[strongSwan] NAT exempt rule not working

Hi,

I'm having trouble getting packets routed over the tunnel. It seems like the iptables rules are somewhat purged; they re-enter if I rebuild the tunnel, but that doesn't help the routing issue.

    traceroute to 192.168.3.1 (192.168.3.1), 30 hops max, 60 byte packets
     1  10.66.55.18 (10.66.55.18)  43.438 ms  53.529 ms  53.742 ms
     2  10.66.55.17 (10.66.55.17)  53.857 ms  63.536 ms  63.482 ms
    ^C
    root@b3:~# ipsec version
    Linux strongSwan U4.4.1/K2.6.39.4-11
    Institute for Internet Technologies and Applications
    University of Applied Sciences Rapperswil, Switzerland
    See 'ipsec --copyright' for copyright information.
    root@b3:~# ipsec status net-net
    000 net-net: 192.168.10.0/24===109.56.142.204[hoest.myownb3.com]...5.103.136.156[192.168.3.1]===192.168.3.0/24; erouted; eroute owner: #4
    000 net-net:   newest ISAKMP SA: #3; newest IPsec SA: #4;
    000
    000 #4: net-net STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2246s; newest IPSEC; eroute owner
    000 #4: net-net esp.f755325f@5.103.136.156 (0 bytes) esp.2c39870c@109.56.142.204 (0 bytes); tunnel
    000 #3: net-net STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2164s; newest ISAKMP
    000
    root@b3:~# iptables -L -v
    Chain INPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 REJECT     tcp  --  any    any     anywhere             anywhere             tcp flags:SYN,ACK/SYN,ACK state NEW reject-with tcp-reset
        0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
       93  6801 ACCEPT     all  --  eth0   any     anywhere             anywhere             state RELATED,ESTABLISHED
        0     0 ACCEPT     all  --  br0    any     anywhere             anywhere
        0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
        0     0 ACCEPT     icmp --  eth0   any     anywhere             anywhere             icmp time-exceeded
        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp fragmentation-needed
        0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:ssh
        0     0 ACCEPT     udp  --  eth0   any     anywhere             anywhere             udp dpt:isakmp
        0     0 ACCEPT     esp  --  eth0   any     anywhere             anywhere

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     all  --  br0    any     anywhere             anywhere
        0     0 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp fragmentation-needed

    Chain OUTPUT (policy ACCEPT 93 packets, 13864 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     esp  --  any    eth0    anywhere             anywhere
    root@b3:~#

Any thoughts?

Wkr.
Svend

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
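Added example (not part of Svend's post and not strongSwan code): the `iptables -L -v` dump above shows only the filter table, while masquerading lives in the nat table (`iptables -t nat -L POSTROUTING -v`). If a MASQUERADE rule there matches LAN traffic before the NAT exemption for the remote subnet, the packets leave with the public source address, no longer match the IPsec policy for 192.168.10.0/24 to 192.168.3.0/24, and go out through the ISP, which is what the traceroute shows. The script below parses a POSTROUTING dump and reports whether tunnel-bound traffic is exempted, masqueraded, or not NATed at all. The three sample dumps are constructed for this example, using the two subnets from the post and eth0 as an assumed WAN interface; it also treats a MASQUERADE rule restricted with `-m policy --dir out --pol none` (rendered by iptables as `policy match dir out pol none`) as not applying to IPsec-bound packets.

```python
"""Check the nat-table POSTROUTING chain for a site-to-site IPsec NAT exemption.

Example added to the thread; it is not part of strongSwan. It parses the text
that `iptables -t nat -L POSTROUTING -v` prints and decides, in rule order,
what happens to packets from the local LAN to the remote LAN.
"""
import ipaddress
import re

# Constructed samples in `iptables -t nat -L POSTROUTING -v` format.
# Broken: MASQUERADE comes first, so tunnel-bound packets are rewritten
# before the IPsec policy can match them.
NAT_BROKEN = """\
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  any    eth0    192.168.10.0/24      anywhere
    0     0 ACCEPT     all  --  any    eth0    192.168.10.0/24      192.168.3.0/24
"""

# Fixed: the exemption (ACCEPT for LAN -> remote LAN) precedes MASQUERADE.
NAT_EXEMPT = """\
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    eth0    192.168.10.0/24      192.168.3.0/24
    0     0 MASQUERADE  all  --  any    eth0    192.168.10.0/24      anywhere
"""

# Alternative fix: MASQUERADE limited to packets with no IPsec policy.
NAT_POLICY = """\
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  any    eth0    192.168.10.0/24      anywhere             policy match dir out pol none
"""

# Columns of a verbose rule line: pkts bytes target prot opt in out src dst [extra]
RULE_RE = re.compile(
    r"^\s*\S+\s+\S+\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+\S+\s+(?P<in>\S+)\s+"
    r"(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)(?P<extra>.*)$"
)


def parse_chain(dump, chain):
    """Return the rules of `chain` in the order iptables evaluates them."""
    rules, current = [], None
    for line in dump.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "Chain":
            current = words[1]
            continue
        if words[:2] == ["pkts", "bytes"] or current != chain:
            continue  # column header, or a rule belonging to another chain
        match = RULE_RE.match(line)
        if match:
            rules.append(match.groupdict())
    return rules


def covers(field, net):
    """True if the rule's source/destination field matches every host of `net`."""
    if field == "anywhere":
        return True
    try:
        return net.subnet_of(ipaddress.ip_network(field, strict=False))
    except (ValueError, TypeError):
        return False  # a hostname or a different address family; not comparable


def nat_verdict(dump, local, remote, wan_if="eth0"):
    """First protocol-agnostic POSTROUTING rule matching local -> remote decides.

    Returns "exempt", "masqueraded" or "no-nat" (no rule touches the traffic).
    """
    local, remote = ipaddress.ip_network(local), ipaddress.ip_network(remote)
    for rule in parse_chain(dump, "POSTROUTING"):
        if rule["prot"] != "all" or rule["out"] not in ("any", wan_if):
            continue
        if not (covers(rule["src"], local) and covers(rule["dst"], remote)):
            continue
        if "pol none" in rule["extra"]:
            continue  # -m policy --pol none: rule skips packets bound for IPsec
        if rule["target"] == "ACCEPT":
            return "exempt"
        if rule["target"] in ("MASQUERADE", "SNAT"):
            return "masqueraded"
    return "no-nat"


if __name__ == "__main__":
    for name, dump in (("broken", NAT_BROKEN), ("exempt", NAT_EXEMPT), ("policy", NAT_POLICY)):
        print(name, "->", nat_verdict(dump, "192.168.10.0/24", "192.168.3.0/24"))
```

On a real box, feed it the output of `iptables -t nat -L POSTROUTING -v` instead of the samples; a "masqueraded" verdict means the exemption has to move above the MASQUERADE rule (or MASQUERADE has to be restricted with `-m policy --dir out --pol none`).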
Re: [strongSwan] Tunnel doesn't build by itself

Hi,

I still have a problem with my tunnel. This morning they made a shutdown of the server at work, so my tunnel was down. I tried to ping my workstation at work and there was no reply. Then I made a tracert and saw that the traffic that should have gone over the tunnel was sent to my ISP. I logged in on my Linux router and did an ipsec status all and saw that there was no tunnel; then I did an ipsec up pallas and saw that the tunnel was initiated. Then my traffic went over the tunnel instead of being routed to my ISP. So it seems to me that auto=route didn't quite make it for me.

With kind regards,
Svend

@home:

    # /etc/ipsec.conf - strongSwan IPsec configuration file
    config setup
            plutostart=no

    conn %default
            ikelifetime=60m
            keylife=20m
            rekeymargin=3m
            keyingtries=1
            authby=secret
            keyexchange=ikev2
            mobike=no

    conn net-net-pallas
            left=%defaultroute
            leftsubnet=left_lan_subnet 172.17.14.0/24
            leftid=left_wan_ip
            leftfirewall=yes
            leftsourceip=left_lan_gateway
            right=right_wan_ip
            rightsubnet=right_lan_subnet/24
            rightid=right_wan_ip
            auto=route
            type=tunnel

    include /var/lib/strongswan/ipsec.conf.inc

@work:

    # /etc/ipsec.conf - strongSwan IPsec configuration file
    config setup
            plutostart=no
            interfaces=ipsec0=eth0

    conn %default
            ikelifetime=60m
            keylife=20m
            rekeymargin=3m
            keyingtries=1
            authby=secret
            keyexchange=ikev2
            mobike=no

    conn net-net-svende
            left=%defaultroute
            leftsubnet=left_lan_subnet/24 193.163.101.0/24
            leftid=left_wan_ip
            leftfirewall=yes
            leftsourceip=left_lan_gateway
            right=right_wan_ip
            rightsubnet=right_lan_subnet
            rightid=right_wan_ip
            auto=route
            type=tunnel
[strongSwan] Tunnel doesn't build by itself

Hi,

I've made a router out of an EPIA SN board, and it really performs well (80 Mbit iperf over VPN). But it seems to me that the tunnel doesn't start automatically? If I @work do an ipsec up net-net-svende, then the tunnel builds fine, but I can't ping from my LAN PC and trigger the tunnel. Can it be something with my iptables?

With kind regards,
Svend

@home:

    # /etc/ipsec.conf - strongSwan IPsec configuration file
    config setup
            plutostart=no

    conn %default
            ikelifetime=60m
            keylife=20m
            rekeymargin=3m
            keyingtries=1
            authby=secret
            keyexchange=ikev2
            mobike=no

    conn net-net-pallas
            left=%defaultroute
            leftsubnet=left_lan_subnet 172.17.14.0/24
            leftid=left_wan_ip
            leftfirewall=yes
            leftsourceip=left_lan_gateway
            right=right_wan_ip
            rightsubnet=right_lan_subnet/24
            rightid=right_wan_ip
            auto=add
            type=tunnel

    include /var/lib/strongswan/ipsec.conf.inc

@work:

    # /etc/ipsec.conf - strongSwan IPsec configuration file
    config setup
            plutostart=no
            interfaces=ipsec0=eth0

    conn %default
            ikelifetime=60m
            keylife=20m
            rekeymargin=3m
            keyingtries=1
            authby=secret
            keyexchange=ikev2
            mobike=no

    conn net-net-svende
            left=%defaultroute
            leftsubnet=left_lan_subnet/24 193.163.101.0/24
            leftid=left_wan_ip
            leftfirewall=yes
            leftsourceip=left_lan_gateway
            right=right_wan_ip
            rightsubnet=172.17.14.0/24 right_lan_subnet
            rightid=right_wan_ip
            auto=add
            type=tunnel
[strongSwan] Tunnel doesn't build by itself

Hi,

I've made a router out of an EPIA SN board, and it really performs well (80 Mbit iperf over VPN). But it seems to me that the tunnel doesn't start automatically? If I @work do an ipsec up net-net-svende, then the tunnel builds fine, but I can't ping from my LAN PC and trigger the tunnel. An ipsec up net-net-pallas @home builds the tunnel fine, but traffic can't pass through.

With kind regards,
Svend

@home:

    # /etc/ipsec.conf - strongSwan IPsec configuration file
    config setup
            plutostart=no

    conn %default
            ikelifetime=60m
            keylife=20m
            rekeymargin=3m
            keyingtries=1
            authby=secret
            keyexchange=ikev2
            mobike=no

    conn net-net-pallas
            left=%defaultroute
            leftsubnet=left_lan_subnet 172.17.14.0/24
            leftid=left_wan_ip
            leftfirewall=yes
            leftsourceip=left_lan_gateway
            right=right_wan_ip
            rightsubnet=right_lan_subnet/24
            rightid=right_wan_ip
            auto=add
            type=tunnel

    include /var/lib/strongswan/ipsec.conf.inc

@work:

    # /etc/ipsec.conf - strongSwan IPsec configuration file
    config setup
            plutostart=no
            interfaces=ipsec0=eth0

    conn %default
            ikelifetime=60m
            keylife=20m
            rekeymargin=3m
            keyingtries=1
            authby=secret
            keyexchange=ikev2
            mobike=no

    conn net-net-svende
            left=%defaultroute
            leftsubnet=left_lan_subnet/24 193.163.101.0/24
            leftid=left_wan_ip
            leftfirewall=yes
            leftsourceip=left_lan_gateway
            right=right_wan_ip
            rightsubnet=right_lan_subnet
            rightid=right_wan_ip
            auto=add
            type=tunnel