[strongSwan] IPsec routing

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Nov 6 22:28:17 CET 2019


Hello Bluesky787,

Please pastebin the output of `iptables-save`.

P.S.: Pinging your own IP is quite useless because it only tells you if your communication over loopback works. ;)

Kind regards

Noel

Am 05.11.19 um 16:03 schrieb bluesky787 at posteo.de:
> Hello Guys,
> 
> This is the second time I need your help. I already asked you about public key authentication (see https://lists.strongswan.org/pipermail/users/2019-September/013839.html), this problem refers directly to this old thread, because I couldn't figure out how to make the connection work. As I stated at the end of this thread, the connection gets established now, but no traffic at all is going to be sent over the tunnel.
> I instantly thought it is a routing problem and followed the tutorials for routing with NAT (https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling) and route based vpn (https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN), but both didn't work out. As I understand it, route based vpn is not necessary if it's ok with me that everything will get send over ipsec tunnel, which is perfectly ok.
> 
> Is there anything else I have to do to sent network traffice over ipsec tunnel? Does strongswan does not configure routes automatically? Is it a simple misconfiguration?
> 
> I have the following setup:
> VPN-Router (proprietary, IKEv2, 217.xxx.xxx.xxx) <----- WAN -----> Linux (debian on qubes OS) client with strongswan 5.8.1-1 (10.137.0.10)
> 
> Strongswan config file:
> conn vpn-ikev2
>         auto=route
>         ike=aes256-sha256-sha512-modp4096!
>         esp=aes256-sha256-sha512-modp4096!
>         right=217.xxx.xxx.xxx
>         rightid="O=Foo Company,CN=217.86.xxx.xxx"
>         rightsubnet=0.0.0.0/0
>         rightauth=pubkey
>         rightca=217.xxx.xxx.xxx
>         rightcert=/etc/ipsec.d/certs/Foo_CA_IME.crt
>         leftid="O=Foo Company,CN=Foo VPN USER"
>         leftsourceip=%config
>         leftauth=pubkey
>         leftca="O=Foo Company,CN=Foo CA IME"
>         leftcert=/etc/ipsec.d/certs/Foo_VPN_User.crt
> 
> Output from vpn connection initialisation:
> [..]
> IKE_SA vpn-ikev2[1] established between 10.137.0.10[O=Foo Company, CN=Foo USER]...217.xxx.xxx.xxx[O=Foo Company, CN=217.xxx.xxx.xxx]
> scheduling reauthentication in 9961s
> maximum IKE_SA lifetime 10501s
> installing DNS server 192.168.10.1 to /etc/resolv.conf
> installing DNS server 192.168.10.52 to /etc/resolv.conf
> installing new virtual IP 192.168.10.205
> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ
> CHILD_SA vpn-ikev2{2} established with SPIs cc3c6e40_i 0b663ca1_o and TS 192.168.10.205/32 === 0.0.0.0/0
> connection 'vpn-ikev2' established successfully
> 
> Following iptable rules are set up (are these really necessary? In my opinion this is just the case for a gateway):
> iptables -t nat -A POSTROUTING -s 10.137.0.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
> iptables -t nat -A POSTROUTING -s 10.137.0.0/24 -o eth0 -j MASQUERADE
> iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
> 
> Ping:
> ping 192.168.10.205 (my virtual ip in private network)
> PING 192.168.10.205 (192.168.10.205) 56(84) bytes of data.
> 64 bytes from 192.168.10.205: icmp_seq=1 ttl=64 time=0.041 ms
> 64 bytes from 192.168.10.205: icmp_seq=2 ttl=64 time=0.041 ms
> 64 bytes from 192.168.10.205: icmp_seq=3 ttl=64 time=0.041 ms
> 64 bytes from 192.168.10.205: icmp_seq=4 ttl=64 time=0.044 ms
> ^C
> --- 192.168.10.205 ping statistics ---
> 4 packets transmitted, 4 received, 0% packet loss, time 58ms
> rtt min/avg/max/mdev = 0.041/0.041/0.044/0.008 ms
> 
> ping 192.168.10.1 (one of two dns servers in private network)
> PING 192.168.10.1 (192.168.10.1) 56(84) bytes of data.
> ^C
> --- 192.168.10.1 ping statistics ---
> 7 packets transmitted, 0 received, 100% packet loss, time 188ms
> 
> ping 8.8.8.8 (something in WAN)
> PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
> 64 bytes from 8.8.8.8: icmp_seq=1 ttl=51 time=72.4 ms
> 64 bytes from 8.8.8.8: icmp_seq=2 ttl=51 time=38.4 ms
> 64 bytes from 8.8.8.8: icmp_seq=3 ttl=51 time=41.7 ms
> 64 bytes from 8.8.8.8: icmp_seq=4 ttl=51 time=39.6 ms
> ^C
> --- 8.8.8.8 ping statistics ---
> 4 packets transmitted, 4 received, 0% packet loss, time 8ms
> rtt min/avg/max/mdev = 38.420/48.019/72.374/14.111 ms
> 
> What did I do wrong? Could it be a problem that I installed strongswan inside a virtual machine?
> I am thankful for every kind of help.
> 
> Regards,
> Bluesky787
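Noel asks for the `iptables-save` output because the order of the nat POSTROUTING rules decides whether tunnel traffic is exempted from NAT before it is masqueraded, which is what the ForwardingAndSplitTunneling wiki page linked in the quoted mail recommends. The following script is an added example, not code from the thread or from the strongSwan project: it parses `iptables-save` text (two constructed samples are embedded, one with the rules in the order the quoted mail ends up with, one with MASQUERADE placed first) and reports whether an `-m policy --pol ipsec --dir out -j ACCEPT` rule precedes the first MASQUERADE/SNAT rule. Interface, subnet and table contents are taken from the quoted mail or are assumed sample values.

```python
import shlex

# Constructed sample: the order that results from the three commands in the
# quoted mail (the last "-I" command inserts the policy ACCEPT at the top).
GOOD_SAVE = """\
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.137.0.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.137.0.0/24 -o eth0 -j MASQUERADE
COMMIT
"""

# Constructed sample of the broken order: everything leaving eth0 is
# masqueraded before the IPsec exemption is ever consulted.
BAD_SAVE = """\
# Generated by iptables-save (constructed sample)
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.137.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
"""


def parse_chain(save_text, table, chain):
    """Return the '-A <chain>' rules of `table` from iptables-save output,
    as token lists, in the order the kernel evaluates them."""
    rules = []
    current_table = None
    for raw in save_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # table header, e.g. "*nat"
            current_table = line[1:]
            continue
        if line == "COMMIT":
            current_table = None
            continue
        if current_table != table or not line.startswith("-A "):
            continue
        tokens = shlex.split(line)
        if tokens[1] == chain:
            rules.append(tokens[2:])      # drop "-A" and the chain name
    return rules


def option_value(tokens, flag):
    """Value following `flag` in a rule, or None if the flag is absent."""
    try:
        return tokens[tokens.index(flag) + 1]
    except (ValueError, IndexError):
        return None


def has_match_module(tokens, module):
    """True if the rule loads match extension `module` via '-m <module>'."""
    return any(tokens[i] == "-m" and tokens[i + 1] == module
               for i in range(len(tokens) - 1))


def is_ipsec_exempt(tokens):
    """An ACCEPT rule that matches outbound packets covered by an IPsec policy."""
    return (has_match_module(tokens, "policy")
            and option_value(tokens, "--pol") == "ipsec"
            and option_value(tokens, "--dir") == "out"
            and option_value(tokens, "-j") == "ACCEPT")


def is_source_nat(tokens):
    """Any rule that rewrites the source address."""
    return option_value(tokens, "-j") in ("MASQUERADE", "SNAT")


def check_ipsec_nat_order(save_text):
    """Check the nat POSTROUTING chain: the IPsec exemption must come before
    the first source-NAT rule, otherwise tunnel-bound packets are rewritten
    first and no longer match the negotiated traffic selector."""
    rules = parse_chain(save_text, "nat", "POSTROUTING")
    exempt = [i for i, r in enumerate(rules) if is_ipsec_exempt(r)]
    snat = [i for i, r in enumerate(rules) if is_source_nat(r)]
    first_exempt = exempt[0] if exempt else None
    first_snat = snat[0] if snat else None
    ok = first_snat is None or (first_exempt is not None and first_exempt < first_snat)
    return {"rules": len(rules), "first_exempt": first_exempt,
            "first_snat": first_snat, "ok": ok}


if __name__ == "__main__":
    for name, text in (("good", GOOD_SAVE), ("bad", BAD_SAVE)):
        print(name, check_ipsec_nat_order(text))
```

To run it against a live system, replace the constructed samples with the text of `iptables-save` (or `iptables-save -t nat`); a result with `"ok": False` means the NAT rule is reached before the IPsec exemption and the rule order, not the strongSwan connection itself, is the first thing to fix.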

