[strongSwan] IPsec routing
bluesky787 at posteo.de
Tue Nov 5 16:03:19 CET 2019
Hello Guys,
This is the second time I need your help. I already asked you about
public key authentication (see
https://lists.strongswan.org/pipermail/users/2019-September/013839.html),
this problem refers directly to this old thread, because I couldn't
figure out how to make the connection work. As I stated at the end of
this thread, the connection gets established now, but no traffic at all
is going to be sent over the tunnel.
I instantly thought it is a routing problem and followed the tutorials
for routing with NAT
(https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling)
and route based vpn
(https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN),
but both didn't work out. As I understand it, route based vpn is not
necessary if it's ok with me that everything will get sent over the ipsec
tunnel, which is perfectly ok.
Is there anything else I have to do to send network traffic over the ipsec
tunnel? Does strongswan not configure routes automatically? Is it a
simple misconfiguration?
I have the following setup:
VPN-Router (proprietary, IKEv2, 217.xxx.xxx.xxx) <----- WAN -----> Linux
(debian on qubes OS) client with strongswan 5.8.1-1 (10.137.0.10)
Strongswan config file:
conn vpn-ikev2
auto=route
ike=aes256-sha256-sha512-modp4096!
esp=aes256-sha256-sha512-modp4096!
right=217.xxx.xxx.xxx
rightid="O=Foo Company,CN=217.86.xxx.xxx"
rightsubnet=0.0.0.0/0
rightauth=pubkey
rightca=217.xxx.xxx.xxx
rightcert=/etc/ipsec.d/certs/Foo_CA_IME.crt
leftid="O=Foo Company,CN=Foo VPN USER"
leftsourceip=%config
leftauth=pubkey
leftca="O=Foo Company,CN=Foo CA IME"
leftcert=/etc/ipsec.d/certs/Foo_VPN_User.crt
Output from vpn connection initialisation:
[..]
IKE_SA vpn-ikev2[1] established between 10.137.0.10[O=Foo Company,
CN=Foo USER]...217.xxx.xxx.xxx[O=Foo Company, CN=217.xxx.xxx.xxx]
scheduling reauthentication in 9961s
maximum IKE_SA lifetime 10501s
installing DNS server 192.168.10.1 to /etc/resolv.conf
installing DNS server 192.168.10.52 to /etc/resolv.conf
installing new virtual IP 192.168.10.205
selected proposal: ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ
CHILD_SA vpn-ikev2{2} established with SPIs cc3c6e40_i 0b663ca1_o and TS
192.168.10.205/32 === 0.0.0.0/0
connection 'vpn-ikev2' established successfully
The following iptables rules are set up (are these really necessary? In my
opinion this is just the case for a gateway):
iptables -t nat -A POSTROUTING -s 10.137.0.0/24 -o eth0 -m policy --dir
out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.137.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
Ping:
ping 192.168.10.205 (my virtual ip in private network)
PING 192.168.10.205 (192.168.10.205) 56(84) bytes of data.
64 bytes from 192.168.10.205: icmp_seq=1 ttl=64 time=0.041 ms
64 bytes from 192.168.10.205: icmp_seq=2 ttl=64 time=0.041 ms
64 bytes from 192.168.10.205: icmp_seq=3 ttl=64 time=0.041 ms
64 bytes from 192.168.10.205: icmp_seq=4 ttl=64 time=0.044 ms
^C
--- 192.168.10.205 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 58ms
rtt min/avg/max/mdev = 0.041/0.041/0.044/0.008 ms
ping 192.168.10.1 (one of two dns servers in private network)
PING 192.168.10.1 (192.168.10.1) 56(84) bytes of data.
^C
--- 192.168.10.1 ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 188ms
ping 8.8.8.8 (something in WAN)
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=51 time=72.4 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=51 time=38.4 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=51 time=41.7 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=51 time=39.6 ms
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 8ms
rtt min/avg/max/mdev = 38.420/48.019/72.374/14.111 ms
What did I do wrong? Could it be a problem that I installed strongswan
inside a virtual machine?
I am thankful for every kind of help.
Regards,
Bluesky787
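An added example, not from the post or from the strongSwan project: a small Python checker that parses the traffic-selector (TS) part of the CHILD_SA line logged above and tests which source/destination pairs the resulting outbound IPsec policy covers. The destinations are the ones pinged in the post; the probe sourced from 10.137.0.10 is constructed to show a packet that does not carry the assigned virtual IP as its source.

```python
import ipaddress

# Constructed sample: the CHILD_SA line as charon logs it, joined from the
# two wrapped log lines quoted in the post above.
CHILD_SA_LINE = (
    "CHILD_SA vpn-ikev2{2} established with SPIs cc3c6e40_i 0b663ca1_o "
    "and TS 192.168.10.205/32 === 0.0.0.0/0"
)

def parse_traffic_selectors(line):
    """Return (local_nets, remote_nets) from a charon CHILD_SA log line.
    charon prints 'TS <local...> === <remote...>'; each side may carry
    several space-separated CIDR selectors."""
    marker = " TS "
    idx = line.find(marker)
    if idx < 0:
        raise ValueError("no traffic selector block in line")
    local_s, sep, remote_s = line[idx + len(marker):].partition("===")
    if not sep:
        raise ValueError("malformed traffic selector block")
    local = [ipaddress.ip_network(t, strict=False) for t in local_s.split()]
    remote = [ipaddress.ip_network(t, strict=False) for t in remote_s.split()]
    if not local or not remote:
        raise ValueError("empty traffic selector side")
    return local, remote

def policy_matches(src, dst, local, remote):
    """True if an outbound packet src -> dst is covered by the selectors.
    The XFRM policy charon installs from them is keyed on both addresses:
    a packet whose source is outside the local selector is routed in the
    clear even when its destination is inside the remote selector."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    return any(s in n for n in local) and any(d in n for n in remote)

def classify_probes(line, probes):
    """Map each (src, dst) probe to whether the policy from `line` covers it."""
    local, remote = parse_traffic_selectors(line)
    return {(s, d): policy_matches(s, d, local, remote) for s, d in probes}

if __name__ == "__main__":
    # The two destinations pinged in the post, once sourced from the VM's own
    # address (constructed case) and once from the assigned virtual IP.
    probes = [("10.137.0.10", "192.168.10.1"),
              ("192.168.10.205", "192.168.10.1"),
              ("192.168.10.205", "8.8.8.8")]
    for (src, dst), covered in classify_probes(CHILD_SA_LINE, probes).items():
        print(f"{src:>15} -> {dst:<13} {'ipsec' if covered else 'plain'}")
```

On the client, `ip xfrm policy` shows the selectors the kernel actually holds, and `ip route show table 220` shows the route charon installs for leftsourceip, which is what makes outgoing packets pick the virtual IP as their source.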