 server and I am trying to connect both. By connect I mean, I am
> trying to achieve following:
>
> [VPN Client] <------> [VPN Server] <-> [Squid] <------> [Internet]
>
> My objective is to connect a VPN client to VPN server and use Squid
> for filtering out blocked Urls. strongSwan and Squid work fine on
> their own. I can access internet when connected to VPN server and also
> when configured HTTP Proxy without VPN.
>
> From what I understand, to achieve what I want, I am supposed to
> redirect incoming HTTP traffic from port 80 to port using IPTables. I
> enter following IPTables rule:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>
> Once I do this and try to access internet from a connected VPN client,
> I get an error. Pasting a log of /var/log/squid/access.log
>
> My /etc/squid/squid.conf file has only one change and that is:
> http_access allow all
>
> Following is my /etc/ipsec.conf file:
> config setup
>     strictcrlpolicy=no
>     uniqueids = no
>
> conn %default
>     mobike=yes
>     dpdaction=clear
>     dpddelay=35s
>     dpdtimeout=200s
>     fragmentation=yes
>
> conn iOS-IKEV2
>     auto=add
>     keyexchange=ike
>     eap_identity=%any
>     left=%any
>     leftsubnet=0.0.0.0/0
>     rightsubnet=10.99.1.0/24
>     leftauth=psk
>     leftid=%any
>     right=%any
>     rightsourceip=10.99.1.0/24
>     rightauth=eap-mschapv2
>     rightid=%any
>
> Following are the NAT IPTables entries. I get this by entering sudo
> iptables -t nat -L
>
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
> REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 3128
>
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
> MASQUERADE all -- 10.99.1.0/24 anywhere
>
> If any of you have faced this problem before and were able to resolve
> it, can you please help me? Thanks.
>
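As an added check (not code from either poster), a small Python audit over Squid access.log lines in the format Varun quoted: it flags requests that reached the proxy from a client outside the VPN pool, which is exactly what the `-s <subnet>` match on Moataz's REDIRECT rule rules out, and relative request lines answered with TAG_NONE/400. The log lines below are constructed in that format, and the pool 10.99.1.0/24 is the rightsourceip from the quoted ipsec.conf.

```python
import ipaddress
import re
from collections import Counter

# Squid native access.log fields:
# time elapsed client code/status bytes method url user hier/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample lines in the same format as the quoted log (not the original data).
SAMPLE_LOG = """\
1484739056.258 0 10.99.1.1 TAG_NONE/400 3918 GET / - HIER_NONE/- text/html
1484739057.106 0 10.99.1.1 TAG_NONE/400 3994 GET /apple-touch-icon.png - HIER_NONE/- text/html
1484738365.642 0 198.51.100.7 TCP_DENIED/403 4870 GET http://www.example.com/ - HIER_NONE/- text/html
1484742330.250 0 10.99.1.2 TAG_NONE/400 4444 NONE error:invalid-request - HIER_NONE/- text/html
1484744626.062 0 10.99.1.1 TCP_MEM_HIT/200 11731 GET http://proxy:3128/squid-internal-static/icons/SN.png - HIER_NONE/- image/png
"""

def parse_line(line):
    """Return the fields of one access.log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def audit(lines, vpn_pool):
    """Count the symptoms that matter for a VPN-to-Squid REDIRECT setup."""
    pool = ipaddress.ip_network(vpn_pool)
    findings = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if ipaddress.ip_address(rec["client"]) not in pool:
            # A client outside the VPN pool reached Squid: the PREROUTING REDIRECT
            # rule matches all port-80 traffic on the interface instead of only
            # the VPN subnet (the -s <pool> match in the reply above).
            findings["outside_vpn_pool"] += 1
        if rec["status"] == "400" and rec["url"].startswith("/"):
            # Relative request line (e.g. "GET /") rejected with 400: NAT-redirected
            # traffic landed on an http_port that is not configured for interception.
            findings["relative_url_400"] += 1
        if rec["status"] == "403":
            findings["denied_403"] += 1
        if rec["status"].startswith("2"):
            findings["served"] += 1
    return findings
```

Relative request lines such as `GET /` answered with 400 are what Squid logs when NAT-redirected traffic arrives on an http_port without the `intercept` option, so that counter points at squid.conf rather than at the iptables rules.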