[strongSwan] StrongSwan - can't route traffic over it
Brenden
info at 5eg.net
Mon Mar 12 06:01:50 CET 2018
I'm guessing my NAT rules may be messed up, any ideas what might be wrong?
# iptables-save
# Generated by iptables-save v1.6.0 on Mon Mar 12 14:22:04 2018
*nat
:PREROUTING ACCEPT [14:1916]
:INPUT ACCEPT [14:1916]
:OUTPUT ACCEPT [37:2220]
:POSTROUTING ACCEPT [18:1080]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 1.2.3.112/24 -o ens33 -m policy --dir out --pol ipsec -j
ACCEPT
-A POSTROUTING -s 1.2.3.112/24 -o ens33 -j MASQUERADE
-A POSTROUTING -s 1.2.3.112/24 -o ens33 -m policy --dir out --pol ipsec -j
ACCEPT
-A POSTROUTING -s 1.2.3.112/24 -o ens33 -j MASQUERADE
COMMIT
# Completed on Mon Mar 12 14:22:04 2018
# Generated by iptables-save v1.6.0 on Mon Mar 12 14:22:04 2018
*filter
:INPUT ACCEPT [74:14670]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [215:33304]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A FORWARD -s 1.2.3.112/24 -m policy --dir in --pol ipsec --proto esp -j
ACCEPT
-A FORWARD -d 1.2.3.112/24 -m policy --dir out --pol ipsec --proto esp -j
ACCEPT
-A FORWARD -s 1.2.3.112/24 -m policy --dir in --pol ipsec --proto esp -j
ACCEPT
-A FORWARD -d 1.2.3.112/24 -m policy --dir out --pol ipsec --proto esp -j
ACCEPT
COMMIT
# Completed on Mon Mar 12 14:22:04 2018
On 8 March 2018 at 20:34, Noel Kuntze <
noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
> Hi,
>
> Your iptables rules in the *nat table probably cause your issue.
>
> Take a look at the article about forwarding and split tunneling[1]. And
> stop using `iptables -L`, it doesn't show you everything. Always use
> `iptables-save` or `iptables-save -c` instead.
>
> Kind regards
>
> Noel
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/
> ForwardingAndSplitTunneling#General-NAT-problems
>
> On 07.03.2018 05:37, Brenden wrote:
> > Hi All,
> >
> > I'm attempting to run StrongSwan on Ubuntu 16.04.3 LTS.
> >
> > IPs chanaged for privacy:
> >
> > My server IP 110.0.0.110
> > My subnet is 110.0.0.0/25
> > Internal IP: 192.168.50.214
> > Remote Peers: 1.2.3.111 (pri) / 1.2.3.112 (sec)
> >
> > The primary connection is currently not configured (its still running on
> > our hardware FW) but the secondary one has been re-configured with the
> > other peer and connection successfully establishes.
> >
> > They can see our successful connection is up but can't see any traffic
> > being sent from our side.
> >
> > I am running HAPROXY on my strongswans server which forwards traffic from
> > 192.168.50.214:3333 to 10.4.34.70:3333 (via IPSEC tunnel). I can't ping,
> > telnet, curl or do anything against this host.
> >
> > I have this working in a legacy (undocumented environment on a Fortigate
> > FW), but that's being replaced.
> >
> > # ipsec statusall
> > Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-109-generic,
> > x86_64):
> > uptime: 51 minutes, since Mar 07 13:21:13 2018
> > malloc: sbrk 2588672, mmap 0, used 588944, free 1999728
> > worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> > scheduled: 7
> > loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random
> > nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
> > dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr
> > kernel-netlink resolve socket-default connmark farp stroke updown
> > eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2
> > eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2
> > eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic
> > xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11
> > tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
> > Listening IP addresses:
> > 110.0.0.110
> > 192.168.50.214
> > Connections:
> > ipsec-pri: 110.0.0.110...1.2.3.111 IKEv1, dpddelay=30s
> > ipsec-pri: local: uses pre-shared key authentication
> > ipsec-pri: remote: uses pre-shared key authentication
> > ipsec-pri: child: 110.0.0.0/25 === 10.5.35.0/24 TUNNEL,
> > dpdaction=restart
> > ipsec-sec: 110.0.0.110...1.2.3.112 IKEv1, dpddelay=30s
> > ipsec-sec: local: [110.0.0.110] uses pre-shared key
> authentication
> > ipsec-sec: remote: uses pre-shared key authentication
> > ipsec-sec: child: 110.0.0.0/25 === 10.4.34.70/32 10.4.34.71/32
> > TUNNEL, dpdaction=restart
> > Security Associations (1 up, 0 connecting):
> > ipsec-sec[2]: ESTABLISHED 51 minutes ago,
> > 110.0.0.110[110.0.0.110]...1.2.3.112[1.2.3.112]
> > ipsec-sec[2]: IKEv1 SPIs: ea2ac47190a16341_i* 6f0f64f9d22fd5c2_r,
> > pre-shared key reauthentication in 22 hours
> > ipsec-sec[2]: IKE proposal:
> > 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> > ipsec-sec{2}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cc381424_i
> > 15dd64ce_o
> > ipsec-sec{2}: 3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 10140 bytes_o (169
> > pkts, 1s ago), rekeying in 46 minutes
> > ipsec-sec{2}: 110.0.0.0/25 === 10.4.34.70/32
> >
> >
> > /etc/ipsec.conf file:
> > ##################################
> > conn ipsec-pri
> > ikelifetime=86400s
> > authby=secret
> > auto=start
> > keyexchange=ikev1
> > type=tunnel
> > left=110.0.0.110
> > leftid=%any
> > leftsubnet=110.0.0.0/25
> > right=1.2.3.111
> > rightid=%any
> > rightsubnet=10.5.35.0/24
> > ike=3des-sha1-modp1024
> > esp=3des-sha1-modp1024
> > dpdaction=restart
> >
> >
> > conn ipsec-sec
> > ikelifetime=86400s
> > authby=secret
> > auto=start
> > keyexchange=ikev1
> > type=tunnel
> > left=110.0.0.110
> > leftid=%any
> > leftsubnet=110.0.0.0/25
> > right==1.2.3.112
> > rightid=%any
> > rightsubnet=10.4.34.70/32,10.4.34.71/32
> > ike=3des-sha1-modp1024
> > esp=3des-sha1-modp1024
> > dpdaction=restart
> > ##################################
> >
> > ~# iptables -L
> > Chain INPUT (policy ACCEPT)
> > target prot opt source destination
> >
> > Chain FORWARD (policy ACCEPT)
> > target prot opt source destination
> >
> > Chain OUTPUT (policy ACCEPT)
> > target prot opt source destination
> >
> > I've enabled forwarding in /etc/sysctl.conf
> > net.ipv4.ip_forward=1
> >
> >
> > I've been back and forth on this for a few months but just really stuck.
> >
> > Any ideas on where i'm going wrong? I hope I've included enough info to
> > get pointed in the right direction.
> >
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180312/5b549264/attachment.html>
More information about the Users
mailing list