[strongSwan] StrongSwan - can't route traffic over it
Brenden
info at 5eg.net
Wed Mar 7 05:37:54 CET 2018
Hi All,
I'm attempting to run StrongSwan on Ubuntu 16.04.3 LTS.
IPs changed for privacy:
My server IP 110.0.0.110
My subnet is 110.0.0.0/25
Internal IP: 192.168.50.214
Remote Peers: 1.2.3.111 (pri) / 1.2.3.112 (sec)
The primary connection is currently not configured (it's still running on
our hardware FW) but the secondary one has been re-configured with the
other peer and connection successfully establishes.
They can see our successful connection is up but can't see any traffic
being sent from our side.
I am running HAProxy on my strongSwan server which forwards traffic from
192.168.50.214:3333 to 10.4.34.70:3333 (via IPSEC tunnel). I can't ping,
telnet, curl or do anything against this host.
I have this working in a legacy (undocumented) environment on a Fortigate
FW, but that's being replaced.
# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-109-generic, x86_64):
uptime: 51 minutes, since Mar 07 13:21:13 2018
malloc: sbrk 2588672, mmap 0, used 588944, free 1999728
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 7
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
Listening IP addresses:
110.0.0.110
192.168.50.214
Connections:
ipsec-pri: 110.0.0.110...1.2.3.111 IKEv1, dpddelay=30s
ipsec-pri: local: uses pre-shared key authentication
ipsec-pri: remote: uses pre-shared key authentication
ipsec-pri: child: 110.0.0.0/25 === 10.5.35.0/24 TUNNEL, dpdaction=restart
ipsec-sec: 110.0.0.110...1.2.3.112 IKEv1, dpddelay=30s
ipsec-sec: local: [110.0.0.110] uses pre-shared key authentication
ipsec-sec: remote: uses pre-shared key authentication
ipsec-sec: child: 110.0.0.0/25 === 10.4.34.70/32 10.4.34.71/32 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
ipsec-sec[2]: ESTABLISHED 51 minutes ago, 110.0.0.110[110.0.0.110]...1.2.3.112[1.2.3.112]
ipsec-sec[2]: IKEv1 SPIs: ea2ac47190a16341_i* 6f0f64f9d22fd5c2_r, pre-shared key reauthentication in 22 hours
ipsec-sec[2]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
ipsec-sec{2}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cc381424_i 15dd64ce_o
ipsec-sec{2}: 3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 10140 bytes_o (169 pkts, 1s ago), rekeying in 46 minutes
ipsec-sec{2}: 110.0.0.0/25 === 10.4.34.70/32
/etc/ipsec.conf file:
##################################
conn ipsec-pri
    ikelifetime=86400s
    authby=secret
    auto=start
    keyexchange=ikev1
    type=tunnel
    left=110.0.0.110
    leftid=%any
    leftsubnet=110.0.0.0/25
    right=1.2.3.111
    rightid=%any
    rightsubnet=10.5.35.0/24
    ike=3des-sha1-modp1024
    esp=3des-sha1-modp1024
    dpdaction=restart

conn ipsec-sec
    ikelifetime=86400s
    authby=secret
    auto=start
    keyexchange=ikev1
    type=tunnel
    left=110.0.0.110
    leftid=%any
    leftsubnet=110.0.0.0/25
    right=1.2.3.112
    rightid=%any
    rightsubnet=10.4.34.70/32,10.4.34.71/32
    ike=3des-sha1-modp1024
    esp=3des-sha1-modp1024
    dpdaction=restart
##################################
~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
I've enabled forwarding in /etc/sysctl.conf
net.ipv4.ip_forward=1
I've been back and forth on this for a few months but just really stuck.
Any ideas on where I'm going wrong? I hope I've included enough info to
get pointed in the right direction.
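One check worth making on a tunnel that is ESTABLISHED but carries no useful traffic is whether each flow actually falls inside the traffic selectors of an installed CHILD_SA: packets whose source or destination lies outside them are routed normally, not through the tunnel. The following is an added example, not part of the post or of strongSwan itself: it parses the selector lines quoted in the ipsec statusall output above and tests the HAProxy flow against them, assuming (an assumption, since it depends on routing and HAProxy's source setting) that the forwarded connections leave with source 192.168.50.214 or 110.0.0.110.

```python
import ipaddress
import re

# Constructed sample: the CHILD_SA lines quoted in the post's `ipsec statusall`
# output (addresses are the post's own anonymised values).
STATUSALL = """\
ipsec-sec{2}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cc381424_i 15dd64ce_o
ipsec-sec{2}: 3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 10140 bytes_o (169 pkts, 1s ago), rekeying in 46 minutes
ipsec-sec{2}: 110.0.0.0/25 === 10.4.34.70/32
"""

# Matches the "<conn>{<id>}: <local selectors> === <remote selectors>" line that
# strongSwan prints for every installed CHILD_SA (selectors are space-separated).
_TS_LINE = re.compile(r"^(?P<name>\S+)\{(?P<id>\d+)\}:\s+(?P<local>[^=]+?)\s+===\s+(?P<remote>.+)$")


def parse_installed_selectors(text):
    """Return [(sa_name, [local networks], [remote networks])] for installed CHILD_SAs."""
    result = []
    for line in text.splitlines():
        m = _TS_LINE.match(line.strip())
        if not m:
            continue
        local = [ipaddress.ip_network(n) for n in m.group("local").split()]
        remote = [ipaddress.ip_network(n) for n in m.group("remote").split()]
        result.append((f"{m.group('name')}{{{m.group('id')}}}", local, remote))
    return result


def covering_sa(selectors, src, dst):
    """Name of the CHILD_SA whose selectors cover the src -> dst flow, or None.

    Source must be inside a local selector AND destination inside a remote one;
    otherwise the kernel has no XFRM policy for the packet and it bypasses IPsec."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, local, remote in selectors:
        if any(src in n for n in local) and any(dst in n for n in remote):
            return name
    return None


if __name__ == "__main__":
    sas = parse_installed_selectors(STATUSALL)
    # Assumed HAProxy source addresses (the host's two addresses from the post).
    for src in ("110.0.0.110", "192.168.50.214"):
        for dst in ("10.4.34.70", "10.4.34.71"):
            print(f"{src} -> {dst}: {covering_sa(sas, src, dst) or 'NOT covered'}")
```

Only 10.4.34.70/32 appears as an installed selector even though rightsubnet lists both hosts, so the script also shows that a flow to 10.4.34.71 has no SA at all.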