[strongSwan] Traffic blocked through the tunnel

Sujoy sujoy.b at mindlogicx.com
Fri Mar 9 14:52:33 CET 2018


Thanks Noel, as you replied, this is a new thread. I followed the below
forwarding and split tunneling link but cannot pass traffic through the
strongSwan tunnel.

https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling

Strongswan configuration details.

root@mlxvpn:~# ifconfig
enp3s0    Link encap:Ethernet  HWaddr 00:25:ab:98:12:d5
           inet addr:172.25.1.23  Bcast:172.25.255.255 Mask:255.255.0.0
           inet6 addr: fe80::c4eb:7e0f:2470:c1d2/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:281997 errors:0 dropped:1 overruns:0 frame:0
           TX packets:22052 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:29640846 (29.6 MB)  TX bytes:3714848 (3.7 MB)

lo        Link encap:Local Loopback
           inet addr:127.0.0.1  Mask:255.0.0.0
           inet6 addr: ::1/128 Scope:Host
           UP LOOPBACK RUNNING  MTU:65536  Metric:1
           RX packets:225 errors:0 dropped:0 overruns:0 frame:0
           TX packets:225 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1
           RX bytes:16397 (16.3 KB)  TX bytes:16397 (16.3 KB)

root@mlxvpn:~#
root@mlxvpn:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.4.0-116-generic, x86_64):
   uptime: 3 hours, since Mar 09 13:29:26 2018
   malloc: sbrk 2703360, mmap 0, used 553856, free 2149504
   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
   loaded plugins: charon aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
Listening IP addresses:
   172.25.1.23
Connections:
       tunnel:  %any...%any  IKEv2, dpddelay=30s
       tunnel:   local:  uses pre-shared key authentication
       tunnel:   remote: uses pre-shared key authentication
       tunnel:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
       tunnel[3]: ESTABLISHED 109 minutes ago, 172.25.1.23[10.0.0.1]...223.227.38.50[192.168.1.40]
       tunnel[3]: IKEv2 SPIs: 50985f5c83600bca_i 15196cba95370f18_r*, pre-shared key reauthentication in 61 minutes
       tunnel[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
       tunnel{5}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c4116d05_i c29b66f5_o
       tunnel{5}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 20 minutes
       tunnel{5}:   10.0.0.1/32 === 192.168.1.40/32
root@mlxvpn:~#
root@mlxvpn:~# iptables-save
# Generated by iptables-save v1.6.0 on Fri Mar  9 17:17:25 2018
*nat
:PREROUTING ACCEPT [41820:3021162]
:INPUT ACCEPT [6196:914229]
:OUTPUT ACCEPT [16:1536]
:POSTROUTING ACCEPT [16:1536]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
# Completed on Fri Mar  9 17:17:25 2018
# Generated by iptables-save v1.6.0 on Fri Mar  9 17:17:25 2018
*mangle
:PREROUTING ACCEPT [90325:7771073]
:INPUT ACCEPT [54531:5654040]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10356:1527995]
:POSTROUTING ACCEPT [10360:1528611]
-A FORWARD -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
-A FORWARD -p tcp -m policy --dir out --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT
# Completed on Fri Mar  9 17:17:25 2018
root@mlxvpn:~#
root@mlxvpn:~# ip route list table 220
root@mlxvpn:~#

Thanks for the help.
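An added diagnostic helper (my own code, not the poster's or part of strongSwan) that parses the CHILD_SA lines of the `ipsec statusall` output above and answers two questions a reader of this post would want settled: which CHILD_SAs are INSTALLED yet have carried zero bytes in either direction, and whether a given source/destination pair actually falls inside the installed traffic selectors (here narrowed to 10.0.0.1/32 === 192.168.1.40/32 even though the connection was configured as 0.0.0.0/0 === 0.0.0.0/0). Selectors with protocol/port qualifiers are not handled; the sample text is the excerpt from the post.

```python
import ipaddress
import re

# Excerpt of the `ipsec statusall` output quoted in the post above.
STATUSALL = """\
Security Associations (1 up, 0 connecting):
       tunnel[3]: ESTABLISHED 109 minutes ago, 172.25.1.23[10.0.0.1]...223.227.38.50[192.168.1.40]
       tunnel{5}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c4116d05_i c29b66f5_o
       tunnel{5}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 20 minutes
       tunnel{5}:   10.0.0.1/32 === 192.168.1.40/32
"""

# CHILD_SA lines look like "name{id}: ..."; IKE_SA lines use "name[id]:" and are skipped.
CHILD_LINE = re.compile(r"^\s*(\w+)\{(\d+)\}:\s+(.*)$")
BYTES = re.compile(r"(\d+) bytes_i, (\d+) bytes_o")
SELECTORS = re.compile(r"^([\d./]+(?: [\d./]+)*) === ([\d./]+(?: [\d./]+)*)$")


def parse_child_sas(text):
    """Map "name{id}" -> state, byte counters and local/remote selector networks."""
    sas = {}
    for line in text.splitlines():
        m = CHILD_LINE.match(line)
        if not m:
            continue
        key = f"{m.group(1)}{{{m.group(2)}}}"
        sa = sas.setdefault(key, {"state": None, "bytes_i": None, "bytes_o": None,
                                  "local": [], "remote": []})
        rest = m.group(3).strip()
        first = rest.split(",")[0]
        if first.isalpha() and first.isupper():      # INSTALLED, REKEYING, DELETING, ...
            sa["state"] = first
        b = BYTES.search(rest)
        if b:
            sa["bytes_i"], sa["bytes_o"] = int(b.group(1)), int(b.group(2))
        s = SELECTORS.match(rest)
        if s:
            sa["local"] = [ipaddress.ip_network(n) for n in s.group(1).split()]
            sa["remote"] = [ipaddress.ip_network(n) for n in s.group(2).split()]
    return sas


def idle_children(sas):
    """CHILD_SAs that are installed but have never carried a packet in either direction."""
    return [k for k, sa in sas.items()
            if sa["state"] == "INSTALLED" and sa["bytes_i"] == 0 and sa["bytes_o"] == 0]


def selector_covers(sa, src, dst):
    """True if a packet src -> dst would match this CHILD_SA's installed selectors."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in n for n in sa["local"]) and any(dst in n for n in sa["remote"])
```

A packet from the host's interface address 172.25.1.23 is outside the local selector, so it would never be matched by the IPsec policy regardless of the iptables rules.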

