[strongSwan] Traffic blocked through the tunnel
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Fri Mar 9 15:01:46 CET 2018
Hi,
1) Make sure that net.ipv4.ip_forward=1 is set in sysctl (or just run `sysctl -w net.ipv4.ip_forward=1`, then it is set)
2) Make sure forwarding for the interfaces that are involved is enabled (net.ipv4.conf.$INTERFACE.forwarding=1)
3) How do you test the tunnel?
4) Do you have a route to 10.0.0.1?
5) There is only a route in table 220 if it's needed and route installation is enabled in strongswan.conf/charon.conf (the default).
Kind regards
Noel
On 09.03.2018 14:52, Sujoy wrote:
>
> Thanks Noel, As you replied this is a new thread. Followed the below forwarding and split tunneling link but cannot pass traffic through the strongSwan tunnel.
>
> https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
>
> strongSwan configuration details.
>
> root at mlxvpn:~# ifconfig
> enp3s0 Link encap:Ethernet HWaddr 00:25:ab:98:12:d5
> inet addr:172.25.1.23 Bcast:172.25.255.255 Mask:255.255.0.0
> inet6 addr: fe80::c4eb:7e0f:2470:c1d2/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:281997 errors:0 dropped:1 overruns:0 frame:0
> TX packets:22052 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:29640846 (29.6 MB) TX bytes:3714848 (3.7 MB)
>
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:65536 Metric:1
> RX packets:225 errors:0 dropped:0 overruns:0 frame:0
> TX packets:225 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1
> RX bytes:16397 (16.3 KB) TX bytes:16397 (16.3 KB)
>
> root at mlxvpn:~#
> root at mlxvpn:~# ipsec statusall
> Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.4.0-116-generic, x86_64):
> uptime: 3 hours, since Mar 09 13:29:26 2018
> malloc: sbrk 2703360, mmap 0, used 553856, free 2149504
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
> loaded plugins: charon aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
> Listening IP addresses:
> 172.25.1.23
> Connections:
> tunnel: %any...%any IKEv2, dpddelay=30s
> tunnel: local: uses pre-shared key authentication
> tunnel: remote: uses pre-shared key authentication
> tunnel: child: 0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=clear
> Security Associations (1 up, 0 connecting):
> tunnel[3]: ESTABLISHED 109 minutes ago, 172.25.1.23[10.0.0.1]...223.227.38.50[192.168.1.40]
> tunnel[3]: IKEv2 SPIs: 50985f5c83600bca_i 15196cba95370f18_r*, pre-shared key reauthentication in 61 minutes
> tunnel[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
> tunnel{5}: INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c4116d05_i c29b66f5_o
> tunnel{5}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 20 minutes
> tunnel{5}: 10.0.0.1/32 === 192.168.1.40/32
> root at mlxvpn:~#
> root at mlxvpn:~# iptables-save
> # Generated by iptables-save v1.6.0 on Fri Mar 9 17:17:25 2018
> *nat
> :PREROUTING ACCEPT [41820:3021162]
> :INPUT ACCEPT [6196:914229]
> :OUTPUT ACCEPT [16:1536]
> :POSTROUTING ACCEPT [16:1536]
> -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
> COMMIT
> # Completed on Fri Mar 9 17:17:25 2018
> # Generated by iptables-save v1.6.0 on Fri Mar 9 17:17:25 2018
> *mangle
> :PREROUTING ACCEPT [90325:7771073]
> :INPUT ACCEPT [54531:5654040]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [10356:1527995]
> :POSTROUTING ACCEPT [10360:1528611]
> -A FORWARD -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
> -A FORWARD -p tcp -m policy --dir out --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
> COMMIT
> # Completed on Fri Mar 9 17:17:25 2018
> root at mlxvpn:~#
> root at mlxvpn:~# ip route list table 220
> root at mlxvpn:~#
>
> Thanks for the help.
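The checks in the reply (what packet is used to test, whether it falls inside the installed traffic selectors, whether the CHILD_SA has moved any bytes, whether there is a route to the destination) can be run against the pasted output rather than by eye. The script below is an added example, not code from the list post or from the strongSwan project: it parses the `ipsec statusall` and `ifconfig` lines quoted above (copied in as constructed sample input) and reports, for a chosen test packet, which of those checks fail. The routing table is a constructed sample, since the post does not show `ip route`; the finding codes (`no-selector-match`, `sa-idle`, `local-ts-not-local`, `route`) are names chosen for this example.

```python
"""Offline sanity checks for a strongSwan tunnel that carries no traffic.

Added example (not from the list post or from strongSwan). It parses the
`ipsec statusall` and `ifconfig` output quoted in the thread and answers, for
a test packet src -> dst: does the packet match an INSTALLED CHILD_SA's
traffic selectors, has that SA moved any bytes, does any local interface
address lie inside the local selector, and which route carries dst.
"""
import ipaddress
import re

# Constructed sample: the SA lines from the quoted `ipsec statusall`.
STATUSALL = """\
Security Associations (1 up, 0 connecting):
   tunnel[3]: ESTABLISHED 109 minutes ago, 172.25.1.23[10.0.0.1]...223.227.38.50[192.168.1.40]
   tunnel{5}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c4116d05_i c29b66f5_o
   tunnel{5}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 20 minutes
   tunnel{5}:   10.0.0.1/32 === 192.168.1.40/32
"""

# Constructed sample: the `inet addr:` lines from the quoted ifconfig output.
IFCONFIG = """\
enp3s0    inet addr:172.25.1.23  Bcast:172.25.255.255  Mask:255.255.0.0
lo        inet addr:127.0.0.1  Mask:255.0.0.0
"""

# Constructed sample routing table (assumption: the post does not show `ip route`).
MAIN_ROUTES = """\
default via 172.25.0.1 dev enp3s0
172.25.0.0/16 dev enp3s0 proto kernel scope link src 172.25.1.23
"""

CHILD_RE = re.compile(r"^\s*(\S+?)\{(\d+)\}:\s+(.*)$")   # "tunnel{5}: ..."
BYTES_RE = re.compile(r"(\d+) bytes_i, (\d+) bytes_o")


def parse_child_sas(text):
    """Collect state, byte counters and traffic selectors per CHILD_SA (name, number)."""
    sas = {}
    for line in text.splitlines():
        m = CHILD_RE.match(line)
        if not m:
            continue  # IKE_SA lines ("tunnel[3]: ...") and headers are skipped
        key = (m.group(1), int(m.group(2)))
        sa = sas.setdefault(key, {"state": None, "bytes_i": None, "bytes_o": None,
                                  "local_ts": [], "remote_ts": []})
        rest = m.group(3)
        if rest.startswith("INSTALLED"):
            sa["state"] = "INSTALLED"
        b = BYTES_RE.search(rest)
        if b:
            sa["bytes_i"], sa["bytes_o"] = int(b.group(1)), int(b.group(2))
        if "===" in rest:  # "local_ts === remote_ts", possibly several networks per side
            left, right = rest.split("===", 1)
            sa["local_ts"] = [ipaddress.ip_network(n) for n in left.split()]
            sa["remote_ts"] = [ipaddress.ip_network(n) for n in right.split()]
    return sas


def local_addresses(ifconfig_text):
    """Interface addresses from net-tools style ifconfig output."""
    return [ipaddress.ip_address(a) for a in re.findall(r"inet addr:(\S+)", ifconfig_text)]


def route_for(routes_text, dst):
    """Longest-prefix match over `ip route` style lines; returns the winning line or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for line in routes_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]  # host routes have no /32
        net = ipaddress.ip_network(prefix, strict=False)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, line.strip())
    return best[1] if best else None


def fmt(nets):
    return " ".join(str(n) for n in nets)


def diagnose(src, dst, statusall=STATUSALL, ifconfig=IFCONFIG, routes=MAIN_ROUTES):
    """Return (code, detail) findings for a test packet src -> dst."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    findings = []
    sas = {k: v for k, v in parse_child_sas(statusall).items() if v["state"] == "INSTALLED"}
    if not sas:
        return [("no-child-sa", "no CHILD_SA is INSTALLED, so nothing can be encrypted")]
    addrs = local_addresses(ifconfig)
    for (name, num), sa in sas.items():
        tag = f"{name}{{{num}}}"
        in_local = any(src_ip in n for n in sa["local_ts"])
        in_remote = any(dst_ip in n for n in sa["remote_ts"])
        if not (in_local and in_remote):
            findings.append(("no-selector-match", f"{src}->{dst} is outside {tag} selectors "
                             f"{fmt(sa['local_ts'])} === {fmt(sa['remote_ts'])}; this SA will not encrypt it"))
        if sa["bytes_i"] == 0 and sa["bytes_o"] == 0:
            findings.append(("sa-idle", f"{tag} shows 0 bytes_i / 0 bytes_o: no packet has matched it yet"))
        if not any(a in n for a in addrs for n in sa["local_ts"]):
            findings.append(("local-ts-not-local", f"no interface address lies in {tag} local selector "
                             f"{fmt(sa['local_ts'])}; packets sourced from an interface address cannot match"))
    findings.append(("route", route_for(routes, dst) or f"no route to {dst}"))
    return findings


if __name__ == "__main__":
    for code, detail in diagnose("172.25.1.23", "192.168.1.40"):
        print(f"{code}: {detail}")
```

Run it with the source and destination you actually ping; a `no-selector-match` finding means the test packet never enters the policy, which matches the `0 bytes_i, 0 bytes_o` counters, and `route` tells you which table entry would carry it in the clear. Feed your own `ipsec statusall`, `ifconfig` and `ip route` text in place of the samples.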