[strongSwan] Routing/iptables issue - Help with configuration
Steve Paul
steve.paul at comcast.net
Tue Jan 23 04:32:18 CET 2018
Greetings,
I've inherited a dual-homed CentOS v6 box to which I've been tasked with
adding a site-to-site VPN to Azure VPN Gateway using strongswan.
The good news is that it works, but just one way. I'm fairly confident I'm
missing something with the iptables rules as the assets in Azure can
ping, ssh and use services on the local lan, but the assets and gateway
on the local site network with strongswan cannot.
Info on the setup:
Strongswan gateway: eth0 - 10.0.2.1, network 10.0.2.1/23, eth1 -
38.X.Y.97 / public interface
Azure gateway: virtual lans= 10.1.0.0/24, 10.2.0.0/24 - 40.X.Y.206
public interface
This server already has a site-to-site with OpenVPN to another office
(10.0.5.0/24), as well as a bunch of PC/Mac users using OpenVPN Access
Server. It also is being used as a network appliance with several
10.0.2.X assets using NAT on aliased interfaces on the 38.X.Y.0/24
network (public IPs).
strongswan is using ikev2 and the two connect. It was fairly trivial to
make the connection config. I also attached this config for anyone
interested or if I need something additional to make this work. Both
Azure and the strongswan logs show the init and child SAs are happy and PSK
is working for both. And as I said, anything in the Azure network can
ping, ssh, ftp or http/https to anything in the 10.0.2.0/23 network.
The reverse is routed to the default route on the gateway server, out to the
internet (its default gateway is 38.X.Y.29). Example:
$ ping 10.1.0.4
PING 10.1.0.4 (10.1.0.4) 56(84) bytes of data.
From 38.X.Y.29 icmp_seq=1 Destination Net Unreachable
From 38.X.Y.29 icmp_seq=2 Destination Net Unreachable
From 38.X.Y.29 icmp_seq=3 Destination Net Unreachable
.... 38.X.Y.29 is the ISP router to the internet
The strongswan routes look "normal" to me, so the NAT tables for the other
stuff going on are likely the culprit:
# ip route show table 220
10.2.0.0/24 via 38.X.Y.96 dev eth1 proto static src 10.0.2.1
10.1.0.0/24 via 38.X.Y.96 dev eth1 proto static src 10.0.2.1
I attached the default iptables; my bet is I'm missing something there
that prevents routing via the strongswan policy.
It's greatly abridged, as I spared you (only) all the NAT hosts mapped
through to public IPs. Also, keep in mind that OpenVPN Access Server
adds/removes entries as remote VPN users connect and drop, but nothing out
of the ordinary, as they have their own interfaces (as0tX devices).
What am I missing? Thanks in advance!
Warmest regards,
Steve Paul
-------------- next part --------------
config setup
charondebug="ike 4, enc 1, net 1, knl 1, cfg 1, chd 1"
# Add connections here.
conn azure
type=tunnel
closeaction=restart
dpdaction=restart
forceencaps=yes
ike=aes256-sha512-modp2048
esp=aes256-sha-modp2048
reauth=no
keyexchange=ikev2
mobike=no
ikelifetime=28800s
keylife=3600s
keyingtries=%forever
authby=secret
# "left"
left=38.X.Y.97
leftsubnet=10.0.2.0/23
# "right"
right=40.X.Y.206
rightsubnet=10.1.0.0/24,10.2.0.0/24
auto=start
-------------- next part --------------
##########################################################################
# NAT section
##########################################################################
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
#-------------------------------------------------------------------------
# Masquerade all traffic output on public network
#-------------------------------------------------------------------------
-A POSTROUTING -o eth1 -j MASQUERADE
#
#-------------------------------------------------------------------------
# DNS server, LAN IP: 10.0.2.23, Pub IP: 38.X.Y.102
# Ports: 25,53,80,143,443,444,587,993
#-------------------------------------------------------------------------
-A PREROUTING -d 38.X.Y.102 -p tcp -m multiport --dports 25,53,80,143,443,444,587,993 -j DNAT --to 10.0.2.23
-A PREROUTING -d 38.X.Y.102 -p udp -m multiport --dports 25,53,80,143,443,444,587,993 -j DNAT --to 10.0.2.23
-I POSTROUTING -s 10.0.2.23 -o eth1 -j SNAT --to-source 38.X.Y.102
#
#-------------------------------------------------------------------------
# Antivirus Server, LAN IP: 10.0.2.50, Pub IP: 38.X.Y.110
# Ports: 2221, 2222
#-------------------------------------------------------------------------
-A PREROUTING -d 38.X.Y.110 -p tcp -m multiport --dports 2221:2225 -j DNAT --to 10.0.2.50
-I POSTROUTING -s 10.0.2.50 -o eth1 -j SNAT --to-source 38.X.Y.110
#
#-------------------------------------------------------------------------
# Web Server - LAN IP: 10.0.2.76, Pub IP: 38.X.Y.123
#-------------------------------------------------------------------------
-A PREROUTING -d 38.X.Y.123 -p tcp -m multiport --dports 80,443,8080 -j DNAT --to 10.0.2.76
-I POSTROUTING -s 10.0.2.76 -o eth1 -j SNAT --to-source 38.X.Y.123
#
#-------------------------------------------------------------------------
# More follow here, but you get the gist
#-------------------------------------------------------------------------
#
#-------------------------------------------------------------------------
COMMIT
#-------------------------------------------------------------------------
##########################################################################
# FILTER section
##########################################################################
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
#-------------------------------------------------------------------------
# Allowances for services on the local server
#-------------------------------------------------------------------------
# SSH (ADDED 10.1.0.0/24 so assets in Azure can SSH to gateway server)
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -s 10.1.0.0/24 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -s 10.2.0.0/24 -j ACCEPT
# http/https on the local server
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# OpenVPN Access Server
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1194 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 1194 -j ACCEPT
# OpenVPN (site-to-site)
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1195 -s 36.ZZ.ZZ.ZZ/32 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 1195 -s 36.ZZ.ZZ.ZZ/32 -j ACCEPT
# IPSec (site-to-site) for Azure w/ strongswan
-A INPUT -m state --state NEW -m udp -p udp --dport 4500 -s 40.X.Y.206/32 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 500 -s 40.X.Y.206/32 -j ACCEPT
# ESP (50) and AH (51) are IP protocols, not UDP ports, so match them with -p esp / -p ah
-A INPUT -p esp -s 40.X.Y.206/32 -j ACCEPT
-A INPUT -p ah -s 40.X.Y.206/32 -j ACCEPT
#-------------------------------------------------------------------------
#-------------------------------------------------------------------------
#-------------------------------------------------------------------------
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth0 -j ACCEPT
#
#-------------------------------------------------------------------------
#-------------------------------------------------------------------------
#-------------------------------------------------------------------------
#
#-------------------------------------------------------------------------
# DNS server - Pub IP: 38.X.Y.102
# Ports 25,53,80,143,443,444,587,993
#-------------------------------------------------------------------------
-A FORWARD -p tcp -m multiport -d 10.0.2.23 --dports 25,53,80,143,443,444,587,993 -j ACCEPT
-A FORWARD -p udp -m multiport -d 10.0.2.23 --dports 25,53,80,143,443,444,587,993 -j ACCEPT
#
#-------------------------------------------------------------------------
# Antivirus - LAN IP: 10.0.2.50, Pub IP: 38.X.Y.110
#-------------------------------------------------------------------------
-A FORWARD -p tcp -m multiport -d 10.0.2.50 --dports 2221:2225 -j ACCEPT
#
#-------------------------------------------------------------------------
# Web Server- LAN IP: 10.0.2.76 Pub IP: 38.X.Y.123
#-------------------------------------------------------------------------
-A FORWARD -p tcp -m multiport -d 10.0.2.76 --dports 80,443,8080 -j ACCEPT
#
#
#-------------------------------------------------------------------------
# ICMP security
#-------------------------------------------------------------------------
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
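An added example, not from Steve's post or from strongSwan: a shell lint that simulates how iptables-restore orders `-I` and `-A` POSTROUTING rules and reports whether an IPsec policy exemption (`-m policy --dir out --pol ipsec -j ACCEPT`) would be evaluated before any MASQUERADE/SNAT rule. The sample rule sets are constructed from the posted nat section; that NAT-before-IPsec is the actual cause in this setup is an assumption, though the symptom (plaintext packets taking the default route and the ISP router replying "Net Unreachable") is consistent with it.

```bash
#!/bin/bash
# Added example (not from the original post). The nat POSTROUTING chain runs
# before the IPsec policy lookup, so a MASQUERADE/SNAT that matches LAN->Azure
# packets rewrites their source; they then miss leftsubnet and leave via the
# default route in clear, which fits the ISP router's "Net Unreachable".
# The exemption "-m policy --dir out --pol ipsec -j ACCEPT" must therefore be
# evaluated before every MASQUERADE/SNAT rule.

# nat_order_check RULES -> prints OK or MISSING. RULES is iptables-save text;
# "-I" lines are placed the way iptables-restore places them: at the top, so
# the last -I in the file ends up first.
nat_order_check() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table != "nat" { next }
        /^-[AI] POSTROUTING / { if ($1 == "-I") pre[++p] = $0; else app[++a] = $0 }
        END {
            for (i = p; i >= 1; i--) order[++n] = pre[i]
            for (i = 1; i <= a; i++) order[++n] = app[i]
            for (i = 1; i <= n; i++) {
                if (order[i] ~ /--pol ipsec/ && order[i] ~ /-j ACCEPT/) { print "OK"; exit }
                if (order[i] ~ /-j (MASQUERADE|SNAT)/) { print "MISSING"; exit }
            }
            print "MISSING"
        }'
}

# Constructed samples, abridged from the nat section in the post.
POSTED_NAT='*nat
-A POSTROUTING -o eth1 -j MASQUERADE
-I POSTROUTING -s 10.0.2.23 -o eth1 -j SNAT --to-source 38.X.Y.102
COMMIT'
# Naive fix: exemption appended with -A, but the -I SNAT still lands above it.
NAIVE_FIX='*nat
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o eth1 -j MASQUERADE
-I POSTROUTING -s 10.0.2.23 -o eth1 -j SNAT --to-source 38.X.Y.102
COMMIT'
# Exemption as the last -I in the file, so it is evaluated first.
FIXED_NAT='*nat
-A POSTROUTING -o eth1 -j MASQUERADE
-I POSTROUTING -s 10.0.2.23 -o eth1 -j SNAT --to-source 38.X.Y.102
-I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
COMMIT'

echo "posted config: $(nat_order_check "$POSTED_NAT")"
echo "naive fix:     $(nat_order_check "$NAIVE_FIX")"
echo "fixed config:  $(nat_order_check "$FIXED_NAT")"
```

On the live box, `iptables -t nat -L POSTROUTING -v --line-numbers` shows the order the kernel actually uses, and a rising counter on the MASQUERADE rule while pinging 10.1.0.4 from the LAN confirms the rewrite is happening.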