[strongSwan] Cannot ping machines on remote local network

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Tue Sep 5 12:36:47 CEST 2017


Hi,

I just noticed that your NAT rules cause problems if you try to initiate connections to the RW, too.
Read and apply the advice from the article about NAT problems[1].

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#General-NAT-problems


On 05.09.2017 12:32, Ric S wrote:
> On Tuesday, 5 September 2017 11:28:59 CEST Noel Kuntze wrote:
>> Hi,
>>
>>> ifconfig
>>
>> Please don't use the net-tools. Use iproute2. The net-tools are woefully
>> inadequate for this day and age. They are deprecated since the early 2000s.
>>
>> Please provide the output of `ip address`, `ip route show table all`, `ip
>> rule` and `sysctl -A | grep rp_filter`.
>>
>> I suspect that at least the rp_filter needs to be set to 2.
> 
> I just set all interfaces to 2, still no go.
> 
> 
> 
> root at titan:~# ip address
> 1: lo: <LOOPBACK,MULTICAST,UP,10000> mtu 65536 qdisc noqueue qlen 1
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
>        valid_lft forever preferred_lft forever
>     inet6 ::1/128 scope host 
>        valid_lft forever preferred_lft forever
> 2: teql0: <NOARP> mtu 1500 qdisc noop qlen 100
>     link/void 
> 3: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc fq_codel qlen 1000
>     link/ether a0:63:91:ea:2e:14 brd ff:ff:ff:ff:ff:ff
>     inet6 fe80::a263:91ff:feea:2e14/64 scope link 
>        valid_lft forever preferred_lft forever
> 4: vlan1 at eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue master br0 
>     link/ether a0:63:91:ea:2e:14 brd ff:ff:ff:ff:ff:ff
>     inet6 fe80::a263:91ff:feea:2e14/64 scope link 
>        valid_lft forever preferred_lft forever
> 5: vlan2 at eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue 
>     link/ether a0:63:91:ea:2e:15 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.5.254/24 brd 192.168.5.255 scope global vlan2:0
>        valid_lft forever preferred_lft forever
>     inet6 fe80::a263:91ff:feea:2e15/64 scope link 
>        valid_lft forever preferred_lft forever
> 6: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc fq_codel master br0 qlen 1000
>     link/ether a0:63:91:ea:2e:16 brd ff:ff:ff:ff:ff:ff
>     inet6 fe80::a263:91ff:feea:2e16/64 scope link 
>        valid_lft forever preferred_lft forever
> 7: eth2: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc fq_codel master br0 qlen 1000
>     link/ether a0:63:91:ea:2e:17 brd ff:ff:ff:ff:ff:ff
>     inet6 fe80::a263:91ff:feea:2e17/64 scope link 
>        valid_lft forever preferred_lft forever
> 9: wl0.1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc fq_codel qlen 1000
>     link/ether a2:63:91:ea:2e:17 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.10.1/24 brd 192.168.10.255 scope global wl0.1
>        valid_lft forever preferred_lft forever
>     inet6 fe80::a063:91ff:feea:2e17/64 scope link 
>        valid_lft forever preferred_lft forever
> 10: wl1.1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc fq_codel qlen 1000
>     link/ether a2:63:91:ea:2e:18 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.9.1/24 brd 192.168.9.255 scope global wl1.1
>        valid_lft forever preferred_lft forever
>     inet6 fe80::a063:91ff:feea:2e18/64 scope link 
>        valid_lft forever preferred_lft forever
> 12: br0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue qlen 1000
>     link/ether a0:63:91:ea:2e:16 brd ff:ff:ff:ff:ff:ff
>     inet 169.254.255.1/16 brd 169.254.255.255 scope global br0:0
>        valid_lft forever preferred_lft forever
>     inet 192.168.0.1/24 brd 192.168.0.255 scope global br0
>        valid_lft forever preferred_lft forever
>     inet6 fe80::a263:91ff:feea:2e16/64 scope link 
>        valid_lft forever preferred_lft forever
> 13: ppp0: <POINTOPOINT,MULTICAST,UP,10000> mtu 1492 qdisc fq_codel qlen 3
>     link/ppp 
>     inet 87.168.251.19 peer 62.155.242.107/32 brd 87.168.251.19 scope global ppp0
>        valid_lft forever preferred_lft forever
> root at titan:~# ip route show table all
> 192.168.0.121 via 62.155.242.107 dev ppp0  table 220  proto static  src 192.168.0.1 
> default via 62.155.242.107 dev ppp0 
> 62.155.242.107 dev ppp0  proto kernel  scope link  src 87.168.251.19 
> 127.0.0.0/8 dev lo  scope link 
> 169.254.0.0/16 dev br0  proto kernel  scope link  src 169.254.255.1 
> 192.168.0.0/24 dev br0  proto kernel  scope link  src 192.168.0.1 
> 192.168.5.0/24 dev vlan2  proto kernel  scope link  src 192.168.5.254 
> 192.168.9.0/24 dev wl1.1  proto kernel  scope link  src 192.168.9.1 
> 192.168.10.0/24 dev wl0.1  proto kernel  scope link  src 192.168.10.1 
> local 87.168.251.19 dev ppp0  table local  proto kernel  scope host  src 87.168.251.19 
> broadcast 87.168.251.19 dev ppp0  table local  proto kernel  scope link  src 87.168.251.19 
> broadcast 127.0.0.0 dev lo  table local  proto kernel  scope link  src 127.0.0.1 
> local 127.0.0.0/8 dev lo  table local  proto kernel  scope host  src 127.0.0.1 
> local 127.0.0.1 dev lo  table local  proto kernel  scope host  src 127.0.0.1 
> broadcast 127.255.255.255 dev lo  table local  proto kernel  scope link  src 127.0.0.1 
> broadcast 169.254.0.0 dev br0  table local  proto kernel  scope link  src 169.254.255.1 
> local 169.254.255.1 dev br0  table local  proto kernel  scope host  src 169.254.255.1 
> broadcast 169.254.255.255 dev br0  table local  proto kernel  scope link  src 169.254.255.1 
> broadcast 192.168.0.0 dev br0  table local  proto kernel  scope link  src 192.168.0.1 
> local 192.168.0.1 dev br0  table local  proto kernel  scope host  src 192.168.0.1 
> broadcast 192.168.0.255 dev br0  table local  proto kernel  scope link  src 192.168.0.1 
> broadcast 192.168.5.0 dev vlan2  table local  proto kernel  scope link  src 192.168.5.254 
> local 192.168.5.254 dev vlan2  table local  proto kernel  scope host  src 192.168.5.254 
> broadcast 192.168.5.255 dev vlan2  table local  proto kernel  scope link  src 192.168.5.254 
> broadcast 192.168.9.0 dev wl1.1  table local  proto kernel  scope link  src 192.168.9.1 
> local 192.168.9.1 dev wl1.1  table local  proto kernel  scope host  src 192.168.9.1 
> broadcast 192.168.9.255 dev wl1.1  table local  proto kernel  scope link  src 192.168.9.1 
> broadcast 192.168.10.0 dev wl0.1  table local  proto kernel  scope link  src 192.168.10.1 
> local 192.168.10.1 dev wl0.1  table local  proto kernel  scope host  src 192.168.10.1 
> broadcast 192.168.10.255 dev wl0.1  table local  proto kernel  scope link  src 192.168.10.1 
> unreachable default dev lo  table unspec  proto kernel  metric -1  error -101
> fe80::/64 dev eth0  proto kernel  metric 256 
> fe80::/64 dev vlan1  proto kernel  metric 256 
> fe80::/64 dev br0  proto kernel  metric 256 
> fe80::/64 dev eth1  proto kernel  metric 256 
> fe80::/64 dev wl0.1  proto kernel  metric 256 
> fe80::/64 dev eth2  proto kernel  metric 256 
> fe80::/64 dev wl1.1  proto kernel  metric 256 
> fe80::/64 dev vlan2  proto kernel  metric 256 
> unreachable default dev lo  table unspec  proto kernel  metric -1  error -101
> local ::1 dev lo  table local  proto none  metric 0 
> local fe80::a063:91ff:feea:2e17 dev lo  table local  proto none  metric 0 
> local fe80::a063:91ff:feea:2e18 dev lo  table local  proto none  metric 0 
> local fe80::a263:91ff:feea:2e14 dev lo  table local  proto none  metric 0 
> local fe80::a263:91ff:feea:2e14 dev lo  table local  proto none  metric 0 
> local fe80::a263:91ff:feea:2e15 dev lo  table local  proto none  metric 0 
> local fe80::a263:91ff:feea:2e16 dev lo  table local  proto none  metric 0 
> local fe80::a263:91ff:feea:2e16 dev lo  table local  proto none  metric 0 
> local fe80::a263:91ff:feea:2e17 dev lo  table local  proto none  metric 0 
> ff00::/8 dev eth0  table local  metric 256 
> ff00::/8 dev vlan1  table local  metric 256 
> ff00::/8 dev br0  table local  metric 256 
> ff00::/8 dev eth1  table local  metric 256 
> ff00::/8 dev wl0.1  table local  metric 256 
> ff00::/8 dev eth2  table local  metric 256 
> ff00::/8 dev wl1.1  table local  metric 256 
> ff00::/8 dev vlan2  table local  metric 256 
> unreachable default dev lo  table unspec  proto kernel  metric -1  error -101
> root at titan:~# ip rule
> 0:      from all lookup local 
> 220:    from all lookup 220 
> 32766:  from all lookup main 
> 32767:  from all lookup default 
> root at titan:~# sysctl -A | grep rp_filter
> net.ipv4.conf.all.arp_filter = 0
> net.ipv4.conf.all.rp_filter = 2
> net.ipv4.conf.br0.arp_filter = 0
> net.ipv4.conf.br0.rp_filter = 2
> net.ipv4.conf.default.arp_filter = 0
> net.ipv4.conf.default.rp_filter = 2
> net.ipv4.conf.eth0.arp_filter = 0
> net.ipv4.conf.eth0.rp_filter = 2
> net.ipv4.conf.eth1.arp_filter = 0
> net.ipv4.conf.eth1.rp_filter = 2
> net.ipv4.conf.eth2.arp_filter = 0
> net.ipv4.conf.eth2.rp_filter = 2
> net.ipv4.conf.lo.arp_filter = 0
> net.ipv4.conf.lo.rp_filter = 2
> net.ipv4.conf.ppp0.arp_filter = 0
> net.ipv4.conf.ppp0.rp_filter = 2
> net.ipv4.conf.teql0.arp_filter = 0
> net.ipv4.conf.teql0.rp_filter = 2
> net.ipv4.conf.vlan1.arp_filter = 0
> net.ipv4.conf.vlan1.rp_filter = 2
> net.ipv4.conf.vlan2.arp_filter = 0
> net.ipv4.conf.vlan2.rp_filter = 2
> net.ipv4.conf.wl0.1.arp_filter = 0
> net.ipv4.conf.wl0.1.rp_filter = 2
> net.ipv4.conf.wl1.1.arp_filter = 0
> net.ipv4.conf.wl1.1.rp_filter = 2
> 
> 
>>
>>> Just a dynamic ip, who cares.
>>
>> Enough people that it's RFC'd[1].
> 
> 
> Sure but it doesn't hurt and makes sure you got the right info.
> 
>>
>> Kind regards
>>
>> Noel
>>
>> [1] https://tools.ietf.org/html/rfc1918#section-3
>>
>> On 05.09.2017 11:06, Ric S wrote:
>>> Current configs now:
>>>
>>> strongswan.conf:
>>>
>>> charon {
>>> plugins {
>>>
>>>         dhcp {
>>>         force_server_address = yes
>>>         server = 192.168.0.1
>>>         identity_lease = yes
>>>         }
>>>         farp {
>>>         load = yes
>>>         }
>>>
>>> }}
>>>
>>> dns1 = 8.8.8.8
>>> dns1 = 8.8.8.4
>>>
>>> ipsec.conf:
>>>
>>> config setup
>>>
>>>  charondebug="net 2, knl 2, cfg 2"
>>>
>>> conn ikev2
>>>
>>>  keyexchange=ikev2
>>>  ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes2
>>>  esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm
>>>  dpdaction=clear
>>>  dpddelay=60s
>>>  leftfirewall=yes
>>>  lefthostaccess=yes
>>>  leftid=carone.ddns.net
>>>  leftsubnet=192.168.0.0/24
>>>  leftcert=host-vpn.der
>>>  leftsendcert=always
>>>  right=%any
>>>  rightauth=eap-tls
>>>  rightsourceip=%dhcp
>>>  eap_identity=%any
>>>  auto=add
>>>
>>> On Tuesday, 5 September 2017 04:54:31 CEST you wrote:
>>>> Hi,
>>>>
>>>>> type=passthrough
>>>
>>> Removed it, also did not use it previous attempts.
>>>
>>>> You're sabotaging yourself. There is no IPsec processing happening with
>>>> type=passthrough
>>>>
>>>>> threads = 8
>>>
>>> Removed.
>>>
>>>> You're doing it again. That can lock up the daemon later. Don't do that.
>>>> Luckily, the setting is outside the valid configuration block, so it's
>>>> invalid and ignored.
>>>>
>>>>> interfaces_ignore = vlan2, eth0, eth1, eth2, wl0.1, wl1.1
>>>
>>> I removed it. Just for the record these are my interfaces:
>>>
>>> ifconfig
>>> br0       Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:16
>>>
>>>           inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
>>>           inet6 addr: fe80::a263:91ff:feea:2e16/64 Scope:Link
>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>           RX packets:5108 errors:0 dropped:0 overruns:0 frame:0
>>>           TX packets:4497 errors:0 dropped:0 overruns:0 carrier:0
>>>           collisions:0 txqueuelen:1000
>>>           RX bytes:585507 (571.7 KiB)  TX bytes:3738948 (3.5 MiB)
>>>
>>> br0:0     Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:16
>>>
>>>           inet addr:169.254.255.1  Bcast:169.254.255.255  Mask:255.255.0.0
>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>
>>> eth0      Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:14
>>>
>>>           inet6 addr: fe80::a263:91ff:feea:2e14/64 Scope:Link
>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>           RX packets:12075 errors:0 dropped:0 overruns:0 frame:0
>>>           TX packets:12590 errors:0 dropped:0 overruns:0 carrier:0
>>>           collisions:0 txqueuelen:1000
>>>           RX bytes:1941972 (1.8 MiB)  TX bytes:9910375 (9.4 MiB)
>>>           Interrupt:179 Base address:0x4000
>>>
>>> eth1      Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:16
>>>
>>>           inet6 addr: fe80::a263:91ff:feea:2e16/64 Scope:Link
>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>           RX packets:0 errors:0 dropped:0 overruns:0 frame:7541
>>>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>>>           collisions:0 txqueuelen:1000
>>>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>>>           Interrupt:163
>>>
>>> eth2      Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:17
>>>
>>>           inet6 addr: fe80::a263:91ff:feea:2e17/64 Scope:Link
>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>>>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>>>           collisions:0 txqueuelen:1000
>>>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>>>           Interrupt:169
>>>
>>> lo        Link encap:Local Loopback
>>>
>>>           inet addr:127.0.0.1  Mask:255.0.0.0
>>>           inet6 addr: ::1/128 Scope:Host
>>>           UP LOOPBACK RUNNING MULTICAST  MTU:65536  Metric:1
>>>           RX packets:425 errors:0 dropped:0 overruns:0 frame:0
>>>           TX packets:425 errors:0 dropped:0 overruns:0 carrier:0
>>>           collisions:0 txqueuelen:1
>>>           RX bytes:53057 (51.8 KiB)  TX bytes:53057 (51.8 KiB)
>>>
>>> ppp0      Link encap:Point-to-Point Protocol
>>>
>>>           inet addr:87.168.251.19  P-t-P:62.155.242.107 
>>>           Mask:255.255.255.255
>>>           UP POINTOPOINT RUNNING MULTICAST  MTU:1492  Metric:1
>>>           RX packets:1010 errors:0 dropped:0 overruns:0 frame:0
>>>           TX packets:1092 errors:0 dropped:0 overruns:0 carrier:0
>>>           collisions:0 txqueuelen:3
>>>           RX bytes:470447 (459.4 KiB)  TX bytes:160357 (156.5 KiB)
>>>
>>> vlan1     Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:14
>>>
>>>           inet6 addr: fe80::a263:91ff:feea:2e14/64 Scope:Link
>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>           RX packets:9247 errors:0 dropped:0 overruns:0 frame:0
>>>           TX packets:9767 errors:0 dropped:0 overruns:0 carrier:0
>>>           collisions:0 txqueuelen:0
>>>           RX bytes:759337 (741.5 KiB)  TX bytes:9462367 (9.0 MiB)
>>>
>>> vlan2     Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:15
>>>
>>>           inet6 addr: fe80::a263:91ff:feea:2e15/64 Scope:Link
>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>           RX packets:2828 errors:0 dropped:3 overruns:0 frame:0
>>>           TX packets:2815 errors:0 dropped:0 overruns:0 carrier:0
>>>           collisions:0 txqueuelen:0
>>>           RX bytes:916985 (895.4 KiB)  TX bytes:397032 (387.7 KiB)
>>>
>>> vlan2:0   Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:15
>>>
>>>           inet addr:192.168.5.254  Bcast:192.168.5.255  Mask:255.255.255.0
>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>
>>> wl0.1     Link encap:Ethernet  HWaddr A2:XX:XX:XX:XX:17
>>>
>>>           inet addr:192.168.10.1  Bcast:192.168.10.255  Mask:255.255.255.0
>>>           inet6 addr: fe80::a063:91ff:feea:2e17/64 Scope:Link
>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>           RX packets:3615 errors:0 dropped:5 overruns:0 frame:7541
>>>           TX packets:3989 errors:0 dropped:0 overruns:0 carrier:0
>>>           collisions:0 txqueuelen:1000
>>>           RX bytes:538878 (526.2 KiB)  TX bytes:998737 (975.3 KiB)
>>>
>>> wl1.1     Link encap:Ethernet  HWaddr A2:XX:XX:XX:XX:18
>>>
>>>           inet addr:192.168.9.1  Bcast:192.168.9.255  Mask:255.255.255.0
>>>           inet6 addr: fe80::a063:91ff:feea:2e18/64 Scope:Link
>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>>>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>>>           collisions:0 txqueuelen:1000
>>>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>>>>
>>>> Unnecessary.
>>>>
>>>>> left=%defaultroute
>>>
>>> Removed.
>>>
>>>> Unnecessary.
>>>>
>>>>> kernel-pfkey
>>>>
>>>> Plugin for the legacy IPsec API. Don't use it.
>>>>
>>>>> ping R6400
>>>>> PING R6400 (192.168.0.121) 56(84) bytes of data.
>>>>> From 62.155.242.107 (62.155.242.107) icmp_seq=1 Destination Host Unreachable
>>>>> From 62.155.242.107 (62.155.242.107) icmp_seq=2 Destination Host Unreachable
>>>
>>> Just a dynamic ip, who cares.
>>>
>>>> Your next hop is sending that error. You're leaking private address into
>>>> the WAN. That is forbidden. Don't do that.
>>>>
>>>>> Router's iptables output:
>>>>>
>>>>> iptables -vnL
>>>>
>>>> The output is unusable. Provide the output of `iptables-save`.
>>>
>>> I disabled a few features, e.g. QOS in order to reduce the output
>>>
>>> # Generated by iptables-save v1.3.7 on Tue Sep  5 10:42:27 2017
>>> *raw
>>>
>>> :PREROUTING ACCEPT [12217:1705679]
>>> :OUTPUT ACCEPT [9354:9118762]
>>>
>>> COMMIT
>>> # Completed on Tue Sep  5 10:42:27 2017
>>> # Generated by iptables-save v1.3.7 on Tue Sep  5 10:42:27 2017
>>> *nat
>>>
>>> :PREROUTING ACCEPT [285:28593]
>>> :INPUT ACCEPT [604:43260]
>>> :OUTPUT ACCEPT [47:3676]
>>> :POSTROUTING ACCEPT [47:3676]
>>>
>>> -A PREROUTING -d 87.168.251.19 -p icmp -j DNAT --to-destination 192.168.0.1
>>> -A PREROUTING -d 87.168.251.19 -j TRIGGER --trigger-proto --trigger-match 0-0 --trigger-relate 0-0
>>> -A POSTROUTING -o vlan2 -j MASQUERADE
>>> -A POSTROUTING -s 192.168.0.0/255.255.255.0 -o ppp0 -j SNAT --to-source 87.168.251.19
>>> -A POSTROUTING -m mark  --mark0x80000000/0x80000000 -j MASQUERADE
>>> -A POSTROUTING -s 192.168.10.0/255.255.255.0 -o ppp0 -j SNAT --to-source 87.168.251.19
>>> -A POSTROUTING -s 192.168.9.0/255.255.255.0 -o ppp0 -j SNAT --to-source 87.168.251.19
>>> COMMIT
>>> # Completed on Tue Sep  5 10:42:27 2017
>>> # Generated by iptables-save v1.3.7 on Tue Sep  5 10:42:27 2017
>>> *mangle
>>>
>>> :PREROUTING ACCEPT [3009:537902]
>>> :INPUT ACCEPT [8937:741571]
>>> :FORWARD ACCEPT [2521:798226]
>>> :OUTPUT ACCEPT [2190:2277003]
>>> :POSTROUTING ACCEPT [11882:9919352]
>>>
>>> -A PREROUTING -d 87.168.251.19 -i ! ppp0 -j MARK  --set-xmark 0x80000000/0x80000000
>>> -A PREROUTING -j CONNMARK --save-mark
>>> -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>>> COMMIT
>>> # Completed on Tue Sep  5 10:42:27 2017
>>> # Generated by iptables-save v1.3.7 on Tue Sep  5 10:42:27 2017
>>> *filter
>>>
>>> :INPUT ACCEPT [0:0]
>>> :FORWARD ACCEPT [0:0]
>>> :OUTPUT ACCEPT [111:17285]
>>> :advgrp_1 - [0:0]
>>> :advgrp_10 - [0:0]
>>> :advgrp_2 - [0:0]
>>> :advgrp_3 - [0:0]
>>> :advgrp_4 - [0:0]
>>> :advgrp_5 - [0:0]
>>> :advgrp_6 - [0:0]
>>> :advgrp_7 - [0:0]
>>> :advgrp_8 - [0:0]
>>> :advgrp_9 - [0:0]
>>> :grp_1 - [0:0]
>>> :grp_10 - [0:0]
>>> :grp_2 - [0:0]
>>> :grp_3 - [0:0]
>>> :grp_4 - [0:0]
>>> :grp_5 - [0:0]
>>> :grp_6 - [0:0]
>>> :grp_7 - [0:0]
>>> :grp_8 - [0:0]
>>> :grp_9 - [0:0]
>>> :lan2wan - [0:0]
>>> :logaccept - [0:0]
>>> :logdrop - [0:0]
>>> :logreject - [0:0]
>>> :trigger_out - [0:0]
>>>
>>> -A INPUT -s 192.168.0.121 -d 192.168.0.0/255.255.255.0 -i ppp0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
>>> -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
>>> -A INPUT -p udp -m udp --dport 500 -j ACCEPT
>>> -A INPUT -s 66.220.2.74 -p icmp -j ACCEPT
>>> -A INPUT -m state --state RELATED,ESTABLISHED -j logaccept
>>> -A INPUT -i ppp0 -p udp -m udp --dport 520 -j logdrop
>>> -A INPUT -i br0 -p udp -m udp --dport 520 -j logdrop
>>> -A INPUT -p udp -m udp --dport 520 -j logaccept
>>> -A INPUT -i br0 -j logaccept
>>> -A INPUT -i ppp0 -p icmp -j logdrop
>>> -A INPUT -p igmp -j logdrop
>>> -A INPUT -i lo -m state --state NEW -j ACCEPT
>>> -A INPUT -i br0 -m state --state NEW -j logaccept
>>> -A INPUT -i wl0.1 -p udp -m udp --dport 67 -j logaccept
>>> -A INPUT -i wl0.1 -p udp -m udp --dport 53 -j logaccept
>>> -A INPUT -i wl0.1 -p tcp -m tcp --dport 53 -j logaccept
>>> -A INPUT -i wl0.1 -m state --state NEW -j logdrop
>>> -A INPUT -i wl0.1 -j logaccept
>>> -A INPUT -i wl1.1 -p udp -m udp --dport 67 -j logaccept
>>> -A INPUT -i wl1.1 -p udp -m udp --dport 53 -j logaccept
>>> -A INPUT -i wl1.1 -p tcp -m tcp --dport 53 -j logaccept
>>> -A INPUT -i wl1.1 -m state --state NEW -j logdrop
>>> -A INPUT -i wl1.1 -j logaccept
>>> -A INPUT -j logdrop
>>> -A FORWARD -s 192.168.0.121 -d 192.168.0.0/255.255.255.0 -i ppp0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
>>> -A FORWARD -s 192.168.0.0/255.255.255.0 -d 192.168.0.121 -o ppp0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
>>> -A FORWARD -s 192.168.0.10 -d 194.25.134.46 -j ACCEPT
>>> -A FORWARD -s 192.168.0.10 -d 194.25.134.110 -j ACCEPT
>>> -A FORWARD -s 192.168.0.10 -j LOG
>>> -A FORWARD -s 192.168.0.10 -j DROP
>>> -A FORWARD -m state --state RELATED,ESTABLISHED -j logaccept
>>> -A FORWARD -d 192.168.0.0/255.255.255.0 -i wl1.1 -m state --state NEW -j logdrop
>>> -A FORWARD -d 192.168.0.0/255.255.255.0 -i wl0.1 -m state --state NEW -j logdrop
>>> -A FORWARD -s 192.168.0.0/255.255.255.0 -o ppp0 -p gre -j logaccept
>>> -A FORWARD -s 192.168.0.0/255.255.255.0 -o ppp0 -p tcp -m tcp --dport 1723 -j logaccept
>>> -A FORWARD -i wl0.1 -j logaccept
>>> -A FORWARD -i wl1.1 -j logaccept
>>> -A FORWARD -j lan2wan
>>> -A FORWARD -i br0 -o br0 -j logaccept
>>> -A FORWARD -i br0 -o ppp0 -j logaccept
>>> -A FORWARD -i ppp0 -o br0 -j TRIGGER --trigger-proto --trigger-match 0-0 --trigger-relate 0-0
>>> -A FORWARD -i br0 -j trigger_out
>>> -A FORWARD -i br0 -o wl0.1 -m state --state NEW -j logdrop
>>> -A FORWARD -i br0 -o wl1.1 -m state --state NEW -j logdrop
>>> -A FORWARD -i br0 -m state --state NEW -j logaccept
>>> -A FORWARD -j logdrop
>>> -A OUTPUT -s 192.168.0.0/255.255.255.0 -d 192.168.0.121 -o ppp0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
>>> -A OUTPUT -o br0 -j logaccept
>>> -A logaccept -j ACCEPT
>>> -A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
>>> -A logdrop -m state --state INVALID -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
>>> -A logdrop -j DROP
>>> -A logreject -j LOG --log-prefix "WEBDROP " --log-tcp-sequence --log-tcp-options --log-ip-options
>>> -A logreject -p tcp -j REJECT --reject-with tcp-reset
>>> COMMIT
>>> # Completed on Tue Sep  5 10:42:27 2017
>>>
>>>>> I have tried so many things, but still cannot ping from either side or
>>>>> access any local machines.
>>>>> Does anyone have a clue? Can I provide additional info?
>>>>
>>>> You're having no success because you're trying random shit from the
>>>> Internet. About 99,999% of the strongSwan related information on third
>>>> party sites is either wrong or of questionable quality. Don't get your
>>>> information from any place but the project's website.
>>>
>>> Well that's what I did in the first place and it also lacks info, e.g. it
>>> did not list all of the required kernel modules, took me a bit to find
>>> out which modules it needs as it did not complain at startup, but
>>> requested features at runtime which were not there, e.g. a STD RNG.
>>>
>>>
>>> Thanks for any hints, hope the above info helps.
>>>
>>> Cheers Richard
>>>
>>>> Kind regards
>>>>
>>>> Noel
>>>>
>>>> On 5 September 2017 00:53:20 MESZ, Ric S <burj-al-arab at gmx.de> wrote:
>>>>> Hi folks,
>>>>>
>>>>> I have been ripping my hair out with this issue.
>>>>>
>>>>> I'm running strongswan 5.5.3 on a router. The router's LAN subnet is
>>>>> 192.168.0.1/24.
>>>>> I can successfully connect to it with an iPad with ikev2 and surf the
>>>>> internet, but I cannot reach any internal machines.
>>>>>
>>>>> My config is the following:
>>>>>
>>>>> ipsec.conf:
>>>>>
>>>>> config setup
>>>>>
>>>>> charondebug="net 2, knl 2, cfg 2"
>>>>>
>>>>> conn ikev2
>>>>>
>>>>> keyexchange=ikev2
>>>>>
>>>>> ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes1
>>>>> esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128
>>>>>
>>>>> dpdaction=clear
>>>>> dpddelay=60s
>>>>> left=%defaultroute
>>>>> leftfirewall=yes
>>>>> lefthostaccess=yes
>>>>> leftid=myname.ddns.net
>>>>> leftsubnet=192.168.0.0/24
>>>>> leftcert=host-vpn.der
>>>>> leftsendcert=always
>>>>> right=%any
>>>>> rightauth=eap-tls
>>>>> rightsourceip=%dhcp
>>>>> eap_identity=%any
>>>>> type=passthrough
>>>>> auto=add
>>>>>
>>>>> strongswan.conf:
>>>>>
>>>>> charon {
>>>>> interfaces_ignore = vlan2, eth0, eth1, eth2, wl0.1, wl1.1
>>>>> plugins {
>>>>>
>>>>>        dhcp {
>>>>>        force_server_address = yes
>>>>>        server = 192.168.0.1
>>>>>        identity_lease = yes
>>>>>        }
>>>>>        farp {
>>>>>        load = yes
>>>>>        }
>>>>>
>>>>> }}
>>>>>
>>>>> threads = 8
>>>>> dns1 = 8.8.8.8
>>>>> dns1 = 8.8.8.4
>>>>>
>>>>>
>>>>>
>>>>> Status:
>>>>>
>>>>> Status of IKE charon daemon (strongSwan 5.5.3, Linux 4.4.80, armv7l):
>>>>>  uptime: 14 minutes, since Sep 05 00:09:53 2017
>>>>>  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 8
>>>>>  loaded plugins: charon test-vectors aes des blowfish rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 agent xcbc cmac hmac sqlite attr kernel-pfkey kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-aka eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck
>>>>>
>>>>> Listening IP addresses:
>>>>>  169.254.255.1
>>>>>  192.168.0.1
>>>>>  87.168.243.83
>>>>>
>>>>> Connections:
>>>>>       ikev2:  %any...%any  IKEv2, dpddelay=60s
>>>>>       ikev2:   local:  [myname.ddns.net] uses public key authentication
>>>>>       ikev2:    cert:  "C=DE, O=MYORG, CN=myname.ddns.net"
>>>>>       ikev2:   remote: uses EAP_TLS authentication with EAP identity '%any'
>>>>>       ikev2:   child:  192.168.0.0/24 === dynamic PASS, dpdaction=clear
>>>>>
>>>>> Security Associations (1 up, 0 connecting):
>>>>>       ikev2[6]: ESTABLISHED 11 seconds ago, 87.168.243.83[myname.ddns.net]...109.43.1.19[R6400]
>>>>>       ikev2[6]: IKEv2 SPIs: 243db36d71718704_i 688c466c497d2b9a_r*, public key reauthentication in 2 hours
>>>>>       ikev2[6]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>>>>>       ikev2{4}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c0983fe7_i 04eb0f50_o
>>>>>       ikev2{4}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 48 minutes
>>>>>       ikev2{4}:   192.168.0.0/24 === 192.168.0.121/32
>>>>>
>>>>> swanctl --list-sas
>>>>> ikev2: #6, ESTABLISHED, IKEv2, 243db36d71718704_i 688c466c497d2b9a_r*
>>>>>  local  'myname.ddns.net' @ 87.168.243.83[4500]
>>>>>  remote 'R6400' @ 109.43.1.19[39898] [192.168.0.121]
>>>>>  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>>>>>  established 92s ago, reauth in 9765s
>>>>>  ikev2: #4, reqid 3, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128
>>>>>    installed 89s ago, rekeying in 2800s, expires in 3511s
>>>>>    in  c0983fe7,      0 bytes,     0 packets
>>>>>    out 04eb0f50,      0 bytes,     0 packets
>>>>>    local  192.168.0.0/24
>>>>>    remote 192.168.0.121/32
>>>>>
>>>>> ip route list table 220
>>>>> 192.168.0.121 via 62.155.242.107 dev ppp0  proto static  src 192.168.0.1
>>>>>
>>>>> FARP seems to work, this is a ping from one of the local machines:
>>>>>
>>>>> ping R6400
>>>>> PING R6400 (192.168.0.121) 56(84) bytes of data.
>>>>> From 62.155.242.107 (62.155.242.107) icmp_seq=1 Destination Host Unreachable
>>>>> From 62.155.242.107 (62.155.242.107) icmp_seq=2 Destination Host Unreachable
> 
> 
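The NAT problem Noel points to (the SNAT/MASQUERADE rules on ppp0 rewrite LAN-to-roadwarrior packets before the kernel matches them against the IPsec policy, so they leave the WAN in clear text) can be audited from an `iptables-save` dump. The following is an added example, not code from this thread or from the strongSwan project; it assumes the exemption rule the linked wiki article recommends (`-m policy --dir out --pol ipsec -j ACCEPT`), treats `ppp0` as the WAN interface, and uses the nat table posted above as constructed sample input, including its mail-client line wrapping.

```python
"""Audit an iptables-save dump for NAT rules that hit IPsec tunnel traffic.
SNAT/MASQUERADE in nat POSTROUTING runs before the IPsec policy lookup, so
LAN -> roadwarrior packets get their source rewritten and no longer match
the policy. Fix: an exemption rule ahead of the NAT rules (assumed form)."""
import shlex


def parse_chain_rules(dump, table, chain):
    """Return rules of `chain` in `table` as token lists (chain name removed).
    Tokenizing the whole table and splitting at '-A' rejoins wrapped rules."""
    tokens, in_table = [], False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):                  # table header, e.g. '*nat'
            in_table = line[1:] == table
            continue
        if not in_table or not line or line.startswith(("#", ":")):
            continue                              # comments and chain policies
        tokens.extend(shlex.split(line))          # keeps "DROP " prefixes whole
    rules, current = [], None
    for tok in tokens:
        if tok == "COMMIT":                       # end of table, even mid-line
            break
        if tok == "-A":
            if current:
                rules.append(current)
            current = []
        elif current is not None:
            current.append(tok)
    if current:
        rules.append(current)
    return [r[1:] for r in rules if r and r[0] == chain]


def _value(rule, option):
    """Token following `option` in a rule, or None if absent."""
    if option in rule and rule.index(option) + 1 < len(rule):
        return rule[rule.index(option) + 1]
    return None


def is_ipsec_exemption(rule):
    """True for an ACCEPT of traffic matched by an outbound IPsec policy."""
    return (_value(rule, "--pol") == "ipsec" and _value(rule, "--dir") == "out"
            and _value(rule, "-j") == "ACCEPT")


def audit_nat_postrouting(dump, wan_if):
    """Return SNAT/MASQUERADE rules of nat POSTROUTING that can rewrite packets
    leaving via `wan_if` before an exemption is reached (empty list = safe)."""
    exposed = []
    for rule in parse_chain_rules(dump, "nat", "POSTROUTING"):
        if is_ipsec_exemption(rule):
            break                                 # later rules are protected
        if _value(rule, "-o") not in (None, wan_if):
            continue                              # bound to another interface
        if _value(rule, "-j") in ("SNAT", "MASQUERADE"):
            exposed.append(" ".join(rule))
    return exposed


# Constructed sample: the nat table as posted in the thread, keeping the
# mail-client line wrapping (addresses and interfaces are from the post).
THREAD_NAT_DUMP = """\
# Generated by iptables-save v1.3.7 on Tue Sep  5 10:42:27 2017
*nat
:PREROUTING ACCEPT [285:28593]
:POSTROUTING ACCEPT [47:3676]
-A PREROUTING -d 87.168.251.19 -p icmp -j DNAT --to-destination
192.168.0.1
-A POSTROUTING -o vlan2 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o ppp0 -j SNAT --to-source
87.168.251.19 -A POSTROUTING -m mark --mark 0x80000000/0x80000000 -j
MASQUERADE
-A POSTROUTING -s 192.168.10.0/255.255.255.0 -o ppp0 -j SNAT --to-source
87.168.251.19 COMMIT
"""

# The same table with the exemption inserted at the top of POSTROUTING.
FIXED_NAT_DUMP = THREAD_NAT_DUMP.replace(
    "-A POSTROUTING -o vlan2 -j MASQUERADE",
    "-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT\n"
    "-A POSTROUTING -o vlan2 -j MASQUERADE")

if __name__ == "__main__":
    for label, dump in (("as posted", THREAD_NAT_DUMP), ("with exemption", FIXED_NAT_DUMP)):
        exposed = audit_nat_postrouting(dump, "ppp0")
        print(f"{label}: {len(exposed)} NAT rule(s) ahead of the IPsec exemption")
        print("\n".join("    " + rule for rule in exposed))
```

Run against a live system with `iptables-save | python3 audit.py`-style plumbing by passing the captured text to `audit_nat_postrouting`; the check is positional, so an exemption that sits below a NAT rule is correctly reported as not protecting it.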


