Hi,
I have strongSwan running on a raspberry pi that has ipsec connections to
an OpenBSD iked gateway and it is working well. However, clients on the
network behind the pi seem to have issues sending traffic over tunnels
unless I remove my masquerading iptables configuration; specifically, this
one:
Chain POSTROUTING (policy ACCEPT)
target      prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere
Without this entry I'm seeing packets sent upstream outside of the tunnel.
In ASCII art, I'm trying to achieve this fairly standard configuration:
+@@@@@@@@@@+
@ Internet @
+@@@@@@@@@@+
     |
     | 0/0 route
     |
wlan1:192.168.31.26 (DHCP assigned)
+------+                         +---------+
| swan |~~~~~~ ipsec tunnel ~~~~~| openbsd |
+------+                         +---------+
eth0:10.254.223.1/25             em0:100.64.1.92
wlan0:10.254.223.129/25          lan:10.254.255.1/24
When I start strongSwan without any NAT rules, I'm able to ping from clients
behind the pi device (swan: 10.254.223.128/25, etc.) to 10.254.255.1, but
default route traffic gets dropped from the upstream Internet device (as it
is RFC1918 space and filtered).
Are there specific NAT statements that need to be in place as an exception
to the traffic that will be encapsulated by strongSwan and sent to the
remote peer?
Any help is appreciated; thank you very much in advance.
# ip xfrm policy
src 10.254.223.0/24 dst 192.168.72.0/22
        dir out priority 376447
        tmpl src 192.168.31.26 dst 100.64.1.92
                proto esp spi 0xe112339a reqid 1 mode tunnel
src 10.254.223.0/24 dst 10.254.255.0/24
        dir out priority 375423
        tmpl src 192.168.31.26 dst 100.64.1.92
                proto esp spi 0xe112339a reqid 1 mode tunnel
src 10.254.223.0/24 dst 10.253.255.0/24
        dir out priority 375423
        tmpl src 192.168.31.26 dst 100.64.1.92
                proto esp spi 0xe112339a reqid 1 mode tunnel
src 192.168.72.0/22 dst 10.254.223.0/24
        dir fwd priority 376447
        tmpl src 100.64.1.92 dst 192.168.31.26
                proto esp reqid 1 mode tunnel
src 192.168.72.0/22 dst 10.254.223.0/24
        dir in priority 376447
        tmpl src 100.64.1.92 dst 192.168.31.26
                proto esp reqid 1 mode tunnel
src 10.254.255.0/24 dst 10.254.223.0/24
        dir fwd priority 375423
        tmpl src 100.64.1.92 dst 192.168.31.26
                proto esp reqid 1 mode tunnel
src 10.254.255.0/24 dst 10.254.223.0/24
        dir in priority 375423
        tmpl src 100.64.1.92 dst 192.168.31.26
                proto esp reqid 1 mode tunnel
src 10.253.255.0/24 dst 10.254.223.0/24
        dir fwd priority 375423
        tmpl src 100.64.1.92 dst 192.168.31.26
                proto esp reqid 1 mode tunnel
src 10.253.255.0/24 dst 10.254.223.0/24
        dir in priority 375423
        tmpl src 100.64.1.92 dst 192.168.31.26
                proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target      prot opt source               destination
DNAT        udp  --  anywhere             10.254.223.129       udp dpt:domain to:127.0.0.1:53
DNAT        tcp  --  anywhere             10.254.223.129       tcp dpt:domain to:127.0.0.1:53
DNAT        udp  --  anywhere             10.254.223.1         udp dpt:domain to:127.0.0.1:53
DNAT        tcp  --  anywhere             10.254.223.1         tcp dpt:domain to:127.0.0.1:53

Chain INPUT (policy ACCEPT)
target      prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target      prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target      prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere
# cat /etc/ipsec.conf
config setup
    charondebug="all"
    uniqueids=yes

conn openbsd
    type=tunnel
    auto=start
    keyexchange=ikev2
    authby=secret
    left=%any4
    leftsubnet=10.254.223.0/24
    leftauth=secret
    leftid=swan.example.com
    leftfirewall=yes
    right=100.64.1.92
    rightsubnet=10.253.255.0/24,10.254.255.0/24,192.168.72.0/22
    rightid=openbsd.example.com
    rightauth=secret
    ike=aes256-sha512-prfsha512-ecp521
    esp=aes256-sha512-prfsha512-ecp521
    ikelifetime=4h
    keyingtries=%forever
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart
# cat /var/log/charon_debug.log
Sat, 2022-04-02, 16:32:40
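The following script is an added example for the question above; it is not part of the original post and not strongSwan's own code. The underlying point: a MASQUERADE rule in nat/POSTROUTING rewrites the source address of a LAN packet before the xfrm policy lookup sees it, so the packet no longer matches the 10.254.223.0/24 selector and leaves in cleartext instead of being encapsulated. The default updown script that leftfirewall=yes enables adds filter-table FORWARD rules for the tunnel traffic; it does not carve an exception out of an existing MASQUERADE rule, so that has to be done separately. The script inserts such exceptions above MASQUERADE, using the subnets from the ipsec.conf in the post, and adds a fail-closed FORWARD rule of my own so that LAN traffic for the remote subnets is dropped rather than forwarded in cleartext when no IPsec policy covers it (tunnel down). It assumes the xt_policy iptables match is available on the Pi's kernel; the plain subnet-pair rules are the fallback if it is not.

```shell
#!/bin/sh
# Added example (not from the original post or strongSwan). Installs NAT
# exceptions for traffic that strongSwan will encapsulate, plus a leak guard.
#   sudo ./ipsec-nat-exceptions.sh apply     # install rules (idempotent)
#   DRY_RUN=1 ./ipsec-nat-exceptions.sh apply # only print the iptables commands
# Subnets are taken from the ipsec.conf in the post.

IPTABLES="${IPTABLES:-iptables}"
LEFTSUBNET="10.254.223.0/24"
RIGHTSUBNETS="10.253.255.0/24,10.254.255.0/24,192.168.72.0/22"

# Print the rules to install, one per line, as "<table> <chain> <rule spec>".
# In the nat table, ACCEPT means "no NAT for this packet", so these rules must
# sit above MASQUERADE; apply_rules inserts them at position 1 for that reason.
ipsec_exception_rules() {
    # Preferred form: skip NAT for anything that leaves under an outbound
    # IPsec policy (xt_policy match). Tracks whatever policies strongSwan
    # installs, so it needs no update when rightsubnet changes.
    echo "nat POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT"
    # Subshell so the IFS change used to split the subnet list does not leak.
    (
        IFS=,
        for net in $RIGHTSUBNETS; do
            # Fallback for kernels without xt_policy: explicit subnet pairs.
            echo "nat POSTROUTING -s $LEFTSUBNET -d $net -j ACCEPT"
            # Fail closed: a forwarded packet for a remote subnet that no IPsec
            # policy covers (tunnel down) is dropped instead of sent in clear.
            echo "filter FORWARD -s $LEFTSUBNET -d $net -m policy --dir out --pol none -j DROP"
        done
    )
}

# Insert each rule at the top of its chain unless it is already present.
apply_rules() {
    ipsec_exception_rules | while read -r table chain spec; do
        # shellcheck disable=SC2086  # splitting $spec into arguments is intended
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$IPTABLES -t $table -I $chain 1 $spec"
        elif "$IPTABLES" -t "$table" -C "$chain" $spec 2>/dev/null; then
            echo "already present: $table $chain $spec"
        else
            "$IPTABLES" -t "$table" -I "$chain" 1 $spec
        fi
    done
}

# Audit helper: read `iptables -t nat -S POSTROUTING` on stdin and succeed only
# if there is no MASQUERADE rule or an ACCEPT rule precedes the first one.
nat_order_ok() {
    awk '
        /-j MASQUERADE/ && !masq { masq = 1 }
        /-j ACCEPT/ && !masq     { exc = 1 }
        END { exit (!masq || exc) ? 0 : 1 }
    '
}

if [ "${1:-}" = apply ]; then
    apply_rules
fi
```

After applying, `iptables -t nat -S POSTROUTING | nat_order_ok` (sourcing the script first) is a quick check that the exception really sits above MASQUERADE; `iptables -t nat -L POSTROUTING -v` should then show the ACCEPT counters rising for LAN-to-remote traffic while the MASQUERADE counters stay flat for it. IKE and ESP themselves are unaffected by either rule set, since they originate on the Pi from wlan1 and never match the LAN source selector.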