[strongSwan] Problem with tunnel half-working

Bertucci Roberto Roberto.Bertucci at itdsolutions.it
Thu Oct 31 16:20:16 CET 2019


Hi Noel that fixed the problem.

First i disabled permanently ufw and then added rule you specified.
In that way SiteA was able to reach SiteB but SiteB was no more able to reach SiteA.
After adding a new forward rule for SiteB LAN everything is working

This is how iptables-save looks like:
# Generated by iptables-save v1.8.3 on Thu Oct 31 14:59:53 2019
*nat
:PREROUTING ACCEPT [40:3415]
:INPUT ACCEPT [1:64]
:OUTPUT ACCEPT [5:429]
:POSTROUTING ACCEPT [2:131]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT.               <----- new rule
-A POSTROUTING -o ens3 -j MASQUERADE
COMMIT
# Completed on Thu Oct 31 14:59:53 2019
# Generated by iptables-save v1.8.3 on Thu Oct 31 14:59:53 2019
*filter
:INPUT DROP [7:272]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [160:20968]
-A INPUT -i lo -j ACCEPT
-A INPUT -i ens4 -j ACCEPT
-A INPUT -i ens3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i ens4 -o ens3 -j ACCEPT
-A FORWARD -i ens3 -o ens4 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.0.0/23 -i ens3 -j ACCEPT		 <----- new rule
COMMIT
# Completed on Thu Oct 31 14:59:53 2019

Thank you for your help.

Roberto


Il giorno 31/10/19, 14:19 "Noel Kuntze" <noel.kuntze+strongswan-users-ml at thermi.consulting> ha scritto:

    Hello Roberto,
    
    This iptables rules is the cause of the problem:
    -A POSTROUTING -o ens3 -j MASQUERADE
    Add the following rule on top:
    -A POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
    
    Am 31.10.19 um 14:06 schrieb Bertucci Roberto:
    > Thank you for your answer, here it is requested output.
    > 
    > # Generated by iptables-save v1.8.3 on Thu Oct 31 13:05:37 2019
    > *nat
    > :PREROUTING ACCEPT [4751:549595]
    > :INPUT ACCEPT [2337:146691]
    > :OUTPUT ACCEPT [156:11302]
    > :POSTROUTING ACCEPT [29:2308]
    > -A POSTROUTING -o ens3 -j MASQUERADE
    > COMMIT
    > # Completed on Thu Oct 31 13:05:37 2019
    > # Generated by iptables-save v1.8.3 on Thu Oct 31 13:05:37 2019
    > *filter
    > :INPUT ACCEPT [2260:129224]
    > :FORWARD ACCEPT [0:0]
    > :OUTPUT ACCEPT [111797:10736526]
    > -A INPUT -i lo -j ACCEPT
    > -A INPUT -i ens4 -j ACCEPT
    > -A INPUT -i ens3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    > -A FORWARD -i ens4 -o ens3 -j ACCEPT
    > -A FORWARD -i ens3 -o ens4 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    > COMMIT
    > # Completed on Thu Oct 31 13:05:37 2019
    > 
    > 
    > 
    > Il giorno 31/10/19, 13:35 "Noel Kuntze" <noel.kuntze+strongswan-users-ml at thermi.consulting> ha scritto:
    > 
    >     Hello Roberto,
    >     
    >     Please provide the output of `iptables-save`.
    >     
    >     Kind regards
    >     
    >     Noel
    >     
    >     Am 30.10.19 um 23:46 schrieb Bertucci Roberto:
    >     > Hello, i have a problem with a s2s VPN between StrongSwan and Cisco ASA.
    >     > 
    >     > Site A is the one with StrongSwan server and Site B is the one with ASA.
    >     > 
    >     > Site A is Ubuntu 19.10
    >     > 
    >     >  
    >     > 
    >     > Ipsec tunnel raises up and stays up nicely.
    >     > 
    >     >  
    >     > 
    >     > Site A internal network is 10.0.1.0/24 – external network is 10.0.0.0/24 adn the gateway router nats with YYY.YYY.YYY.YYY address.
    >     > 
    >     > Site B internal network is 192.168.0.0/23
    >     > 
    >     >  
    >     > 
    >     > This ping works:
    >     > 
    >     > 192.168.1.XXX -à10.0.1.YYYY
    >     > 
    >     >  
    >     > 
    >     > This ping does not work:
    >     > 
    >     > 10.0.1.YYYY -à192.168.1.XXX
    >     > 
    >     >  
    >     > 
    >     > If i try a traceroute from 10.0.1 to 192.168.1, it seems that packets are routed through internet connection and not through tunnel.
    >     > 
    >     >  
    >     > 
    >     > These are configuration and system status of StrongSwan server.
    >     > 
    >     >  
    >     > 
    >     > ==== sysctl.conf ====
    >     > 
    >     > net.ipv4.ip_forward=1
    >     > 
    >     > net.ipv4.conf.all.accept_redirects =0
    >     > 
    >     > net.ipv4.conf.all.send_redirects =0
    >     > 
    >     >  
    >     > 
    >     > ==== strongswan.conf ====
    >     > 
    >     > charon {
    >     > 
    >     >        load_modular = yes
    >     > 
    >     >        #install_routes = no
    >     > 
    >     >        plugins {
    >     > 
    >     >              include strongswan.d/charon/*.conf
    >     > 
    >     >        }
    >     > 
    >     > }
    >     > 
    >     >  
    >     > 
    >     > ==== ipsec.conf ====
    >     > 
    >     > config setup
    >     > 
    >     >         #charondebug="all 2"
    >     > 
    >     >         charondebug="cfg 2"
    >     > 
    >     >         uniqueids=yes
    >     > 
    >     >         strictcrlpolicy=no
    >     > 
    >     >  
    >     > 
    >     > conn %default
    >     > 
    >     >         ikelifetime=1440m
    >     > 
    >     >         keylife=60m
    >     > 
    >     >         rekeymargin=3m
    >     > 
    >     >         keyingtries=1
    >     > 
    >     >         keyexchange=ikev1
    >     > 
    >     >         authby=secret
    >     > 
    >     >  
    >     > 
    >     > conn spc-to-varazze
    >     > 
    >     >        left=10.0.0.100
    >     > 
    >     >        #leftfirewall=yes
    >     > 
    >     >        leftsubnet=10.0.1.0/24
    >     > 
    >     >        right=XXX.XXX.XXX.XXX
    >     > 
    >     >        rightsubnet=192.168.0.0/23
    >     > 
    >     >        auto=start
    >     > 
    >     >        ike=aes256-sha1-modp1024
    >     > 
    >     >        esp=aes256-sha1-modp1024
    >     > 
    >     >  
    >     > 
    >     > ==== xfrm status ====
    >     > 
    >     > root at router:/etc# ip -s xfrm state
    >     > 
    >     > src 10.0.0.100 dst XXX.XXX.XXX.XXX
    >     > 
    >     >        proto esp spi 0x6a05615e(1778737502) reqid 1(0x00000001) mode tunnel
    >     > 
    >     >        replay-window 0 seq 0x00000000 flag af-unspec (0x00100000)
    >     > 
    >     >        auth-trunc hmac(sha1) 0x687fd2cdd4dcf0bf14ef6c1655fb04af70010257 (160 bits) 96
    >     > 
    >     >        enc cbc(aes) 0x270e6c31e071a3771eb0508e1805fd0e (128 bits)
    >     > 
    >     >        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    >     > 
    >     >        anti-replay context: seq 0x0, oseq 0x529, bitmap 0x00000000
    >     > 
    >     >        lifetime config:
    >     > 
    >     >          limit: soft (INF)(bytes), hard (INF)(bytes)
    >     > 
    >     >          limit: soft (INF)(packets), hard (INF)(packets)
    >     > 
    >     >          expire add: soft 3414(sec), hard 3600(sec)
    >     > 
    >     >          expire use: soft 0(sec), hard 0(sec)
    >     > 
    >     >        lifetime current:
    >     > 
    >     >          79260(bytes), 1321(packets)
    >     > 
    >     >          add 2019-10-30 22:15:10 use 2019-10-30 22:15:15
    >     > 
    >     >        stats:
    >     > 
    >     >          replay-window 0 replay 0 failed 0
    >     > 
    >     > src XXX.XXX.XXX.XXX dst 10.0.0.100
    >     > 
    >     >        proto esp spi 0xcf6665c0(3479594432) reqid 1(0x00000001) mode tunnel
    >     > 
    >     >        replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
    >     > 
    >     >        auth-trunc hmac(sha1) 0xa9c698de75653b442199eed162b8f653bbe159ca (160 bits) 96
    >     > 
    >     >        enc cbc(aes) 0xfd9ef251dcaff2853e89cac211b53d19 (128 bits)
    >     > 
    >     >        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    >     > 
    >     >        anti-replay context: seq 0x529, oseq 0x0, bitmap 0xffffffff
    >     > 
    >     >        lifetime config:
    >     > 
    >     >          limit: soft (INF)(bytes), hard (INF)(bytes)
    >     > 
    >     >          limit: soft (INF)(packets), hard (INF)(packets)
    >     > 
    >     >          expire add: soft 3407(sec), hard 3600(sec)
    >     > 
    >     >          expire use: soft 0(sec), hard 0(sec)
    >     > 
    >     >        lifetime current:
    >     > 
    >     >          79260(bytes), 1321(packets)
    >     > 
    >     >          add 2019-10-30 22:15:10 use 2019-10-30 22:15:15
    >     > 
    >     >        stats:
    >     > 
    >     >          replay-window 0 replay 0 failed 0
    >     > 
    >     >  
    >     > 
    >     > ==== iptables and ufw status ====
    >     > 
    >     > root at router:/etc# iptables -L
    >     > 
    >     > Chain INPUT (policy ACCEPT)
    >     > 
    >     > target     prot opt source               destination         
    >     > 
    >     > ACCEPT     all  --  anywhere             anywhere            
    >     > 
    >     > ACCEPT     all  --  anywhere             anywhere            
    >     > 
    >     > ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    >     > 
    >     >  
    >     > 
    >     > Chain FORWARD (policy ACCEPT)
    >     > 
    >     > target     prot opt source               destination         
    >     > 
    >     > ACCEPT     all  --  anywhere             anywhere            
    >     > 
    >     > ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    >     > 
    >     >  
    >     > 
    >     > Chain OUTPUT (policy ACCEPT)
    >     > 
    >     > target     prot opt source               destination         
    >     > 
    >     > root at router:/etc# ufw status
    >     > 
    >     > Status: inactive
    >     > 
    >     > r
    >     > 
    >     >  
    >     > 
    >     > I’ve done a lot of searches but no one of the aswers i found was useful.
    >     > 
    >     >  
    >     > 
    >     > Any help/suggestion will be welcome.
    >     > 
    >     >  
    >     > 
    >     > RB
    >     > 
    >     >  
    >     > 
    >     
    >     
    > 
    
    



More information about the Users mailing list