[strongSwan] Connect strongSwan and Squid on same server
Moataz Elmasry
moataz.elmasry2 at gmail.com
Wed Jan 18 17:58:40 CET 2017
Correct. No additional rules should be needed.
On 01/18/2017 05:47 PM, Varun Singh wrote:
> On Wed, Jan 18, 2017 at 10:11 PM, Moataz Elmasry
> <moataz.elmasry2 at gmail.com> wrote:
>> Hi,
>>
>> I just had a similar problem, here's how I solved it:
>> - Assume strongswan is configured to hand out IPs from 10.3.0.0/16
>> Then:
>> iptables -t nat -A POSTROUTING -s 10.3.0.0/16 -o eth0 -j MASQUERADE
>> iptables -t nat -I PREROUTING -s 10.3.0.0/16 -p tcp --dport 80 -j REDIRECT --to-ports 3128
>>
>> The first rule will masquerade the traffic as usual from the private to the
>> public network. You need this anyway.
>> The second rule will redirect the traffic ONLY from your subnet to squid.
>>
>>
>>
>>
>> On 01/18/2017 05:33 PM, Varun Singh wrote:
>>> Hi,
>>> I have installed strongSwan and Squid HTTP Proxy on the same Ubuntu
>>> 16.04 server and I am trying to connect both. By connect I mean, I am
>>> trying to achieve following:
>>>
>>> [VPN Client] <------> [VPN Server] <-> [Squid] <------> [Internet]
>>>
>>> My objective is to connect a VPN client to VPN server and use Squid
>>> for filtering out blocked Urls. strongSwan and Squid work fine on
>>> their own. I can access internet when connected to VPN server and also
>>> when configured HTTP Proxy without VPN.
>>>
>>> From what I understand, to achieve what I want, I am supposed to
>>> redirect incoming HTTP traffic from port 80 to port using IPTables. I
>>> enter following IPTables rule:
>>>
>>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>>>
>>> Once I do this and try to access the internet from a connected VPN client,
>>> I get an error. Pasting a log of /var/log/squid/access.log:
>>>
>>>
>>> 1484738365.632 0 114.143.194.190 TCP_DENIED/403 4066 CONNECT
>>> api-glb-sin.smoot.apple.com:443 - HIER_NONE/- text/html
>>> 1484738365.642 0 114.143.194.190 TCP_DENIED/403 4870 GET
>>>
>>> http://www.apple.com/ac/globalfooter/2.0/en_US/styles/ac-globalfooter.built.css
>>> - HIER_NONE/- text/html
>>> 1484738365.643 0 114.143.194.190 TCP_DENIED/403 4852 GET
>>> http://www.apple.com/ac/globalnav/2.0/en_US/styles/ac-globalnav.built.css
>>> - HIER_NONE/- text/html
>>> 1484738365.731 0 114.143.194.190 TCP_DENIED/403 4753 GET
>>> http://www.apple.com/wss/fonts/? - HIER_NONE/- text/html
>>> 1484738365.760 0 114.143.194.190 TCP_DENIED/403 4817 GET
>>> http://www.apple.com/metrics/ac-analytics/1.1/scripts/ac-analytics.js
>>> - HIER_NONE/- text/html
>>> 1484738367.798 0 114.143.194.190 TCP_DENIED/403 4066 CONNECT
>>> init.itunes.apple.com:443 - HIER_NONE/- text/html
>>> 1484738367.922 0 114.143.194.190 TCP_DENIED/403 4334 GET
>>> http://www.apple.com/apple-touch-icon-76x76-precomposed.png -
>>> HIER_NONE/- text/html
>>> 1484738367.963 0 114.143.194.190 TCP_DENIED/403 4025 CONNECT
>>> gsp10-ssl.apple.com:443 - HIER_NONE/- text/html
>>> 1484738368.036 0 114.143.194.190 TCP_DENIED/403 4298 GET
>>> http://www.apple.com/apple-touch-icon-76x76.png - HIER_NONE/-
>>> text/html
>>> 1484738368.148 0 114.143.194.190 TCP_DENIED/403 4352 GET
>>> http://www.apple.com/apple-touch-icon.png - HIER_NONE/- text/html
>>> 1484738368.255 0 114.143.194.190 TCP_DENIED/403 4352 GET
>>> http://www.apple.com/apple-touch-icon.png - HIER_NONE/- text/html
>>> 1484738368.296 0 114.143.194.190 TCP_DENIED/403 4316 GET
>>> http://www.apple.com/apple-touch-icon-precomposed.png - HIER_NONE/-
>>> text/html
>>> 1484738368.348 0 114.143.194.190 TCP_DENIED/403 4253 GET
>>> http://www.apple.com/favicon.ico - HIER_NONE/- text/html
>>> 1484738376.374 0 114.143.194.190 TCP_DENIED/403 4655 GET
>>> http://www.apple.com/ - HIER_NONE/- text/html
>>> 1484738376.456 0 114.143.194.190 TCP_DENIED/403 4711 GET
>>> http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png -
>>> HIER_NONE/- text/html
>>> 1484738385.761 0 114.143.194.190 TCP_DENIED/403 4655 GET
>>> http://www.apple.com/ - HIER_NONE/- text/html
>>> 1484738385.828 0 114.143.194.190 TCP_DENIED/403 4747 GET
>>> http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png -
>>> HIER_NONE/- text/html
>>> 1484738858.272 0 10.99.1.1 TAG_NONE/400 4154 GET
>>>
>>> /assets/com_apple_MobileAsset_SafariCloudHistoryConfiguration/com_apple_MobileAsset_SafariCloudHistoryConfiguration.xml
>>> - HIER_NONE/- text/html
>>> 1484738858.990 0 10.99.1.1 TAG_NONE/400 4004 GET
>>> /us/shop/bag/status?apikey=SFX9YPYY9PPXCU9KH - HIER_NONE/- text/html
>>> 1484738860.362 0 10.99.1.1 TAG_NONE/400 5350 GET
>>>
>>> /b/ss/appleglobal,applehome,applestoreww,applestoreamr,applestoreus/1/H.27/s5505031635984?AQB=1&ndh=1&t=18%2F0%2F2017%2016%3A57%3A40%203%20-330&fid=21A4DCCB11396F92-26B205C305B2B2DF&pageName=apple%20-%20index%2Ftab%20%28us%29&g=http%3A%2F%2Fwww.apple.com%2F&cc=USD&ch=www.us.homepage&server=new%20approach%20ac-analytics&v3=aos%3A%20us&c4=D%3Dg&c5=ipad&c9=ios%209.3.5&c19=aos%3A%20us%3A%20apple%20-%20index%2Ftab%20%28us%29&c20=aos%3A%20us&c25=direct%20entry&c48=4&c49=D%3D2C39962A85032063-4000118780008FDC&v54=http%3A%2F%2Fwww.apple.com%2F&h1=www.us.homepage&s=768x1024&c=32&j=1.6&v=N&k=Y&bw=768&bh=960&AQE=1
>>> - HIER_NONE/- text/html
>>> 1484739056.258 0 10.99.1.1 TAG_NONE/400 3918 GET / - HIER_NONE/-
>>> text/html
>>> 1484739056.480 0 10.99.1.1 TCP_DENIED/403 4290 GET
>>> http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png -
>>> HIER_NONE/- text/html
>>> 1484739057.106 0 10.99.1.1 TAG_NONE/400 3994 GET
>>> /apple-touch-icon-76x76-precomposed.png - HIER_NONE/- text/html
>>> 1484739057.166 0 10.99.1.1 TAG_NONE/400 3970 GET
>>> /apple-touch-icon-76x76.png - HIER_NONE/- text/html
>>> 1484739057.211 0 10.99.1.1 TAG_NONE/400 3958 GET
>>> /apple-touch-icon.png - HIER_NONE/- text/html
>>> 1484739057.267 0 10.99.1.1 TAG_NONE/400 3958 GET
>>> /apple-touch-icon.png - HIER_NONE/- text/html
>>> 1484739057.340 0 10.99.1.1 TAG_NONE/400 3982 GET
>>> /apple-touch-icon-precomposed.png - HIER_NONE/- text/html
>>> 1484739057.436 0 10.99.1.1 TAG_NONE/400 3940 GET /favicon.ico -
>>> HIER_NONE/- text/html
>>> 1484739060.563 0 10.99.1.1 TAG_NONE/400 3924 GET /bag -
>>> HIER_NONE/- text/html
>>> 1484739071.241 0 10.99.1.1 TAG_NONE/400 3918 GET / - HIER_NONE/-
>>> text/html
>>> 1484739071.439 0 10.99.1.1 TCP_DENIED/403 4290 GET
>>> http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png -
>>> HIER_NONE/- text/html
>>> 1484739092.972 0 10.99.1.1 TAG_NONE/400 3918 GET / - HIER_NONE/-
>>> text/html
>>> 1484739093.151 0 10.99.1.1 TCP_DENIED/403 4621 GET
>>> http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png -
>>> HIER_NONE/- text/html
>>> 1484739093.306 0 10.99.1.1 TAG_NONE/400 3994 GET
>>> /apple-touch-icon-76x76-precomposed.png - HIER_NONE/- text/html
>>> 1484739093.364 0 10.99.1.1 TAG_NONE/400 3970 GET
>>> /apple-touch-icon-76x76.png - HIER_NONE/- text/html
>>> 1484739093.427 0 10.99.1.1 TAG_NONE/400 3958 GET
>>> /apple-touch-icon.png - HIER_NONE/- text/html
>>> 1484739093.480 0 10.99.1.1 TAG_NONE/400 3958 GET
>>> /apple-touch-icon.png - HIER_NONE/- text/html
>>> 1484739093.529 0 10.99.1.1 TAG_NONE/400 3982 GET
>>> /apple-touch-icon-precomposed.png - HIER_NONE/- text/html
>>> 1484739093.578 0 10.99.1.1 TAG_NONE/400 3940 GET /favicon.ico -
>>> HIER_NONE/- text/html
>>> 1484741172.545 0 123.240.104.249 TAG_NONE/400 3924 GET / -
>>> HIER_NONE/- text/html
>>> 1484742330.250 0 10.99.1.2 TAG_NONE/400 4444 NONE
>>> error:invalid-request - HIER_NONE/- text/html
>>> 1484742335.479 0 10.99.1.2 TAG_NONE/400 4220
>>>
>>> %E1%89%C5%01%DCd%95A-%D0%16%9B%98%7F7%D3%12%80%F3%BB%A4mm%13%60%B4%E1%B7%D9%C0j%11
>>> - HIER_NONE/- text/html
>>> 1484742335.538 0 10.99.1.2 TAG_NONE/400 4234
>>>
>>> %BB%E1%89%C5%01%DCd%95A-%D0%16%9B%98%7F7%D3%12%80%F3%BB%A4mm%13%60%B4%E1%B7%D9%C0j%11
>>> - HIER_NONE/- text/html
>>> 1484742335.605 0 10.99.1.2 TAG_NONE/400 4444 NONE
>>> error:invalid-request - HIER_NONE/- text/html
>>> 1484742335.691 0 10.99.1.2 TAG_NONE/400 4444 NONE
>>> error:invalid-request - HIER_NONE/- text/html
>>> 1484742339.640 0 10.99.1.2 TAG_NONE/400 4022
>>> %C6%CF%91Pv%85%82l%DEbD%1F%E0 - HIER_NONE/- text/html
>>> 1484742339.697 0 10.99.1.2 TAG_NONE/400 3918 GET / - HIER_NONE/-
>>> text/html
>>> 1484742339.885 0 10.99.1.2 TCP_DENIED/403 4556 GET
>>> http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png -
>>> HIER_NONE/- text/html
>>> 1484742340.105 0 10.99.1.2 TAG_NONE/400 3994 GET
>>> /apple-touch-icon-76x76-precomposed.png - HIER_NONE/- text/html
>>> 1484742340.195 0 10.99.1.2 TAG_NONE/400 3970 GET
>>> /apple-touch-icon-76x76.png - HIER_NONE/- text/html
>>> 1484742340.258 0 10.99.1.2 TAG_NONE/400 3958 GET
>>> /apple-touch-icon.png - HIER_NONE/- text/html
>>> 1484742340.309 0 10.99.1.2 TAG_NONE/400 3958 GET
>>> /apple-touch-icon.png - HIER_NONE/- text/html
>>> 1484742340.359 0 10.99.1.2 TAG_NONE/400 3982 GET
>>> /apple-touch-icon-precomposed.png - HIER_NONE/- text/html
>>> 1484742340.413 0 10.99.1.2 TAG_NONE/400 3940 GET /favicon.ico -
>>> HIER_NONE/- text/html
>>> 1484742378.858 0 10.99.1.2 TAG_NONE/400 4444 NONE
>>> error:invalid-request - HIER_NONE/- text/html
>>> 1484742510.612 0 10.99.1.2 TAG_NONE/400 4444 NONE
>>> error:invalid-request - HIER_NONE/- text/html
>>> 1484742517.730 0 10.99.1.2 TAG_NONE/400 4444 NONE
>>> error:invalid-request - HIER_NONE/- text/html
>>> 1484744550.653 0 10.99.1.2 TAG_NONE/400 4174 GET
>>>
>>> /MFYwVKADAgEAME0wSzBJMAkGBSsOAwIaBQAEFHQkFGcGn%2FXgmD9ePhproGUqVBV1BBQBWavn3ToLWaZkY9bPIAdX1ZHnagIQBHT%2BRrNCtgO6lb6fVDjflA%3D%3D
>>> - HIER_NONE/- text/html
>>> 1484744597.163 0 10.99.1.1 TAG_NONE/400 4022 GET
>>> /ac/globalnav/2.0/en_US/styles/ac-globalnav.built.css - HIER_NONE/-
>>> text/html
>>> 1484744597.361 0 10.99.1.1 TAG_NONE/400 4034 GET
>>> /ac/globalfooter/2.0/en_US/scripts/ac-globalfooter.built.js -
>>> HIER_NONE/- text/html
>>> 1484744599.970 0 10.99.1.1 TAG_NONE/400 5352 GET
>>>
>>> /b/ss/appleglobal,applehome,applestoreww,applestoreamr,applestoreus/1/H.27/s62860188740305?AQB=1&ndh=1&t=18%2F0%2F2017%2018%3A33%3A19%203%20-330&fid=21A4DCCB11396F92-26B205C305B2B2DF&pageName=apple%20-%20index%2Ftab%20%28us%29&g=http%3A%2F%2Fwww.apple.com%2F&cc=USD&ch=www.us.homepage&server=new%20approach%20ac-analytics&v3=aos%3A%20us&c4=D%3Dg&c5=ipad&c9=ios%209.3.5&c19=aos%3A%20us%3A%20apple%20-%20index%2Ftab%20%28us%29&c20=aos%3A%20us&c25=direct%20entry&c48=2&c49=D%3D2C39962A85032063-4000118780008FDC&v54=http%3A%2F%2Fwww.apple.com%2F&h1=www.us.homepage&s=768x1024&c=32&j=1.6&v=N&k=Y&bw=768&bh=960&AQE=1
>>> - HIER_NONE/- text/html
>>> 1484744606.878 0 10.99.1.1 TAG_NONE/400 4022 GET
>>> /ac/globalnav/2.0/en_US/styles/ac-globalnav.built.css - HIER_NONE/-
>>> text/html
>>> 1484744606.879 0 10.99.1.1 TAG_NONE/400 4034 GET
>>> /ac/globalfooter/2.0/en_US/scripts/ac-globalfooter.built.js -
>>> HIER_NONE/- text/html
>>> 1484744608.852 0 10.99.1.1 TAG_NONE/400 5352 GET
>>>
>>> /b/ss/appleglobal,applehome,applestoreww,applestoreamr,applestoreus/1/H.27/s68294376337435?AQB=1&ndh=1&t=18%2F0%2F2017%2018%3A33%3A28%203%20-330&fid=21A4DCCB11396F92-26B205C305B2B2DF&pageName=apple%20-%20index%2Ftab%20%28us%29&g=http%3A%2F%2Fwww.apple.com%2F&cc=USD&ch=www.us.homepage&server=new%20approach%20ac-analytics&v3=aos%3A%20us&c4=D%3Dg&c5=ipad&c9=ios%209.3.5&c19=aos%3A%20us%3A%20apple%20-%20index%2Ftab%20%28us%29&c20=aos%3A%20us&c25=direct%20entry&c48=3&c49=D%3D2C39962A85032063-4000118780008FDC&v54=http%3A%2F%2Fwww.apple.com%2F&h1=www.us.homepage&s=768x1024&c=32&j=1.6&v=N&k=Y&bw=768&bh=960&AQE=1
>>> - HIER_NONE/- text/html
>>> 1484744615.457 0 10.99.1.1 TAG_NONE/400 4022 GET
>>> /ac/globalnav/2.0/en_US/styles/ac-globalnav.built.css - HIER_NONE/-
>>> text/html
>>> 1484744615.526 0 10.99.1.1 TAG_NONE/400 4008 GET
>>> /metrics/ac-analytics/1.1/scripts/auto-init.js - HIER_NONE/- text/html
>>> 1484744615.587 0 10.99.1.1 TAG_NONE/400 4034 GET
>>> /ac/globalfooter/2.0/en_US/scripts/ac-globalfooter.built.js -
>>> HIER_NONE/- text/html
>>> 1484744625.891 0 10.99.1.1 TAG_NONE/400 3952 GET
>>> /retail/geniusbar/ - HIER_NONE/- text/html
>>> 1484744626.062 0 10.99.1.1 TCP_MEM_HIT/200 11731 GET
>>> http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png -
>>> HIER_NONE/- image/png
>>> 1484744643.114 0 10.99.1.1 TAG_NONE/400 3918 GET / - HIER_NONE/-
>>> text/html
>>> 1484744643.268 0 10.99.1.1 TCP_MEM_HIT/200 11731 GET
>>> http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png -
>>> HIER_NONE/- image/png
>>> 1484746410.764 0 108.189.96.202 TAG_NONE/400 3923 GET / -
>>> HIER_NONE/- text/html
>>> 1484751091.543 0 153.142.43.105 TAG_NONE/400 3923 GET / -
>>> HIER_NONE/- text/html
>>>
>>>
>>> My /etc/squid/squid.conf file has only one change and that is:
>>> http_access allow all
>>>
>>>
>>>
>>> Following is my /etc/ipsec.conf file:
>>> # parameter lines must be indented under their section header
>>> config setup
>>>     strictcrlpolicy=no
>>>     uniqueids=no
>>>
>>> conn %default
>>>     mobike=yes
>>>     dpdaction=clear
>>>     dpddelay=35s
>>>     dpdtimeout=200s
>>>     fragmentation=yes
>>>
>>> conn iOS-IKEV2
>>>     auto=add
>>>     keyexchange=ike
>>>     eap_identity=%any
>>>     left=%any
>>>     leftsubnet=0.0.0.0/0
>>>     rightsubnet=10.99.1.0/24
>>>     leftauth=psk
>>>     leftid=%any
>>>     right=%any
>>>     rightsourceip=10.99.1.0/24
>>>     rightauth=eap-mschapv2
>>>     rightid=%any
>>>
>>> Following are the NAT iptables entries. I get this by entering
>>> sudo iptables -t nat -L
>>>
>>> Chain PREROUTING (policy ACCEPT)
>>> target      prot opt source          destination
>>> REDIRECT    tcp  --  anywhere        anywhere        tcp dpt:http redir ports 3128
>>>
>>> Chain INPUT (policy ACCEPT)
>>> target      prot opt source          destination
>>>
>>> Chain OUTPUT (policy ACCEPT)
>>> target      prot opt source          destination
>>>
>>> Chain POSTROUTING (policy ACCEPT)
>>> target      prot opt source          destination
>>> MASQUERADE  all  --  10.99.1.0/24    anywhere
>>>
>>>
>>>
>>> If any of you have faced this problem before and was able to resolve
>>> it, can you please help me? Thanks.
>>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>
> Thanks. Did you use any other iptables rules for strongSwan? From what
> I understand:
>
> This is needed for strongSwan
> iptables -t nat -A POSTROUTING -s 10.3.0.0/16 -o eth0 -j MASQUERADE
>
>
> And this will be needed to connect strongSwan with Squid
> iptables -t nat -I PREROUTING -s 10.3.0.0/16 -p tcp --dport 80 -j REDIRECT --to-ports 3128
>
> is that correct?
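Added example (not from the thread, nor from strongSwan or Squid): a small Python triage of the access.log excerpt quoted above, together with a scope check on the REDIRECT rule. It assumes Squid's native access.log format, the 10.99.1.0/24 pool from the posted ipsec.conf, and that Squid listens on a plain "http_port 3128" with no "intercept" flag, as the posted squid.conf change implies; the category names are mine. The log shows two separate things. Requests from addresses outside the pool (114.143.194.190, 123.240.104.249 and others) reach Squid because "-i eth0 --dport 80" redirects every connection to the server's port 80, not only tunnelled ones; combined with "http_access allow all" that is an open proxy on port 80, and the "-s <pool>" match in the rule suggested above is what closes it. The TAG_NONE/400 entries with relative URLs from 10.99.1.x are Squid rejecting NAT-redirected requests on a forward-proxy port: redirected traffic has to land on a port declared with the "intercept" flag.

```python
"""Triage a Squid access.log from a strongSwan + Squid host where port 80 is
REDIRECTed into Squid, and check whether the REDIRECT rule is scoped to the
VPN pool.  Added example; log lines are a shortened copy of the excerpt in
the thread, rule strings are the two rules posted there."""
import ipaddress
import shlex
from collections import Counter

VPN_POOL = ipaddress.ip_network("10.99.1.0/24")  # rightsourceip in the posted ipsec.conf

# Native access.log format: ts elapsed client result/status bytes method url user hier/peer type
ACCESS_LOG = """\
1484738365.632 0 114.143.194.190 TCP_DENIED/403 4066 CONNECT api-glb-sin.smoot.apple.com:443 - HIER_NONE/- text/html
1484738365.642 0 114.143.194.190 TCP_DENIED/403 4870 GET http://www.apple.com/ac/globalfooter/2.0/en_US/styles/ac-globalfooter.built.css - HIER_NONE/- text/html
1484738858.272 0 10.99.1.1 TAG_NONE/400 4154 GET /assets/com_apple_MobileAsset_SafariCloudHistoryConfiguration/com_apple_MobileAsset_SafariCloudHistoryConfiguration.xml - HIER_NONE/- text/html
1484739056.480 0 10.99.1.1 TCP_DENIED/403 4290 GET http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
1484741172.545 0 123.240.104.249 TAG_NONE/400 3924 GET / - HIER_NONE/- text/html
1484742330.250 0 10.99.1.2 TAG_NONE/400 4444 NONE error:invalid-request - HIER_NONE/- text/html
1484744626.062 0 10.99.1.1 TCP_MEM_HIT/200 11731 GET http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png - HIER_NONE/- image/png
"""


def parse_line(line):
    """Split one native-format access.log line into the fields we need."""
    f = line.split()
    if len(f) < 10:
        raise ValueError("not a native-format access.log line: %r" % line)
    code, _, status = f[3].partition("/")
    return {"ts": float(f[0]), "client": ipaddress.ip_address(f[2]),
            "code": code, "status": int(status), "method": f[5], "url": f[6]}


def classify(entry, pool=VPN_POOL):
    """Name the failure mode one log entry is evidence of."""
    url = entry["url"]
    if "/squid-internal-static/" in url:
        return "error-page-asset"  # browser fetching the icon of Squid's own error page; noise
    if entry["client"] not in pool:
        # The REDIRECT caught a connection that did not arrive through the tunnel.
        # With 'http_access allow all', absolute-URL and CONNECT requests from such
        # hosts are proxied: an open proxy on the server's port 80.
        return "non-vpn-client"
    if entry["status"] == 400 and (url.startswith("/") or url.startswith("error:")):
        # A NAT-redirected request carries a relative URL; a plain forward-proxy
        # http_port rejects it with 400.  The port needs the 'intercept' flag.
        return "intercept-mode-missing"
    if entry["code"] == "TCP_DENIED":
        return "denied-by-http_access"
    return "ok"


def triage(log_text):
    """Count entries per failure mode and collect source addresses outside the pool."""
    counts, outsiders = Counter(), set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        cat = classify(entry)
        counts[cat] += 1
        if cat == "non-vpn-client":
            outsiders.add(str(entry["client"]))
    return counts, sorted(outsiders)


def redirect_rule_scope(rule, pool=VPN_POOL):
    """'scoped' if an iptables REDIRECT rule limits its source (-s/--source/--src)
    to the VPN pool, 'unscoped' if it has no source match at all,
    'other-source' if it matches some other network, 'not-a-redirect' otherwise."""
    argv = shlex.split(rule)
    j = argv.index("-j") if "-j" in argv else -1
    if j < 0 or j + 1 >= len(argv) or argv[j + 1] != "REDIRECT":
        return "not-a-redirect"
    for flag in ("-s", "--source", "--src"):
        if flag in argv:
            src = ipaddress.ip_network(argv[argv.index(flag) + 1], strict=False)
            return "scoped" if src.subnet_of(pool) else "other-source"
    return "unscoped"


# The rule from the original question and the suggested form with the pool as source.
ORIGINAL_RULE = "iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128"
SUGGESTED_RULE = "iptables -t nat -I PREROUTING -s 10.99.1.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3128"

if __name__ == "__main__":
    counts, outsiders = triage(ACCESS_LOG)
    for cat, n in counts.most_common():
        print("%-24s %d" % (cat, n))
    print("non-VPN clients reaching Squid:", ", ".join(outsiders))
    for rule in (ORIGINAL_RULE, SUGGESTED_RULE):
        print(redirect_rule_scope(rule), "<-", rule)
```

The scope check deliberately reports "other-source" when the -s network is not inside the pool (for example the 10.3.0.0/16 used in the reply above against a 10.99.1.0/24 pool), because a REDIRECT scoped to the wrong prefix still leaves the VPN clients unfiltered. Note that port-80 interception covers plain HTTP only; the CONNECT entries in the log are clients speaking to a forward proxy, and TLS traffic on 443 is not filtered by this setup.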