[strongSwan] Traffic blocked through the tunnel

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Fri Mar 9 16:20:44 CET 2018


Hi,

To be able to communicate over the tunnel, obviously the remote host's IP needs to be in the remote TS and your local host's IP needs to be in the local TS of the VPN tunnel.
Did you alter the output you gave me or does the remote peer's IP specify the TS 10.0.0.1/32 == 192.168.1.40/32?

Kind regards

Noel

On 09.03.2018 16:06, Sujoy wrote:
> Thanks a lot for the information Noel, I have updated sysctl.conf according to points 1 and 2.
> 
> root at mlxvpn:~# sysctl -p
> net.ipv4.conf.enp3s0.forwarding = 1
> net.ipv4.ip_forward = 1
> net.ipv6.conf.all.forwarding = 1
> net.ipv4.conf.all.accept_redirects = 0
> net.ipv4.conf.all.send_redirects = 0
> net.ipv4.ip_no_pmtu_disc = 1
> 
> Point 3. Verified the tunnel is established by "ipsec statusall" at both ends. I checked the connection from the other systems, which can ping and ssh/http.
> The host which establishes the tunnel is not able to communicate with the VPN server.
>  #Nmap -Pn IP shows
> All 1000 scanned ports on static-IP-ISP.co.in (IP) are filtered
> Point 4. "10.0.0.1" is a sample IP. As I need to connect multiple devices whose IPs are not fixed, I have set left/rightsubnet to 0.0.0.0/0.
> 
> config setup
> 
>         charondebug="all"
>         uniqueids=no
>         strictcrlpolicy=no
> conn %default
> conn tunnel #
>        left=%any
>        leftsubnet=0.0.0.0/0
>        right=%any
>        rightid=%any
>        rightsubnet=0.0.0.0/0
>        ike=aes256-sha1-modp2048
>        esp=aes256-sha1
>        keyingtries=1
>        keylife=60m
>        dpddelay=30s
>        dpdtimeout=150s
>        dpdaction=clear
>        authby=psk
>        auto=route
>        keyexchange=ikev2
>        type=tunnel
>        mobike=no
>        leftfirewall=yes
>        fragmentation=yes
> 
> Thanks
> 
> On Friday 09 March 2018 07:31 PM, Noel Kuntze wrote:
>> Hi,
>>
>> 1) Make sure that net.ipv4.ip_forward=1 is set in sysctl (or just run `sysctl -w net.ipv4.ip_forward=1`, then it is set)
>> 2) Make sure forwarding for the interfaces that are involved is enabled (net.ipv4.conf.$INTERFACE.forwarding=1)
>> 3) How do you test the tunnel?
>> 4) Do you have a route to 10.0.0.1?
>> 5) There is only a route in table 220 if it's needed and route installation is enabled in strongswan.conf/charon.conf (the default).
>>
>> Kind regards
>>
>> Noel
>>
>> On 09.03.2018 14:52, Sujoy wrote:
>>> Thanks Noel, as you replied this is a new thread. Followed the below forwarding and split tunneling link but cannot pass traffic through the Strongswan tunnel.
>>>
>>> https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
>>>
>>> Strongswan configuration details.
>>>
>>> root at mlxvpn:~# ifconfig
>>> enp3s0    Link encap:Ethernet  HWaddr 00:25:ab:98:12:d5
>>>            inet addr:172.25.1.23  Bcast:172.25.255.255 Mask:255.255.0.0
>>>            inet6 addr: fe80::c4eb:7e0f:2470:c1d2/64 Scope:Link
>>>            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>            RX packets:281997 errors:0 dropped:1 overruns:0 frame:0
>>>            TX packets:22052 errors:0 dropped:0 overruns:0 carrier:0
>>>            collisions:0 txqueuelen:1000
>>>            RX bytes:29640846 (29.6 MB)  TX bytes:3714848 (3.7 MB)
>>>
>>> lo        Link encap:Local Loopback
>>>            inet addr:127.0.0.1  Mask:255.0.0.0
>>>            inet6 addr: ::1/128 Scope:Host
>>>            UP LOOPBACK RUNNING  MTU:65536  Metric:1
>>>            RX packets:225 errors:0 dropped:0 overruns:0 frame:0
>>>            TX packets:225 errors:0 dropped:0 overruns:0 carrier:0
>>>            collisions:0 txqueuelen:1
>>>            RX bytes:16397 (16.3 KB)  TX bytes:16397 (16.3 KB)
>>>
>>> root at mlxvpn:~#
>>> root at mlxvpn:~# ipsec statusall
>>> Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.4.0-116-generic, x86_64):
>>>    uptime: 3 hours, since Mar 09 13:29:26 2018
>>>    malloc: sbrk 2703360, mmap 0, used 553856, free 2149504
>>>    worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
>>>    loaded plugins: charon aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
>>> Listening IP addresses:
>>>    172.25.1.23
>>> Connections:
>>>        tunnel:  %any...%any  IKEv2, dpddelay=30s
>>>        tunnel:   local:  uses pre-shared key authentication
>>>        tunnel:   remote: uses pre-shared key authentication
>>>        tunnel:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=clear
>>> Security Associations (1 up, 0 connecting):
>>>        tunnel[3]: ESTABLISHED 109 minutes ago, 172.25.1.23[10.0.0.1]...223.227.38.50[192.168.1.40]
>>>        tunnel[3]: IKEv2 SPIs: 50985f5c83600bca_i 15196cba95370f18_r*, pre-shared key reauthentication in 61 minutes
>>>        tunnel[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>>>        tunnel{5}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c4116d05_i c29b66f5_o
>>>        tunnel{5}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 20 minutes
>>>        tunnel{5}:   10.0.0.1/32 === 192.168.1.40/32
>>> root at mlxvpn:~#
>>> root at mlxvpn:~# iptables-save
>>> # Generated by iptables-save v1.6.0 on Fri Mar  9 17:17:25 2018
>>> *nat
>>> :PREROUTING ACCEPT [41820:3021162]
>>> :INPUT ACCEPT [6196:914229]
>>> :OUTPUT ACCEPT [16:1536]
>>> :POSTROUTING ACCEPT [16:1536]
>>> -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
>>> COMMIT
>>> # Completed on Fri Mar  9 17:17:25 2018
>>> # Generated by iptables-save v1.6.0 on Fri Mar  9 17:17:25 2018
>>> *mangle
>>> :PREROUTING ACCEPT [90325:7771073]
>>> :INPUT ACCEPT [54531:5654040]
>>> :FORWARD ACCEPT [0:0]
>>> :OUTPUT ACCEPT [10356:1527995]
>>> :POSTROUTING ACCEPT [10360:1528611]
>>> -A FORWARD -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
>>> -A FORWARD -p tcp -m policy --dir out --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
>>> COMMIT
>>> # Completed on Fri Mar  9 17:17:25 2018
>>> root at mlxvpn:~#
>>> root at mlxvpn:~# ip route list table 220
>>> root at mlxvpn:~#
>>>
>>> Thanks for the help.
> 
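
The point Noel makes above (the installed CHILD_SA's traffic selectors decide which packets enter the tunnel, regardless of the 0.0.0.0/0 configured in ipsec.conf) can be checked mechanically. The following script is an added example and not part of the thread or of strongSwan itself: it parses the `child:` and `{n}` lines of the quoted `ipsec statusall` output (embedded below as a constructed sample taken from the thread) and answers two questions: is a given source/destination pair covered by any installed SA, and was the installed TS narrowed relative to what the conn configured? The line formats it relies on are exactly those shown in the quoted output; `parse_statusall`, `covering_sa` and `is_narrowed` are names chosen here, not strongSwan API.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the connection and SA lines of the "ipsec statusall"
# output quoted in the thread, trimmed to what the parser needs.
SAMPLE_STATUSALL = """\
Connections:
       tunnel:  %any...%any  IKEv2, dpddelay=30s
       tunnel:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
       tunnel[3]: ESTABLISHED 109 minutes ago, 172.25.1.23[10.0.0.1]...223.227.38.50[192.168.1.40]
       tunnel{5}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c4116d05_i c29b66f5_o
       tunnel{5}:   10.0.0.1/32 === 192.168.1.40/32
"""

# Matches "conn:" (configured child) or "conn{n}:" (installed CHILD_SA) prefixes.
_PREFIX = re.compile(r"^(?P<conn>[^\s:{]+)(?:\{(?P<id>\d+)\})?:\s*(?P<rest>.*)$")


def _networks(text: str) -> list:
    """Turn 'a/b c/d[tcp/22] TUNNEL, ...' into network objects.
    Port/protocol qualifiers in brackets are ignored; the first token that
    is not a network (e.g. 'TUNNEL,') ends the selector list."""
    nets = []
    for tok in text.split():
        tok = tok.split("[", 1)[0]
        try:
            nets.append(ipaddress.ip_network(tok, strict=False))
        except ValueError:
            break
    return nets


def parse_statusall(text: str) -> Dict[str, Dict[str, Tuple[list, list]]]:
    """Collect configured ("child:") and installed ("{n}") traffic selectors.
    Returns {"configured": {conn: (local, remote)}, "installed": {"conn{n}": (local, remote)}}."""
    result: Dict[str, Dict[str, Tuple[list, list]]] = {"configured": {}, "installed": {}}
    for line in text.splitlines():
        if "===" not in line:
            continue
        m = _PREFIX.match(line.strip())
        if not m:
            continue
        rest = m["rest"]
        if m["id"]:
            kind, key = "installed", f"{m['conn']}{{{m['id']}}}"
        else:
            if not rest.startswith("child:"):
                continue
            kind, key = "configured", m["conn"]
            rest = rest[len("child:"):]
        local_txt, _, remote_txt = rest.partition("===")
        result[kind][key] = (_networks(local_txt), _networks(remote_txt))
    return result


def covering_sa(installed: Dict[str, Tuple[list, list]], src: str, dst: str) -> Optional[str]:
    """Name of the first installed CHILD_SA whose local TS contains src and
    whose remote TS contains dst, or None if the pair would bypass the tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, (local, remote) in installed.items():
        if any(s in n for n in local) and any(d in n for n in remote):
            return name
    return None


def is_narrowed(parsed: Dict[str, Dict[str, Tuple[list, list]]], sa_name: str) -> bool:
    """True if the installed SA's selectors differ from the conn's configured ones,
    i.e. the TS was narrowed during IKE negotiation."""
    local, remote = parsed["installed"][sa_name]
    conn = sa_name.split("{", 1)[0]
    cfg = parsed["configured"].get(conn)
    if cfg is None:
        return False
    return local != cfg[0] or remote != cfg[1]


def report(parsed: Dict[str, Dict[str, Tuple[list, list]]], src: str, dst: str) -> List[str]:
    """Human-readable summary for the given packet direction."""
    lines = []
    for name, (local, remote) in parsed["installed"].items():
        fmt = lambda nets: " ".join(str(n) for n in nets)
        lines.append(f"{name}: {fmt(local)} === {fmt(remote)}"
                     + (" (narrowed from configured TS)" if is_narrowed(parsed, name) else ""))
    sa = covering_sa(parsed["installed"], src, dst)
    lines.append(f"{src} -> {dst}: " + (f"matched by {sa}" if sa else "NOT covered by any installed SA"))
    return lines


if __name__ == "__main__":
    parsed = parse_statusall(SAMPLE_STATUSALL)
    # The host's own address talking to the peer's public address: not in the TS.
    print("\n".join(report(parsed, "172.25.1.23", "223.227.38.50")))
    # The addresses actually negotiated: covered.
    print("\n".join(report(parsed, "10.0.0.1", "192.168.1.40")))
```

Run against a live box with `ipsec statusall | python3 this_script.py` after swapping `SAMPLE_STATUSALL` for `sys.stdin.read()`; a "NOT covered" verdict for the addresses you are pinging from and to is exactly the situation described in the thread, where the configured 0.0.0.0/0 was narrowed to 10.0.0.1/32 === 192.168.1.40/32 and the host's real source address 172.25.1.23 never enters the SA.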
