[strongSwan] Request for help with failed GRE-over-IPSec config

Philip Prindeville philipp_subx at redfish-solutions.com
Fri Aug 14 21:27:08 CEST 2020


That doesn’t seem to make a difference.

What does seem to make a difference is this:

# firewall-cmd --zone=public --add-protocol=gre

Which then causes the firewall to allow the packet through the 2nd time when it gets decapsulated and re-injected.

Not sure why decapsulated packets don’t go through a separate chain on INPUT or FORWARD post decapsulation.



> On Aug 14, 2020, at 12:37 PM, Athmane Bouazzouni <athmane2dz at gmail.com> wrote:
> 
> Hi,
> 
> Did you try adding:
> 
>         installpolicy=yes
>         leftfirewall=yes
> 
> Regards.
> 
> On Fri, Aug 14, 2020 at 2:18 PM Philip Prindeville <philipp_subx at redfish-solutions.com> wrote:
> Hi.
> 
> I’m using 64-bit CentOS 8 Stream on a pair of Raspberry Pi 4s as hotspots.
> 
> I’m using a self-signed Cert and derived public certs per this article:
> 
> https://www.howtoforge.com/tutorial/strongswan-based-ipsec-vpn-using-certificates-and-pre-shared-key-on-ubuntu-16-04/
> 
> There are two hosts, Pelican2 (gw1) and Pelican1 (gw5).  But I’ll refer to them by their strongSwan configuration names.
> 
> The capture is from gw1, which is at XX.XX.XX.246, and has dummy0 (10.5.28.1/24) as the internal test subnet.
> 
> Gw5 is at XX.XX.XX.245, and has dummy0 (10.5.30.1/24) as the internal test subnet.
> 
> If I try to ping from gw5 to 10.5.28.1 then I get Unreachables.
> 
> If I ping from gw1 to gw5 on 10.5.30.1 then it sometimes works, and I can briefly ping back in the reverse direction (i.e. to 10.5.28.1 from gw5 which previously didn’t work).
> 
> My issues are:
> 
> (1) I can’t confirm that the PING is being encapsulated in GRE, then the GRE goes over IPSec ESP transport mode.
> 
> (2) If that is in fact working, it looks like the decapsulated PING is being rejected by the firewall on gw1, or else there’s a misconfiguration…
> 
> Unlike a Cisco router, on which I can set an ACL and do full packet tracing, I’m not sure if there’s an equivalent way to do marking and logging in Linux + NFT in the kernel (because of the known limitations of how BPF interacts with the IPsec stack in Linux).  Any pointers would be appreciated.
> 
> Do I need to set up a “policy” rule that allows incoming decapsulated PING (ICMP Echo Request) packets?
> 
> Are there known issues or additional configuration required to interoperate with firewalld?
> 
> Thanks,
> 
> -Philip
> 
> 
> 
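Editor's added example (not from either poster, and not strongSwan project code): the two pieces the thread is circling around, a transport-mode conn whose selector is the GRE protocol itself, and a firewall that accounts for the decapsulated GRE packet re-traversing the input hook. The certificate file names, subject DNs, the gre1 interface name and its 10.255.0.0/30 addresses are assumptions; the peer addresses are the redacted ones from the post and must be filled in before this loads. The hosts and subnets (gw1/gw5, dummy0, 10.5.28.0/24, 10.5.30.0/24) are the ones from the post.

```conf
# ---- /etc/ipsec.conf on gw1 (swap left/right values on gw5) ----
# The GRE tunnel itself is created out of band, e.g. on gw1:
#   ip tunnel add gre1 mode gre local XX.XX.XX.246 remote XX.XX.XX.245 ttl 64
#   ip addr add 10.255.0.1 peer 10.255.0.2 dev gre1 && ip link set gre1 up
#   ip route add 10.5.30.0/24 dev gre1
conn gre-gw5
    type=transport          # protect the GRE packets between the peers; no tunnel SA
    keyexchange=ikev2
    left=XX.XX.XX.246
    leftcert=gw1Cert.pem    # assumed name under /etc/ipsec.d/certs
    leftid="CN=gw1"         # assumed subject DN of that certificate
    leftprotoport=gre       # selector: only IP protocol 47 (GRE) to/from the peer
    right=XX.XX.XX.245
    rightid="CN=gw5"
    rightprotoport=gre
    auto=start
    # leftfirewall=yes is deliberately absent: the _updown script it enables
    # inserts iptables rules, which firewalld's nftables backend does not manage.

# ---- /etc/nftables/gre-ipsec.nft on gw1 (standalone nftables, not firewalld) ----
# A packet from gw5 hits the input hook three times: as ESP, again as GRE after
# XFRM decapsulates and re-injects it, and a third time as the inner packet
# arriving on gre1. Each pass needs its own accept.
table inet gre_ipsec {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # IKE and NAT-T, from the peer only
        ip saddr XX.XX.XX.245 udp dport { 500, 4500 } accept
        # pass 1: the ESP packet
        ip saddr XX.XX.XX.245 ip protocol esp accept
        # pass 2: the decapsulated GRE packet, accepted only if the kernel
        # says it came out of IPsec (older nft spells this "meta secpath exists")
        ip saddr XX.XX.XX.245 ip protocol gre meta ipsec exists accept
        # pass 3: the inner packet on the GRE interface
        iifname "gre1" icmp type echo-request accept
        # cleartext GRE from anyone, including a spoofed peer address, ends here
        counter drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "gre1" oifname "dummy0" accept
        iifname "dummy0" oifname "gre1" accept
    }
}
```

The `meta ipsec exists` match is the part `firewall-cmd --add-protocol=gre` cannot express: that command admits GRE from any source in cleartext, whereas the rule above only admits GRE that was decrypted from an ESP packet. With the default `installpolicy=yes` the kernel SPD already drops cleartext GRE from the peer address that matches the conn's selector, but it says nothing about GRE from other sources, so the firewall rule still matters. If firewalld must stay in charge, the closest it offers is a source-restricted rich rule, `rule family="ipv4" source address="XX.XX.XX.245" protocol value="gre" accept`. To answer the "is it really encapsulated" question without BPF, watch both layers at once: `tcpdump -ni <uplink> esp or proto gre` should show only ESP when the SA is up, `ip -s xfrm state` should show the byte counters climbing, and `tcpdump -ni gre1 icmp` shows the inner pings after decapsulation. For rule-level tracing, `nft monitor trace` after inserting a `meta nftrace set 1` rule at the top of the input chain (under firewalld's nftables backend that chain is `filter_INPUT` in table `inet firewalld`) prints each pass of the packet through the hook.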


