[strongSwan] Roadwarriors can't ping eachother
Bas van Dijk
v.dijk.bas at gmail.com
Sat Sep 9 18:32:15 CEST 2017
On 9 September 2017 at 16:34, Noel Kuntze <
noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
> Well, you need to accept ESP packets obviously, if you don't use UDP
> encapsulation.
>
Got it. I enabled it.
> Other than that, make sure ip forwarding is enabled globally on moon and
> it is enabled for the involved interfaces.
>
IP forwarding is enabled globally on moon and on eth1 which is connected to
the same vlan that alice and carol are connected to:
[moon] $ sysctl -A | grep -E "ipv4.*(\.forwarding|ip_forward)"
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.lo.forwarding = 1
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0
On top of that, make sure the iptables rules in *filter FORWARD permit the
> traffic from Alice to Bob.
>
These rules on moon that were automatically added by strongswan should
permit that traffic right?
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 10.0.0.2 10.0.0.0/24 policy match
dir in pol ipsec reqid 2 proto esp
ACCEPT all -- 10.0.0.0/24 10.0.0.2 policy match
dir out pol ipsec reqid 2 proto esp
ACCEPT all -- 10.0.0.1 10.0.0.0/24 policy match
dir in pol ipsec reqid 1 proto esp
ACCEPT all -- 10.0.0.0/24 10.0.0.1 policy match
dir out pol ipsec reqid 1 proto esp
> Right now, you don't accept ESP packets, but it seems your tunnels use
> that. Check where the net unreachable comes from.
>
After enabling ESP traffic and doing a ping from alice to 10.0.0.2 I see
the following tcpdump on moon:
16:07:30.329243 IP 192.168.1.1 > 192.168.1.3: ESP(spi=0xc3ac1de0,seq=0x2),
length 136
16:07:30.329287 IP 192.168.1.1 > 10.0.0.2: ICMP echo request, id 1072, seq
1, length 64
I understand the first packet but I'm surprised by the source address of
the second packet. Shouldn't the source be 10.0.0.1?
If I compare routing table 220 of alice:
[alice] $ ip route list table 220
10.0.0.0/24 via 192.168.1.3 dev eth1 proto static src 192.168.1.1
with routing table 220 of my workstation (which is also using strongswan to
connect to our company VPN) I see that on my workstation the src is set to
the VPN assigned IP address and not the public IP address like on alice.
I'm surprised by this difference. Could this explain the routing failure?
I'm clearly not a networking expert so thanks a lot with your help so far.
Bas
Kind regards
>
> Noel
>
> On 09.09.2017 16:16, Bas van Dijk wrote:
> > (I removed the NFLOG rules)
> >
> > [alice] $ iptables-save -c
> > # Generated by iptables-save v1.6.1 on Sat Sep 9 14:02:40 2017
> > *nat
> > :PREROUTING ACCEPT [4:256]
> > :INPUT ACCEPT [0:0]
> > :OUTPUT ACCEPT [4:2672]
> > :POSTROUTING ACCEPT [4:2672]
> > COMMIT
> > # Completed on Sat Sep 9 14:02:40 2017
> > # Generated by iptables-save v1.6.1 on Sat Sep 9 14:02:40 2017
> > *raw
> > :PREROUTING ACCEPT [18:6158]
> > :OUTPUT ACCEPT [16:8534]
> > :nixos-fw-rpfilter - [0:0]
> > [18:6158] -A PREROUTING -j nixos-fw-rpfilter
> > [18:6158] -A nixos-fw-rpfilter -m rpfilter -j RETURN
> > [0:0] -A nixos-fw-rpfilter -s 0.0.0.0/32 <http://0.0.0.0/32> -d
> 255.255.255.255/32 <http://255.255.255.255/32> -p udp -m udp --sport 68
> --dport 67 -j RETURN
> > [0:0] -A nixos-fw-rpfilter -j DROP
> > COMMIT
> > # Completed on Sat Sep 9 14:02:40 2017
> > # Generated by iptables-save v1.6.1 on Sat Sep 9 14:02:40 2017
> > *filter
> > :INPUT ACCEPT [0:0]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [0:0]
> > :nixos-fw - [0:0]
> > :nixos-fw-accept - [0:0]
> > :nixos-fw-log-refuse - [0:0]
> > :nixos-fw-refuse - [0:0]
> > [0:0] -A INPUT -s 10.0.0.0/24 <http://10.0.0.0/24> -d 10.0.0.1/32 <
> http://10.0.0.1/32> -i eth1 -m policy --dir in --pol ipsec --reqid 1
> --proto esp -j ACCEPT
> > [18:6158] -A INPUT -j nixos-fw
> > [0:0] -A FORWARD -s 10.0.0.0/24 <http://10.0.0.0/24> -d 10.0.0.1/32 <
> http://10.0.0.1/32> -i eth1 -m policy --dir in --pol ipsec --reqid 1
> --proto esp -j ACCEPT
> > [0:0] -A FORWARD -s 10.0.0.1/32 <http://10.0.0.1/32> -d 10.0.0.0/24 <
> http://10.0.0.0/24> -o eth1 -m policy --dir out --pol ipsec --reqid 1
> --proto esp -j ACCEPT
> > [0:0] -A OUTPUT -s 10.0.0.1/32 <http://10.0.0.1/32> -d 10.0.0.0/24 <
> http://10.0.0.0/24> -o eth1 -m policy --dir out --pol ipsec --reqid 1
> --proto esp -j ACCEPT
> > [2:1152] -A nixos-fw -i lo -j nixos-fw-accept
> > [10:4622] -A nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j
> nixos-fw-accept
> > [0:0] -A nixos-fw -p icmp -m icmp --icmp-type 8 -j nixos-fw-accept
> > [6:384] -A nixos-fw -j nixos-fw-log-refuse
> > [12:5774] -A nixos-fw-accept -j ACCEPT
> > [0:0] -A nixos-fw-log-refuse -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK
> SYN -j LOG --log-prefix "rejected connection: " --log-level 6
> > [6:384] -A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j
> nixos-fw-refuse
> > [0:0] -A nixos-fw-log-refuse -j nixos-fw-refuse
> > [6:384] -A nixos-fw-refuse -j DROP
> > COMMIT
> > # Completed on Sat Sep 9 14:02:40 2017
> >
> > [alice] $ sysctl -A | grep rp_filter
> > net.ipv4.conf.all.arp_filter = 0
> > net.ipv4.conf.all.rp_filter = 0
> > net.ipv4.conf.default.arp_filter = 0
> > net.ipv4.conf.default.rp_filter = 0
> > net.ipv4.conf.eth0.arp_filter = 0
> > net.ipv4.conf.eth0.rp_filter = 0
> > net.ipv4.conf.eth1.arp_filter = 0
> > net.ipv4.conf.eth1.rp_filter = 0
> > net.ipv4.conf.lo.arp_filter = 0
> > net.ipv4.conf.lo.rp_filter = 0
> >
> > [carol] $ iptables-save -c
> > # Generated by iptables-save v1.6.1 on Sat Sep 9 14:02:56 2017
> > *nat
> > :PREROUTING ACCEPT [2:128]
> > :INPUT ACCEPT [0:0]
> > :OUTPUT ACCEPT [3:2002]
> > :POSTROUTING ACCEPT [3:2002]
> > COMMIT
> > # Completed on Sat Sep 9 14:02:56 2017
> > # Generated by iptables-save v1.6.1 on Sat Sep 9 14:02:56 2017
> > *raw
> > :PREROUTING ACCEPT [7:1983]
> > :OUTPUT ACCEPT [5:2374]
> > :nixos-fw-rpfilter - [0:0]
> > [7:1983] -A PREROUTING -j nixos-fw-rpfilter
> > [7:1983] -A nixos-fw-rpfilter -m rpfilter -j RETURN
> > [0:0] -A nixos-fw-rpfilter -s 0.0.0.0/32 <http://0.0.0.0/32> -d
> 255.255.255.255/32 <http://255.255.255.255/32> -p udp -m udp --sport 68
> --dport 67 -j RETURN
> > [0:0] -A nixos-fw-rpfilter -j DROP
> > COMMIT
> > # Completed on Sat Sep 9 14:02:56 2017
> > # Generated by iptables-save v1.6.1 on Sat Sep 9 14:02:56 2017
> > *filter
> > :INPUT ACCEPT [0:0]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [0:0]
> > :nixos-fw - [0:0]
> > :nixos-fw-accept - [0:0]
> > :nixos-fw-log-refuse - [0:0]
> > :nixos-fw-refuse - [0:0]
> > [0:0] -A INPUT -s 10.0.0.0/24 <http://10.0.0.0/24> -d 10.0.0.2/32 <
> http://10.0.0.2/32> -i eth1 -m policy --dir in --pol ipsec --reqid 1
> --proto esp -j ACCEPT
> > [7:1983] -A INPUT -j nixos-fw
> > [0:0] -A FORWARD -s 10.0.0.0/24 <http://10.0.0.0/24> -d 10.0.0.2/32 <
> http://10.0.0.2/32> -i eth1 -m policy --dir in --pol ipsec --reqid 1
> --proto esp -j ACCEPT
> > [0:0] -A FORWARD -s 10.0.0.2/32 <http://10.0.0.2/32> -d 10.0.0.0/24 <
> http://10.0.0.0/24> -o eth1 -m policy --dir out --pol ipsec --reqid 1
> --proto esp -j ACCEPT
> > [0:0] -A OUTPUT -s 10.0.0.2/32 <http://10.0.0.2/32> -d 10.0.0.0/24 <
> http://10.0.0.0/24> -o eth1 -m policy --dir out --pol ipsec --reqid 1
> --proto esp -j ACCEPT
> > [0:0] -A nixos-fw -i lo -j nixos-fw-accept
> > [3:1727] -A nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j
> nixos-fw-accept
> > [0:0] -A nixos-fw -p icmp -m icmp --icmp-type 8 -j nixos-fw-accept
> > [4:256] -A nixos-fw -j nixos-fw-log-refuse
> > [3:1727] -A nixos-fw-accept -j ACCEPT
> > [0:0] -A nixos-fw-log-refuse -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK
> SYN -j LOG --log-prefix "rejected connection: " --log-level 6
> > [4:256] -A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j
> nixos-fw-refuse
> > [0:0] -A nixos-fw-log-refuse -j nixos-fw-refuse
> > [4:256] -A nixos-fw-refuse -j DROP
> > COMMIT
> > # Completed on Sat Sep 9 14:02:56 2017
> >
> > [carol] $ sysctl -A | grep rp_filter
> > net.ipv4.conf.all.arp_filter = 0
> > net.ipv4.conf.all.rp_filter = 0
> > net.ipv4.conf.default.arp_filter = 0
> > net.ipv4.conf.default.rp_filter = 0
> > net.ipv4.conf.eth0.arp_filter = 0
> > net.ipv4.conf.eth0.rp_filter = 0
> > net.ipv4.conf.eth1.arp_filter = 0
> > net.ipv4.conf.eth1.rp_filter = 0
> > net.ipv4.conf.lo.arp_filter = 0
> > net.ipv4.conf.lo.rp_filter = 0
> >
> > [moon] $ iptables-save -c
> > # Generated by iptables-save v1.6.1 on Sat Sep 9 14:02:37 2017
> > *nat
> > :PREROUTING ACCEPT [5:4546]
> > :INPUT ACCEPT [5:4546]
> > :OUTPUT ACCEPT [1:64]
> > :POSTROUTING ACCEPT [1:64]
> > COMMIT
> > # Completed on Sat Sep 9 14:02:37 2017
> > # Generated by iptables-save v1.6.1 on Sat Sep 9 14:02:37 2017
> > *raw
> > :PREROUTING ACCEPT [15:8288]
> > :OUTPUT ACCEPT [15:6477]
> > :nixos-fw-rpfilter - [0:0]
> > [15:8288] -A PREROUTING -j nixos-fw-rpfilter
> > [15:8288] -A nixos-fw-rpfilter -m rpfilter -j RETURN
> > [0:0] -A nixos-fw-rpfilter -s 0.0.0.0/32 <http://0.0.0.0/32> -d
> 255.255.255.255/32 <http://255.255.255.255/32> -p udp -m udp --sport 68
> --dport 67 -j RETURN
> > [0:0] -A nixos-fw-rpfilter -j DROP
> > COMMIT
> > # Completed on Sat Sep 9 14:02:37 2017
> > # Generated by iptables-save v1.6.1 on Sat Sep 9 14:02:37 2017
> > *filter
> > :INPUT ACCEPT [0:0]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [2:1432]
> > :nixos-fw - [0:0]
> > :nixos-fw-accept - [0:0]
> > :nixos-fw-log-refuse - [0:0]
> > :nixos-fw-refuse - [0:0]
> > [15:8288] -A INPUT -j nixos-fw
> > [0:0] -A FORWARD -s 10.0.0.2/32 <http://10.0.0.2/32> -d 10.0.0.0/24 <
> http://10.0.0.0/24> -i eth1 -m policy --dir in --pol ipsec --reqid 3
> --proto esp -j ACCEPT
> > [0:0] -A FORWARD -s 10.0.0.0/24 <http://10.0.0.0/24> -d 10.0.0.2/32 <
> http://10.0.0.2/32> -o eth1 -m policy --dir out --pol ipsec --reqid 3
> --proto esp -j ACCEPT
> > [0:0] -A FORWARD -s 10.0.0.1/32 <http://10.0.0.1/32> -d 10.0.0.0/24 <
> http://10.0.0.0/24> -i eth1 -m policy --dir in --pol ipsec --reqid 2
> --proto esp -j ACCEPT
> > [0:0] -A FORWARD -s 10.0.0.0/24 <http://10.0.0.0/24> -d 10.0.0.1/32 <
> http://10.0.0.1/32> -o eth1 -m policy --dir out --pol ipsec --reqid 2
> --proto esp -j ACCEPT
> > [0:0] -A nixos-fw -i lo -j nixos-fw-accept
> > [5:2328] -A nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j
> nixos-fw-accept
> > [4:3152] -A nixos-fw -p udp -m udp --dport 4500 -j nixos-fw-accept
> > [4:2680] -A nixos-fw -p udp -m udp --dport 500 -j nixos-fw-accept
> > [0:0] -A nixos-fw -p icmp -m icmp --icmp-type 8 -j nixos-fw-accept
> > [2:128] -A nixos-fw -j nixos-fw-log-refuse
> > [13:8160] -A nixos-fw-accept -j ACCEPT
> > [0:0] -A nixos-fw-log-refuse -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK
> SYN -j LOG --log-prefix "rejected connection: " --log-level 6
> > [2:128] -A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j
> nixos-fw-refuse
> > [0:0] -A nixos-fw-log-refuse -j nixos-fw-refuse
> > [2:128] -A nixos-fw-refuse -j DROP
> > COMMIT
> > # Completed on Sat Sep 9 14:02:37 2017
> >
> > [moon] $ sysctl -A | grep rp_filter
> > net.ipv4.conf.all.arp_filter = 0
> > net.ipv4.conf.all.rp_filter = 0
> > net.ipv4.conf.default.arp_filter = 0
> > net.ipv4.conf.default.rp_filter = 0
> > net.ipv4.conf.eth0.arp_filter = 0
> > net.ipv4.conf.eth0.rp_filter = 0
> > net.ipv4.conf.eth1.arp_filter = 0
> > net.ipv4.conf.eth1.rp_filter = 0
> > net.ipv4.conf.lo.arp_filter = 0
> > net.ipv4.conf.lo.rp_filter = 0
> >
> > BTW note that if I execute the following on all hosts:
> >
> > $ iptables --insert INPUT --protocol ESP --jump ACCEPT
> >
> > pinging from alice to carol will actually give a "Destination Net
> Unreachable" error instead of not giving any output:
> >
> > [alice] $ ping -c 10.0.0.2
> > PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
> > From 192.168.1.3 icmp_seq=1 Destination Net Unreachable
> >
> > --- 10.0.0.2 ping statistics ---
> > 1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
> >
> >
> > On 9 September 2017 at 15:57, Noel Kuntze <noel.kuntze+strongswan-users-
> ml at thermi.consulting <mailto:noel.kuntze+strongswan-users-ml at thermi.
> consulting>> wrote:
> >
> > Hi Bas,
> >
> > Please provide the outputs of `iptables-save -c` on all hosts
> > and the output of `sysctl -A | grep rp_filter`. `iptables -S` is not
> useful.
> >
> > Kind regards
> >
> > Noel
> >
> > On 09.09.2017 15 <tel:09.09.2017%2015>:50, Bas van Dijk wrote:
> > > Hi Noel,
> > >
> > > These are the firewall rules of all hosts after establishing the
> tunnels (all the NFLOG rules will be removed eventually, they're currently
> used for debugging):
> > >
> > > [alice] $ iptables -S
> > > -P INPUT ACCEPT
> > > -P FORWARD ACCEPT
> > > -P OUTPUT ACCEPT
> > > -N nixos-fw
> > > -N nixos-fw-accept
> > > -N nixos-fw-log-refuse
> > > -N nixos-fw-refuse
> > > -A INPUT -s 10.0.0.0/24 <http://10.0.0.0/24> <http://10.0.0.0/24>
> -d 10.0.0.1/32 <http://10.0.0.1/32> <http://10.0.0.1/32> -i eth1 -m
> policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> > > -A INPUT -m addrtype ! --dst-type LOCAL -m policy --dir in --pol
> ipsec -j NFLOG --nflog-group 5
> > > -A INPUT -m addrtype --dst-type LOCAL -m policy --dir in --pol
> ipsec -j NFLOG --nflog-group 5
> > > -A INPUT -p udp -m multiport --dports 500,4500 -j NFLOG
> --nflog-group 5
> > > -A INPUT -p ah -j NFLOG --nflog-group 5
> > > -A INPUT -p esp -j NFLOG --nflog-group 5
> > > -A INPUT -j nixos-fw
> > > -A FORWARD -s 10.0.0.0/24 <http://10.0.0.0/24> <http://10.0.0.0/24>
> -d 10.0.0.1/32 <http://10.0.0.1/32> <http://10.0.0.1/32> -i eth1 -m
> policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> > > -A FORWARD -s 10.0.0.1/32 <http://10.0.0.1/32> <http://10.0.0.1/32>
> -d 10.0.0.0/24 <http://10.0.0.0/24> <http://10.0.0.0/24> -o eth1 -m
> policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> > > -A OUTPUT -s 10.0.0.1/32 <http://10.0.0.1/32> <http://10.0.0.1/32>
> -d 10.0.0.0/24 <http://10.0.0.0/24> <http://10.0.0.0/24> -o eth1 -m
> policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> > > -A OUTPUT -m policy --dir out --pol ipsec -j NFLOG --nflog-group 5
> > > -A OUTPUT -p udp -m multiport --dports 500,4500 -j NFLOG
> --nflog-group 5
> > > -A OUTPUT -p ah -j NFLOG --nflog-group 5
> > > -A OUTPUT -p esp -j NFLOG --nflog-group 5
> > > -A nixos-fw -i lo -j nixos-fw-accept
> > > -A nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j
> nixos-fw-accept
> > > -A nixos-fw -p icmp -m icmp --icmp-type 8 -j nixos-fw-accept
> > > -A nixos-fw -j nixos-fw-log-refuse
> > > -A nixos-fw-accept -j ACCEPT
> > > -A nixos-fw-log-refuse -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK
> SYN -j LOG --log-prefix "rejected connection: " --log-level 6
> > > -A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j
> nixos-fw-refuse
> > > -A nixos-fw-log-refuse -j nixos-fw-refuse
> > > -A nixos-fw-refuse -j DROP
> > >
> > > [carol] $ iptables -S
> > > -P INPUT ACCEPT
> > > -P FORWARD ACCEPT
> > > -P OUTPUT ACCEPT
> > > -N nixos-fw
> > > -N nixos-fw-accept
> > > -N nixos-fw-log-refuse
> > > -N nixos-fw-refuse
> > > -A INPUT -s 10.0.0.0/24 <http://10.0.0.0/24> <http://10.0.0.0/24>
> -d 10.0.0.2/32 <http://10.0.0.2/32> <http://10.0.0.2/32> -i eth1 -m
> policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> > > -A INPUT -m addrtype ! --dst-type LOCAL -m policy --dir in --pol
> ipsec -j NFLOG --nflog-group 5
> > > -A INPUT -m addrtype --dst-type LOCAL -m policy --dir in --pol
> ipsec -j NFLOG --nflog-group 5
> > > -A INPUT -p udp -m multiport --dports 500,4500 -j NFLOG
> --nflog-group 5
> > > -A INPUT -p ah -j NFLOG --nflog-group 5
> > > -A INPUT -p esp -j NFLOG --nflog-group 5
> > > -A INPUT -j nixos-fw
> > > -A FORWARD -s 10.0.0.0/24 <http://10.0.0.0/24> <http://10.0.0.0/24>
> -d 10.0.0.2/32 <http://10.0.0.2/32> <http://10.0.0.2/32> -i eth1 -m
> policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> > > -A FORWARD -s 10.0.0.2/32 <http://10.0.0.2/32> <http://10.0.0.2/32>
> -d 10.0.0.0/24 <http://10.0.0.0/24> <http://10.0.0.0/24> -o eth1 -m
> policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> > > -A OUTPUT -s 10.0.0.2/32 <http://10.0.0.2/32> <http://10.0.0.2/32>
> -d 10.0.0.0/24 <http://10.0.0.0/24> <http://10.0.0.0/24> -o eth1 -m
> policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> > > -A OUTPUT -m policy --dir out --pol ipsec -j NFLOG --nflog-group 5
> > > -A OUTPUT -p udp -m multiport --dports 500,4500 -j NFLOG
> --nflog-group 5
> > > -A OUTPUT -p ah -j NFLOG --nflog-group 5
> > > -A OUTPUT -p esp -j NFLOG --nflog-group 5
> > > -A nixos-fw -i lo -j nixos-fw-accept
> > > -A nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j
> nixos-fw-accept
> > > -A nixos-fw -p icmp -m icmp --icmp-type 8 -j nixos-fw-accept
> > > -A nixos-fw -j nixos-fw-log-refuse
> > > -A nixos-fw-accept -j ACCEPT
> > > -A nixos-fw-log-refuse -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK
> SYN -j LOG --log-prefix "rejected connection: " --log-level 6
> > > -A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j
> nixos-fw-refuse
> > > -A nixos-fw-log-refuse -j nixos-fw-refuse
> > > -A nixos-fw-refuse -j DROP
> > >
> > > [moon] $ iptables -S
> > > -P INPUT ACCEPT
> > > -P FORWARD ACCEPT
> > > -P OUTPUT ACCEPT
> > > -N nixos-fw
> > > -N nixos-fw-accept
> > > -N nixos-fw-log-refuse
> > > -N nixos-fw-refuse
> > > -A INPUT -m addrtype ! --dst-type LOCAL -m policy --dir in --pol
> ipsec -j NFLOG --nflog-group 5
> > > -A INPUT -m addrtype --dst-type LOCAL -m policy --dir in --pol
> ipsec -j NFLOG --nflog-group 5
> > > -A INPUT -p udp -m multiport --dports 500,4500 -j NFLOG
> --nflog-group 5
> > > -A INPUT -p ah -j NFLOG --nflog-group 5
> > > -A INPUT -p esp -j NFLOG --nflog-group 5
> > > -A INPUT -j nixos-fw
> > > -A FORWARD -s 10.0.0.2/32 <http://10.0.0.2/32> <http://10.0.0.2/32>
> -d 10.0.0.0/24 <http://10.0.0.0/24> <http://10.0.0.0/24> -i eth1 -m
> policy --dir in --pol ipsec --reqid 2 --proto esp -j ACCEPT
> > > -A FORWARD -s 10.0.0.0/24 <http://10.0.0.0/24> <http://10.0.0.0/24>
> -d 10.0.0.2/32 <http://10.0.0.2/32> <http://10.0.0.2/32> -o eth1 -m
> policy --dir out --pol ipsec --reqid 2 --proto esp -j ACCEPT
> > > -A FORWARD -s 10.0.0.1/32 <http://10.0.0.1/32> <http://10.0.0.1/32>
> -d 10.0.0.0/24 <http://10.0.0.0/24> <http://10.0.0.0/24> -i eth1 -m
> policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> > > -A FORWARD -s 10.0.0.0/24 <http://10.0.0.0/24> <http://10.0.0.0/24>
> -d 10.0.0.1/32 <http://10.0.0.1/32> <http://10.0.0.1/32> -o eth1 -m
> policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> > > -A OUTPUT -m policy --dir out --pol ipsec -j NFLOG --nflog-group 5
> > > -A OUTPUT -p udp -m multiport --dports 500,4500 -j NFLOG
> --nflog-group 5
> > > -A OUTPUT -p ah -j NFLOG --nflog-group 5
> > > -A OUTPUT -p esp -j NFLOG --nflog-group 5
> > > -A nixos-fw -i lo -j nixos-fw-accept
> > > -A nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j
> nixos-fw-accept
> > > -A nixos-fw -p udp -m udp --dport 4500 -j nixos-fw-accept
> > > -A nixos-fw -p udp -m udp --dport 500 -j nixos-fw-accept
> > > -A nixos-fw -p icmp -m icmp --icmp-type 8 -j nixos-fw-accept
> > > -A nixos-fw -j nixos-fw-log-refuse
> > > -A nixos-fw-accept -j ACCEPT
> > > -A nixos-fw-log-refuse -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK
> SYN -j LOG --log-prefix "rejected connection: " --log-level 6
> > > -A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j
> nixos-fw-refuse
> > > -A nixos-fw-log-refuse -j nixos-fw-refuse
> > > -A nixos-fw-refuse -j DROP
> > >
> > >
> > > On 9 September 2017 at 15:34, Noel Kuntze
> <noel.kuntze+strongswan-users-ml at thermi.consulting <mailto:noel.kuntze+
> strongswan-users-ml at thermi.consulting <mailto:noel.kuntze%
> 2Bstrongswan-users-ml at thermi.consulting>>> wrote:
> > >
> > > Hi,
> > >
> > > Check your iptables rules.
> > >
> > > Kind regards
> > >
> > > Noel
> > >
> > > On 09.09.2017 14 <tel:09.09.2017%2014>
> <tel:09.09.2017%2014>:06, Bas van Dijk wrote:
> > > > Dear list,
> > > >
> > > > (I accidentally sent a previous message <
> https://groups.google.com/forum/#%21topic/strongswan-users/2ytikPcg7jA <
> https://groups.google.com/forum/#%21topic/strongswan-users/2ytikPcg7jA> <
> https://groups.google.com/forum/#%21topic/strongswan-users/2ytikPcg7jA <
> https://groups.google.com/forum/#%21topic/strongswan-users/2ytikPcg7jA>>>
> to the read-only strongswan-users at googlegroups.com <mailto:
> strongswan-users at googlegroups.com> <mailto:strongswan-users@
> googlegroups.com <mailto:strongswan-users at googlegroups.com>> <mailto:
> strongswan-users at googlegroups.com <mailto:strongswan-users@
> googlegroups.com> <mailto:strongswan-users at googlegroups.com <mailto:
> strongswan-users at googlegroups.com>>>. So let's try the real list.)
> > > >
> > > > I'm working on another NixOS strongswan test. This time I
> have two roadwarriors alice and carol that set up a connection to gateway
> moon. They request a virtual IP. The gateway moon assigns virtual IP
> addresses from a pool per roadwarrior containing a single IP address.
> Authentication is based on X.509 certificates. In order to test the tunnel
> alice and carol ping each other. The test configuration can be found in:
> > > >
> > > > https://github.com/LumiGuide/nixpkgs/blob/strongswan-
> swanctl-pubkey-test/nixos/tests/strongswan-swanctl-pubkey.nix <
> https://github.com/LumiGuide/nixpkgs/blob/strongswan-
> swanctl-pubkey-test/nixos/tests/strongswan-swanctl-pubkey.nix> <
> https://github.com/LumiGuide/nixpkgs/blob/strongswan-
> swanctl-pubkey-test/nixos/tests/strongswan-swanctl-pubkey.nix <
> https://github.com/LumiGuide/nixpkgs/blob/strongswan-
> swanctl-pubkey-test/nixos/tests/strongswan-swanctl-pubkey.nix>>
> > > >
> > > > The roadwarriors alice and carol can successfully establish
> a CHILD_SA with the gateway moon. The problem is that the roadwarriors
> can't ping eachother.
> > > >
> > > > This is a tcpdump on alice while initiating the CHILD_SA and
> trying to ping carol:
> > > >
> > > > [alice] $ tcpdump -s 0 -n -i nflog:5
> > > > tcpdump: verbose output suppressed, use -v or -vv for full
> protocol decode
> > > > listening on nflog:5, link-type NFLOG (Linux netfilter log
> messages), capture size 262144 bytes
> > > > # swanctl -i --child alice
> > > > 11:05:07.318185 IP 192.168.1.1.500 > 192.168.1.3.500:
> isakmp: parent_sa ikev2_init[I]
> > > > 11:05:07.318291 IP 192.168.1.3.500 > 192.168.1.1.500:
> isakmp: parent_sa ikev2_init[R]
> > > > 11:05:07.318296 IP 192.168.1.1.4500 > 192.168.1.3.4500:
> NONESP-encap: isakmp: child_sa ikev2_auth[I]
> > > > 11:05:07.318308 IP 192.168.1.1.4500 > 192.168.1.3.4500:
> NONESP-encap: isakmp: child_sa ikev2_auth[I]
> > > > 11:05:08.346181 IP 192.168.1.3.4500 > 192.168.1.1.4500:
> NONESP-encap: isakmp: child_sa ikev2_auth[R]
> > > > 11:05:08.346196 IP 192.168.1.3.4500 > 192.168.1.1.4500:
> NONESP-encap: isakmp: child_sa ikev2_auth[R]
> > > > # ping -c 1 10.0.0.2
> > > > 11:05:15.898172 IP 192.168.1.1 > 10.0.0.2 <http://10.0.0.2>:
> ICMP echo request, id 1120, seq 1, length 64
> > > > 11:05:15.898200 IP 192.168.1.1 > 10.0.0.2 <http://10.0.0.2>:
> ICMP echo request, id 1120, seq 1, length 64
> > > > 11:05:15.898205 IP 192.168.1.1 > 192.168.1.3 <
> http://192.168.1.3>: ESP(spi=0xc6877d56,seq=0x1), length 136
> > > >
> > > > So it looks like the ping packet gets encapsulated and send
> to moon. This is the dump on moon:
> > > >
> > > > [moon] $ tcpdump -s 0 -n -i nflog:5
> > > > tcpdump: verbose output suppressed, use -v or -vv for full
> protocol decode
> > > > listening on nflog:5, link-type NFLOG (Linux netfilter log
> messages), capture size 262144 bytes
> > > > 11:05:07.170190 IP 192.168.1.1.500 > 192.168.1.3.500:
> isakmp: parent_sa ikev2_init[I]
> > > > 11:05:07.170218 IP 192.168.1.3.500 > 192.168.1.1.500:
> isakmp: parent_sa ikev2_init[R]
> > > > 11:05:07.170221 IP 192.168.1.1.4500 > 192.168.1.3.4500:
> NONESP-encap: isakmp: child_sa ikev2_auth[I]
> > > > 11:05:07.170227 IP 192.168.1.1.4500 > 192.168.1.3.4500:
> NONESP-encap: isakmp: child_sa ikev2_auth[I]
> > > > 11:05:08.225827 IP 192.168.1.3.4500 > 192.168.1.1.4500:
> NONESP-encap: isakmp: child_sa ikev2_auth[R]
> > > > 11:05:08.225843 IP 192.168.1.3.4500 > 192.168.1.1.4500:
> NONESP-encap: isakmp: child_sa ikev2_auth[R]
> > > >
> > > > 11:05:15.777787 IP 192.168.1.1 > 192.168.1.3 <
> http://192.168.1.3>: ESP(spi=0xc6877d56,seq=0x1), length 136
> > > >
> > > > So moon receives the encapsulated ping message from alice
> but it never reroutes it to carol. Is this caused by a bad routing
> configuration? These are the routes on alice and her auto-generated swanctl
> configuration:
> > > >
> > > > [alice] $ ip route list table 220
> > > > 10.0.0.0/24 <http://10.0.0.0/24> <http://10.0.0.0/24> <
> http://10.0.0.0/24> via 192.168.1.3 dev eth1 proto static src 192.168.1.1
> > > >
> > > > [alice] $ cat /etc/swanctl/swanctl.conf
> > > > connections {
> > > > alice {
> > > > children {
> > > > alice {
> > > > remote_ts = 10.0.0.0/24 <http://10.0.0.0/24> <
> http://10.0.0.0/24> <http://10.0.0.0/24>
> > > > start_action = trap
> > > > updown = /nix/store/jdcviy5z25xamq35g8k9qbdpskkx3w
> 9g-strongswan-5.6.0/libexec/ipsec/_updown iptables
> > > > }
> > > > }
> > > > local-main {
> > > > auth = pubkey
> > > > certs = aliceCert.der
> > > > id = alice
> > > > }
> > > > remote-main {
> > > > auth = pubkey
> > > > id = moon
> > > > }
> > > > remote_addrs = moon
> > > > version = 2
> > > > vips = 0.0.0.0
> > > > }
> > > > }
> > > >
> > > > Routing table 220 is empty on moon. Is that how it's
> supposed to be? This is its auto-generated swanctl configuration:
> > > >
> > > > [moon] $ cat /etc/swanctl/swanctl.conf
> > > > connections {
> > > > alice {
> > > > children {
> > > > alice {
> > > > local_ts = 10.0.0.0/24 <http://10.0.0.0/24> <
> http://10.0.0.0/24> <http://10.0.0.0/24>
> > > > updown = /nix/store/jdcviy5z25xamq35g8k9qbdpskkx3w
> 9g-strongswan-5.6.0/libexec/ipsec/_updown iptables
> > > > }
> > > > }
> > > > local-main {
> > > > auth = pubkey
> > > > certs = moonCert.der
> > > > id = moon
> > > > }
> > > > pools = alice
> > > > remote-main {
> > > > auth = pubkey
> > > > id = alice
> > > > }
> > > > version = 2
> > > > }
> > > > carol {
> > > > children {
> > > > carol {
> > > > local_ts = 10.0.0.0/24 <http://10.0.0.0/24> <
> http://10.0.0.0/24> <http://10.0.0.0/24>
> > > > updown = /nix/store/jdcviy5z25xamq35g8k9qbdpskkx3w
> 9g-strongswan-5.6.0/libexec/ipsec/_updown iptables
> > > > }
> > > > }
> > > > local-main {
> > > > auth = pubkey
> > > > certs = moonCert.der
> > > > id = moon
> > > > }
> > > > pools = carol
> > > > remote-main {
> > > > auth = pubkey
> > > > id = carol
> > > > }
> > > > version = 2
> > > > }
> > > > }
> > > > pools {
> > > > alice {
> > > > addrs = 10.0.0.1
> > > > }
> > > > carol {
> > > > addrs = 10.0.0.2
> > > > }
> > > > }
> > > >
> > > > I'm sure I'm not configuring something correctly. Can
> somebody point me in the right direction to get this test succeeding?
> > > >
> > > > Regards,
> > > >
> > > > Bas
> > > >
> > > >
> > > >
> > >
> > >
> > >
> >
> >
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170909/03d54db1/attachment-0001.html>
More information about the Users
mailing list