[strongSwan] Roadwarriors can't ping each other

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Sat Sep 9 16:34:25 CEST 2017


Hi Bas,

Well, you need to accept ESP packets obviously, if you don't use UDP encapsulation.
Other than that, make sure ip forwarding is enabled globally on moon and it is enabled for the involved interfaces.
On top of that, make sure the iptables rules in *filter FORWARD permit the traffic from Alice to Bob.

Right now, you don't accept ESP packets, but it seems your tunnels use that. Check where the net unreachable comes from.

Kind regards

Noel

On 09.09.2017 16:16, Bas van Dijk wrote:
> (I removed the NFLOG rules)
> 
> [alice] $ iptables-save -c 
> # Generated by iptables-save v1.6.1 on Sat Sep  9 14:02:40 2017
> *nat
> :PREROUTING ACCEPT [4:256]
> :INPUT ACCEPT [0:0]
> :OUTPUT ACCEPT [4:2672]
> :POSTROUTING ACCEPT [4:2672]
> COMMIT
> # Completed on Sat Sep  9 14:02:40 2017
> # Generated by iptables-save v1.6.1 on Sat Sep  9 14:02:40 2017
> *raw
> :PREROUTING ACCEPT [18:6158]
> :OUTPUT ACCEPT [16:8534]
> :nixos-fw-rpfilter - [0:0]
> [18:6158] -A PREROUTING -j nixos-fw-rpfilter
> [18:6158] -A nixos-fw-rpfilter -m rpfilter -j RETURN
> [0:0] -A nixos-fw-rpfilter -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j RETURN
> [0:0] -A nixos-fw-rpfilter -j DROP
> COMMIT
> # Completed on Sat Sep  9 14:02:40 2017
> # Generated by iptables-save v1.6.1 on Sat Sep  9 14:02:40 2017
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :nixos-fw - [0:0]
> :nixos-fw-accept - [0:0]
> :nixos-fw-log-refuse - [0:0]
> :nixos-fw-refuse - [0:0]
> [0:0] -A INPUT -s 10.0.0.0/24 -d 10.0.0.1/32 -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> [18:6158] -A INPUT -j nixos-fw
> [0:0] -A FORWARD -s 10.0.0.0/24 -d 10.0.0.1/32 -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> [0:0] -A FORWARD -s 10.0.0.1/32 -d 10.0.0.0/24 -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> [0:0] -A OUTPUT -s 10.0.0.1/32 -d 10.0.0.0/24 -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> [2:1152] -A nixos-fw -i lo -j nixos-fw-accept
> [10:4622] -A nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j nixos-fw-accept
> [0:0] -A nixos-fw -p icmp -m icmp --icmp-type 8 -j nixos-fw-accept
> [6:384] -A nixos-fw -j nixos-fw-log-refuse
> [12:5774] -A nixos-fw-accept -j ACCEPT
> [0:0] -A nixos-fw-log-refuse -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "rejected connection: " --log-level 6
> [6:384] -A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j nixos-fw-refuse
> [0:0] -A nixos-fw-log-refuse -j nixos-fw-refuse
> [6:384] -A nixos-fw-refuse -j DROP
> COMMIT
> # Completed on Sat Sep  9 14:02:40 2017
> 
> [alice] $ sysctl -A | grep rp_filter 
> net.ipv4.conf.all.arp_filter = 0
> net.ipv4.conf.all.rp_filter = 0
> net.ipv4.conf.default.arp_filter = 0
> net.ipv4.conf.default.rp_filter = 0
> net.ipv4.conf.eth0.arp_filter = 0
> net.ipv4.conf.eth0.rp_filter = 0
> net.ipv4.conf.eth1.arp_filter = 0
> net.ipv4.conf.eth1.rp_filter = 0
> net.ipv4.conf.lo.arp_filter = 0
> net.ipv4.conf.lo.rp_filter = 0
> 
> [carol] $ iptables-save -c 
> # Generated by iptables-save v1.6.1 on Sat Sep  9 14:02:56 2017
> *nat
> :PREROUTING ACCEPT [2:128]
> :INPUT ACCEPT [0:0]
> :OUTPUT ACCEPT [3:2002]
> :POSTROUTING ACCEPT [3:2002]
> COMMIT
> # Completed on Sat Sep  9 14:02:56 2017
> # Generated by iptables-save v1.6.1 on Sat Sep  9 14:02:56 2017
> *raw
> :PREROUTING ACCEPT [7:1983]
> :OUTPUT ACCEPT [5:2374]
> :nixos-fw-rpfilter - [0:0]
> [7:1983] -A PREROUTING -j nixos-fw-rpfilter
> [7:1983] -A nixos-fw-rpfilter -m rpfilter -j RETURN
> [0:0] -A nixos-fw-rpfilter -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j RETURN
> [0:0] -A nixos-fw-rpfilter -j DROP
> COMMIT
> # Completed on Sat Sep  9 14:02:56 2017
> # Generated by iptables-save v1.6.1 on Sat Sep  9 14:02:56 2017
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :nixos-fw - [0:0]
> :nixos-fw-accept - [0:0]
> :nixos-fw-log-refuse - [0:0]
> :nixos-fw-refuse - [0:0]
> [0:0] -A INPUT -s 10.0.0.0/24 -d 10.0.0.2/32 -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> [7:1983] -A INPUT -j nixos-fw
> [0:0] -A FORWARD -s 10.0.0.0/24 -d 10.0.0.2/32 -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> [0:0] -A FORWARD -s 10.0.0.2/32 -d 10.0.0.0/24 -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> [0:0] -A OUTPUT -s 10.0.0.2/32 -d 10.0.0.0/24 -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> [0:0] -A nixos-fw -i lo -j nixos-fw-accept
> [3:1727] -A nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j nixos-fw-accept
> [0:0] -A nixos-fw -p icmp -m icmp --icmp-type 8 -j nixos-fw-accept
> [4:256] -A nixos-fw -j nixos-fw-log-refuse
> [3:1727] -A nixos-fw-accept -j ACCEPT
> [0:0] -A nixos-fw-log-refuse -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "rejected connection: " --log-level 6
> [4:256] -A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j nixos-fw-refuse
> [0:0] -A nixos-fw-log-refuse -j nixos-fw-refuse
> [4:256] -A nixos-fw-refuse -j DROP
> COMMIT
> # Completed on Sat Sep  9 14:02:56 2017
> 
> [carol] $ sysctl -A | grep rp_filter 
> net.ipv4.conf.all.arp_filter = 0
> net.ipv4.conf.all.rp_filter = 0
> net.ipv4.conf.default.arp_filter = 0
> net.ipv4.conf.default.rp_filter = 0
> net.ipv4.conf.eth0.arp_filter = 0
> net.ipv4.conf.eth0.rp_filter = 0
> net.ipv4.conf.eth1.arp_filter = 0
> net.ipv4.conf.eth1.rp_filter = 0
> net.ipv4.conf.lo.arp_filter = 0
> net.ipv4.conf.lo.rp_filter = 0
> 
> [moon] $ iptables-save -c 
> # Generated by iptables-save v1.6.1 on Sat Sep  9 14:02:37 2017
> *nat
> :PREROUTING ACCEPT [5:4546]
> :INPUT ACCEPT [5:4546]
> :OUTPUT ACCEPT [1:64]
> :POSTROUTING ACCEPT [1:64]
> COMMIT
> # Completed on Sat Sep  9 14:02:37 2017
> # Generated by iptables-save v1.6.1 on Sat Sep  9 14:02:37 2017
> *raw
> :PREROUTING ACCEPT [15:8288]
> :OUTPUT ACCEPT [15:6477]
> :nixos-fw-rpfilter - [0:0]
> [15:8288] -A PREROUTING -j nixos-fw-rpfilter
> [15:8288] -A nixos-fw-rpfilter -m rpfilter -j RETURN
> [0:0] -A nixos-fw-rpfilter -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j RETURN
> [0:0] -A nixos-fw-rpfilter -j DROP
> COMMIT
> # Completed on Sat Sep  9 14:02:37 2017
> # Generated by iptables-save v1.6.1 on Sat Sep  9 14:02:37 2017
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [2:1432]
> :nixos-fw - [0:0]
> :nixos-fw-accept - [0:0]
> :nixos-fw-log-refuse - [0:0]
> :nixos-fw-refuse - [0:0]
> [15:8288] -A INPUT -j nixos-fw
> [0:0] -A FORWARD -s 10.0.0.2/32 -d 10.0.0.0/24 -i eth1 -m policy --dir in --pol ipsec --reqid 3 --proto esp -j ACCEPT
> [0:0] -A FORWARD -s 10.0.0.0/24 -d 10.0.0.2/32 -o eth1 -m policy --dir out --pol ipsec --reqid 3 --proto esp -j ACCEPT
> [0:0] -A FORWARD -s 10.0.0.1/32 -d 10.0.0.0/24 -i eth1 -m policy --dir in --pol ipsec --reqid 2 --proto esp -j ACCEPT
> [0:0] -A FORWARD -s 10.0.0.0/24 -d 10.0.0.1/32 -o eth1 -m policy --dir out --pol ipsec --reqid 2 --proto esp -j ACCEPT
> [0:0] -A nixos-fw -i lo -j nixos-fw-accept
> [5:2328] -A nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j nixos-fw-accept
> [4:3152] -A nixos-fw -p udp -m udp --dport 4500 -j nixos-fw-accept
> [4:2680] -A nixos-fw -p udp -m udp --dport 500 -j nixos-fw-accept
> [0:0] -A nixos-fw -p icmp -m icmp --icmp-type 8 -j nixos-fw-accept
> [2:128] -A nixos-fw -j nixos-fw-log-refuse
> [13:8160] -A nixos-fw-accept -j ACCEPT
> [0:0] -A nixos-fw-log-refuse -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "rejected connection: " --log-level 6
> [2:128] -A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j nixos-fw-refuse
> [0:0] -A nixos-fw-log-refuse -j nixos-fw-refuse
> [2:128] -A nixos-fw-refuse -j DROP
> COMMIT
> # Completed on Sat Sep  9 14:02:37 2017
> 
> [moon] $ sysctl -A | grep rp_filter 
> net.ipv4.conf.all.arp_filter = 0
> net.ipv4.conf.all.rp_filter = 0
> net.ipv4.conf.default.arp_filter = 0
> net.ipv4.conf.default.rp_filter = 0
> net.ipv4.conf.eth0.arp_filter = 0
> net.ipv4.conf.eth0.rp_filter = 0
> net.ipv4.conf.eth1.arp_filter = 0
> net.ipv4.conf.eth1.rp_filter = 0
> net.ipv4.conf.lo.arp_filter = 0
> net.ipv4.conf.lo.rp_filter = 0
> 
> BTW note that if I execute the following on all hosts:
> 
> $ iptables --insert INPUT --protocol ESP --jump ACCEPT
> 
> pinging from alice to carol will actually give a "Destination Net Unreachable" error instead of not giving any output:
> 
> [alice] $ ping -c 1 10.0.0.2
> PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
> From 192.168.1.3 icmp_seq=1 Destination Net Unreachable
> 
> --- 10.0.0.2 ping statistics ---
> 1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
> 
> 
> On 9 September 2017 at 15:57, Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
> 
>     Hi Bas,
> 
>     Please provide the outputs of `iptables-save -c` on all hosts
>     and the output of `sysctl -A | grep rp_filter`. `iptables -S` is not useful.
> 
>     Kind regards
> 
>     Noel
> 
>     On 09.09.2017 15:50, Bas van Dijk wrote:
>     > Hi Noel,
>     >
>     > These are the firewall rules of all hosts after establishing the tunnels (all the NFLOG rules will be removed eventually, they're currently used for debugging):
>     >
>     > [alice] $ iptables -S 
>     > -P INPUT ACCEPT
>     > -P FORWARD ACCEPT
>     > -P OUTPUT ACCEPT
>     > -N nixos-fw
>     > -N nixos-fw-accept
>     > -N nixos-fw-log-refuse
>     > -N nixos-fw-refuse
>     > -A INPUT -s 10.0.0.0/24 -d 10.0.0.1/32 -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
>     > -A INPUT -m addrtype ! --dst-type LOCAL -m policy --dir in --pol ipsec -j NFLOG --nflog-group 5
>     > -A INPUT -m addrtype --dst-type LOCAL -m policy --dir in --pol ipsec -j NFLOG --nflog-group 5
>     > -A INPUT -p udp -m multiport --dports 500,4500 -j NFLOG --nflog-group 5
>     > -A INPUT -p ah -j NFLOG --nflog-group 5
>     > -A INPUT -p esp -j NFLOG --nflog-group 5
>     > -A INPUT -j nixos-fw
>     > -A FORWARD -s 10.0.0.0/24 -d 10.0.0.1/32 -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
>     > -A FORWARD -s 10.0.0.1/32 -d 10.0.0.0/24 -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
>     > -A OUTPUT -s 10.0.0.1/32 -d 10.0.0.0/24 -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
>     > -A OUTPUT -m policy --dir out --pol ipsec -j NFLOG --nflog-group 5
>     > -A OUTPUT -p udp -m multiport --dports 500,4500 -j NFLOG --nflog-group 5
>     > -A OUTPUT -p ah -j NFLOG --nflog-group 5
>     > -A OUTPUT -p esp -j NFLOG --nflog-group 5
>     > -A nixos-fw -i lo -j nixos-fw-accept
>     > -A nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j nixos-fw-accept
>     > -A nixos-fw -p icmp -m icmp --icmp-type 8 -j nixos-fw-accept
>     > -A nixos-fw -j nixos-fw-log-refuse
>     > -A nixos-fw-accept -j ACCEPT
>     > -A nixos-fw-log-refuse -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "rejected connection: " --log-level 6
>     > -A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j nixos-fw-refuse
>     > -A nixos-fw-log-refuse -j nixos-fw-refuse
>     > -A nixos-fw-refuse -j DROP
>     >
>     > [carol] $ iptables -S 
>     > -P INPUT ACCEPT
>     > -P FORWARD ACCEPT
>     > -P OUTPUT ACCEPT
>     > -N nixos-fw
>     > -N nixos-fw-accept
>     > -N nixos-fw-log-refuse
>     > -N nixos-fw-refuse
>     > -A INPUT -s 10.0.0.0/24 -d 10.0.0.2/32 -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
>     > -A INPUT -m addrtype ! --dst-type LOCAL -m policy --dir in --pol ipsec -j NFLOG --nflog-group 5
>     > -A INPUT -m addrtype --dst-type LOCAL -m policy --dir in --pol ipsec -j NFLOG --nflog-group 5
>     > -A INPUT -p udp -m multiport --dports 500,4500 -j NFLOG --nflog-group 5
>     > -A INPUT -p ah -j NFLOG --nflog-group 5
>     > -A INPUT -p esp -j NFLOG --nflog-group 5
>     > -A INPUT -j nixos-fw
>     > -A FORWARD -s 10.0.0.0/24 -d 10.0.0.2/32 -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
>     > -A FORWARD -s 10.0.0.2/32 -d 10.0.0.0/24 -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
>     > -A OUTPUT -s 10.0.0.2/32 -d 10.0.0.0/24 -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
>     > -A OUTPUT -m policy --dir out --pol ipsec -j NFLOG --nflog-group 5
>     > -A OUTPUT -p udp -m multiport --dports 500,4500 -j NFLOG --nflog-group 5
>     > -A OUTPUT -p ah -j NFLOG --nflog-group 5
>     > -A OUTPUT -p esp -j NFLOG --nflog-group 5
>     > -A nixos-fw -i lo -j nixos-fw-accept
>     > -A nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j nixos-fw-accept
>     > -A nixos-fw -p icmp -m icmp --icmp-type 8 -j nixos-fw-accept
>     > -A nixos-fw -j nixos-fw-log-refuse
>     > -A nixos-fw-accept -j ACCEPT
>     > -A nixos-fw-log-refuse -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "rejected connection: " --log-level 6
>     > -A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j nixos-fw-refuse
>     > -A nixos-fw-log-refuse -j nixos-fw-refuse
>     > -A nixos-fw-refuse -j DROP
>     >
>     > [moon] $ iptables -S 
>     > -P INPUT ACCEPT
>     > -P FORWARD ACCEPT
>     > -P OUTPUT ACCEPT
>     > -N nixos-fw
>     > -N nixos-fw-accept
>     > -N nixos-fw-log-refuse
>     > -N nixos-fw-refuse
>     > -A INPUT -m addrtype ! --dst-type LOCAL -m policy --dir in --pol ipsec -j NFLOG --nflog-group 5
>     > -A INPUT -m addrtype --dst-type LOCAL -m policy --dir in --pol ipsec -j NFLOG --nflog-group 5
>     > -A INPUT -p udp -m multiport --dports 500,4500 -j NFLOG --nflog-group 5
>     > -A INPUT -p ah -j NFLOG --nflog-group 5
>     > -A INPUT -p esp -j NFLOG --nflog-group 5
>     > -A INPUT -j nixos-fw
>     > -A FORWARD -s 10.0.0.2/32 -d 10.0.0.0/24 -i eth1 -m policy --dir in --pol ipsec --reqid 2 --proto esp -j ACCEPT
>     > -A FORWARD -s 10.0.0.0/24 -d 10.0.0.2/32 -o eth1 -m policy --dir out --pol ipsec --reqid 2 --proto esp -j ACCEPT
>     > -A FORWARD -s 10.0.0.1/32 -d 10.0.0.0/24 -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
>     > -A FORWARD -s 10.0.0.0/24 -d 10.0.0.1/32 -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
>     > -A OUTPUT -m policy --dir out --pol ipsec -j NFLOG --nflog-group 5
>     > -A OUTPUT -p udp -m multiport --dports 500,4500 -j NFLOG --nflog-group 5
>     > -A OUTPUT -p ah -j NFLOG --nflog-group 5
>     > -A OUTPUT -p esp -j NFLOG --nflog-group 5
>     > -A nixos-fw -i lo -j nixos-fw-accept
>     > -A nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j nixos-fw-accept
>     > -A nixos-fw -p udp -m udp --dport 4500 -j nixos-fw-accept
>     > -A nixos-fw -p udp -m udp --dport 500 -j nixos-fw-accept
>     > -A nixos-fw -p icmp -m icmp --icmp-type 8 -j nixos-fw-accept
>     > -A nixos-fw -j nixos-fw-log-refuse
>     > -A nixos-fw-accept -j ACCEPT
>     > -A nixos-fw-log-refuse -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "rejected connection: " --log-level 6
>     > -A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j nixos-fw-refuse
>     > -A nixos-fw-log-refuse -j nixos-fw-refuse
>     > -A nixos-fw-refuse -j DROP
>     >
>     >
>     > On 9 September 2017 at 15:34, Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
>     >
>     >     Hi,
>     >
>     >     Check your iptables rules.
>     >
>     >     Kind regards
>     >
>     >     Noel
>     >
>     >     On 09.09.2017 14:06, Bas van Dijk wrote:
>     >     > Dear list,
>     >     >
>     >     > (I accidentally sent a previous message <https://groups.google.com/forum/#%21topic/strongswan-users/2ytikPcg7jA> to the read-only strongswan-users at googlegroups.com. So let's try the real list.)
>     >     >
>     >     > I'm working on another NixOS strongswan test. This time I have two roadwarriors alice and carol that set up a connection to gateway moon. They request a virtual IP. The gateway moon assigns virtual IP addresses from a pool per roadwarrior containing a single IP address. Authentication is based on X.509 certificates. In order to test the tunnel alice and carol ping each other. The test configuration can be found in:
>     >     >
>     >     > https://github.com/LumiGuide/nixpkgs/blob/strongswan-swanctl-pubkey-test/nixos/tests/strongswan-swanctl-pubkey.nix
>     >     >
>     >     > The roadwarriors alice and carol can successfully establish a CHILD_SA with the gateway moon. The problem is that the roadwarriors can't ping each other.
>     >     >
>     >     > This is a tcpdump on alice while initiating the CHILD_SA and trying to ping carol:
>     >     >
>     >     > [alice] $ tcpdump -s 0 -n -i nflog:5
>     >     > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>     >     > listening on nflog:5, link-type NFLOG (Linux netfilter log messages), capture size 262144 bytes
>     >     > # swanctl -i --child alice
>     >     > 11:05:07.318185 IP 192.168.1.1.500 > 192.168.1.3.500: isakmp: parent_sa ikev2_init[I]
>     >     > 11:05:07.318291 IP 192.168.1.3.500 > 192.168.1.1.500: isakmp: parent_sa ikev2_init[R]
>     >     > 11:05:07.318296 IP 192.168.1.1.4500 > 192.168.1.3.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
>     >     > 11:05:07.318308 IP 192.168.1.1.4500 > 192.168.1.3.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
>     >     > 11:05:08.346181 IP 192.168.1.3.4500 > 192.168.1.1.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[R]
>     >     > 11:05:08.346196 IP 192.168.1.3.4500 > 192.168.1.1.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[R]
>     >     > # ping -c 1 10.0.0.2
>     >     > 11:05:15.898172 IP 192.168.1.1 > 10.0.0.2: ICMP echo request, id 1120, seq 1, length 64
>     >     > 11:05:15.898200 IP 192.168.1.1 > 10.0.0.2: ICMP echo request, id 1120, seq 1, length 64
>     >     > 11:05:15.898205 IP 192.168.1.1 > 192.168.1.3: ESP(spi=0xc6877d56,seq=0x1), length 136
>     >     >
>     >     > So it looks like the ping packet gets encapsulated and sent to moon. This is the dump on moon:
>     >     >
>     >     > [moon] $ tcpdump -s 0 -n -i nflog:5
>     >     > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>     >     > listening on nflog:5, link-type NFLOG (Linux netfilter log messages), capture size 262144 bytes
>     >     > 11:05:07.170190 IP 192.168.1.1.500 > 192.168.1.3.500: isakmp: parent_sa ikev2_init[I]
>     >     > 11:05:07.170218 IP 192.168.1.3.500 > 192.168.1.1.500: isakmp: parent_sa ikev2_init[R]
>     >     > 11:05:07.170221 IP 192.168.1.1.4500 > 192.168.1.3.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
>     >     > 11:05:07.170227 IP 192.168.1.1.4500 > 192.168.1.3.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
>     >     > 11:05:08.225827 IP 192.168.1.3.4500 > 192.168.1.1.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[R]
>     >     > 11:05:08.225843 IP 192.168.1.3.4500 > 192.168.1.1.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[R]
>     >     >
>     >     > 11:05:15.777787 IP 192.168.1.1 > 192.168.1.3: ESP(spi=0xc6877d56,seq=0x1), length 136
>     >     >
>     >     > So moon receives the encapsulated ping message from alice but it never reroutes it to carol. Is this caused by a bad routing configuration? These are the routes on alice and her auto-generated swanctl configuration:
>     >     >
>     >     > [alice] $ ip route list table 220
>     >     > 10.0.0.0/24 via 192.168.1.3 dev eth1 proto static src 192.168.1.1
>     >     >
>     >     > [alice] $ cat /etc/swanctl/swanctl.conf
>     >     > connections {
>     >     >   alice {
>     >     >     children {
>     >     >       alice {
>     >     >         remote_ts = 10.0.0.0/24
>     >     >         start_action = trap
>     >     >         updown = /nix/store/jdcviy5z25xamq35g8k9qbdpskkx3w9g-strongswan-5.6.0/libexec/ipsec/_updown iptables
>     >     >       }
>     >     >     }
>     >     >     local-main {
>     >     >       auth = pubkey
>     >     >       certs = aliceCert.der
>     >     >       id = alice
>     >     >     }
>     >     >     remote-main {
>     >     >       auth = pubkey
>     >     >       id = moon
>     >     >     }
>     >     >     remote_addrs = moon
>     >     >     version = 2
>     >     >     vips = 0.0.0.0
>     >     >   }
>     >     > }
>     >     >
>     >     > Routing table 220 is empty on moon. Is that how it's supposed to be? This is its auto-generated swanctl configuration:
>     >     >
>     >     > [moon] $ cat /etc/swanctl/swanctl.conf 
>     >     > connections {
>     >     >   alice {
>     >     >     children {
>     >     >       alice {
>     >     >         local_ts = 10.0.0.0/24
>     >     >         updown = /nix/store/jdcviy5z25xamq35g8k9qbdpskkx3w9g-strongswan-5.6.0/libexec/ipsec/_updown iptables
>     >     >       }
>     >     >     }
>     >     >     local-main {
>     >     >       auth = pubkey
>     >     >       certs = moonCert.der
>     >     >       id = moon
>     >     >     }
>     >     >     pools = alice
>     >     >     remote-main {
>     >     >       auth = pubkey
>     >     >       id = alice
>     >     >     }
>     >     >     version = 2
>     >     >   }
>     >     >   carol {
>     >     >     children {
>     >     >       carol {
>     >     >         local_ts = 10.0.0.0/24
>     >     >         updown = /nix/store/jdcviy5z25xamq35g8k9qbdpskkx3w9g-strongswan-5.6.0/libexec/ipsec/_updown iptables
>     >     >       }
>     >     >     }
>     >     >     local-main {
>     >     >       auth = pubkey
>     >     >       certs = moonCert.der
>     >     >       id = moon
>     >     >     }
>     >     >     pools = carol
>     >     >     remote-main {
>     >     >       auth = pubkey
>     >     >       id = carol
>     >     >     }
>     >     >     version = 2
>     >     >   }
>     >     > }
>     >     > pools {
>     >     >   alice {
>     >     >     addrs = 10.0.0.1
>     >     >   }
>     >     >   carol {
>     >     >     addrs = 10.0.0.2
>     >     >   }
>     >     > }
>     >     >
>     >     > I'm sure I'm not configuring something correctly. Can somebody point me in the right direction to get this test succeeding?
>     >     >
>     >     > Regards,
>     >     >
>     >     > Bas
>     >     >
>     >     >
>     >     >
>     >
>     >
>     >
> 
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170909/42c10858/attachment-0001.sig>
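What Noel's first point means against the rulesets posted above, as an added example (not code from the thread, from NixOS or from strongSwan): a small evaluator that walks carol's INPUT chain, copied from her `iptables-save -c` output, for three constructed packets: the ESP datagram moon would send her, the same datagram if conntrack already knew the flow, and the echo request the kernel feeds back into INPUT after decapsulation. carol's outer address does not appear in the thread, so 192.168.1.2 is assumed. The evaluator models only the iptables options the posted rules actually use and raises on anything else, so it cannot silently misjudge a rule it does not understand.

```python
# Added example, not code from the thread, NixOS or strongSwan: walk one packet through the INPUT
# path of an iptables-save(8) filter table, modelling only the options the posted rules use.
import ipaddress
import shlex

# INPUT and the nixos-fw rules it reaches, copied from "[carol] $ iptables-save -c" above.
CAROL_FILTER = """\
:INPUT ACCEPT [0:0]
[0:0] -A INPUT -s 10.0.0.0/24 -d 10.0.0.2/32 -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
[7:1983] -A INPUT -j nixos-fw
[0:0] -A nixos-fw -i lo -j nixos-fw-accept
[3:1727] -A nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j nixos-fw-accept
[0:0] -A nixos-fw -p icmp -m icmp --icmp-type 8 -j nixos-fw-accept
[4:256] -A nixos-fw -j nixos-fw-log-refuse
[3:1727] -A nixos-fw-accept -j ACCEPT
[0:0] -A nixos-fw-log-refuse -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "rejected connection: " --log-level 6
[4:256] -A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j nixos-fw-refuse
[0:0] -A nixos-fw-log-refuse -j nixos-fw-refuse
[4:256] -A nixos-fw-refuse -j DROP
"""
ARITY = dict.fromkeys("-s -d -i -p -m -j --dir --pol --reqid --proto --ctstate --icmp-type "
                      "--pkt-type --log-prefix --log-level".split(), 1)  # args per option
ARITY["--tcp-flags"] = 2

def packet(**fields):
    """A packet as the matches see it; "ipsec" is the xfrm policy attached on decapsulation."""
    return {"iif": "eth1", "ctstate": "NEW", "icmp_type": -1, "pkttype": "unicast",
            "tcp_flags": set(), "ipsec": None, **fields}

def parse_filter(dump):
    """Return {chain: [policy, [(target, {option: (negated, args)}), ...]]}."""
    chains = {}
    for line in dump.splitlines():
        if line.startswith(":"):                  # chain declaration: name, policy, counters
            name, policy = line[1:].split()[:2]
            chains[name] = [None if policy == "-" else policy, []]
        elif line.startswith("["):                # counters, -A, chain name, then options
            toks = shlex.split(line)[1:]
            opts, neg, i = {}, False, 2
            while i < len(toks):
                if toks[i] == "!":
                    neg, i = True, i + 1
                else:
                    n = ARITY[toks[i]]            # KeyError on options this model does not know
                    opts[toks[i]] = (neg, toks[i + 1:i + 1 + n])
                    neg, i = False, i + 1 + n
            chains.setdefault(toks[1], [None, []])[1].append((opts["-j"][1][0], opts))
    return chains

def match(opt, neg, args, pkt):
    """Evaluate one rule option against a packet, honouring a leading "!"."""
    if opt in ("-m", "-j", "--log-prefix", "--log-level"):
        return True                               # module loaders and target options, not matches
    tests = {
        "-s": lambda: ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(args[0]),
        "-d": lambda: ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(args[0]),
        "-i": lambda: pkt["iif"] == args[0],
        "-p": lambda: pkt["proto"] == args[0],
        "--pol": lambda: (pkt["ipsec"] is None) == (args[0] == "none"),
        **{o: (lambda o=o: pkt["ipsec"] is not None and pkt["ipsec"][o[2:]] == args[0])
           for o in ("--dir", "--reqid", "--proto")},
        "--ctstate": lambda: pkt["ctstate"] in args[0].split(","),
        "--icmp-type": lambda: pkt["proto"] == "icmp" and pkt["icmp_type"] == int(args[0]),
        "--pkt-type": lambda: pkt["pkttype"] == args[0],
        "--tcp-flags": lambda: pkt["proto"] == "tcp"  # (flags & mask) == comp
        and (pkt["tcp_flags"] & set(args[0].split(","))) == set(args[1].split(",")),
    }
    return tests[opt]() != neg

def verdict(chains, chain, pkt):
    """Traverse a chain as the kernel does; None means a user chain fell through."""
    policy, rules = chains[chain]
    for target, opts in rules:
        if not all(match(o, n, a, pkt) for o, (n, a) in opts.items()):
            continue
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            break
        if target not in ("LOG", "NFLOG"):        # those never terminate; anything else is a user chain
            v = verdict(chains, target, pkt)
            if v is not None:
                return v
    return policy

# Constructed packets. carol's outer address is not in the thread, so 192.168.1.2 is assumed; she
# has only a trap policy and has sent nothing, so moon's first ESP datagram is NEW to conntrack.
OUTER_ESP = packet(src="192.168.1.3", dst="192.168.1.2", proto="esp")
# The echo request the kernel feeds back into INPUT after decapsulation, xfrm policy attached.
INNER_PING = packet(src="10.0.0.1", dst="10.0.0.2", proto="icmp", icmp_type=8,
                    ipsec={"dir": "in", "pol": "ipsec", "reqid": "1", "proto": "esp"})

def run(accept_esp=False):
    """Verdicts for the three packets, optionally after `iptables -I INPUT -p esp -j ACCEPT`."""
    chains = parse_filter(CAROL_FILTER)
    if accept_esp:
        chains["INPUT"][1].insert(0, ("ACCEPT", {"-p": (False, ["esp"])}))
    return {"outer_esp": verdict(chains, "INPUT", OUTER_ESP),
            "outer_esp_established": verdict(chains, "INPUT", {**OUTER_ESP, "ctstate": "ESTABLISHED"}),
            "inner_ping": verdict(chains, "INPUT", INNER_PING)}
```

Run as posted, `run()` drops the ESP datagram in nixos-fw-refuse while the decapsulated ping is accepted by the `-m policy --dir in --pol ipsec` rule. That rule can only ever see the inner packet: the policy match is attached when xfrm decapsulates, and the ESP datagram itself (IP protocol 50) is a separate traversal that has no policy and falls through to the DROP at the end of nixos-fw. `run(accept_esp=True)` shows the effect of the `iptables --insert INPUT --protocol ESP --jump ACCEPT` Bas tried. The ESTABLISHED case is why the initiator can hide the gap: alice sent ESP to moon first, and the kernel tracks ESP with the generic conntrack handler keyed on addresses and protocol only, so moon's ESP reply on alice already matches her RELATED,ESTABLISHED rule, whereas carol, who has sent nothing, sees a NEW flow. With UDP encapsulation the equivalent hole is `-p udp --dport 4500`, which in the thread only moon has.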
