[strongSwan] Forcing all traffic from a specific user to use Strongswan

Gilles Printemps gprintemps at gmail.com
Thu May 24 12:15:16 CEST 2018


Hi Phil/All,

Sorry for the mistake - Bad copy/Paste
Nevertheless, things are not better after fixing the path.
Indeed, after restarting ipsec,
  - SSH connection is dropping
  - No way to resolve any web site

In the syslog, I've seen the following message

> ...
> charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
> charon: 00[CFG]   loaded EAP secret for gprintemps
> charon: 00[CFG] loaded 0 RADIUS server configurations
> charon: 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap tnc-tnccs dhcp certexpire radattr addrblock unity counters
> charon: 00[JOB] spawning 16 worker threads
> charon: 04[CFG] received stroke: add connection 'VPN'
> charon: 04[CFG] added configuration 'VPN'
> charon: 06[CFG] received stroke: route 'VPN'
> charon: 09[KNL] creating acquire job for policy 10.211.55.3/32[udp/40255] === 10.211.55.1/32[udp/domain] with reqid {1}
> charon: 00[DMN] signal of type SIGINT received. Shutting down
> charon: 09[IKE] unable to resolve free-nl.hide.me, initiate aborted
> charon: 09[MGR] tried to checkin and delete nonexisting IKE_SA

For information, I can easily ping the host when ipsec is stopped...

Here is my full configuration

[/etc/ipsec.conf]

> conn VPN
>         keyexchange=ike
>         dpdaction=clear
>         dpddelay=300s
>         eap_identity=gprintemps
>         leftupdown=/etc/ipsec.script.sh
>         leftauth=eap-mschapv2
>         left=%defaultroute
>         leftsourceip=%config
>         right=free-nl.hide.me
>         rightauth=pubkey
>         rightsubnet=0.0.0.0/0
>         rightid=%any
>         type=tunnel
>         auto=route


[/etc/ipsec.script.sh]

> #!/bin/bash
> set -o nounset
> set -o errexit
> VTI_IF="vti0"
> case "${PLUTO_VERB}" in
>     up-client)
>         # Create the VTI device bound to the IPsec SA marks passed in by charon
>         ip tunnel add "${VTI_IF}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti \
>                       okey "${PLUTO_MARK_OUT%%/*}" ikey "${PLUTO_MARK_IN%%/*}"
>         ip link set "${VTI_IF}" up
>         sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1"
>         ;;
>     down-client)
>         ip tunnel del "${VTI_IF}"
>         ;;
> esac


I have already prepared the next step (after fixing the current issue): I've
created the following script

> #! /bin/bash
> export TABLE_ID="vpn"
> export VPN_USER="vpn"
> export VPN_INTERFACE="vti0"
> export LAN="10.211.55.0/24"
> # GATEWAY is not set in this script; it must be exported by the caller
>
> # Flush iptables rules
> iptables -F -t nat
> iptables -F -t mangle
> iptables -F -t filter
> # Mark packets from $VPN_USER
> iptables -t mangle -A OUTPUT ! --dest $LAN -m owner --uid-owner $VPN_USER -j MARK --set-mark 0x1
> iptables -t mangle -A OUTPUT ! --src $LAN -j MARK --set-mark 0x1
> # Allow $VPN_USER to access lo and VPN interfaces
> iptables -A OUTPUT -o lo -m owner --uid-owner $VPN_USER -j ACCEPT
> iptables -A OUTPUT -o $VPN_INTERFACE -m owner --uid-owner $VPN_USER -j ACCEPT
> # Deny $VPN_USER to access other interfaces than lo
> # (appended after the ACCEPT rules: rules are evaluated in order, so placing
> # this DROP first would also drop the traffic on $VPN_INTERFACE)
> iptables -A OUTPUT ! -o lo -m owner --uid-owner $VPN_USER -j DROP
>
> # Allow response from $VPN_INTERFACE
> iptables -A INPUT -i $VPN_INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT
> # Masquerade packets on $VPN_INTERFACE
> iptables -t nat -A POSTROUTING -o $VPN_INTERFACE -j MASQUERADE
>
> # Routing rules
> ip route replace default via $GATEWAY table $TABLE_ID
> ip route append default via 127.0.0.1 dev lo table $TABLE_ID
> ip route flush cache


The purpose is to mark all packets from VPN_USER and to redirect them to the
ipsec interface created by the configuration.
I'm planning to do it with the following command:

> ip rule add from all fwmark 0x1 lookup vpn
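As an added illustration (not part of Gilles' mail nor of strongSwan's own scripts), here is a version of the same mark-and-route setup whose pieces can be checked before touching the live ruleset: the table name is mapped in rt_tables first (a named table such as `vpn` is unknown to `ip` until that mapping exists), the UID's OUTPUT rules are emitted in an order where the catch-all DROP is evaluated after the ACCEPTs, and the tunnel table gets an unreachable fallback so the user's traffic does not fall through to the plain default route while the VTI is down. The names `vpn`, `vti0`, `10.211.55.0/24` and the mark `0x1` come from the mail; the table number 100, the `DRY_RUN` switch, routing the tunnel table's default via the VTI device and the unreachable fallback are assumptions made for this example.

```shell
#!/bin/sh
# Added example: fwmark-based policy routing for one UID, checkable in dry-run mode.
# Interface, user, LAN, table name and mark mirror the mail; TABLE_ID=100 is assumed.
VPN_USER="${VPN_USER:-vpn}"
VPN_INTERFACE="${VPN_INTERFACE:-vti0}"
LAN="${LAN:-10.211.55.0/24}"
TABLE_NAME="${TABLE_NAME:-vpn}"
TABLE_ID="${TABLE_ID:-100}"
FWMARK="${FWMARK:-0x1}"
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands instead of executing them

# Execute a command, or print it when DRY_RUN=1 so the rule set can be reviewed.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# `ip route ... table vpn` only works once "100 vpn" exists in rt_tables;
# the mapping is added exactly once (idempotent).
ensure_rt_table() {
    if ! grep -q "^[[:space:]]*${TABLE_ID}[[:space:]]\{1,\}${TABLE_NAME}[[:space:]]*$" "$RT_TABLES" 2>/dev/null; then
        echo "${TABLE_ID} ${TABLE_NAME}" >> "$RT_TABLES"
    fi
}

# OUTPUT rules for the VPN user. Netfilter evaluates rules in order, so the
# ACCEPT rules for lo and the VTI come first and the DROP is appended last.
vpn_user_rules() {
    # Mark everything the user sends off-LAN so the policy rule picks the VPN table
    run iptables -t mangle -A OUTPUT ! -d "$LAN" -m owner --uid-owner "$VPN_USER" -j MARK --set-mark "$FWMARK"
    run iptables -A OUTPUT -o lo -m owner --uid-owner "$VPN_USER" -j ACCEPT
    run iptables -A OUTPUT -o "$VPN_INTERFACE" -m owner --uid-owner "$VPN_USER" -j ACCEPT
    # Catch-all: anything else from this UID (any other interface) is dropped
    run iptables -A OUTPUT -m owner --uid-owner "$VPN_USER" -j DROP
    # Replies coming back through the tunnel
    run iptables -A INPUT -i "$VPN_INTERFACE" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$VPN_INTERFACE" -j MASQUERADE
}

# Tunnel table: default via the VTI device, with an unreachable route at a worse
# metric. When the VTI goes down its route disappears and marked traffic is
# rejected instead of leaking through the main table's default route.
vpn_routing() {
    ensure_rt_table
    run ip route replace default dev "$VPN_INTERFACE" table "$TABLE_NAME"
    run ip route add unreachable default metric 100 table "$TABLE_NAME"
    run ip rule add fwmark "$FWMARK" lookup "$TABLE_NAME"
    run ip route flush cache
}

case "${1:-}" in
    show)  vpn_user_rules; vpn_routing ;;                 # print the plan
    apply) DRY_RUN=0; vpn_user_rules; vpn_routing ;;      # run as root
esac
```

Run it with `show` to review the generated commands, and with `apply` (as root) to install them; with no argument it only defines the functions, which is what makes the ordering and the rt_tables mapping easy to verify before applying.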


Best Regards,
Gilles