[strongSwan] Can't get host-to-host "static" ipsec with one host behind nat working
Oliver
oliver+strongswan at duckasylum.com
Thu Jun 27 23:18:54 CEST 2019
Hello
I am trying to make a "static tunnel" between my Raspberry Pi in my home
network and a server on the internet. The Raspberry Pi is behind NAT,
provided by a DD-WRT router. The server has one public IP address. The
purpose of the tunnel is to create a fixed-endpoint secure connection
between the Raspberry Pi and the server on the internet, as my home
connection does not have a static IP. I want to initiate the connection
from the Raspberry Pi. I would like the server to remain accessible for
the other hosts in my home network, and also the Raspberry Pi to remain
accessible from the home network and the internet (certain services
through port forwarding on DD-WRT, for example my OpenVPN server for road
warriors). The Raspberry Pi should not access the internet through the
internet server/IPsec connection.
Am I wrong to create a host-to-host transport mode connection? I took
the strongSwan KVM test ikev2/host2host-transport-nat as a reference. I
managed to get an established connection, but the server could not ping
the Raspberry Pi and my other home network machines could not reach the
server when the tunnel was up. I added the following rules to the DD-WRT
router:
> iptables -t nat -I POSTROUTING 2 -o <dd-wrt external interface> -s <raspberry pi ip>/32 -j MASQUERADE
> iptables -I FORWARD 3 -i <dd-wrt internal interface> -o <dd-wrt external interface> -s <raspberry pi ip>/32 -j ACCEPT
> iptables -I FORWARD 4 -i <dd-wrt external interface> -o <dd-wrt internal interface> -d <raspberry pi ip>/32 -j ACCEPT
I could see that the rules got triggered. Do I have to make UDP port 500
and 4500 rules for the INPUT chain also? I have done those for the server;
without them I couldn't establish a connection.
Configuration of the internet server (Linux kernel 4.4.0-150 x86_64
GNU/Linux and strongSwan version 5.3.5 from the package repo):
> config setup
>     charondebug="all"
>     uniqueids=yes
>     strictcrlpolicy=no
>
> # tunnel for
> conn raspberry-ipsec
>     authby=secret
>     type=transport
>     left=server_public_ip
>     leftid=@server_fqdn
>     leftfirewall=yes
>     right=%any
>     ike=aes192-sha256-modp3072!
>     esp=aes192-sha256-ecp256-modp3072!
>     keyingtries=0
>     ikelifetime=1h
>     lifetime=8h
>     dpddelay=30
>     dpdtimeout=120
>     dpdaction=restart
>     auto=add
Configuration of the Raspberry Pi (Linux Raspbian kernel 4.19.42-v7+
armv7l GNU/Linux and strongSwan version 5.5.1 from the package repo):
> config setup
>     charondebug="all"
>     uniqueids=yes
>     strictcrlpolicy=no
>
> # tunnel for
> conn server-ipsec
>     authby=secret
>     type=transport
>     leftfirewall=yes
>     right=server_public_ip
>     rightid=@server_fqdn
>     ike=aes192-sha256-modp3072!
>     esp=aes192-sha256-ecp256-modp3072!
>     keyingtries=0
>     ikelifetime=1h
>     lifetime=8h
>     dpddelay=30
>     dpdtimeout=120
>     dpdaction=restart
>     auto=add
Am I doing something wrong? Should I compile newer versions? Is my
reference configuration (host2host-transport-nat) the wrong pick? I also
tried the host2host-transport-connmark sample with mark=%unique added on
the server side, but got an error saying that to access iptables
something must be run as root.
Thank You all in advance,
Oliver
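Added example, not part of the original mail and not strongSwan code: a small
parser for the ipsec.conf format quoted above that enforces the one structural
rule the format relies on (section headers at column 0, parameters indented;
an unindented key=value is how a config that lost its indentation fails to
load), resolves `conn %default` and `also=` inheritance, and then cross-checks
two peers' conn sections for the settings that must agree (keyexchange, type,
authby, ike, esp) and that one side's leftid is the other side's rightid. The
two embedded fragments are the mail's configs re-indented; the IP address and
FQDN in them are constructed placeholders.

```python
"""Parse ipsec.conf fragments and check that two peers' conn sections agree.

Added example, not code from the original post or from strongSwan. The two
fragments below are the mail's configs re-indented as ipsec.conf requires;
the IP address and FQDN are constructed placeholders.
"""
import re

SECTION_RE = re.compile(r"^(config|conn|ca)\s+(\S+)\s*$")

# Defaults strongSwan applies when a conn omits the key (see ipsec.conf(5)).
CONN_DEFAULTS = {"type": "tunnel", "keyexchange": "ike", "authby": "pubkey"}
# Settings that both ends of a connection must configure identically.
MUST_MATCH = ("keyexchange", "type", "authby", "ike", "esp")


def parse_ipsec_conf(text):
    """Return {"conn name": {key: value}, ...} for an ipsec.conf body.

    Section headers start at column 0; parameters must be indented. That
    indentation is how the format separates a parameter from the next
    section, so an unindented key=value line is a format error.
    """
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue                                   # blank line or comment
        if not line[0].isspace():                      # column 0: must be a header
            m = SECTION_RE.match(line)
            if not m:
                raise ValueError(f"line {lineno}: unindented line is not a section header: {raw!r}")
            current = " ".join(m.groups())             # e.g. "conn raspberry-ipsec"
            sections[current] = {}
            continue
        if current is None:
            raise ValueError(f"line {lineno}: parameter before any section header")
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected key=value, got {raw!r}")
        sections[current][key.strip()] = value.strip()
    return sections


def conf_error(text):
    """Return the parser's error message for a config, or None if it parses."""
    try:
        parse_ipsec_conf(text)
    except ValueError as err:
        return str(err)
    return None


def resolve_conn(sections, name):
    """Merge built-in defaults, 'conn %default', the also= chain, then the conn itself."""
    merged = dict(CONN_DEFAULTS)
    merged.update(sections.get("conn %default", {}))
    chain, seen, cur = [], set(), name
    while cur and cur not in seen:                     # follow also= without looping forever
        seen.add(cur)
        own = sections[f"conn {cur}"]
        chain.append(own)
        cur = own.get("also")
    for own in reversed(chain):                        # the named conn overrides what it includes
        merged.update(own)
    merged.pop("also", None)
    return merged


def peer_mismatches(local, remote):
    """List (key, local_value, remote_value) for settings the two ends disagree on.

    Also checks that my leftid is what the peer configured as its rightid and
    vice versa; a missing id on either side is skipped (it defaults to the IP).
    """
    out = [(k, local.get(k), remote.get(k))
           for k in MUST_MATCH if local.get(k) != remote.get(k)]
    for mine, theirs in (("leftid", "rightid"), ("rightid", "leftid")):
        if mine in local and theirs in remote and local[mine] != remote[theirs]:
            out.append((mine, local[mine], remote[theirs]))
    return out


# The mail's two configs, re-indented. 203.0.113.10 and vpn.example.test are
# constructed placeholders for the server's public IP and FQDN.
SERVER_CONF = """\
config setup
    charondebug="all"
    uniqueids=yes

conn raspberry-ipsec
    authby=secret
    type=transport
    left=203.0.113.10
    leftid=@vpn.example.test
    leftfirewall=yes
    right=%any
    ike=aes192-sha256-modp3072!
    esp=aes192-sha256-ecp256-modp3072!
    auto=add
"""

PI_CONF = """\
conn server-ipsec
    authby=secret
    type=transport
    leftfirewall=yes
    right=203.0.113.10
    rightid=@vpn.example.test
    ike=aes192-sha256-modp3072!
    esp=aes192-sha256-ecp256-modp3072!
    auto=add
"""


def check_posted_configs():
    """Cross-check the server's conn against the Pi's conn; [] means they agree."""
    server = resolve_conn(parse_ipsec_conf(SERVER_CONF), "raspberry-ipsec")
    pi = resolve_conn(parse_ipsec_conf(PI_CONF), "server-ipsec")
    return peer_mismatches(server, pi)


if __name__ == "__main__":
    print(check_posted_configs() or "both ends agree")
```

Run it as-is to confirm the two quoted fragments agree on every must-match
setting; feed `parse_ipsec_conf` the config exactly as it appears in the mail
(parameters at column 0) and it reports the first offending line, which is the
same reason the real parser would reject a config whose indentation was lost.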