[strongSwan] Help with setup

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Tue Feb 1 17:46:16 CET 2022


Hi

From my own understanding (I may be wrong) of the configs you applied, I
believe there is a "missing" permit rule for ESP in the INPUT chain of your
iptables/firewall rules.

Try adding the following to the running config, above the drop rule:

iptables -I INPUT 1 -p esp -i <ens01> -j ACCEPT

and there is no harm in adding a similar rule in the OUTPUT chain too:

iptables -I OUTPUT 1 -p esp -o <ens01> -j ACCEPT

---------------------------------------------------------------------------
Or a more complete rule set would be as below (to be applied on both
IPsec gateways):


iptables -I INPUT 1 -i <Internet> -p esp -j ACCEPT
iptables -I INPUT 2 -i <Internet> -p udp -m udp --dport 500 -j ACCEPT
iptables -I INPUT 3 -i <Internet> -p udp -m udp --dport 4500 -j ACCEPT
iptables -I INPUT 4 -p tcp -m multiport --dports 22 -j f2b-sshd
iptables -I INPUT 5 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -I INPUT 6 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i LAN -j ACCEPT
iptables -A INPUT -j DROP

iptables -I OUTPUT 1 -p esp -j ACCEPT
iptables -I OUTPUT 2 -p udp -m udp --dport 500 -j ACCEPT
iptables -I OUTPUT 3 -p udp -m udp --dport 4500 -j ACCEPT
iptables -I OUTPUT 4 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Note: the "Internet" interface mentioned is to be replaced with the actual
WAN/internet/public interface of your gateway.

-----------------------------------------------------------------------------

regards



On Tue, Feb 1, 2022 at 6:54 PM VTwin Farriers <vtwin at cox.net> wrote:

>
> Good morning Noel,
>
> Attached below are the various configurations you requested. At this point
> my config is pretty basic as I attempt to get this working.
>
> The IP addresses of my Work and Home Routers are 192.168.126.254 and
> 192.168.127.254 respectively. Upon establishing a connection I cannot ping
> or ssh to either router from the other subnet.
>
> If there's anything else I can provide to aid in diagnosing how I've set
> this up wrong let me know and I'll try to get it quickly.
>
> Thank you for the assistance,
>
> Mike
>
>
> ----------------------------------------------------------------------
>
> WorkRouter & HomeRouter /etc/sysctl.conf:
>
> net.ipv4.ip_forward = 1
> net.ipv6.conf.all.forwarding = 0
> net.ipv6.conf.all.disable_ipv6 = 1
> net.ipv6.conf.default.disable_ipv6 = 1
> net.ipv6.conf.lo.disable_ipv6 = 1
> net.netfilter.nf_conntrack_helper = 1
>
> ----------------------------------------------------------------------
>
> WorkRouter iptables pre-connection:
>
> # Generated by iptables-save v1.8.4 on Tue Feb 1 07:34:10 2022
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [0:0]
> :f2b-sshd - [0:0]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i LAN -j ACCEPT
> -A INPUT -j DROP
> -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i lo -j ACCEPT
> -A FORWARD -i LAN -j ACCEPT
> -A FORWARD -j DROP
> -A OUTPUT -o lo -j ACCEPT
> -A OUTPUT -o LAN -j ACCEPT
> -A OUTPUT -o Internet -j ACCEPT
> -A f2b-sshd -j RETURN
> COMMIT
> # Completed on Tue Feb 1 07:34:10 2022
> # Generated by iptables-save v1.8.4 on Tue Feb 1 07:34:10 2022
> *nat
> :PREROUTING ACCEPT [30:3004]
> :INPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [1:88]
> -A POSTROUTING -s 192.168.126.0/24 -o Internet -m policy --dir out --pol ipsec -j ACCEPT
> -A POSTROUTING -o Internet -j MASQUERADE
> COMMIT
> # Completed on Tue Feb 1 07:34:10 2022
>
> ----------------------------------------------------------------------
>
> WorkRouter post-connection:
>
> # Generated by iptables-save v1.8.4 on Tue Feb 1 07:49:29 2022
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [0:0]
> :LOGGING - [0:0]
> :f2b-sshd - [0:0]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i LAN -j ACCEPT
> -A INPUT -j DROP
> -A FORWARD -s 192.168.127.0/24 -d 192.168.126.0/24 -i Internet -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> -A FORWARD -s 192.168.126.0/24 -d 192.168.127.0/24 -o Internet -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i lo -j ACCEPT
> -A FORWARD -i LAN -j ACCEPT
> -A FORWARD -j DROP
> -A OUTPUT -o lo -j ACCEPT
> -A OUTPUT -o LAN -j ACCEPT
> -A OUTPUT -o wlp3s0 -j ACCEPT
> -A OUTPUT -o Internet -j ACCEPT
> -A f2b-sshd -j RETURN
> COMMIT
> # Completed on Tue Feb 1 07:49:29 2022
> # Generated by iptables-save v1.8.4 on Tue Feb 1 07:49:29 2022
> *nat
> :PREROUTING ACCEPT [1431:142370]
> :INPUT ACCEPT [1:364]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [16:1124]
> -A POSTROUTING -s 192.168.126.0/24 -o Internet -m policy --dir out --pol ipsec -j ACCEPT
> -A POSTROUTING -o Internet -j MASQUERADE
> COMMIT
> # Completed on Tue Feb 1 07:49:29 2022
>
> ----------------------------------------------------------------------
>
> HomeRouter iptables pre-connection:
>
> # Generated by iptables-save v1.8.4 on Tue Feb 1 07:36:55 2022
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [7573850:808120940]
> :f2b-sshd - [0:0]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i LAN -j ACCEPT
> -A INPUT -j DROP
> -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i lo -j ACCEPT
> -A FORWARD -i LAN -j ACCEPT
> -A FORWARD -j DROP
> -A f2b-sshd -j RETURN
> COMMIT
> # Completed on Tue Feb 1 07:36:55 2022
> # Generated by iptables-save v1.8.4 on Tue Feb 1 07:36:55 2022
> *nat
> :PREROUTING ACCEPT [201662:20100360]
> :INPUT ACCEPT [130094:8522561]
> :POSTROUTING ACCEPT [347066:26292253]
> :OUTPUT ACCEPT [395652:30979041]
> -A POSTROUTING -s 192.168.127.0/24 -o Internet -m policy --dir out --pol ipsec -j ACCEPT
> -A POSTROUTING -o Internet -j MASQUERADE
> COMMIT
> # Completed on Tue Feb 1 07:36:55 2022
>
> ----------------------------------------------------------------------
>
> HomeRouter iptables post-connection:
>
> # Generated by iptables-save v1.8.4 on Tue Feb 1 07:47:36 2022
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [7775544:830642656]
> :f2b-sshd - [0:0]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i LAN -j ACCEPT
> -A INPUT -j DROP
> -A FORWARD -s 192.168.126.0/24 -d 192.168.127.0/24 -i Internet -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> -A FORWARD -s 192.168.127.0/24 -d 192.168.126.0/24 -o Internet -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i lo -j ACCEPT
> -A FORWARD -i LAN -j ACCEPT
> -A FORWARD -j DROP
> -A f2b-sshd -j RETURN
> COMMIT
> # Completed on Tue Feb 1 07:47:36 2022
> # Generated by iptables-save v1.8.4 on Tue Feb 1 07:47:36 2022
> *nat
> :PREROUTING ACCEPT [205511:20493848]
> :INPUT ACCEPT [132803:8703437]
> :POSTROUTING ACCEPT [353122:26767112]
> :OUTPUT ACCEPT [402834:31555865]
> -A POSTROUTING -s 192.168.127.0/24 -o Internet -m policy --dir out --pol ipsec -j ACCEPT
> -A POSTROUTING -o Internet -j MASQUERADE
> COMMIT
> # Completed on Tue Feb 1 07:47:36 2022
>
> ----------------------------------------------------------------------
>
> WorkRouter swanctl.conf:
>
> connections {
>   homenet {
>     version = 2
>     mobike = no
>     fragmentation = yes
>     local_addrs = Work.Public.IP.Address
>     remote_addrs = Home.Public.IP.Address
>     proposals = aes256-sha1-modp1024
>     local {
>       auth = psk
>     }
>     remote {
>       auth = psk
>     }
>     children {
>       homenet {
>         esp_proposals = aes256-sha1
>         remote_ts = 192.168.127.0/24
>         local_ts = 192.168.126.0/24
>         updown = /usr/libexec/strongswan/_updown iptables
>       }
>     }
>   }
> }
>
> HomeRouter swanctl.conf:
>
> connections {
>   worknet {
>     version = 2
>     mobike = no
>     fragmentation = yes
>     local_addrs = Home.Public.IP.Address
>     remote_addrs = Work.Public.IP.Address
>     proposals = aes256-sha1-modp1024
>     local {
>       auth = psk
>     }
>     remote {
>       auth = psk
>     }
>     children {
>       worknet {
>         esp_proposals = aes256-sha1
>         local_ts = 192.168.127.0/24
>         remote_ts = 192.168.126.0/24
>         updown = /usr/libexec/strongswan/_updown iptables
>       }
>     }
>   }
> }
>
>
> Connection from HomeRouter to WorkRouter:
>
> swanctl --initiate --ike worknet --child worknet
> [IKE] initiating IKE_SA worknet[5] to Work.Public.IP.Address
> [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> [NET] sending packet: from Home.Public.IP.Address[500] to Work.Public.IP.Address[500] (336 bytes)
> [NET] received packet: from Work.Public.IP.Address[500] to Home.Public.IP.Address[500] (344 bytes)
> [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
> [CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> [CFG] no IDi configured, fall back on IP address
> [IKE] authentication of 'Home.Public.IP.Address' (myself) with pre-shared key
> [IKE] establishing CHILD_SA worknet{1}
> [ENC] generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> [NET] sending packet: from Home.Public.IP.Address[500] to Work.Public.IP.Address[500] (220 bytes)
> [NET] received packet: from Work.Public.IP.Address[500] to Home.Public.IP.Address[500] (204 bytes)
> [ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
> [IKE] authentication of 'Work.Public.IP.Address' with pre-shared key successful
> [IKE] IKE_SA worknet[5] established between Home.Public.IP.Address[Home.Public.IP.Address]...Work.Public.IP.Address[Work.Public.IP.Address]
> [IKE] scheduling rekeying in 14047s
> [IKE] maximum IKE_SA lifetime 15487s
> [CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
> [IKE] CHILD_SA worknet{1} established with SPIs ca677689_i c43a2311_o and TS 192.168.127.0/24 === 192.168.126.0/24
> initiate completed successfully
>
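Editor's added example (mine, not part of Rajiv's reply, Mike's post or the strongSwan project): a POSIX shell script that audits an iptables-save dump for the three INPUT rules an IPsec gateway needs ahead of its terminal DROP (ESP, IKE on udp/500, NAT-T on udp/4500), treating a rule that sits after the DROP as absent, and prints the insert commands bound to the public interface. SAMPLE_DUMP is constructed to mirror the WorkRouter "pre-connection" filter table quoted above; the interface name ens01 is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original thread: audit an iptables-save dump for
# the INPUT-chain rules an IPsec gateway needs in front of its final DROP, and
# print the fix. SAMPLE_DUMP is a constructed copy of the WorkRouter
# "pre-connection" filter table: IKE (udp/500) and NAT-T (udp/4500) are
# accepted, but ESP itself is not, so tunnel traffic dies at the DROP.

SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:f2b-sshd - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i LAN -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
-A f2b-sshd -j RETURN
COMMIT'

# reachable_input_rules DUMP: INPUT rules that precede the first unconditional
# DROP/REJECT in the chain. Rules after it never match, so an ESP accept that
# was appended below the DROP is as good as absent.
reachable_input_rules() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT -j (DROP|REJECT)/ { exit }
        /^-A INPUT /                 { print }'
}

# has_reachable_input_rule DUMP ERE: true if some reachable INPUT rule matches.
has_reachable_input_rule() {
    reachable_input_rules "$1" | grep -Eq -- "$2"
}

# list_missing_ipsec_input_rules DUMP: one "missing: ..." line per rule that an
# IPsec gateway needs and the dump lacks (ESP, IKE, NAT-T).
list_missing_ipsec_input_rules() {
    for spec in \
        'ESP (IP protocol 50) accept|^-A INPUT .*-p esp .*-j ACCEPT' \
        'IKE udp/500 accept|^-A INPUT .*-p udp .*--dport 500 .*-j ACCEPT' \
        'NAT-T udp/4500 accept|^-A INPUT .*-p udp .*--dport 4500 .*-j ACCEPT'
    do
        if ! has_reachable_input_rule "$1" "${spec#*|}"; then
            echo "missing: ${spec%%|*}"
        fi
    done
}

# count_missing_ipsec_input_rules DUMP: number of missing rules; always exits 0
# so it is safe under set -e.
count_missing_ipsec_input_rules() {
    list_missing_ipsec_input_rules "$1" | awk 'END { print NR }'
}

# ipsec_input_fix WANIF: the iptables commands that put the three rules at the
# top of INPUT, bound to the public interface (placeholder name, e.g. ens01).
ipsec_input_fix() {
    printf 'iptables -I INPUT 1 -i %s -p esp -j ACCEPT\n' "$1"
    printf 'iptables -I INPUT 2 -i %s -p udp -m udp --dport 500 -j ACCEPT\n' "$1"
    printf 'iptables -I INPUT 3 -i %s -p udp -m udp --dport 4500 -j ACCEPT\n' "$1"
}

# insert_input_rule DUMP RULESPEC: what iptables-save shows after
# `iptables -I INPUT 1 RULESPEC` (the rule becomes the first INPUT entry).
insert_input_rule() {
    printf '%s\n' "$1" | awk -v rule="$2" '
        /^-A INPUT / && !seen { print "-A INPUT " rule; seen = 1 }
        { print }'
}

# Demonstration on the constructed dump.
echo "== audit of constructed dump =="
list_missing_ipsec_input_rules "$SAMPLE_DUMP"
echo "== fix for a gateway whose public interface is ens01 =="
ipsec_input_fix ens01
```

Run it against a live box with `iptables-save | { d=$(cat); . ./audit.sh; list_missing_ipsec_input_rules "$d"; }` or paste the dump into SAMPLE_DUMP. The audit only inspects the filter table's INPUT chain; it says nothing about FORWARD, which the _updown script populates with the `-m policy --pol ipsec` rules seen in the post-connection dumps.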