[strongSwan] Connect strongSwan and Squid on same server
Varun Singh
varun.singh at gslab.com
Wed Jan 18 17:47:56 CET 2017
On Wed, Jan 18, 2017 at 10:11 PM, Moataz Elmasry
<moataz.elmasry2 at gmail.com> wrote:
> Hi,
>
> I just had a similar problem, here's how I solved it:
> - Assume strongswan is configured to hand out IPs from 10.3.0.0/16
> Then:
> iptables -t nat -A POSTROUTING -s 10.3.0.0/16 -o eth0 -j MASQUERADE
> iptables -t nat -I PREROUTING -s 10.3.0.0/16 -p tcp --dport 80 -j REDIRECT --to-ports 3128
>
> The first rule will masquerade the traffic as usual from the private to the
> public network. You need this anyway.
> The second rule will redirect the traffic ONLY from your subnet to squid.
>
> On 01/18/2017 05:33 PM, Varun Singh wrote:
>>
>> Hi,
>> I have installed strongSwan and Squid HTTP Proxy on the same Ubuntu
>> 16.04 server and I am trying to connect both. By connect I mean, I am
>> trying to achieve the following:
>>
>> [VPN Client] <------> [VPN Server] <-> [Squid] <------> [Internet]
>>
>> My objective is to connect a VPN client to the VPN server and use Squid
>> for filtering out blocked URLs. strongSwan and Squid work fine on
>> their own. I can access the internet when connected to the VPN server and
>> also when using the HTTP proxy without VPN.
>>
>> From what I understand, to achieve what I want, I am supposed to
>> redirect incoming HTTP traffic from port 80 to port using IPTables. I
>> enter the following IPTables rule:
>>
>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>>
>> Once I do this and try to access the internet from a connected VPN client,
>> I get an error. Here is a log from /var/log/squid/access.log:
>>
>>
>> My /etc/squid/squid.conf file has only one change and that is:
>> http_access allow all
>>
>>
>>
>> Following is my /etc/ipsec.conf file:
>>
>> config setup
>>     strictcrlpolicy=no
>>     uniqueids = no
>>
>> conn %default
>>     mobike=yes
>>     dpdaction=clear
>>     dpddelay=35s
>>     dpdtimeout=200s
>>     fragmentation=yes
>>
>> conn iOS-IKEV2
>>     auto=add
>>     keyexchange=ike
>>     eap_identity=%any
>>     left=%any
>>     leftsubnet=0.0.0.0/0
>>     rightsubnet=10.99.1.0/24
>>     leftauth=psk
>>     leftid=%any
>>     right=%any
>>     rightsourceip=10.99.1.0/24
>>     rightauth=eap-mschapv2
>>     rightid=%any
>>
>> Following are my NAT IPTables entries. I get this by entering
>> sudo iptables -t nat -L
>>
>> Chain PREROUTING (policy ACCEPT)
>> target     prot opt source               destination
>> REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 3128
>>
>> Chain INPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain POSTROUTING (policy ACCEPT)
>> target     prot opt source               destination
>> MASQUERADE all  --  10.99.1.0/24         anywhere
>>
>>
>>
>> If any of you have faced this problem before and were able to resolve
>> it, can you please help me? Thanks.
>>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
Thanks. Did you use any other iptables rules for strongSwan? From what
I understand:

This is needed for strongSwan:
iptables -t nat -A POSTROUTING -s 10.3.0.0/16 -o eth0 -j MASQUERADE

And this will be needed to connect strongSwan with Squid:
iptables -t nat -I PREROUTING -s 10.3.0.0/16 -p tcp --dport 80 -j REDIRECT

Is that correct?
--
Regards,
Varun
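As an added example that is not part of the thread (neither the poster's nor strongSwan's code): a small POSIX shell script that prints or applies the two rules from the reply with the REDIRECT scoped to the VPN pool, and audits an iptables-save dump for a nat REDIRECT with no `-s` match, which is what the original PREROUTING rule lacked. It assumes the 10.99.1.0/24 pool from the quoted ipsec.conf, eth0 as the WAN interface, and constructed iptables-save excerpts; the function names are made up.

```shell
#!/bin/sh
# Added example (not from the thread): emit the two NAT rules from the reply,
# scoped to the VPN address pool, and audit an iptables-save dump for nat
# REDIRECT rules that carry no "-s" source match. The pool default is the
# rightsourceip from the poster's ipsec.conf; the other names are assumed.

VPN_NET="${VPN_NET:-10.99.1.0/24}"   # pool strongSwan hands out to clients
WAN_IF="${WAN_IF:-eth0}"             # interface towards the internet
SQUID_PORT="${SQUID_PORT:-3128}"     # Squid's intercept listener

# Print the rules (default) or run them with "apply" (needs root).
vpn_proxy_rules() {
    mode="${1:-print}"
    for rule in \
        "iptables -t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE" \
        "iptables -t nat -I PREROUTING -s $VPN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
    do
        # $rule is deliberately unquoted so the shell splits it into argv.
        if [ "$mode" = apply ]; then $rule; else echo "$rule"; fi
    done
}

# Return 0 when every nat PREROUTING REDIRECT in the dump has a -s match,
# 1 otherwise. A REDIRECT without -s sends port 80 from any host that
# reaches the interface to Squid, not just from VPN clients.
audit_redirect() {
    bad=$(printf '%s\n' "$1" | grep -- '-A PREROUTING' | grep -- '-j REDIRECT' \
          | grep -vc -- ' -s ' || true)
    [ "$bad" -eq 0 ]
}

# Constructed iptables-save excerpts: the poster's interface-wide rule, and
# the reply's source-scoped rule.
BROAD_DUMP='*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 10.99.1.0/24 -j MASQUERADE
COMMIT'
SCOPED_DUMP='*nat
-A PREROUTING -s 10.99.1.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 10.99.1.0/24 -o eth0 -j MASQUERADE
COMMIT'

vpn_proxy_rules
for dump in "$BROAD_DUMP" "$SCOPED_DUMP"; do
    if audit_redirect "$dump"; then echo "audit: ok"; else echo "audit: unscoped REDIRECT"; fi
done
```

Run `audit_redirect "$(iptables-save -t nat)"` on the live box to check the installed rules rather than the constructed excerpts.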