[strongSwan] StrongSwan - can't route traffic over it

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Mar 8 11:34:29 CET 2018 

Hi,

Your iptables rules in the *nat table probably cause your issue.

Take a look at the article about forwarding and split tunneling[1]. And stop using `iptables -L`, it doesn't show you everything. Always use `iptables-save` or `iptables-save -c` instead.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#General-NAT-problems

On 07.03.2018 05:37, Brenden wrote:
> Hi All,
>
> I'm attempting to run StrongSwan on Ubuntu 16.04.3 LTS.
>
> IPs chanaged for privacy:
>
> My server IP 110.0.0.110
> My subnet is 110.0.0.0/25
> Internal IP: 192.168.50.214
> Remote Peers: 1.2.3.111 (pri) / 1.2.3.112 (sec)
>
> The primary connection is currently not configured (its still running on
> our hardware FW) but the secondary one has been re-configured with the
> other peer and connection successfully establishes.
>
> They can see our successful connection is up but can't see any traffic
> being sent from our side.
>
> I am running HAPROXY on my strongswans server which forwards traffic from
> 192.168.50.214:3333 to 10.4.34.70:3333 (via IPSEC tunnel). I can't ping,
> telnet, curl or do anything against this host.
>
> I have this working in a legacy (undocumented environment on a Fortigate
> FW), but that's being replaced.
>
> # ipsec statusall
> Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-109-generic,
> x86_64):
>   uptime: 51 minutes, since Mar 07 13:21:13 2018
>   malloc: sbrk 2588672, mmap 0, used 588944, free 1999728
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> scheduled: 7
>   loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random
> nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
> dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr
> kernel-netlink resolve socket-default connmark farp stroke updown
> eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2
> eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2
> eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic
> xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11
> tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
> Listening IP addresses:
>   110.0.0.110
>   192.168.50.214
> Connections:
>      ipsec-pri:  110.0.0.110...1.2.3.111  IKEv1, dpddelay=30s
>      ipsec-pri:   local:  uses pre-shared key authentication
>      ipsec-pri:   remote: uses pre-shared key authentication
>      ipsec-pri:   child:  110.0.0.0/25 === 10.5.35.0/24 TUNNEL,
> dpdaction=restart
>      ipsec-sec:  110.0.0.110...1.2.3.112  IKEv1, dpddelay=30s
>      ipsec-sec:   local:  [110.0.0.110] uses pre-shared key authentication
>      ipsec-sec:   remote: uses pre-shared key authentication
>      ipsec-sec:   child:  110.0.0.0/25 === 10.4.34.70/32 10.4.34.71/32
> TUNNEL, dpdaction=restart
> Security Associations (1 up, 0 connecting):
>      ipsec-sec[2]: ESTABLISHED 51 minutes ago,
> 110.0.0.110[110.0.0.110]...1.2.3.112[1.2.3.112]
>      ipsec-sec[2]: IKEv1 SPIs: ea2ac47190a16341_i* 6f0f64f9d22fd5c2_r,
> pre-shared key reauthentication in 22 hours
>      ipsec-sec[2]: IKE proposal:
> 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>      ipsec-sec{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cc381424_i
> 15dd64ce_o
>      ipsec-sec{2}:  3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 10140 bytes_o (169
> pkts, 1s ago), rekeying in 46 minutes
>      ipsec-sec{2}:   110.0.0.0/25 === 10.4.34.70/32
>
>
> /etc/ipsec.conf file:
> ##################################
> conn ipsec-pri
>         ikelifetime=86400s
>         authby=secret
>         auto=start
>         keyexchange=ikev1
>         type=tunnel
>         left=110.0.0.110
>         leftid=%any
>         leftsubnet=110.0.0.0/25
>         right=1.2.3.111
>         rightid=%any
>         rightsubnet=10.5.35.0/24
>         ike=3des-sha1-modp1024
>         esp=3des-sha1-modp1024
>         dpdaction=restart
>
>
> conn ipsec-sec
>         ikelifetime=86400s
>         authby=secret
>         auto=start
>         keyexchange=ikev1
>         type=tunnel
>         left=110.0.0.110
>         leftid=%any
>         leftsubnet=110.0.0.0/25
>         right==1.2.3.112
>         rightid=%any
>         rightsubnet=10.4.34.70/32,10.4.34.71/32
>         ike=3des-sha1-modp1024
>         esp=3des-sha1-modp1024
>         dpdaction=restart
> ##################################
>
> ~# iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> I've enabled forwarding in /etc/sysctl.conf
> net.ipv4.ip_forward=1
>
>
> I've been back and forth on this for a few months but just really stuck.
>
> Any ideas on where i'm going wrong? I hope I've included enough info to
> get pointed in the right direction.
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180308/ad34548a/attachment.sig>

More information about the Users mailing list