[strongSwan] Help with setup

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Tue Feb 1 22:10:49 CET 2022


Hello,

I would like to add to that comment.

You can replace the whole policy rule with this, then it's covered for any subnet and interface and it's not possible to "miss" so to speak.
The check only applies to IPsec protected traffic, but the inverse case where you want to SNAT traffic inside an IPsec tunnel is extremely rare anyway.
So that: -A POSTROUTING -s 192.168.126.0/24 -o Internet -m policy --dir out --pol ipsec -j ACCEPT
just becomes that: -A POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT

>>     -A INPUT -i lo -j ACCEPT

I advise you to put that rule first. Then you can't accidentally drop any packet on loopback.

>>     -A FORWARD -i lo -j ACCEPT

That rule doesn't make sense.

Regarding your swanctl settings:
Assuming you have no alternative network paths to the remote subnet, you can probably just configure start_action=trap already.

Kind regards
Noel
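As an added illustration of the three checks discussed in this thread (an IPsec policy exemption ahead of MASQUERADE, the loopback ACCEPT first in INPUT, and Rajiv's ESP rule), here is a small lint for an iptables-save dump. This is example code written for this page, not from the thread or the strongSwan project; the dump it runs over is constructed to mirror the WorkRouter "pre-connection" ruleset below and is not the poster's actual file.

```shell
# Constructed iptables-save excerpt shaped like the WorkRouter "pre-connection"
# dump in the thread (same interface and subnet names; not the poster's file).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j DROP
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.126.0/24 -o Internet -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o Internet -j MASQUERADE
COMMIT'

# rule_index DUMP CHAIN REGEX: 1-based position in CHAIN of the first rule
# matching REGEX, or 0 when none matches (only -A lines are counted).
rule_index() {
  printf '%s\n' "$1" | grep -E "^-A $2 " | grep -nE -e "$3" |
    head -n 1 | cut -d: -f1 | grep . || echo 0
}
# Passes when an "-m policy --pol ipsec" ACCEPT precedes MASQUERADE in
# nat/POSTROUTING, so tunnel traffic is not source-NATed before encryption.
check_nat_exemption() {
  ex=$(rule_index "$1" POSTROUTING '-m policy .*--pol ipsec.*-j ACCEPT')
  mq=$(rule_index "$1" POSTROUTING '-j MASQUERADE')
  [ "$ex" -gt 0 ] && { [ "$mq" -eq 0 ] || [ "$ex" -lt "$mq" ]; }
}
# Passes when "-i lo -j ACCEPT" is the very first filter/INPUT rule.
check_loopback_first() {
  [ "$(rule_index "$1" INPUT '-i lo -j ACCEPT')" -eq 1 ]
}
# Passes when filter/INPUT accepts ESP and IKE on UDP 500 and 4500.
check_ike_esp() {
  [ "$(rule_index "$1" INPUT '-p esp .*-j ACCEPT')" -gt 0 ] &&
  [ "$(rule_index "$1" INPUT '--dport 500 -j ACCEPT')" -gt 0 ] &&
  [ "$(rule_index "$1" INPUT '--dport 4500 -j ACCEPT')" -gt 0 ]
}
# lint_ruleset DUMP: one line per finding; exit status is the number of findings.
lint_ruleset() {
  n=0
  check_nat_exemption "$1"  || { echo "nat/POSTROUTING: no IPsec exemption ahead of MASQUERADE"; n=$((n+1)); }
  check_loopback_first "$1" || { echo "filter/INPUT: '-i lo -j ACCEPT' is not the first rule"; n=$((n+1)); }
  check_ike_esp "$1"        || { echo "filter/INPUT: no ACCEPT for ESP and/or UDP 500/4500"; n=$((n+1)); }
  return "$n"
}

lint_ruleset "$SAMPLE_RULES" && echo "ruleset OK" || echo "findings: $?"
```

On the sample it reports two findings (loopback is fourth, not first, and there is no ESP rule); feed it `iptables-save` output from a real gateway to see the same checks against a live ruleset.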

On 01.02.22 at 17:46, Rajiv Kulkarni wrote:
> Hi
> 
>  From my own understanding (I may be wrong) of your configs applied... I believe there is a "missing" permit rule for ESP in the INPUT chain of your iptables/firewall rules
> 
> Try with adding to running config as below, above the drop rule
> 
> iptables -I INPUT 1 -p esp -i <ens01> -j ACCEPT
> 
> and no harm in adding a similar rule in OUTPUT chain too
> 
> iptables -I OUTPUT 1 -p esp -o <ens01> -j ACCEPT
> 
> ---------------------------------------------------------------------------
> or a more complete rule-set would be as below (to be applied on both ipsec-gateways)
> 
> 
> iptables -I INPUT 1 -i <Internet> -p esp -j ACCEPT
> iptables -I INPUT 2 -i <Internet> -p udp -m udp --dport 500 -j ACCEPT
> iptables -I INPUT 3 -i <Internet> -p udp -m udp --dport 4500 -j ACCEPT
> iptables -I INPUT 4 -p tcp -m multiport --dports 22 -j f2b-sshd
> iptables -I INPUT 5 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> iptables -I INPUT 6 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -i LAN -j ACCEPT
> iptables -A INPUT -j DROP
> 
> iptables -I OUTPUT 1 -p esp -j ACCEPT
> iptables -I OUTPUT 2 -p udp -m udp --dport 500 -j ACCEPT
> iptables -I OUTPUT 3 -p udp -m udp --dport 4500 -j ACCEPT
> iptables -I OUTPUT 4 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> 
> Note: "Internet" interface mentioned is to be replaced with your actual wan/internet/public interface of the gateway
> 
> -----------------------------------------------------------------------------
> 
> regards
> 
> 
> 
> On Tue, Feb 1, 2022 at 6:54 PM VTwin Farriers <vtwin at cox.net> wrote:
> 
> 
> 
>     Good morning Noel,
> 
>     Attached below are the various configurations you requested. At this point my config is pretty basic as I attempt to get this working.
> 
>     The IP addresses of my Work and Home Routers are 192.168.126.254 and 192.168.127.254 respectively. Upon establishing a connection I cannot ping or ssh to either router from the other subnet.
> 
>     If there's anything else I can provide to aid in diagnosing how I've set this up wrong let me know and I'll try to get it quickly.
> 
>     Thank you for the assistance,
> 
>     Mike
> 
> 
>     ----------------------------------------------------------------------
> 
>     WorkRouter & HomeRouter /etc/sysctl.conf:
> 
>     net.ipv4.ip_forward = 1
>     net.ipv6.conf.all.forwarding = 0
>     net.ipv6.conf.all.disable_ipv6 = 1
>     net.ipv6.conf.default.disable_ipv6 = 1
>     net.conf.lo.disable_ipv6 = 1
>     net.netfilter.nf_conntrack_helper = 1
> 
>     ----------------------------------------------------------------------
> 
>     WorkRouter iptables pre-connection:
> 
>     # Generated by iptables-save v1.8.4 on Tue Feb 1 07:34:10 2022
>     *filter
>     :INPUT ACCEPT [0:0]
>     :FORWARD DROP [0:0]
>     :OUTPUT ACCEPT [0:0]
>     :f2b-sshd - [0:0]
>     -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>     -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
>     -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
>     -A INPUT -p udp -m udp --dport 500 -j ACCEPT
>     -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
>     -A INPUT -i lo -j ACCEPT
>     -A INPUT -i LAN -j ACCEPT
>     -A INPUT -j DROP
>     -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>     -A FORWARD -i lo -j ACCEPT
>     -A FORWARD -i LAN -j ACCEPT
>     -A FORWARD -j DROP
>     -A OUTPUT -o lo -j ACCEPT
>     -A OUTPUT -o LAN -j ACCEPT
>     -A OUTPUT -o Internet -j ACCEPT
>     -A f2b-sshd -j RETURN
>     COMMIT
>     # Completed on Tue Feb 1 07:34:10 2022
>     # Generated by iptables-save v1.8.4 on Tue Feb 1 07:34:10 2022
>     *nat
>     :PREROUTING ACCEPT [30:3004]
>     :INPUT ACCEPT [0:0]
>     :POSTROUTING ACCEPT [0:0]
>     :OUTPUT ACCEPT [1:88]
>     -A POSTROUTING -s 192.168.126.0/24 -o Internet -m policy --dir out --pol ipsec -j ACCEPT
>     -A POSTROUTING -o Internet -j MASQUERADE
>     COMMIT
>     # Completed on Tue Feb 1 07:34:10 2022
> 
>     ----------------------------------------------------------------------
> 
>     WorkRouter post-connection:
> 
>     # Generated by iptables-save v1.8.4 on Tue Feb 1 07:49:29 2022
>     *filter
>     :INPUT ACCEPT [0:0]
>     :FORWARD DROP [0:0]
>     :OUTPUT ACCEPT [0:0]
>     :LOGGING - [0:0]
>     :f2b-sshd - [0:0]
>     -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>     -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
>     -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
>     -A INPUT -p udp -m udp --dport 500 -j ACCEPT
>     -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
>     -A INPUT -i lo -j ACCEPT
>     -A INPUT -i LAN -j ACCEPT
>     -A INPUT -j DROP
>     -A FORWARD -s 192.168.127.0/24 -d 192.168.126.0/24 -i Internet -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
>     -A FORWARD -s 192.168.126.0/24 -d 192.168.127.0/24 -o Internet -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
>     -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>     -A FORWARD -i lo -j ACCEPT
>     -A FORWARD -i LAN -j ACCEPT
>     -A FORWARD -j DROP
>     -A OUTPUT -o lo -j ACCEPT
>     -A OUTPUT -o LAN -j ACCEPT
>     -A OUTPUT -o wlp3s0 -j ACCEPT
>     -A OUTPUT -o Internet -j ACCEPT
>     -A f2b-sshd -j RETURN
>     COMMIT
>     # Completed on Tue Feb 1 07:49:29 2022
>     # Generated by iptables-save v1.8.4 on Tue Feb 1 07:49:29 2022
>     *nat
>     :PREROUTING ACCEPT [1431:142370]
>     :INPUT ACCEPT [1:364]
>     :POSTROUTING ACCEPT [0:0]
>     :OUTPUT ACCEPT [16:1124]
>     -A POSTROUTING -s 192.168.126.0/24 -o Internet -m policy --dir out --pol ipsec -j ACCEPT
>     -A POSTROUTING -o Internet -j MASQUERADE
>     COMMIT
>     # Completed on Tue Feb 1 07:49:29 2022
> 
>     ----------------------------------------------------------------------
> 
>     HomeRouter iptables pre-connection:
> 
>     # Generated by iptables-save v1.8.4 on Tue Feb 1 07:36:55 2022
>     *filter
>     :INPUT ACCEPT [0:0]
>     :FORWARD DROP [0:0]
>     :OUTPUT ACCEPT [7573850:808120940]
>     :f2b-sshd - [0:0]
>     -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>     -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
>     -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
>     -A INPUT -p udp -m udp --dport 500 -j ACCEPT
>     -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
>     -A INPUT -i lo -j ACCEPT
>     -A INPUT -i LAN -j ACCEPT
>     -A INPUT -j DROP
>     -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>     -A FORWARD -i lo -j ACCEPT
>     -A FORWARD -i LAN -j ACCEPT
>     -A FORWARD -j DROP
>     -A f2b-sshd -j RETURN
>     COMMIT
>     # Completed on Tue Feb 1 07:36:55 2022
>     # Generated by iptables-save v1.8.4 on Tue Feb 1 07:36:55 2022
>     *nat
>     :PREROUTING ACCEPT [201662:20100360]
>     :INPUT ACCEPT [130094:8522561]
>     :POSTROUTING ACCEPT [347066:26292253]
>     :OUTPUT ACCEPT [395652:30979041]
>     -A POSTROUTING -s 192.168.127.0/24 -o Internet -m policy --dir out --pol ipsec -j ACCEPT
>     -A POSTROUTING -o Internet -j MASQUERADE
>     COMMIT
>     # Completed on Tue Feb 1 07:36:55 2022
> 
>     ----------------------------------------------------------------------
> 
>     HomeRouter iptables post-connection:
> 
>     # Generated by iptables-save v1.8.4 on Tue Feb 1 07:47:36 2022
>     *filter
>     :INPUT ACCEPT [0:0]
>     :FORWARD DROP [0:0]
>     :OUTPUT ACCEPT [7775544:830642656]
>     :f2b-sshd - [0:0]
>     -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>     -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
>     -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
>     -A INPUT -p udp -m udp --dport 500 -j ACCEPT
>     -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
>     -A INPUT -i lo -j ACCEPT
>     -A INPUT -i LAN -j ACCEPT
>     -A INPUT -j DROP
>     -A FORWARD -s 192.168.126.0/24 -d 192.168.127.0/24 -i Internet -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
>     -A FORWARD -s 192.168.127.0/24 -d 192.168.126.0/24 -o Internet -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
>     -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>     -A FORWARD -i lo -j ACCEPT
>     -A FORWARD -i LAN -j ACCEPT
>     -A FORWARD -j DROP
>     -A f2b-sshd -j RETURN
>     COMMIT
>     # Completed on Tue Feb 1 07:47:36 2022
>     # Generated by iptables-save v1.8.4 on Tue Feb 1 07:47:36 2022
>     *nat
>     :PREROUTING ACCEPT [205511:20493848]
>     :INPUT ACCEPT [132803:8703437]
>     :POSTROUTING ACCEPT [353122:26767112]
>     :OUTPUT ACCEPT [402834:31555865]
>     -A POSTROUTING -s 192.168.127.0/24 -o Internet -m policy --dir out --pol ipsec -j ACCEPT
>     -A POSTROUTING -o Internet -j MASQUERADE
>     COMMIT
>     # Completed on Tue Feb 1 07:47:36 2022
> 
>     ----------------------------------------------------------------------
> 
>     WorkRouter swanctl.conf:
> 
>     connections {
>       homenet {
>         version=2
>         mobike=no
>         fragmentation=yes
>         local_addrs=Work.Public.IP.Address
>         remote_addrs=Home.Public.IP.Address
>         proposals=aes256-sha1-modp1024
>         local {
>           auth = psk
>         }
>         remote {
>           auth = psk
>         }
>         children {
>           homenet {
>             esp_proposals=aes256-sha1
>             remote_ts=192.168.127.0/24
>             local_ts=192.168.126.0/24
>             updown=/usr/libexec/strongswan/_updown iptables
>           }
>         }
>       }
>     }
> 
>     HomeRouter swanctl.conf:
> 
>     connections {
>       worknet {
>         version=2
>         mobike=no
>         fragmentation=yes
>         local_addrs=Home.Public.IP.Address
>         remote_addrs=Work.Public.IP.Address
>         proposals=aes256-sha1-modp1024
>         local {
>           auth = psk
>         }
>         remote {
>           auth = psk
>         }
>         children {
>           worknet {
>             esp_proposals=aes256-sha1
>             local_ts=192.168.127.0/24
>             remote_ts=192.168.126.0/24
>             updown=/usr/libexec/strongswan/_updown iptables
>           }
>         }
>       }
>     }
> 
> 
>     Connection from HomeRouter to WorkRouter:
> 
>     swanctl --initiate --ike worknet --child worknet
>     [IKE] initiating IKE_SA worknet[5] to Work.Public.IP.Address
>     [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>     [NET] sending packet: from Home.Public.IP.Address[500] to Work.Public.IP.Address[500] (336 bytes)
>     [NET] received packet: from Work.Public.IP.Address[500] to Home.Public.IP.Address[500] (344 bytes)
>     [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
>     [CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>     [CFG] no IDi configured, fall back on IP address
>     [IKE] authentication of 'Home.Public.IP.Address' (myself) with pre-shared key
>     [IKE] establishing CHILD_SA worknet{1}
>     [ENC] generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
>     [NET] sending packet: from Home.Public.IP.Address[500] to Work.Public.IP.Address[500] (220 bytes)
>     [NET] received packet: from Work.Public.IP.Address[500] to Home.Public.IP.Address[500] (204 bytes)
>     [ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
>     [IKE] authentication of 'Work.Public.IP.Address' with pre-shared key successful
>     [IKE] IKE_SA worknet[5] established between Home.Public.IP.Address[Home.Public.IP.Address]...Work.Public.IP.Address[Work.Public.IP.Address]
>     [IKE] scheduling rekeying in 14047s
>     [IKE] maximum IKE_SA lifetime 15487s
>     [CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
>     [IKE] CHILD_SA worknet{1} established with SPIs ca677689_i c43a2311_o and TS 192.168.127.0/24 === 192.168.126.0/24
>     initiate completed successfully
> 