[strongSwan] Connect strongSwan and Squid on same server

Moataz Elmasry moataz.elmasry2 at gmail.com
Wed Jan 18 17:58:40 CET 2017


Correct. No additional rules should be needed

On 01/18/2017 05:47 PM, Varun Singh wrote:
> On Wed, Jan 18, 2017 at 10:11 PM, Moataz Elmasry
> <moataz.elmasry2 at gmail.com> wrote:
>> Hi,
>>
>> I just had a similar problem, here's how I solved it:
>> - Assume strongswan is configured to hand out IPs from 10.3.0.0/16
>> Then:
>> iptables -t nat -A POSTROUTING -s 10.3.0.0/16 -o eth0 -j MASQUERADE
>> iptables -t nat -I PREROUTING  -s 10.3.0.0/16 -p tcp --dport 80 -j REDIRECT --to-ports 3128
>>
>> The first rule will masquerade the traffic as usual from the private to the
>> public network. You need this anyway.
>> The second rule will redirect the traffic ONLY from your subnet to Squid.
>>
>>
>>
>>
>> On 01/18/2017 05:33 PM, Varun Singh wrote:
>>> Hi,
>>> I have installed strongSwan and Squid HTTP Proxy on the same Ubuntu
>>> 16.04 server and I am trying to connect both. By connect I mean, I am
>>> trying to achieve following:
>>>
>>> [VPN Client] <------> [VPN Server] <-> [Squid] <------> [Internet]
>>>
>>> My objective is to connect a VPN client to the VPN server and use Squid
>>> for filtering out blocked URLs. strongSwan and Squid work fine on
>>> their own. I can access the internet when connected to the VPN server and also
>>> when the HTTP Proxy is configured without VPN.
>>>
>>> From what I understand, to achieve what I want, I am supposed to
>>> redirect incoming HTTP traffic from port 80 to port using IPTables. I
>>> enter the following IPTables rule:
>>>
>>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>>>
>>> Once I do this and try to access the internet from a connected VPN client,
>>> I get an error. Pasting a log of /var/log/squid/access.log
>>>
>>>
>>> My /etc/squid/squid.conf file has only one change and that is:
>>> http_access allow all
>>>
>>>
>>>
>>> Following is my /etc/ipsec.conf file:
>>> config setup
>>>    strictcrlpolicy=no
>>>    uniqueids = no
>>>
>>> conn %default
>>>    mobike=yes
>>>    dpdaction=clear
>>>    dpddelay=35s
>>>    dpdtimeout=200s
>>>    fragmentation=yes
>>>
>>> conn iOS-IKEV2
>>>    auto=add
>>>    keyexchange=ike
>>>    eap_identity=%any
>>>    left=%any
>>>    leftsubnet=0.0.0.0/0
>>>    rightsubnet=10.99.1.0/24
>>>    leftauth=psk
>>>    leftid=%any
>>>    right=%any
>>>    rightsourceip=10.99.1.0/24
>>>    rightauth=eap-mschapv2
>>>    rightid=%any
>>>
>>> Following are my NAT IPTables entries. I get these by entering sudo
>>> iptables -t nat -L
>>>
>>> Chain PREROUTING (policy ACCEPT)
>>> target     prot opt source               destination
>>> REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 3128
>>>
>>> Chain INPUT (policy ACCEPT)
>>> target     prot opt source               destination
>>>
>>> Chain OUTPUT (policy ACCEPT)
>>> target     prot opt source               destination
>>>
>>> Chain POSTROUTING (policy ACCEPT)
>>> target     prot opt source               destination
>>> MASQUERADE  all  --  10.99.1.0/24  anywhere
>>>
>>>
>>>
>>> If any of you have faced this problem before and were able to resolve
>>> it, can you please help me? Thanks.
>>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>
> Thanks. Did you use any other iptables rules for strongSwan? From what
> I understand:
>
> This is needed for strongSwan
> iptables -t nat -A POSTROUTING -s 10.3.0.0/16 -o eth0 -j MASQUERADE
>
>
> And this will be needed to connect strongSwan with Squid
> iptables -t nat -I PREROUTING  -s 10.3.0.0/16 -p tcp --dport 80 -j REDIRECT
>
> is that correct?
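As an added check (not code from the thread or from the strongSwan or Squid projects): this Python parses an `iptables -t nat -L` listing like the one quoted above and flags a PREROUTING REDIRECT whose source column is `anywhere`, which is the difference between Varun's rule and the pool-scoped one Moataz gives; it also emits that scoped pair for a given VPN pool. The listing below is a constructed, abridged copy of the one in the thread, and the interface and port defaults are assumptions.

```python
import ipaddress

# Constructed sample, abridged from the `iptables -t nat -L` listing in the
# thread (empty INPUT/OUTPUT chains left out, wrapped REDIRECT line rejoined).
NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 3128

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  10.99.1.0/24  anywhere
"""

def parse_nat_listing(text):
    """Turn `iptables -t nat -L` output into rule dicts tagged with their chain."""
    rules, chain = [], None
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "target":   # blank line or column header
            continue
        if parts[0] == "Chain":
            chain = parts[1]
            continue
        target, prot, _opt, source, dest = parts[:5]
        rules.append({"chain": chain, "target": target, "prot": prot,
                      "source": source, "destination": dest,
                      "extra": " ".join(parts[5:])})
    return rules

def source_within(source, vpn_pool):
    """True when a rule's source column is confined to the VPN address pool."""
    if source == "anywhere":
        return False
    net = ipaddress.ip_network(source, strict=False)
    return net.subnet_of(ipaddress.ip_network(vpn_pool))

def unscoped_redirects(rules, vpn_pool):
    """PREROUTING REDIRECTs that also send non-VPN port-80 traffic into Squid."""
    return [r for r in rules if r["chain"] == "PREROUTING"
            and r["target"] == "REDIRECT" and not source_within(r["source"], vpn_pool)]

def scoped_rules(vpn_pool, wan_if="eth0", squid_port=3128):
    """The two rules from the thread, with the REDIRECT limited to the VPN pool."""
    return [
        f"iptables -t nat -A POSTROUTING -s {vpn_pool} -o {wan_if} -j MASQUERADE",
        f"iptables -t nat -I PREROUTING -s {vpn_pool} -p tcp --dport 80 "
        f"-j REDIRECT --to-ports {squid_port}",
    ]
```

Run it against `iptables -t nat -L` output from the server to confirm the REDIRECT is limited to the pool handed out by `rightsourceip`.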



