[strongSwan] StrongSwan - can't route traffic over it

Brenden info at 5eg.net
Wed Mar 7 05:37:54 CET 2018


Hi All,

I'm attempting to run StrongSwan on Ubuntu 16.04.3 LTS.

IPs chanaged for privacy:

My server IP 110.0.0.110
My subnet is 110.0.0.0/25
Internal IP: 192.168.50.214
Remote Peers: 1.2.3.111 (pri) / 1.2.3.112 (sec)

The primary connection is currently not configured (its still running on
our hardware FW) but the secondary one has been re-configured with the
other peer and connection successfully establishes.

They can see our successful connection is up but can't see any traffic
being sent from our side.

I am running HAPROXY on my strongswans server which forwards traffic from
192.168.50.214:3333 to 10.4.34.70:3333 (via IPSEC tunnel). I can't ping,
telnet, curl or do anything against this host.

I have this working in a legacy (undocumented environment on a Fortigate
FW), but that's being replaced.

# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-109-generic,
x86_64):
  uptime: 51 minutes, since Mar 07 13:21:13 2018
  malloc: sbrk 2588672, mmap 0, used 588944, free 1999728
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 7
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random
nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr
kernel-netlink resolve socket-default connmark farp stroke updown
eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2
eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2
eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic
xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11
tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
Listening IP addresses:
  110.0.0.110
  192.168.50.214
Connections:
     ipsec-pri:  110.0.0.110...1.2.3.111  IKEv1, dpddelay=30s
     ipsec-pri:   local:  uses pre-shared key authentication
     ipsec-pri:   remote: uses pre-shared key authentication
     ipsec-pri:   child:  110.0.0.0/25 === 10.5.35.0/24 TUNNEL,
dpdaction=restart
     ipsec-sec:  110.0.0.110...1.2.3.112  IKEv1, dpddelay=30s
     ipsec-sec:   local:  [110.0.0.110] uses pre-shared key authentication
     ipsec-sec:   remote: uses pre-shared key authentication
     ipsec-sec:   child:  110.0.0.0/25 === 10.4.34.70/32 10.4.34.71/32
TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
     ipsec-sec[2]: ESTABLISHED 51 minutes ago,
110.0.0.110[110.0.0.110]...1.2.3.112[1.2.3.112]
     ipsec-sec[2]: IKEv1 SPIs: ea2ac47190a16341_i* 6f0f64f9d22fd5c2_r,
pre-shared key reauthentication in 22 hours
     ipsec-sec[2]: IKE proposal:
3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
     ipsec-sec{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cc381424_i
15dd64ce_o
     ipsec-sec{2}:  3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 10140 bytes_o (169
pkts, 1s ago), rekeying in 46 minutes
     ipsec-sec{2}:   110.0.0.0/25 === 10.4.34.70/32


/etc/ipsec.conf file:
##################################
conn ipsec-pri
        ikelifetime=86400s
        authby=secret
        auto=start
        keyexchange=ikev1
        type=tunnel
        left=110.0.0.110
        leftid=%any
        leftsubnet=110.0.0.0/25
        right=1.2.3.111
        rightid=%any
        rightsubnet=10.5.35.0/24
        ike=3des-sha1-modp1024
        esp=3des-sha1-modp1024
        dpdaction=restart


conn ipsec-sec
        ikelifetime=86400s
        authby=secret
        auto=start
        keyexchange=ikev1
        type=tunnel
        left=110.0.0.110
        leftid=%any
        leftsubnet=110.0.0.0/25
        right==1.2.3.112
        rightid=%any
        rightsubnet=10.4.34.70/32,10.4.34.71/32
        ike=3des-sha1-modp1024
        esp=3des-sha1-modp1024
        dpdaction=restart
##################################

~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I've enabled forwarding in /etc/sysctl.conf
net.ipv4.ip_forward=1


I've been back and forth on this for a few months but just really stuck.

Any ideas on where i'm going wrong? I hope I've included enough info to
get pointed in the right direction.



More information about the Users mailing list