[strongSwan] connecting Linux Centos Box to Amazon VPC
Edvinas Kairys
edvinas.email at gmail.com
Sat May 1 23:49:40 CEST 2021
update 3:
seems changing xmark from INPUT chain to PREROUTING did not help. Packets
are still not matched, but everything works.
Maybe newer Linux versions (CentOS Linux release 7.7) already map MARKs
automatically?
On Sat, May 1, 2021 at 11:06 PM Edvinas Kairys <edvinas.email at gmail.com>
wrote:
> as I dug more - it could be due to the marking configured not on the
> PREROUTING, but on INPUT chain. On Monday I will try to change the marking
> to PREROUTING chain.
>
> Also, it's interesting why the connection works if INPUT chain marking
> doesn't..
>
> On Sat, May 1, 2021 at 10:39 PM Edvinas Kairys <edvinas.email at gmail.com>
> wrote:
>
>> Hello, (sorry, resend to all)
>>
>> Thanks for the opportunity to remind myself of the processing order of Linux
>> iptables. The tables are here; I've bolded the places where 37.37.37.37
>> (my Linux host) can be matched. As the theory says, Linux first consults the
>> mangle INPUT chain, and only after that the filter table.
>>
>> So in mangle INPUT we have that set-xmark thing where no matching occurs.
>> Later in the filter table I've made some 'protection' entries to allow only
>> IPsec traffic to that IP address. Do you think that those entries in the filter
>> table can be the reason that the mangle table entries are not matched? As I
>> understand it shouldn't be the case, because those filter table rules just
>> accept the packet.
>>
>> Anyhow, how is it supposed to work if no match is occurring?
>>
>> Thanks!
>>
>> # Generated by iptables-save v1.4.21 on Sat May 1 20:43:46 2021
>> *raw
>> :PREROUTING ACCEPT [8243685689:8795975227546]
>> :OUTPUT ACCEPT [2553871359:2092598753320]
>> COMMIT
>> # Completed on Sat May 1 20:43:46 2021
>> # Generated by iptables-save v1.4.21 on Sat May 1 20:43:46 2021
>> *security
>> :INPUT ACCEPT [5496114822:5333472174263]
>> :FORWARD ACCEPT [2747543338:3462497328147]
>> :OUTPUT ACCEPT [2553871359:2092598753320]
>> COMMIT
>> # Completed on Sat May 1 20:43:46 2021
>> # Generated by iptables-save v1.4.21 on Sat May 1 20:43:46 2021
>> *mangle
>> :PREROUTING ACCEPT [8243685131:8795975030291]
>> :INPUT ACCEPT [5496114395:5333471981784]
>> :FORWARD ACCEPT [2747543338:3462497328147]
>> :OUTPUT ACCEPT [2553870669:2092598540842]
>> :POSTROUTING ACCEPT [5354687244:5605322818820]
>> -A INPUT -s 18.138.204.63/32 -d 37.37.37.37/32 -p esp -j MARK --set-xmark 0x64/0xffffffff
>> -A INPUT -s 54.169.121.249/32 -d 37.37.37.37/32 -p esp -j MARK --set-xmark 0xc8/0xffffffff
>> -A FORWARD -o VTI_awssg1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>> -A FORWARD -o VTI_awssg2 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>> COMMIT
>> # Completed on Sat May 1 20:43:46 2021
>> # Generated by iptables-save v1.4.21 on Sat May 1 20:43:46 2021
>> *nat
>> :PREROUTING ACCEPT [2301275:280879334]
>> :INPUT ACCEPT [10207:14377342]
>> :OUTPUT ACCEPT [6610:19206827]
>> :POSTROUTING ACCEPT [2292533:266606871]
>> -A PREROUTING -p tcp -m tcp --dport 1266 -j DNAT --to-destination 169.254.0.1:443
>> -A POSTROUTING -s 10.130.0.0/16 -d 10.130.0.0/16 -o GRE_+ -m comment --comment 400_exclude_change_dc_source -j ACCEPT
>> -A POSTROUTING -s 10.130.0.0/16 -d 10.0.0.0/8 -o GRE_+ -m comment --comment 450_change_dc_source -j SNAT --to-source 10.254.2.252
>> -A POSTROUTING -d 169.254.0.1/32 -p tcp -m tcp --dport 443 -j SNAT --to-source 169.254.0.2
>> COMMIT
>> # Completed on Sat May 1 20:43:46 2021
>> # Generated by iptables-save v1.4.21 on Sat May 1 20:43:46 2021
>> *filter
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [304442349:255435349641]
>> :OS2iDRAC - [0:0]
>> -A INPUT -d 37.37.37.37/32 -m comment --comment 000 -m policy --dir in --pol ipsec -j ACCEPT
>> -A INPUT -d 37.37.37.37/32 -p esp -m comment --comment 001 -j ACCEPT
>> -A INPUT -d 37.37.37.37/32 -p udp -m multiport --sports 500 -m multiport --dports 500 -m comment --comment 002 -j ACCEPT
>> -A INPUT -d 37.37.37.37/32 -p udp -m multiport --sports 4500 -m multiport --dports 4500 -m comment --comment 003 -j ACCEPT
>> -A INPUT -d 37.37.37.37/32 -p icmp -m comment --comment 004 -j ACCEPT
>> -A INPUT -d 37.37.37.37/32 -m comment --comment 005 -j DROP
>> -A INPUT -m comment --comment 006 -j ACCEPT
>> -A FORWARD -o GRE_+ -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "6.5_set_tcp_mss" -m tcpmss --mss 1361:1541 -j TCPMSS --set-mss 1360
>> -A FORWARD -m comment --comment 007 -j ACCEPT
>> COMMIT
>> # Completed on Sat May 1 20:43:46 2021
>>
>> On Sat, May 1, 2021 at 1:51 PM Noel Kuntze
>> <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
>>
>>> Hi,
>>>
>>> Provide output of iptables-save please.
>>>
>>> Kind regards
>>> Noel
>>>
>>> On 01.05.21 at 12:43, Edvinas Kairys wrote:
>>> > Hello,
>>> >
>>> > I've established a BGP connection from my CentOS Linux box to Amazon VPC
>>> > using this guide:
>>> > https://www.edge-cloud.net/2019/07/18/aws-site-2-site-vpn-with-strongswan-frrouting/#strongswan-setup
>>> >
>>> > The only strange thing is that in the iptables mangle table I don't see
>>> > any matches on the MARK function which should set a MARK on incoming traffic.
>>> > But IPsec is still working (at least for now); I don't know if it is something I
>>> > need to take care of or not:
>>> >
>>> > pkts bytes target prot opt in out source destination
>>> > Chain INPUT (policy ACCEPT 207M packets, 207G bytes)
>>> >  pkts bytes target  prot opt in  out         source         destination
>>> >     0     0 MARK    esp  --  *   *           xx.xx.204.63   xx.xx.xx.251   MARK set 0x64
>>> >     0     0 MARK    esp  --  *   *           xx.xx.121.249  xx.xx.xx.251   MARK set 0xc8
>>> >
>>> > Chain FORWARD (policy ACCEPT 100M packets, 131G bytes)
>>> >  pkts bytes target  prot opt in  out         source         destination
>>> > 78389 4702K TCPMSS  tcp  --  *   VTI_awssg1  0.0.0.0/0      0.0.0.0/0      tcp flags:0x06/0x02 TCPMSS clamp to PMTU
>>> >   807 48404 TCPMSS  tcp  --  *   VTI_awssg2  0.0.0.0/0      0.0.0.0/0      tcp flags:0x06/0x02 TCPMSS clamp to PMTU
>>> >
>>> > Chain OUTPUT (policy ACCEPT 90M packets, 73G bytes)
>>> >  pkts bytes target  prot opt in  out         source         destination
>>> >
>>> > Chain POSTROUTING (policy ACCEPT 192M packets, 205G bytes)
>>> >  pkts bytes target  prot opt in  out         source         destination
>>> >
>>> > Any ideas ? Thanks.
>>> >
>>>
>>>
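A check worth running when a mangle MARK rule for an IPsec peer shows zero hits, as an added example that is not code from the thread or from strongSwan: parse iptables-save output and report, per peer, the MARK rule's chain and mark value and whether it can match plain ESP (IP protocol 50), UDP-encapsulated ESP (NAT-T, UDP/4500), or both, since a `-p esp` rule never matches NAT-T packets. Both rulesets below are constructed from the addresses quoted in the thread; on a real host, feed `audit_esp_marks()` the output of `iptables-save` instead.

```python
import re
# Constructed sample modelled on the mangle table posted in the thread
# (peer and local addresses are the ones quoted on the page; counters zeroed).
SAMPLE_AS_POSTED = """\
*mangle
:INPUT ACCEPT [0:0]
-A INPUT -s 18.138.204.63/32 -d 37.37.37.37/32 -p esp -j MARK --set-xmark 0x64/0xffffffff
-A INPUT -s 54.169.121.249/32 -d 37.37.37.37/32 -p esp -j MARK --set-xmark 0xc8/0xffffffff
COMMIT
"""
# Constructed variant: marks set in PREROUTING for both plain ESP and NAT-T.
SAMPLE_WITH_NATT = """\
*mangle
-A PREROUTING -s 18.138.204.63/32 -d 37.37.37.37/32 -p esp -j MARK --set-xmark 0x64/0xffffffff
-A PREROUTING -s 18.138.204.63/32 -d 37.37.37.37/32 -p udp -m udp --dport 4500 -j MARK --set-xmark 0x64/0xffffffff
COMMIT
"""

def parse_rules(dump):
    """Yield (table, chain, args) for every '-A' rule in iptables-save output."""
    table = None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith("-A ") and table:
            chain, _, args = line[3:].partition(" ")
            yield table, chain, args

def _opt(args, flag):
    """Value following a whitespace-delimited option such as '-s' or '--dport'."""
    m = re.search(r"(?:^|\s)" + re.escape(flag) + r"\s+(\S+)", args)
    return m.group(1) if m else None

def audit_esp_marks(dump):
    """Per peer: chain, mark value and which ESP encapsulation the mangle MARK rules
    can see. '-p esp' matches IP protocol 50 only; NAT-T ESP arrives as UDP/4500."""
    findings = {}
    for table, chain, args in parse_rules(dump):
        if table != "mangle" or _opt(args, "-j") != "MARK":
            continue
        peer = _opt(args, "-s") or "0.0.0.0/0"
        entry = findings.setdefault(
            peer, {"chain": chain, "mark": _opt(args, "--set-xmark"), "esp": False, "natt": False})
        proto, dport = _opt(args, "-p"), _opt(args, "--dport") or _opt(args, "--dports")
        if proto == "esp":
            entry["esp"] = True
        elif proto == "udp" and dport == "4500":
            entry["natt"] = True
    return findings
```

A peer whose entry has `esp` set but `natt` unset is one whose MARK rule stays at zero packets whenever that peer's traffic is NAT-T encapsulated. Separately, newer Linux kernels override skb->mark with the vti device's ikey in the xfrm input path when an ESP packet arrives through a vti tunnel, so on such kernels the SA lookup does not depend on these rules at all, which is consistent with a tunnel that works while the counters stay at zero.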