[strongSwan] Help with setup

VTwin Farriers vtwin at cox.net
Tue Feb 1 14:24:45 CET 2022


Good morning Noel,

Attached below are the various configurations you requested. At this point my config is pretty basic as I attempt to get this working.

The IP addresses of my Work and Home Routers are 192.168.126.254 and 192.168.127.254 respectively. Upon establishing a connection I cannot ping or ssh to either router from the other subnet.

If there's anything else I can provide to aid in diagnosing how I've set this up wrong let me know and I'll try to get it quickly.

Thank you for the assistance,

Mike


----------------------------------------------------------------------

WorkRouter & HomeRouter /etc/sysctl.conf:

net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.netfilter.nf_conntrack_helper = 1

----------------------------------------------------------------------

WorkRouter iptables pre-connection:

# Generated by iptables-save v1.8.4 on Tue Feb 1 07:34:10 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:f2b-sshd - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i LAN -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i LAN -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o LAN -j ACCEPT
-A OUTPUT -o Internet -j ACCEPT
-A f2b-sshd -j RETURN
COMMIT
# Completed on Tue Feb 1 07:34:10 2022
# Generated by iptables-save v1.8.4 on Tue Feb 1 07:34:10 2022
*nat
:PREROUTING ACCEPT [30:3004]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [1:88]
-A POSTROUTING -s 192.168.126.0/24 -o Internet -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o Internet -j MASQUERADE
COMMIT
# Completed on Tue Feb 1 07:34:10 2022

----------------------------------------------------------------------

WorkRouter post-connection:

# Generated by iptables-save v1.8.4 on Tue Feb 1 07:49:29 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGGING - [0:0]
:f2b-sshd - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i LAN -j ACCEPT
-A INPUT -j DROP
-A FORWARD -s 192.168.127.0/24 -d 192.168.126.0/24 -i Internet -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.126.0/24 -d 192.168.127.0/24 -o Internet -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i LAN -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o LAN -j ACCEPT
-A OUTPUT -o wlp3s0 -j ACCEPT
-A OUTPUT -o Internet -j ACCEPT
-A f2b-sshd -j RETURN
COMMIT
# Completed on Tue Feb 1 07:49:29 2022
# Generated by iptables-save v1.8.4 on Tue Feb 1 07:49:29 2022
*nat
:PREROUTING ACCEPT [1431:142370]
:INPUT ACCEPT [1:364]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [16:1124]
-A POSTROUTING -s 192.168.126.0/24 -o Internet -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o Internet -j MASQUERADE
COMMIT
# Completed on Tue Feb 1 07:49:29 2022

----------------------------------------------------------------------

HomeRouter iptables pre-connection:

# Generated by iptables-save v1.8.4 on Tue Feb 1 07:36:55 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [7573850:808120940]
:f2b-sshd - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i LAN -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i LAN -j ACCEPT
-A FORWARD -j DROP
-A f2b-sshd -j RETURN
COMMIT
# Completed on Tue Feb 1 07:36:55 2022
# Generated by iptables-save v1.8.4 on Tue Feb 1 07:36:55 2022
*nat
:PREROUTING ACCEPT [201662:20100360]
:INPUT ACCEPT [130094:8522561]
:POSTROUTING ACCEPT [347066:26292253]
:OUTPUT ACCEPT [395652:30979041]
-A POSTROUTING -s 192.168.127.0/24 -o Internet -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o Internet -j MASQUERADE
COMMIT
# Completed on Tue Feb 1 07:36:55 2022

----------------------------------------------------------------------

HomeRouter iptables post-connection:

# Generated by iptables-save v1.8.4 on Tue Feb 1 07:47:36 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [7775544:830642656]
:f2b-sshd - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i LAN -j ACCEPT
-A INPUT -j DROP
-A FORWARD -s 192.168.126.0/24 -d 192.168.127.0/24 -i Internet -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.127.0/24 -d 192.168.126.0/24 -o Internet -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i LAN -j ACCEPT
-A FORWARD -j DROP
-A f2b-sshd -j RETURN
COMMIT
# Completed on Tue Feb 1 07:47:36 2022
# Generated by iptables-save v1.8.4 on Tue Feb 1 07:47:36 2022
*nat
:PREROUTING ACCEPT [205511:20493848]
:INPUT ACCEPT [132803:8703437]
:POSTROUTING ACCEPT [353122:26767112]
:OUTPUT ACCEPT [402834:31555865]
-A POSTROUTING -s 192.168.127.0/24 -o Internet -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o Internet -j MASQUERADE
COMMIT
# Completed on Tue Feb 1 07:47:36 2022

----------------------------------------------------------------------

WorkRouter swanctl.conf:

connections {
    homenet {
        version=2
        mobike=no
        fragmentation=yes
        local_addrs=Work.Public.IP.Address
        remote_addrs=Home.Public.IP.Address
        proposals=aes256-sha1-modp1024
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            homenet {
                esp_proposals=aes256-sha1
                remote_ts=192.168.127.0/24
                local_ts=192.168.126.0/24
                updown=/usr/libexec/strongswan/_updown iptables
            }
        }
    }
}

HomeRouter swanctl.conf:

connections {
    worknet {
        version=2
        mobike=no
        fragmentation=yes
        local_addrs=Home.Public.IP.Address
        remote_addrs=Work.Public.IP.Address
        proposals=aes256-sha1-modp1024
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            worknet {
                esp_proposals=aes256-sha1
                local_ts=192.168.127.0/24
                remote_ts=192.168.126.0/24
                updown=/usr/libexec/strongswan/_updown iptables
            }
        }
    }
}


Connection from HomeRouter to WorkRouter:

swanctl --initiate --ike worknet --child worknet
[IKE] initiating IKE_SA worknet[5] to Work.Public.IP.Address
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from Home.Public.IP.Address[500] to Work.Public.IP.Address[500] (336 bytes)
[NET] received packet: from Work.Public.IP.Address[500] to Home.Public.IP.Address[500] (344 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[CFG] no IDi configured, fall back on IP address
[IKE] authentication of 'Home.Public.IP.Address' (myself) with pre-shared key
[IKE] establishing CHILD_SA worknet{1}
[ENC] generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from Home.Public.IP.Address[500] to Work.Public.IP.Address[500] (220 bytes)
[NET] received packet: from Work.Public.IP.Address[500] to Home.Public.IP.Address[500] (204 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
[IKE] authentication of 'Work.Public.IP.Address' with pre-shared key successful
[IKE] IKE_SA worknet[5] established between Home.Public.IP.Address[Home.Public.IP.Address]...Work.Public.IP.Address[Work.Public.IP.Address]
[IKE] scheduling rekeying in 14047s
[IKE] maximum IKE_SA lifetime 15487s
[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
[IKE] CHILD_SA worknet{1} established with SPIs ca677689_i c43a2311_o and TS 192.168.127.0/24 === 192.168.126.0/24
initiate completed successfully
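The listings above are the poster's own. What follows is an added example, not code from the post or from strongSwan, that audits an iptables-save listing for the rules a site-to-site tunnel depends on: the FORWARD policy rules that the _updown script installs, the nat exemption ahead of MASQUERADE, and an INPUT rule for tunnel traffic addressed to the router itself. It embeds a constructed excerpt of the WorkRouter post-connection listing; the function and variable names are mine.

```shell
#!/bin/sh
# Added example (not from the post or strongSwan): audit an iptables-save
# listing for the rules a site-to-site tunnel depends on. WORK_POST is a
# constructed excerpt of the WorkRouter post-connection listing in the mail.
WORK_POST='-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i LAN -j ACCEPT
-A INPUT -j DROP
-A FORWARD -s 192.168.127.0/24 -d 192.168.126.0/24 -i Internet -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.126.0/24 -d 192.168.127.0/24 -o Internet -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DROP
-A POSTROUTING -s 192.168.126.0/24 -o Internet -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o Internet -j MASQUERADE'

# rule_accepts DUMP CHAIN REGEX: succeed if CHAIN has an ACCEPT rule matching
# REGEX that comes before the chain's unconditional "-A CHAIN -j DROP".
rule_accepts() {
    printf '%s\n' "$1" | awk -v chain="$2" -v re="$3" '
        $1 == "-A" && $2 == chain && !stop {
            if (NF == 4 && $3 == "-j" && $4 == "DROP") stop = 1
            else if ($0 ~ re && $NF == "ACCEPT") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# nat_exempt_before_masq DUMP: the IPsec-policy ACCEPT in nat/POSTROUTING must
# precede MASQUERADE, or tunnel traffic is source-NATed out of the child's TS.
nat_exempt_before_masq() {
    printf '%s\n' "$1" | awk '
        $2 == "POSTROUTING" && $NF == "MASQUERADE" { masq = 1 }
        $2 == "POSTROUTING" && /--pol ipsec/ && $NF == "ACCEPT" && !masq { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# say LABEL CMD...: run one check and print its verdict.
say() { label=$1; shift; "$@" && echo "ok: $label" || echo "MISSING: $label"; }

# Decapsulated packets bound for the other site traverse FORWARD; packets
# addressed to the router's own LAN address (the 192.168.126.254 ping target
# in the mail) traverse INPUT instead, where this dump has no IPsec rule.
audit() {
    say "FORWARD --dir in --pol ipsec"  rule_accepts "$1" FORWARD '--dir in --pol ipsec'
    say "FORWARD --dir out --pol ipsec" rule_accepts "$1" FORWARD '--dir out --pol ipsec'
    say "POSTROUTING ipsec exemption ahead of MASQUERADE" nat_exempt_before_masq "$1"
    say "INPUT --pol ipsec (tunnel traffic addressed to the router)" rule_accepts "$1" INPUT '--pol ipsec'
}
audit "$WORK_POST"
```

Fed the full `iptables-save` output of either router in this mail, the last check reports MISSING on both, since each INPUT chain ends in `-j DROP` with no `-m policy --dir in --pol ipsec` rule ahead of it.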