[strongSwan] Separate firewall/router and VPN systems

Robert Green robert.green at wegolook.com
Fri Aug 24 15:17:42 CEST 2018


Actually solved this.  I am fairly certain I was unclear about one
requirement I had.  I wanted all of the default non-local destination
traffic to flow through the primary router.  The main reason is the primary
router has an IDS and traffic tracking.  This is primarily due to business
policies.

First issue was local traffic.  The main problem there was the primary
router needed to have a static route set up so it knows where to send the
traffic for the VPN IPs.

Next was outbound traffic not destined for the local network.  I could add
the NAT rules in the firewall on the VPN server but that would route the
traffic out its external interface which is not the desired route in this
case.

I had to add a conditional route for the VPN:
ip rule add from 192.168.18.0/24 lookup VPN
ip route add default via 192.168.0.1 dev enp2s0 table VPN

This does work and gives the desired traffic routing.  This is a bit more
of a roundabout way of doing it but we have security reasons for doing so.

Thank you all for the responses.


On Fri, Aug 24, 2018 at 3:13 AM, Christian Salway <christian.salway at naimuri.com> wrote:

> Robert,
>
> Make sure you have ip_forward turned on
>
> net.ipv4.ip_forward = 1
>
>
> and masquerade the IP address
>
> /sbin/iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE
>
> then you need to make sure that anything that goes down the internal
> interface, comes back that way..
>
>
> See if you can make sense of the following which is my config.  eth0 is
> public facing, eth1 is internal facing
>
> cat <<EOF >> /etc/network/interfaces.d/50-cloud-init.cfg
> auto eth0
> iface eth0 inet dhcp
>
> auto eth1
> iface eth1 inet dhcp
>     metric 100
> EOF
> ifup eth1
>
>
> SN1="$(ip r | awk '/eth1/ { print $1 }' | tail -n 1)"  # internal subnet
> IP1="$(ip r | awk '/eth1/ { print $NF }' | tail -n 1)"  # internal ip
> GW1="$(echo ${SN1} | cut -d'/' -f1 | cut -d'.' -f1-3).1"  # internal gateway
>
> echo 200 eth1 >> /etc/iproute2/rt_tables
>
> cat <<EOF >> /etc/network/interfaces.d/50-cloud-init.cfg
>     post-up /sbin/ip rule add from ${IP1} table eth1
>     pre-down /sbin/ip rule delete from ${IP1} table eth1
>     post-up /sbin/ip route add default via ${GW1} table eth1
>     pre-down /sbin/ip route delete default via ${GW1} table eth1
>     post-up /sbin/ip route add ${REMOTECIDR} via ${GW1}
>     pre-down /sbin/ip route delete ${REMOTECIDR} via ${GW1}
>     post-up /sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>     pre-down /sbin/iptables -t nat -D POSTROUTING -o eth1 -j MASQUERADE
> EOF
> ifdown eth1; ifup eth1
>
> cat <<EOF > /etc/sysctl.d/60-strongswan.conf
> net.ipv4.ip_forward = 1
> EOF
> sysctl -p /etc/sysctl.d/60-strongswan.conf
>
> Kind regards,
>
> *Christian Salway*
> IT Consultant - *Naimuri*
>
> T: +44 7463 331432
> E: christian.salway at naimuri.com
> A: Naimuri Ltd, Chandlers Point, Manchester M50 2UW
>
> On 20 Aug 2018, at 22:23, Robert Green <robert.green at wegolook.com> wrote:
>
> Hello All,
>
> I may be doing something that isn't going to work easily.  I am trying to
> set up strongSwan on a separate system from my firewall/router.  This
> separate system is also directly connected to the public internet. This is
> to support a road warrior setup.
>
> I currently have the Windows 10 client connecting via certificates.
> However when I connect the client I cannot get traffic beyond the VPN
> box.  I can ping the internal interface but I cannot ping into the network
> or external clients.
>
> I see the routes in table 220 but they don't look right to me. I do
> have the firewall rules turned on in the config and those look to be
> populating correctly.
>
> /etc/ipsec.conf
> config setup
>         # strictcrlpolicy=yes
>         # uniqueids = no
>         charondebug="cfg 2, dmn 2, ike 2, net 2"
>
> conn remote-users
>         fragmentation=yes
>         ike=aes256-sha1-modp1024,3des-sha1-modp1024!
>         esp=aes256-sha1,3des-sha1!
>         left=%any
>         #leftsubnet=0.0.0.0/0
>         leftsubnet=192.168.0.0/16
>         leftcert=server_cert.pem
>         leftfirewall=yes
>         right=%any
>         rightdns=1.1.1.1, 8.8.8.8
>         rightsourceip=192.168.18.2-192.168.18.254
>         keyexchange=ikev2
>         #auto=add
>         auto=route
>
> ip route show table 220
>
> 192.168.18.2 via 12.12.12.1 dev enp0s25 proto static src 192.168.1.198
>
> My interfaces are:
> enp0s25 -> 12.12.12.1  (public interface)
> enp3s0  -> 192.168.1.198 (internal interface)
>
> Primary gateway 192.168.0.1  (netmask /23)
>
> This all has been sanitized. I have been beating my head against the wall
> on this one.  I know this is a routing issue but not sure how to properly
> fix it.
>
> Thank you,
> --
> Robert Green


-- 
Robert Green
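To make the two routing fixes in this thread concrete, here is an added simulation (not code from the list or from strongSwan) of the Linux rule and table lookup on the VPN box and on the primary router. Interface names and addresses come from the original mail; the primary router's tables and the LAN host 192.168.1.50 are constructed for the example.

```python
import ipaddress
# Hypothetical simulation of Linux policy routing (ip rule + ip route); not strongSwan code.

def lookup(table, dst):
    """Longest-prefix match in one routing table; returns (nexthop, dev) or None."""
    best = None
    for prefix, nexthop, dev in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop, dev)
    return None if best is None else best[1:]

def route(host, src, dst):
    """Walk the rules in priority order; the first table holding a route wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for selector, table in host["rules"]:  # selector None means "from all"
        if selector is None or src in ipaddress.ip_network(selector):
            hit = lookup(host["tables"][table], dst)
            if hit:
                return hit
    return None

# VPN box: enp0s25 public (gateway 12.12.12.1), enp3s0 internal (router 192.168.0.1).
VPN_BOX = {
    "rules": [(None, "220"),               # strongSwan's own rule, priority 220
              ("192.168.18.0/24", "VPN"),  # ip rule add from 192.168.18.0/24 lookup VPN
              (None, "main")],
    "tables": {
        "220": [("192.168.18.2/32", "12.12.12.1", "enp0s25")],  # ip route show table 220
        "VPN": [("0.0.0.0/0", "192.168.0.1", "enp3s0")],         # default ... table VPN
        "main": [("0.0.0.0/0", "12.12.12.1", "enp0s25"),
                 ("192.168.0.0/23", "direct", "enp3s0"),
                 ("12.12.12.0/24", "direct", "enp0s25")]}}

# Primary router without and with the static route for the VPN pool (constructed tables).
ROUTER_NO_STATIC = {"rules": [(None, "main")], "tables": {"main": [
    ("192.168.0.0/23", "direct", "lan"), ("0.0.0.0/0", "203.0.113.1", "wan")]}}
ROUTER_STATIC = {"rules": [(None, "main")], "tables": {"main": [
    ("192.168.18.0/24", "192.168.1.198", "lan")] + ROUTER_NO_STATIC["tables"]["main"]}}

def trace_client_to_internet(dst="1.1.1.1"):
    """Decrypted client packet forwarded by the VPN box: it must leave via the IDS router."""
    return route(VPN_BOX, "192.168.18.2", dst)

def trace_reply(router):
    """LAN host answering the client: router hop first, then the VPN box's table-220 hop."""
    first = route(router, "192.168.1.50", "192.168.18.2")
    if first[0] != "192.168.1.198":
        return ("lost", first)  # without the static route the reply heads for the ISP
    return ("ok", route(VPN_BOX, "192.168.1.50", "192.168.18.2"))
```

The VPN box's own traffic (including IKE/ESP to the road warrior) still matches only the main table and leaves via the public interface, while client traffic is steered through the router that runs the IDS.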