I've had some success configuring a VPN from a strongSwan gateway (left) to a 
Cisco ASA (right) using leftsourceip=%modeconfig such that the leftsubnet can 
exchange traffic with the rightsubnet(s) using an SNAT rule on the left gateway 
(NAT'ing leftsubnet addresses to the modeconfig address assigned by the ASA).  
However, this only works when the right subnet is not 0.0.0.0/0 (cf. the 
ikev1/passthrough example).  When I specify rightsubnet as 0.0.0.0/0, the flow 
of 'ping' packets is as follows as observed on the left gateway (info obtained 
with '-j LOG' rules in iptables)...

  1) An ICMP echo request appears in the FORWARD chain, coming in the 
left-facing interface.
  2) An ESP packet appears in the OUT chain, coming from the left gateway and 
destined to the ASA via the ASA-facing interface.
  3) An ESP packet appears in the IN chain, coming from the ASA via the 
ASA-facing interface and destined to the left gateway.
  4) An ICMP echo reply appears in the FORWARD chain, coming in the ASA-facing 
interface and also out the same interface.

The last step is the problem.  The FORWARD should be destined for the 
left-facing interface rather than the ASA-facing interface.  This is as if the 
0.0.0.0/0 policy were getting its hands on the ICMP echo reply and attempting 
to send it back to the ASA.

But I have passthrough configured, so this (such is my understanding of 
passthrough) shouldn't be happening.  My ipsec.conf statements...

config setup
    crlcheckinterval=0s
    strictcrlpolicy=no
    charonstart=no
    # Pluto parameters
    nat_traversal=yes
    plutodebug=all

conn %default
    mobike=no
    keyexchange=ikev1
    keyingtries=3
    margintime=3m
    ikelifetime=86400s
    lifetime=3600s
    pfs=no
    authby=pubkey
    ike=aes256-sha1-modp1024
    esp=aes256-sha1
    left=%defaultroute
    right=10.249.0.137
    leftsubnet=192.168.10.0/255.255.255.224

conn net-net 
    leftcert=whbtarget1.cer
    [email protected]
    leftsourceip=%modeconfig
    [email protected]
    rightsubnet=0.0.0.0/0.0.0.0
    lefthostaccess=yes
    auto=start

conn pass
    rightsubnet=192.168.10.0/255.255.255.224
    type=passthrough
    authby=never
    auto=route

The XFRM policy table...

src 0.0.0.0/0 dst 192.168.200.150/32 
        dir in priority 2112 
        tmpl src 10.249.0.137 dst 172.16.1.2
                proto esp reqid 16385 mode tunnel
src 192.168.10.0/27 dst 192.168.10.0/27 
        dir in priority 2245 
src 192.168.200.150/32 dst 0.0.0.0/0 
        dir out priority 2112 
        tmpl src 172.16.1.2 dst 10.249.0.137
                proto esp reqid 16385 mode tunnel
src 192.168.10.0/27 dst 192.168.10.0/27 
        dir out priority 2245 
src 0.0.0.0/0 dst 192.168.200.150/32 
        dir fwd priority 2112 
        tmpl src 10.249.0.137 dst 172.16.1.2
                proto esp reqid 16385 mode tunnel
src 192.168.10.0/27 dst 192.168.10.0/27 
        dir fwd priority 2245 
src 0.0.0.0/0 dst 0.0.0.0/0 
        dir in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
        dir in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
        dir in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
        dir in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
        dir in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
        dir in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
        dir in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
        dir in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
        dir out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
        dir out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
        dir out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
        dir out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
        dir out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
        dir out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
        dir out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
        dir out priority 0 

My SNAT entry, in order to NAT before ESP (192.168.200.150 is the address 
assigned by the ASA)...

Chain PREROUTING (policy ACCEPT 15 packets, 1336 bytes)
 pkts bytes target     prot opt in     out     source               destination 
        

Chain POSTROUTING (policy ACCEPT 11 packets, 4948 bytes)
 pkts bytes target     prot opt in     out     source               destination 
        
    4   336 SNAT       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0   
        to:192.168.200.150 

Chain OUTPUT (policy ACCEPT 10 packets, 4940 bytes)
 pkts bytes target     prot opt in     out     source               destination 
        

The log entries produced by my iptables rules...

Jul 26 07:22:08 localhost kernel: from guest as FORWARD> IN=eth1 OUT=eth0 
SRC=192.168.10.2 DST=192.168.199.151 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF 
PROTO=ICMP TYPE=8 CODE=0 ID=28480 SEQ=1 
Jul 26 07:22:08 localhost kernel: to ASA as OUTPUT> IN= OUT=eth0 SRC=172.16.1.2 
DST=10.249.0.137 LEN=160 TOS=0x00 PREC=0x00 TTL=64 ID=29736 DF PROTO=UDP 
SPT=4500 DPT=4500 LEN=140 
Jul 26 07:22:08 localhost kernel: from ASA as INPUT> IN=eth0 OUT= 
MAC=00:0c:29:fa:c2:d9:00:0c:29:2e:71:7d:08:00 SRC=10.249.0.137 DST=172.16.1.2 
LEN=160 TOS=0x00 PREC=0x00 TTL=63 ID=37476 PROTO=UDP SPT=4500 DPT=4500 LEN=140 
Jul 26 07:22:08 localhost kernel: from ASA as FORWARD> IN=eth0 OUT=eth0 
SRC=192.168.199.151 DST=192.168.10.2 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=9315 
PROTO=ICMP TYPE=0 CODE=0 ID=28480 SEQ=1 

Note that if I substitute 192.168.10.0/27 for 0.0.0.0/0 as the rightsubnet in 
ipsec.conf, the final FORWARD entry above indeed uses eth1 as the OUT interface 
and pings are all replied properly.

What should I do to correct this configuration for use with 
rightsubnet=0.0.0.0/0?


Bill

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
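As an added illustration (not code from the post or from strongSwan), the following script parses the kernel LOG lines quoted above and pairs each ICMP echo request in FORWARD with its reply by ICMP ID/SEQ, flagging replies whose OUT interface differs from the interface the request came in on, which is exactly the IN=eth0 OUT=eth0 symptom Bill describes. The sample lines are re-typed from the post as constructed test data; the prefix text before ">" is assumed to be the rule's --log-prefix.

```python
import re

# Sample input: the four kernel LOG lines quoted in the post, re-typed here as
# constructed test data (the "... as FORWARD>" text is the rule's --log-prefix).
LOG_LINES = [
    "Jul 26 07:22:08 localhost kernel: from guest as FORWARD> IN=eth1 OUT=eth0 "
    "SRC=192.168.10.2 DST=192.168.199.151 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF "
    "PROTO=ICMP TYPE=8 CODE=0 ID=28480 SEQ=1",
    "Jul 26 07:22:08 localhost kernel: to ASA as OUTPUT> IN= OUT=eth0 SRC=172.16.1.2 "
    "DST=10.249.0.137 LEN=160 TOS=0x00 PREC=0x00 TTL=64 ID=29736 DF PROTO=UDP "
    "SPT=4500 DPT=4500 LEN=140",
    "Jul 26 07:22:08 localhost kernel: from ASA as INPUT> IN=eth0 OUT= "
    "MAC=00:0c:29:fa:c2:d9:00:0c:29:2e:71:7d:08:00 SRC=10.249.0.137 DST=172.16.1.2 "
    "LEN=160 TOS=0x00 PREC=0x00 TTL=63 ID=37476 PROTO=UDP SPT=4500 DPT=4500 LEN=140",
    "Jul 26 07:22:08 localhost kernel: from ASA as FORWARD> IN=eth0 OUT=eth0 "
    "SRC=192.168.199.151 DST=192.168.10.2 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=9315 "
    "PROTO=ICMP TYPE=0 CODE=0 ID=28480 SEQ=1",
]

def parse_log_line(line):
    """Turn one iptables LOG line into a dict. 'ID=' appears twice for ICMP
    (IP header ID, then ICMP echo ID), so the values are collected in order
    instead of being overwritten; 'OUT=' may legitimately be empty (INPUT)."""
    _, _, rest = line.partition("kernel: ")
    prefix, _, fields = rest.partition("> ")
    rec = {"chain": prefix.split()[-1]}   # last word of the log prefix
    ids = []
    for key, val in re.findall(r"(\w+)=(\S*)", fields):
        if key == "ID":
            ids.append(val)
        else:
            rec[key] = val
    rec["IP_ID"] = ids[0] if ids else None
    if rec.get("PROTO") == "ICMP" and len(ids) > 1:
        rec["ICMP_ID"] = ids[1]
    return rec

def find_hairpin_replies(lines):
    """Pair ICMP echo requests with replies seen in FORWARD (same ICMP ID/SEQ)
    and report replies that leave on an interface other than the one the
    request arrived on, i.e. the IN=eth0 OUT=eth0 symptom from the post."""
    requests, findings = {}, []
    for rec in map(parse_log_line, lines):
        if rec["chain"] != "FORWARD" or rec.get("PROTO") != "ICMP":
            continue
        key = (rec["ICMP_ID"], rec["SEQ"])
        if rec["TYPE"] == "8":
            requests[key] = rec
        elif rec["TYPE"] == "0" and key in requests:
            req = requests[key]
            if rec["OUT"] != req["IN"]:
                findings.append({"src": rec["SRC"], "dst": rec["DST"], "seq": rec["SEQ"],
                                 "expected_out": req["IN"], "actual_out": rec["OUT"]})
    return findings
```

Run against the post's lines it reports one hairpinned reply (expected eth1, actual eth0); with the working rightsubnet=192.168.10.0/27 behaviour Bill describes (OUT=eth1), it reports nothing.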