[strongSwan] Problem with tunnel half-working
Bertucci Roberto
Roberto.Bertucci at itdsolutions.it
Thu Oct 31 16:20:16 CET 2019
Hi Noel that fixed the problem.
First i disabled permanently ufw and then added rule you specified.
In that way SiteA was able to reach SiteB but SiteB was no more able to reach SiteA.
After adding a new forward rule for SiteB LAN everything is working
This is how iptables-save looks like:
# Generated by iptables-save v1.8.3 on Thu Oct 31 14:59:53 2019
*nat
:PREROUTING ACCEPT [40:3415]
:INPUT ACCEPT [1:64]
:OUTPUT ACCEPT [5:429]
:POSTROUTING ACCEPT [2:131]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT. <----- new rule
-A POSTROUTING -o ens3 -j MASQUERADE
COMMIT
# Completed on Thu Oct 31 14:59:53 2019
# Generated by iptables-save v1.8.3 on Thu Oct 31 14:59:53 2019
*filter
:INPUT DROP [7:272]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [160:20968]
-A INPUT -i lo -j ACCEPT
-A INPUT -i ens4 -j ACCEPT
-A INPUT -i ens3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i ens4 -o ens3 -j ACCEPT
-A FORWARD -i ens3 -o ens4 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.0.0/23 -i ens3 -j ACCEPT <----- new rule
COMMIT
# Completed on Thu Oct 31 14:59:53 2019
Thank you for your help.
Roberto
Il giorno 31/10/19, 14:19 "Noel Kuntze" <noel.kuntze+strongswan-users-ml at thermi.consulting> ha scritto:
Hello Roberto,
This iptables rules is the cause of the problem:
-A POSTROUTING -o ens3 -j MASQUERADE
Add the following rule on top:
-A POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
Am 31.10.19 um 14:06 schrieb Bertucci Roberto:
> Thank you for your answer, here it is requested output.
>
> # Generated by iptables-save v1.8.3 on Thu Oct 31 13:05:37 2019
> *nat
> :PREROUTING ACCEPT [4751:549595]
> :INPUT ACCEPT [2337:146691]
> :OUTPUT ACCEPT [156:11302]
> :POSTROUTING ACCEPT [29:2308]
> -A POSTROUTING -o ens3 -j MASQUERADE
> COMMIT
> # Completed on Thu Oct 31 13:05:37 2019
> # Generated by iptables-save v1.8.3 on Thu Oct 31 13:05:37 2019
> *filter
> :INPUT ACCEPT [2260:129224]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [111797:10736526]
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i ens4 -j ACCEPT
> -A INPUT -i ens3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i ens4 -o ens3 -j ACCEPT
> -A FORWARD -i ens3 -o ens4 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> COMMIT
> # Completed on Thu Oct 31 13:05:37 2019
>
>
>
> Il giorno 31/10/19, 13:35 "Noel Kuntze" <noel.kuntze+strongswan-users-ml at thermi.consulting> ha scritto:
>
> Hello Roberto,
>
> Please provide the output of `iptables-save`.
>
> Kind regards
>
> Noel
>
> Am 30.10.19 um 23:46 schrieb Bertucci Roberto:
> > Hello, i have a problem with a s2s VPN between StrongSwan and Cisco ASA.
> >
> > Site A is the one with StrongSwan server and Site B is the one with ASA.
> >
> > Site A is Ubuntu 19.10
> >
> >
> >
> > Ipsec tunnel raises up and stays up nicely.
> >
> >
> >
> > Site A internal network is 10.0.1.0/24 – external network is 10.0.0.0/24 adn the gateway router nats with YYY.YYY.YYY.YYY address.
> >
> > Site B internal network is 192.168.0.0/23
> >
> >
> >
> > This ping works:
> >
> > 192.168.1.XXX -à10.0.1.YYYY
> >
> >
> >
> > This ping does not work:
> >
> > 10.0.1.YYYY -à192.168.1.XXX
> >
> >
> >
> > If i try a traceroute from 10.0.1 to 192.168.1, it seems that packets are routed through internet connection and not through tunnel.
> >
> >
> >
> > These are configuration and system status of StrongSwan server.
> >
> >
> >
> > ==== sysctl.conf ====
> >
> > net.ipv4.ip_forward=1
> >
> > net.ipv4.conf.all.accept_redirects =0
> >
> > net.ipv4.conf.all.send_redirects =0
> >
> >
> >
> > ==== strongswan.conf ====
> >
> > charon {
> >
> > load_modular = yes
> >
> > #install_routes = no
> >
> > plugins {
> >
> > include strongswan.d/charon/*.conf
> >
> > }
> >
> > }
> >
> >
> >
> > ==== ipsec.conf ====
> >
> > config setup
> >
> > #charondebug="all 2"
> >
> > charondebug="cfg 2"
> >
> > uniqueids=yes
> >
> > strictcrlpolicy=no
> >
> >
> >
> > conn %default
> >
> > ikelifetime=1440m
> >
> > keylife=60m
> >
> > rekeymargin=3m
> >
> > keyingtries=1
> >
> > keyexchange=ikev1
> >
> > authby=secret
> >
> >
> >
> > conn spc-to-varazze
> >
> > left=10.0.0.100
> >
> > #leftfirewall=yes
> >
> > leftsubnet=10.0.1.0/24
> >
> > right=XXX.XXX.XXX.XXX
> >
> > rightsubnet=192.168.0.0/23
> >
> > auto=start
> >
> > ike=aes256-sha1-modp1024
> >
> > esp=aes256-sha1-modp1024
> >
> >
> >
> > ==== xfrm status ====
> >
> > root at router:/etc# ip -s xfrm state
> >
> > src 10.0.0.100 dst XXX.XXX.XXX.XXX
> >
> > proto esp spi 0x6a05615e(1778737502) reqid 1(0x00000001) mode tunnel
> >
> > replay-window 0 seq 0x00000000 flag af-unspec (0x00100000)
> >
> > auth-trunc hmac(sha1) 0x687fd2cdd4dcf0bf14ef6c1655fb04af70010257 (160 bits) 96
> >
> > enc cbc(aes) 0x270e6c31e071a3771eb0508e1805fd0e (128 bits)
> >
> > encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
> >
> > anti-replay context: seq 0x0, oseq 0x529, bitmap 0x00000000
> >
> > lifetime config:
> >
> > limit: soft (INF)(bytes), hard (INF)(bytes)
> >
> > limit: soft (INF)(packets), hard (INF)(packets)
> >
> > expire add: soft 3414(sec), hard 3600(sec)
> >
> > expire use: soft 0(sec), hard 0(sec)
> >
> > lifetime current:
> >
> > 79260(bytes), 1321(packets)
> >
> > add 2019-10-30 22:15:10 use 2019-10-30 22:15:15
> >
> > stats:
> >
> > replay-window 0 replay 0 failed 0
> >
> > src XXX.XXX.XXX.XXX dst 10.0.0.100
> >
> > proto esp spi 0xcf6665c0(3479594432) reqid 1(0x00000001) mode tunnel
> >
> > replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
> >
> > auth-trunc hmac(sha1) 0xa9c698de75653b442199eed162b8f653bbe159ca (160 bits) 96
> >
> > enc cbc(aes) 0xfd9ef251dcaff2853e89cac211b53d19 (128 bits)
> >
> > encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
> >
> > anti-replay context: seq 0x529, oseq 0x0, bitmap 0xffffffff
> >
> > lifetime config:
> >
> > limit: soft (INF)(bytes), hard (INF)(bytes)
> >
> > limit: soft (INF)(packets), hard (INF)(packets)
> >
> > expire add: soft 3407(sec), hard 3600(sec)
> >
> > expire use: soft 0(sec), hard 0(sec)
> >
> > lifetime current:
> >
> > 79260(bytes), 1321(packets)
> >
> > add 2019-10-30 22:15:10 use 2019-10-30 22:15:15
> >
> > stats:
> >
> > replay-window 0 replay 0 failed 0
> >
> >
> >
> > ==== iptables and ufw status ====
> >
> > root at router:/etc# iptables -L
> >
> > Chain INPUT (policy ACCEPT)
> >
> > target prot opt source destination
> >
> > ACCEPT all -- anywhere anywhere
> >
> > ACCEPT all -- anywhere anywhere
> >
> > ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
> >
> >
> >
> > Chain FORWARD (policy ACCEPT)
> >
> > target prot opt source destination
> >
> > ACCEPT all -- anywhere anywhere
> >
> > ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
> >
> >
> >
> > Chain OUTPUT (policy ACCEPT)
> >
> > target prot opt source destination
> >
> > root at router:/etc# ufw status
> >
> > Status: inactive
> >
> > r
> >
> >
> >
> > I’ve done a lot of searches but no one of the aswers i found was useful.
> >
> >
> >
> > Any help/suggestion will be welcome.
> >
> >
> >
> > RB
> >
> >
> >
>
>
>
More information about the Users
mailing list