[strongSwan] connecting Linux Centos Box to Amazon VPC
Edvinas Kairys
edvinas.email at gmail.com
Mon May 3 16:57:54 CEST 2021
So as I dug more, one question is answered: it doesn't match the ESP
mark rule because strongSwan, for some reason, is using NAT-T with AWS. So
that's why it doesn't match protocol 50.
So one question remains: should those iptables mark entries exist at
all, and what is their function? The more I dig, the more I think
they're not needed. I would be grateful if someone could reassure me. Maybe
they were needed for some extra features?
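An added example, not from the thread or from strongSwan: a small Python model of the two mangle INPUT MARK rules quoted later in the thread, walking them the way netfilter does, to show why a NAT-T packet (ESP wrapped in UDP/4500) from the AWS endpoint never hits `-p esp` and the counters stay at zero. The rule lines are copied from the quoted iptables-save output; the packets are constructed.

```python
import ipaddress
import shlex

# Rule lines copied from the mangle table in the thread's iptables-save output.
MANGLE_INPUT = """
-A INPUT -s 18.138.204.63/32 -d 37.37.37.37/32 -p esp -j MARK --set-xmark 0x64/0xffffffff
-A INPUT -s 54.169.121.249/32 -d 37.37.37.37/32 -p esp -j MARK --set-xmark 0xc8/0xffffffff
"""

def parse_rules(text):
    """Parse '-A CHAIN ...' lines into dicts holding the matches this model understands."""
    rules = []
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        r = {"chain": tok[1], "src": None, "dst": None, "proto": None, "dport": None, "mark": None}
        i = 2
        while i < len(tok):
            if tok[i] == "-s": r["src"] = ipaddress.ip_network(tok[i + 1]); i += 2
            elif tok[i] == "-d": r["dst"] = ipaddress.ip_network(tok[i + 1]); i += 2
            elif tok[i] == "-p": r["proto"] = tok[i + 1]; i += 2
            elif tok[i] == "--dport": r["dport"] = int(tok[i + 1]); i += 2
            elif tok[i] == "--set-xmark":
                value, mask = tok[i + 1].split("/")
                r["mark"] = (int(value, 16), int(mask, 16)); i += 2
            else: i += 1  # -j, -m, MARK: irrelevant to matching in this model
        rules.append(r)
    return rules

def apply_marks(rules, pkt, mark=0):
    """Walk the chain; MARK is non-terminating, so every rule is evaluated in order."""
    for r in rules:
        if r["mark"] is None: continue
        if r["src"] and ipaddress.ip_address(pkt["src"]) not in r["src"]: continue
        if r["dst"] and ipaddress.ip_address(pkt["dst"]) not in r["dst"]: continue
        if r["proto"] and r["proto"] != pkt["proto"]: continue
        if r["dport"] is not None and r["dport"] != pkt.get("dport"): continue
        value, mask = r["mark"]
        mark = (mark & (~mask & 0xFFFFFFFF)) ^ value  # --set-xmark: clear mask bits, XOR value
    return mark

RULES = parse_rules(MANGLE_INPUT)
# Constructed packets. Plain ESP (IP protocol 50) from the first AWS endpoint matches rule 1.
PLAIN_ESP = {"src": "18.138.204.63", "dst": "37.37.37.37", "proto": "esp"}
# Same peer with NAT-T: the outer packet is UDP/4500, so "-p esp" never sees it.
NAT_T = {"src": "18.138.204.63", "dst": "37.37.37.37", "proto": "udp", "dport": 4500}

if __name__ == "__main__":
    print(hex(apply_marks(RULES, PLAIN_ESP)))  # 0x64
    print(hex(apply_marks(RULES, NAT_T)))      # 0x0
```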
On Sun, May 2, 2021 at 12:49 AM Edvinas Kairys <edvinas.email at gmail.com>
wrote:
> update 3:
>
> Seems changing xmark from the INPUT chain to PREROUTING did not help.
> Packets are still not matched, but everything works.
>
> Maybe newer Linux versions (CentOS Linux release 7.7) already map MARKs
> automatically?
>
> On Sat, May 1, 2021 at 11:06 PM Edvinas Kairys <edvinas.email at gmail.com>
> wrote:
>
>> As I dug more, it could be due to the marking being configured not on the
>> PREROUTING chain but on the INPUT chain. On Monday I will try to change the marking
>> to the PREROUTING chain.
>>
>> Also, it's interesting why the connection works if the INPUT chain marking
>> doesn't.
>>
>> On Sat, May 1, 2021 at 10:39 PM Edvinas Kairys <edvinas.email at gmail.com>
>> wrote:
>>
>>> Hello, (sorry, resend to all)
>>>
>>> Thanks for the opportunity to remind myself of the processing order of Linux
>>> iptables. The tables are here; I've bolded the places where 37.37.37.37
>>> (my Linux host) can be matched. As the theory says, Linux first consults the
>>> mangle INPUT chain, and only after that the filter table.
>>>
>>> So in mangle INPUT we have that set-xmark thing where no matching
>>> occurs. Later in the filter table I've made some 'protection' entries to
>>> allow only IPsec traffic to that IP address. Do you think those
>>> entries in the filter table can be the reason that the mangle table entries are not
>>> matched? As I understand it, that shouldn't be the case, because those filter
>>> table rules just accept the packet.
>>>
>>> Anyhow, how is it supposed to work if no match is occurring?
>>>
>>> Thanks!
>>>
>>> # Generated by iptables-save v1.4.21 on Sat May 1 20:43:46 2021
>>> *raw
>>> :PREROUTING ACCEPT [8243685689:8795975227546]
>>> :OUTPUT ACCEPT [2553871359:2092598753320]
>>> COMMIT
>>> # Completed on Sat May 1 20:43:46 2021
>>> # Generated by iptables-save v1.4.21 on Sat May 1 20:43:46 2021
>>> *security
>>> :INPUT ACCEPT [5496114822:5333472174263]
>>> :FORWARD ACCEPT [2747543338:3462497328147]
>>> :OUTPUT ACCEPT [2553871359:2092598753320]
>>> COMMIT
>>> # Completed on Sat May 1 20:43:46 2021
>>> # Generated by iptables-save v1.4.21 on Sat May 1 20:43:46 2021
>>> *mangle
>>> :PREROUTING ACCEPT [8243685131:8795975030291]
>>> :INPUT ACCEPT [5496114395:5333471981784]
>>> :FORWARD ACCEPT [2747543338:3462497328147]
>>> :OUTPUT ACCEPT [2553870669:2092598540842]
>>> :POSTROUTING ACCEPT [5354687244:5605322818820]
>>> -A INPUT -s 18.138.204.63/32 -d 37.37.37.37/32 -p esp -j MARK --set-xmark 0x64/0xffffffff
>>> -A INPUT -s 54.169.121.249/32 -d 37.37.37.37/32 -p esp -j MARK --set-xmark 0xc8/0xffffffff
>>> -A FORWARD -o VTI_awssg1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>>> -A FORWARD -o VTI_awssg2 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>>> COMMIT
>>> # Completed on Sat May 1 20:43:46 2021
>>> # Generated by iptables-save v1.4.21 on Sat May 1 20:43:46 2021
>>> *nat
>>> :PREROUTING ACCEPT [2301275:280879334]
>>> :INPUT ACCEPT [10207:14377342]
>>> :OUTPUT ACCEPT [6610:19206827]
>>> :POSTROUTING ACCEPT [2292533:266606871]
>>> -A PREROUTING -p tcp -m tcp --dport 1266 -j DNAT --to-destination 169.254.0.1:443
>>> -A POSTROUTING -s 10.130.0.0/16 -d 10.130.0.0/16 -o GRE_+ -m comment --comment 400_exclude_change_dc_source -j ACCEPT
>>> -A POSTROUTING -s 10.130.0.0/16 -d 10.0.0.0/8 -o GRE_+ -m comment --comment 450_change_dc_source -j SNAT --to-source 10.254.2.252
>>> -A POSTROUTING -d 169.254.0.1/32 -p tcp -m tcp --dport 443 -j SNAT --to-source 169.254.0.2
>>> COMMIT
>>> # Completed on Sat May 1 20:43:46 2021
>>> # Generated by iptables-save v1.4.21 on Sat May 1 20:43:46 2021
>>> *filter
>>> :INPUT ACCEPT [0:0]
>>> :FORWARD ACCEPT [0:0]
>>> :OUTPUT ACCEPT [304442349:255435349641]
>>> :OS2iDRAC - [0:0]
>>> -A INPUT -d 37.37.37.37/32 -m comment --comment 000 -m policy --dir in --pol ipsec -j ACCEPT
>>> -A INPUT -d 37.37.37.37/32 -p esp -m comment --comment 001 -j ACCEPT
>>> -A INPUT -d 37.37.37.37/32 -p udp -m multiport --sports 500 -m multiport --dports 500 -m comment --comment 002 -j ACCEPT
>>> -A INPUT -d 37.37.37.37/32 -p udp -m multiport --sports 4500 -m multiport --dports 4500 -m comment --comment 003 -j ACCEPT
>>> -A INPUT -d 37.37.37.37/32 -p icmp -m comment --comment 004 -j ACCEPT
>>> -A INPUT -d 37.37.37.37/32 -m comment --comment 005 -j DROP
>>> -A INPUT -m comment --comment 006 -j ACCEPT
>>> -A FORWARD -o GRE_+ -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "6.5_set_tcp_mss" -m tcpmss --mss 1361:1541 -j TCPMSS --set-mss 1360
>>> -A FORWARD -m comment --comment 007 -j ACCEPT
>>> COMMIT
>>> # Completed on Sat May 1 20:43:46 2021
>>>
>>> On Sat, May 1, 2021 at 1:51 PM Noel Kuntze
>>> <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
>>>
>>>> Hi,
>>>>
>>>> Provide output of iptables-save please.
>>>>
>>>> Kind regards
>>>> Noel
>>>>
>>>> On 01.05.21 at 12:43, Edvinas Kairys wrote:
>>>> > Hello,
>>>> >
>>>> > I've established a BGP connection from my CentOS Linux box to Amazon
>>>> > VPC using this guide:
>>>> > https://www.edge-cloud.net/2019/07/18/aws-site-2-site-vpn-with-strongswan-frrouting/#strongswan-setup
>>>> >
>>>> > The only strange thing is that in the iptables mangle table I don't see
>>>> > any matches on the MARK function which should set a MARK on incoming traffic.
>>>> > But IPsec is still working (at least for now); I don't know if it is something
>>>> > I need to take care of or not:
>>>> >
>>>> > pkts bytes target prot opt in out source destination
>>>> > Chain INPUT (policy ACCEPT 207M packets, 207G bytes)
>>>> >  pkts bytes target prot opt in  out source         destination
>>>> >     0     0 MARK   esp  --  *   *   xx.xx.204.63   xx.xx.xx.251  MARK set 0x64
>>>> >     0     0 MARK   esp  --  *   *   xx.xx.121.249  xx.xx.xx.251  MARK set 0xc8
>>>> >
>>>> > Chain FORWARD (policy ACCEPT 100M packets, 131G bytes)
>>>> >  pkts bytes target prot opt in  out        source     destination
>>>> > 78389 4702K TCPMSS tcp  --  *   VTI_awssg1 0.0.0.0/0  0.0.0.0/0    tcp flags:0x06/0x02 TCPMSS clamp to PMTU
>>>> >   807 48404 TCPMSS tcp  --  *   VTI_awssg2 0.0.0.0/0  0.0.0.0/0    tcp flags:0x06/0x02 TCPMSS clamp to PMTU
>>>> >
>>>> > Chain OUTPUT (policy ACCEPT 90M packets, 73G bytes)
>>>> >  pkts bytes target prot opt in  out source destination
>>>> >
>>>> > Chain POSTROUTING (policy ACCEPT 192M packets, 205G bytes)
>>>> >  pkts bytes target prot opt in  out source destination
>>>> >
>>>> > Any ideas ? Thanks.
>>>> >
>>>>
>>>>