[strongSwan] Can't make routing work to pass Internet traffic
Arab Abdulla
arab666 at protonmail.com
Fri May 4 09:57:06 CEST 2018
Dear Admins!
Please help. I can't get routing to work. My network layout is:
IPSEC Client 1 <--> IPSEC Server <--> IPSEC Client 2
IPSEC IPs of computers:
Server: 10.1.1.1
Client 1: 10.1.2.1
Client 2: 10.1.3.1
I can ping 10.1.3.1 from 10.1.2.1, traffic goes through 10.1.1.1. It works.
I need to make "Client 2" an Internet gateway to pass all Internet traffic from Client 1.
But when I try to add route:
ip route add 8.8.4.4/32 via 10.1.3.1
the route does not seem to work; it is as if gateway 10.1.3.1 were simply ignored. Traffic ends at 10.1.1.1 and is never passed on to 10.1.3.1. I checked this with tcpdump.
I use VTI for this and test everything in three virtual machines.
"Server"
root at ubuntu1604:~# cat /etc/ipsec.conf
config setup
charondebug="cfg 2, dmn 2, ike 2, net 2"
uniqueids=never
conn %default
keyexchange=ikev2
reauth=no
forceencaps=yes
fragmentation=yes
compress=no
dpdaction=clear
closeaction=clear
mobike=no
ike=aes256gcm16-prfsha384-ecp384!
esp=aes256gcm16-ecp384!
conn server
leftupdown=/usr/local/sbin/ipsec-vti.sh
mark=%unique
leftid=%server.example.com
leftsubnet=0.0.0.0/0
rightsubnet=0.0.0.0/0
rightsourceip=%config
leftcert=gw-cert.pem
leftsendcert=always
auto=add
root at ubuntu1604:~# cat /usr/local/sbin/ipsec-vti.sh
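#!/bin/bash
# strongSwan updown script for the server side: creates one VTI per IKE_SA
# (named after PLUTO_UNIQUEID) on up-client and removes it on down-client.
#
# Environment (set by charon): PLUTO_VERB, PLUTO_UNIQUEID, PLUTO_ME,
# PLUTO_PEER, PLUTO_PEER_SOURCEIP.
set -o nounset
set -o errexit

readonly VTI_IF="ipsec${PLUTO_UNIQUEID}"
# Tunnel address this host answers on. It is bound to lo (not to a VTI)
# so it stays reachable regardless of which tunnels are up.
PLUTO_MY_SOURCEIP="10.1.1.1"

case "${PLUTO_VERB}" in
  up-client)
    ip link add "${VTI_IF}" type vti local "${PLUTO_ME}" remote "${PLUTO_PEER}" \
      key "${PLUTO_UNIQUEID}"
    ip link set "${VTI_IF}" mtu 1436
    ip link set "${VTI_IF}" up
    # Only the peer's virtual IP is routed into this VTI.
    ip route add "${PLUTO_PEER_SOURCEIP}" dev "${VTI_IF}"
    # NOTE(review): disable_policy below only relaxes the *inbound* policy
    # check. Packets sent out through the VTI are still matched against this
    # tunnel's XFRM policy, and with rightsourceip=%config the peer's traffic
    # selector is narrowed to its virtual IP (/32). Traffic forwarded into the
    # VTI for other destinations (e.g. a route "via" the peer's virtual IP) is
    # therefore likely dropped at the tunnel; check the VTI's TX error
    # counters with "ip -s link show" to confirm.
    #
    # Rule 220 is charon's own routing-table rule. With several clients this
    # script runs once per tunnel and the rule is already gone after the first
    # run; do not let errexit abort the remaining steps in that case.
    ip rule del pri 220 2>/dev/null || true
    sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1"
    ;;
  down-client)
    ip link del "${VTI_IF}"
    ;;
esac

# Runs for every verb; "|| true" keeps a repeated add (address already
# present on lo) from failing under errexit.
ip addr add "${PLUTO_MY_SOURCEIP}" dev lo || true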
root at ubuntu1604:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet 10.1.1.1/32 scope global lo
valid_lft forever preferred_lft forever
2: enp0s5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:1c:42:53:83:34 brd ff:ff:ff:ff:ff:ff
inet 10.2.0.47/24 brd 10.2.0.255 scope global enp0s5
valid_lft forever preferred_lft forever
3: ip_vti0 at NONE: <NOARP> mtu 1332 qdisc noop state DOWN group default qlen 1
link/ipip 0.0.0.0 brd 0.0.0.0
7: ipsec1 at NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1436 qdisc noqueue state UNKNOWN group default qlen 1
link/ipip 10.2.0.47 peer 10.2.0.49
8: ipsec2 at NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1436 qdisc noqueue state UNKNOWN group default qlen 1
link/ipip 10.2.0.47 peer 10.2.0.48
root at ubuntu1604:~# ip r
default via 10.2.0.1 dev enp0s5
10.2.0.0/24 dev enp0s5 proto kernel scope link src 10.2.0.47
10.1.2.1 dev ipsec1 scope link
10.1.3.1 dev ipsec2 scope link
"Client 1"
root at ubuntu1604:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: enp0s5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:1c:42:86:b5:24 brd ff:ff:ff:ff:ff:ff
inet 10.2.0.48/24 brd 10.2.0.255 scope global enp0s5
valid_lft forever preferred_lft forever
3: ip_vti0 at NONE: <NOARP> mtu 1332 qdisc noop state DOWN group default qlen 1
link/ipip 0.0.0.0 brd 0.0.0.0
5: ipsec2 at NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1436 qdisc noqueue state UNKNOWN group default qlen 1
link/ipip 10.2.0.48 peer 10.2.0.47
inet 10.1.3.1/32 scope global ipsec2
valid_lft forever preferred_lft forever
root at ubuntu1604:~# ip r
default via 10.2.0.1 dev enp0s5
10.2.0.0/24 dev enp0s5 proto kernel scope link src 10.2.0.48
10.1.0.0/16 dev ipsec2 scope link
"Client 2"
root at ubuntu1604:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: enp0s5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:1c:42:ef:b6:53 brd ff:ff:ff:ff:ff:ff
inet 10.2.0.49/24 brd 10.2.0.255 scope global enp0s5
valid_lft forever preferred_lft forever
3: ip_vti0 at NONE: <NOARP> mtu 1332 qdisc noop state DOWN group default qlen 1
link/ipip 0.0.0.0 brd 0.0.0.0
6: ipsec2 at NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1436 qdisc noqueue state UNKNOWN group default qlen 1
link/ipip 10.2.0.49 peer 10.2.0.47
inet 10.1.2.1/32 scope global ipsec2
valid_lft forever preferred_lft forever
root at ubuntu1604:~# ip r
default via 10.2.0.1 dev enp0s5
10.2.0.0/24 dev enp0s5 proto kernel scope link src 10.2.0.49
10.1.0.0/16 dev ipsec2 scope link
ipsec.conf for Clients 1 and 2 is almost the same:
config setup
charondebug="cfg 2, dmn 2, ike 2, net 2"
conn %default
keyexchange=ikev2
reauth=no
forceencaps=yes
fragmentation=yes
compress=no
dpdaction=restart
closeaction=restart
keyingtries=%forever
ike=aes256gcm16-prfsha384-ecp384!
esp=aes256gcm16-ecp384!
conn client
leftupdown=/usr/local/sbin/ipsec-vti.sh
mark=%unique
right=%{{ server }}
rightsubnet=0.0.0.0/0
leftsourceip=10.1.2.1 (or 10.1.3.1 for other client)
leftsubnet=0.0.0.0/0
leftcert=client-cert.pem
auto=start
ipsec-vti.sh for Clients 1 and 2:
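#!/bin/bash
# strongSwan updown script for the client side: creates one VTI per IKE_SA
# (named after PLUTO_UNIQUEID), puts the assigned virtual IP on it and routes
# the whole tunnel range through it; tears the VTI down on down-client.
#
# Environment (set by charon): PLUTO_VERB, PLUTO_UNIQUEID, PLUTO_ME,
# PLUTO_PEER, PLUTO_MY_SOURCEIP.
set -o nounset
set -o errexit

readonly VTI_IF="ipsec${PLUTO_UNIQUEID}"
# Address range that is reachable through the VTI.
readonly TUNNEL_NET="10.1.0.0/16"

case "${PLUTO_VERB}" in
  up-client)
    ip link add "${VTI_IF}" type vti local "${PLUTO_ME}" remote "${PLUTO_PEER}" \
      key "${PLUTO_UNIQUEID}"
    ip addr add "${PLUTO_MY_SOURCEIP}" dev "${VTI_IF}"
    ip link set "${VTI_IF}" mtu 1436
    ip link set "${VTI_IF}" up
    ip route add "${TUNNEL_NET}" dev "${VTI_IF}"
    # Rule 220 is charon's own routing-table rule. Tolerate it already being
    # gone (e.g. on a reconnect with dpdaction=restart, which runs this script
    # again) so errexit does not skip the sysctl below.
    ip rule del pri 220 2>/dev/null || true
    sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1"
    ;;
  down-client)
    ip link del "${VTI_IF}"
    ;;
esac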
install_routes and install_virtual_ip in the charon config are of course disabled.
sysctl is configured everywhere with:
net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
On the client that will be the Internet gateway (not important right now, since the traffic does not even reach this machine):
iptables -t nat -A POSTROUTING -s 10.1.0.0/16 ! -d 10.1.0.0/16 -j MASQUERADE
No firewalls are configured; the iptables policy is ACCEPT everywhere.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180504/0651cb27/attachment.html>