[strongSwan] Traffic blocked through the tunnel

Sujoy sujoy.b at mindlogicx.com
Fri Mar 9 16:06:23 CET 2018


Thanks a lot for the information Noel, I have updated sysctl.conf 
according to points 1 and 2.

root at mlxvpn:~# sysctl -p
net.ipv4.conf.enp3s0.forwarding = 1
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.ip_no_pmtu_disc = 1

Point 3. Verified the tunnel is established by "ipsec statusall" at 
both ends. I checked the connection from the other systems, which can 
ping and ssh/http.
The host which establishes the tunnel is not able to communicate with the 
VPN server.
  # nmap -Pn IP shows
All 1000 scanned ports on static-IP-ISP.co.in (IP) are filtered
Point 4. "10.0.0.1" is a sample IP. As I need to connect multiple devices 
whose IPs are not fixed, I have set the left/rightsubnet to 0.0.0.0/0.

config setup
        charondebug="all"
        uniqueids=no
        strictcrlpolicy=no

conn %default

conn tunnel
        left=%any
        leftsubnet=0.0.0.0/0
        right=%any
        rightid=%any
        rightsubnet=0.0.0.0/0
        ike=aes256-sha1-modp2048
        esp=aes256-sha1
        keyingtries=1
        keylife=60m
        dpddelay=30s
        dpdtimeout=150s
        dpdaction=clear
        authby=psk
        auto=route
        keyexchange=ikev2
        type=tunnel
        mobike=no
        leftfirewall=yes
        fragmentation=yes

Thanks

On Friday 09 March 2018 07:31 PM, Noel Kuntze wrote:
> Hi,
>
> 1) Make sure that net.ipv4.ip_forward=1 is set in sysctl (or just run `sysctl -w net.ipv4.ip_forward=1`, then it is set)
> 2) Make sure forwarding for the interfaces that are involved is enabled (net.ipv4.conf.$INTERFACE.forwarding=1)
> 3) How do you test the tunnel?
> 4) Do you have a route to 10.0.0.1?
> 5) There is only a route in table 220 if it's needed and route installation is enabled in strongswan.conf/charon.conf (the default).
>
> Kind regards
>
> Noel
>
> On 09.03.2018 14:52, Sujoy wrote:
>> Thanks Noel. As you replied, this is a new thread. I followed the forwarding and split tunneling link below but cannot pass traffic through the strongSwan tunnel.
>>
>> https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
>>
>> Strongswan configuration details.
>>
>> root at mlxvpn:~# ifconfig
>> enp3s0    Link encap:Ethernet  HWaddr 00:25:ab:98:12:d5
>>            inet addr:172.25.1.23  Bcast:172.25.255.255 Mask:255.255.0.0
>>            inet6 addr: fe80::c4eb:7e0f:2470:c1d2/64 Scope:Link
>>            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>            RX packets:281997 errors:0 dropped:1 overruns:0 frame:0
>>            TX packets:22052 errors:0 dropped:0 overruns:0 carrier:0
>>            collisions:0 txqueuelen:1000
>>            RX bytes:29640846 (29.6 MB)  TX bytes:3714848 (3.7 MB)
>>
>> lo        Link encap:Local Loopback
>>            inet addr:127.0.0.1  Mask:255.0.0.0
>>            inet6 addr: ::1/128 Scope:Host
>>            UP LOOPBACK RUNNING  MTU:65536  Metric:1
>>            RX packets:225 errors:0 dropped:0 overruns:0 frame:0
>>            TX packets:225 errors:0 dropped:0 overruns:0 carrier:0
>>            collisions:0 txqueuelen:1
>>            RX bytes:16397 (16.3 KB)  TX bytes:16397 (16.3 KB)
>>
>> root at mlxvpn:~#
>> root at mlxvpn:~# ipsec statusall
>> Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.4.0-116-generic, x86_64):
>>    uptime: 3 hours, since Mar 09 13:29:26 2018
>>    malloc: sbrk 2703360, mmap 0, used 553856, free 2149504
>>    worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
>>    loaded plugins: charon aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
>> Listening IP addresses:
>>    172.25.1.23
>> Connections:
>>        tunnel:  %any...%any  IKEv2, dpddelay=30s
>>        tunnel:   local:  uses pre-shared key authentication
>>        tunnel:   remote: uses pre-shared key authentication
>>        tunnel:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=clear
>> Security Associations (1 up, 0 connecting):
>>        tunnel[3]: ESTABLISHED 109 minutes ago, 172.25.1.23[10.0.0.1]...223.227.38.50[192.168.1.40]
>>        tunnel[3]: IKEv2 SPIs: 50985f5c83600bca_i 15196cba95370f18_r*, pre-shared key reauthentication in 61 minutes
>>        tunnel[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>>        tunnel{5}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c4116d05_i c29b66f5_o
>>        tunnel{5}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 20 minutes
>>        tunnel{5}:   10.0.0.1/32 === 192.168.1.40/32
>> root at mlxvpn:~#
>> root at mlxvpn:~# iptables-save
>> # Generated by iptables-save v1.6.0 on Fri Mar  9 17:17:25 2018
>> *nat
>> :PREROUTING ACCEPT [41820:3021162]
>> :INPUT ACCEPT [6196:914229]
>> :OUTPUT ACCEPT [16:1536]
>> :POSTROUTING ACCEPT [16:1536]
>> -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
>> COMMIT
>> # Completed on Fri Mar  9 17:17:25 2018
>> # Generated by iptables-save v1.6.0 on Fri Mar  9 17:17:25 2018
>> *mangle
>> :PREROUTING ACCEPT [90325:7771073]
>> :INPUT ACCEPT [54531:5654040]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [10356:1527995]
>> :POSTROUTING ACCEPT [10360:1528611]
>> -A FORWARD -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
>> -A FORWARD -p tcp -m policy --dir out --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
>> COMMIT
>> # Completed on Fri Mar  9 17:17:25 2018
>> root at mlxvpn:~#
>> root at mlxvpn:~# ip route list table 220
>> root at mlxvpn:~#
>>
>> Thanks for the help.
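The `ipsec statusall` output quoted above shows the connection configured with `0.0.0.0/0 === 0.0.0.0/0` but the installed CHILD_SA `tunnel{5}` carrying the selectors `10.0.0.1/32 === 192.168.1.40/32` with `0 bytes_i, 0 bytes_o`. The script below is an added diagnostic, not code from this thread or from strongSwan: it parses statusall text, compares each connection's configured child selectors with the selectors actually installed in its CHILD_SAs, reads the byte counters, and answers whether a given source/destination pair would be matched by the installed IPsec policy at all. The regular expressions are written against the output format shown on this page (strongSwan 5.6.2 `ipsec statusall`) and assume one selector per side; the embedded sample text is constructed from the lines quoted above.

```python
"""Check installed strongSwan CHILD_SA selectors against the configured ones.

Added diagnostic for reading `ipsec statusall` output; not part of strongSwan.
Assumes the 5.6.x stroke-style status format and a single selector per side.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the relevant lines of the `ipsec statusall` output quoted
# in the thread (connection "tunnel", CHILD_SA tunnel{5}).
SAMPLE = """\
Connections:
       tunnel:  %any...%any  IKEv2, dpddelay=30s
       tunnel:   local:  uses pre-shared key authentication
       tunnel:   remote: uses pre-shared key authentication
       tunnel:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
       tunnel[3]: ESTABLISHED 109 minutes ago, 172.25.1.23[10.0.0.1]...223.227.38.50[192.168.1.40]
       tunnel{5}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c4116d05_i c29b66f5_o
       tunnel{5}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 20 minutes
       tunnel{5}:   10.0.0.1/32 === 192.168.1.40/32
"""

# "<conn>:   child:  <local> === <remote> <MODE>, ..." under "Connections:"
CHILD_CONF_RE = re.compile(
    r"^\s*(?P<name>\S+):\s+child:\s+(?P<local>\S+)\s+===\s+(?P<remote>\S+)\s+(?P<mode>\w+)")
# "<conn>{<id>}:   <local> === <remote>": selectors installed for a CHILD_SA
CHILD_SA_TS_RE = re.compile(
    r"^\s*(?P<name>\S+)\{(?P<id>\d+)\}:\s+(?P<local>\S+)\s+===\s+(?P<remote>\S+)\s*$")
# "<conn>{<id>}:  <alg>, <n> bytes_i, <n> bytes_o, ...": traffic counters
CHILD_SA_BYTES_RE = re.compile(
    r"^\s*(?P<name>\S+)\{(?P<id>\d+)\}:\s+(?P<alg>[^,]+),\s+(?P<bytes_i>\d+) bytes_i,\s+(?P<bytes_o>\d+) bytes_o")


def parse_statusall(text):
    """Return ({conn: (local, remote)}, {(conn, child_id): {...}}) from statusall text."""
    configured, installed = {}, {}
    for line in text.splitlines():
        m = CHILD_CONF_RE.match(line)
        if m:
            configured[m["name"]] = (m["local"], m["remote"])
            continue
        m = CHILD_SA_TS_RE.match(line)
        if m:
            sa = installed.setdefault((m["name"], int(m["id"])), {})
            sa["local"], sa["remote"] = m["local"], m["remote"]
            continue
        m = CHILD_SA_BYTES_RE.match(line)
        if m:
            sa = installed.setdefault((m["name"], int(m["id"])), {})
            sa["bytes_i"], sa["bytes_o"] = int(m["bytes_i"]), int(m["bytes_o"])
    return configured, installed


def narrowed(configured_ts, installed_ts):
    """True if the installed selector is a strict subset of the configured one."""
    conf, inst = ip_network(configured_ts), ip_network(installed_ts)
    return inst != conf and inst.subnet_of(conf)


def would_tunnel(installed, src, dst):
    """Key of the installed CHILD_SA whose selectors cover src -> dst, else None."""
    s, d = ip_address(src), ip_address(dst)
    for key, sa in installed.items():
        if "local" in sa and s in ip_network(sa["local"]) and d in ip_network(sa["remote"]):
            return key
    return None


def diagnose(text):
    """Human-readable findings about every installed CHILD_SA in the text."""
    configured, installed = parse_statusall(text)
    findings = []
    for (name, cid), sa in sorted(installed.items()):
        label = f"{name}{{{cid}}}"
        conf = configured.get(name)
        if conf and "local" in sa and (narrowed(conf[0], sa["local"]) or narrowed(conf[1], sa["remote"])):
            findings.append(
                f"{label}: selectors narrowed from {conf[0]} === {conf[1]} to "
                f"{sa['local']} === {sa['remote']}; only packets between those "
                f"addresses match the IPsec policy, anything else bypasses the tunnel")
        if sa.get("bytes_i", 0) == 0 and sa.get("bytes_o", 0) == 0:
            findings.append(f"{label}: 0 bytes in and out, no packet has matched this policy yet")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE):
        print(finding)
    _, sas = parse_statusall(SAMPLE)
    # The VPN server's own address is outside the installed local selector
    print("172.25.1.23 -> 192.168.1.40 uses:", would_tunnel(sas, "172.25.1.23", "192.168.1.40"))
```

Run it against a saved copy of `ipsec statusall` instead of `SAMPLE` to see which address pairs the kernel policy will actually protect; a CHILD_SA whose counters stay at zero while pings run means the packets never matched its selectors, which is worth checking before looking at forwarding or iptables.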