I've got a little further with this for anyone interested. I ran a tcpdump from a machine on my internal network for any traffic from/to the rw machine - when pinging, I could see packets arriving on the internal machine but no replies on the rw. This kind of made sense: the vpn gateway is not a gateway for any internal boxes, so packets were coming in but could not be routed back out through the vpn gw. Adding a quick route on one machine confirmed this:

    route add -net [virtual ip range] netmask 255.255.255.0 gw [vpn gw]

I've ended up adding a masquerade on the vpn gateway to rewrite the source address of any inbound packets, so internal machines now route any replies back through the vpn gw. I've also added leftfirewall=yes to the gw ipsec.conf as iptables is now running on it.

    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

I can now ping any machine on the internal network from the roadwarrior over the vpn.

I now need to get DNS lookups working; an nslookup pointed at an internal name server won't work for some reason, not sure why - any help on this front would be handy. The packaged version of strongswan I'm using (4.3.2-1.1 from the debian testing repo on a Lenny machine) doesn't seem to include the required modules and support for appending to /etc/resolv.conf - I guess I may well have to compile a newer version from source, although I really don't mind manually specifying dns servers... if it worked.

I'll get there eventually! In the meantime, if anyone can shed some light on the DNS issue, I'd be most grateful.

Cheers!

Russ

Russ Cox wrote:
> Hi all,
> I'm trying to set up a strongswan gateway, behind a NAT router for roadwarrior use.
> I can initiate the connection from another debian machine also using strongswan (also behind NAT), virtual ip is assigned correctly and I'm able to ping/ssh to the gateway machine on its private ip address but nothing else behind it.
>
> Routes get added on both machines but I'm not convinced the next hop on the initiator machine is correct.
>
> My network:
>
> 192.168.0.0/24===192.168.0.18 (SS gw)--- 192.168.0.1 (router) ....... %any (vpn client) === 192.168.0.19/32 (virtual ip)
>
> I've added rules to IP tables on the router to forward traffic on udp ports 500 and 4500 as well as esp traffic, coming in to a particular public ip address, to the SS gw - with matching SNAT rules for outbound traffic. I've tested all this using netcat.
>
> Any help would be most appreciated - I can provide any more info if required.
>
> Thanks in advance!
>
> Russ
>
> (I've changed the public ip of my router for security to XX.XX.XX.XX and the router of the roadwarrior machine to YY.YY.YY.YY)
>
> Ipsec.conf on the gateway is;
>
> config setup
>         # plutodebug=all
>         crlcheckinterval=180
>         strictcrlpolicy=no
>         # cachecrls=yes
>         nat_traversal=yes
>         charonstart=yes
>         plutostart=no
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>
> conn edba-nat
>         left=%defaultroute
>         leftcert=lister.e-dba.net-cert.pem
>         [email protected]
>         leftsubnet=192.168.0.0/24
>         right=%any
>         rightsourceip=192.168.0.19
>         keyexchange=ikev2
>         auto=add
>
> On the rw machine;
>
> ted:~# cat /etc/ipsec.conf
>
> config setup
>         crlcheckinterval=180
>         strictcrlpolicy=no
>         plutostart=no
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev2
>
> conn edba-nat
>         left=%defaultroute
>         leftsourceip=%config
>         leftcert=russ.e-dba.net-cert.pem
>         [email protected]
>         right=XX.XX.XX.XX
>         [email protected]
>         rightsubnet=192.168.0.0/24
>         auto=add
>
> When I initiate the connection from the test roadwarrior machine I get;
>
> ted:~# ipsec up edba-nat
> initiating IKE_SA edba-nat[1] to XX.XX.XX.XX
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 192.168.61.90[500] to XX.XX.XX.XX[500]
> received packet: from XX.XX.XX.XX[500] to 192.168.61.90[500]
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> local host is behind NAT, sending keep alives
> remote host is behind NAT
> received cert request for "C=UK, ST=East Sussex, O=eDBA Ltd, CN=vpngw, [email protected]"
> sending cert request for "C=UK, ST=East Sussex, O=eDBA Ltd, CN=vpngw, [email protected]"
> authentication of '[email protected]' (myself) with RSA signature successful
> sending end entity cert "C=UK, ST=East Sussex, L=Brighton, O=eDBA Ltd, CN=russ, [email protected]"
> establishing CHILD_SA edba-nat
> generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH CP SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
> sending packet: from 192.168.61.90[4500] to XX.XX.XX.XX[4500]
> received packet: from XX.XX.XX.XX[4500] to 192.168.61.90[4500]
> parsed IKE_AUTH response 1 [ IDr CERT AUTH CP SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
> received end entity cert "C=UK, ST=East Sussex, L=Brighton, O=eDBA Ltd, CN=lister, [email protected]"
> using certificate "C=UK, ST=East Sussex, L=Brighton, O=eDBA Ltd, CN=lister, [email protected]"
> using trusted ca certificate "C=UK, ST=East Sussex, O=eDBA Ltd, CN=vpngw, [email protected]"
> checking certificate status of "C=UK, ST=East Sussex, L=Brighton, O=eDBA Ltd, CN=lister, [email protected]"
> certificate status is not available
> authentication of 'lister.e-dba.net' with RSA signature successful
> scheduling reauthentication in 3254s
> maximum IKE_SA lifetime 3434s
> IKE_SA edba-nat[1] established between 192.168.61.90[[email protected]]...xx.xx.xx.xx[lister.e-dba.net]
> installing new virtual IP 192.168.0.19
> ted:~#
>
> Route on rw machine;
>
> ted:~# ip r show table 220
> 192.168.0.0/24 via 192.168.61.1 dev eth0 proto static src 192.168.0.19
>
> Ping gateway on private ip;
>
> ted:~# ping -c 1 192.168.0.18
> PING 192.168.0.18 (192.168.0.18) 56(84) bytes of data.
> 64 bytes from 192.168.0.18: icmp_seq=1 ttl=64 time=75.7 ms
>
> Ping DNS server on private network;
>
> ted:~# ping -c 1 192.168.0.15
> PING 192.168.0.15 (192.168.0.15) 56(84) bytes of data.
>
> --- 192.168.0.15 ping statistics ---
> 1 packets transmitted, 0 received, 100% packet loss, time 0ms
>
> excerpt of the daemon.log in case this is significant;
>
> Jan 14 10:14:15 ted charon: 14[NET] sending packet: from 192.168.61.90[4500] to 217.154.55.251[4500]
> Jan 14 10:14:22 ted charon: 03[KNL] creating rekey job for ESP CHILD_SA with SPI cf8ef4a6 and reqid {1}
> Jan 14 10:14:22 ted charon: 09[IKE] establishing CHILD_SA edba-nat{1}
> Jan 14 10:14:22 ted charon: 09[ENC] generating CREATE_CHILD_SA request 2 [ N(REKEY_SA) SA No TSi TSr ]
> Jan 14 10:14:22 ted charon: 09[NET] sending packet: from 192.168.61.90[4500] to 217.154.55.251[4500]
> Jan 14 10:14:22 ted charon: 15[NET] received packet: from 217.154.55.251[4500] to 192.168.61.90[4500]
> Jan 14 10:14:22 ted charon: 15[ENC] parsed CREATE_CHILD_SA response 2 [ SA No TSi TSr ]
> Jan 14 10:14:22 ted charon: 15[IKE] CHILD_SA edba-nat{1} established with SPIs c2c5f5e9_i cb2579f8_o and TS 192.168.0.19/32 === 192.168.0.0/24
> Jan 14 10:14:22 ted charon: 15[IKE] closing CHILD_SA edba-nat{1} with SPIs cf8ef4a6_i c72aadd3_o and TS 192.168.0.19/32 === 192.168.0.0/24
> Jan 14 10:14:22 ted charon: 15[IKE] sending DELETE for ESP CHILD_SA with SPI cf8ef4a6
> Jan 14 10:14:22 ted charon: 15[ENC] generating INFORMATIONAL request 3 [ D ]
> Jan 14 10:14:22 ted charon: 15[NET] sending packet: from 192.168.61.90[4500] to 217.154.55.251[4500]
> Jan 14 10:14:22 ted charon: 16[NET] received packet: from 217.154.55.251[4500] to 192.168.61.90[4500]
> Jan 14 10:14:22 ted charon: 16[ENC] parsed INFORMATIONAL response 3 [ D ]
> Jan 14 10:14:22 ted charon: 16[IKE] received DELETE for ESP CHILD_SA with SPI c72aadd3
> Jan 14 10:14:22 ted charon: 16[IKE] CHILD_SA closed
> Jan 14 10:14:46 ted charon: 10[IKE] sending keep alive
> Jan 14 10:14:46 ted charon: 10[NET] sending packet: from 192.168.61.90[4500] to 217.154.55.251[4500]
> Jan 14 10:15:06 ted charon: 12[IKE] sending keep alive
> Jan 14 10:15:06 ted charon: 12[NET] sending packet: from 192.168.61.90[4500] to 217.154.55.251[4500]
> Jan 14 10:15:26 ted charon: 13[IKE] sending keep alive
> Jan 14 10:15:26 ted charon: 13[NET] sending packet: from 192.168.61.90[4500] to 217.154.55.251[4500]
>
> Ipsec statusall on rw machine;
>
> ted:~# ipsec statusall
> Status of IKEv2 charon daemon (strongSwan 4.3.2):
>   uptime: 31 minutes, since Jan 14 09:58:41 2010
>   worker threads: 9 idle of 16, job queue load: 0, scheduled events: 4
>   loaded plugins: curl ldap random x509 pubkey openssl xcbc hmac agent gmp kernel-netlink stroke updown eapidentity eapmd5 eapgtc eapaka eapmschapv2
> Listening IP addresses:
>   192.168.61.90
> Connections:
>     edba-nat:  %any...XX.XX.XX.XX
>     edba-nat:   local:  [[email protected]] uses public key authentication
>     edba-nat:    cert:  "C=UK, ST=East Sussex, L=Brighton, O=eDBA Ltd, CN=russ, [email protected]"
>     edba-nat:   remote: [lister.e-dba.net] uses any authentication
>     edba-nat:   child:  dynamic === 192.168.0.0/24
> Security Associations:
>     edba-nat[1]: ESTABLISHED 31 minutes ago, 192.168.61.90[[email protected]]...xx.xx.xx.xx[lister.e-dba.net]
>     edba-nat[1]: IKE SPIs: 8f74877205e6e94a_i* ec51a88ef2fc6eb4_r, public key reauthentication in 21 minutes
>     edba-nat[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>     edba-nat{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c79a6ff9_i cb98be4d_o
>     edba-nat{1}:  AES_CBC_128/HMAC_SHA1_96, rekeying in 15 minutes, last use: no_i no_o
>     edba-nat{1}:   192.168.0.19/32 === 192.168.0.0/24
>
> ======================
>
> On SS gateway machine;
> Remote public ip masked for security to YY.YY.YY.YY
>
> lister:/var/cache/apt/archives# ipsec statusall
> Status of IKEv2 charon daemon (strongSwan 4.3.2):
>   uptime: 33 minutes, since Jan 14 09:58:52 2010
>   worker threads: 9 idle of 16, job queue load: 0, scheduled events: 3
>   loaded plugins: curl ldap random x509 pubkey openssl xcbc hmac agent gmp kernel-netlink stroke updown eapidentity eapmd5 eapgtc eapaka eapmschapv2
> Virtual IP pools (size/online/offline):
>   edba-nat: 1/1/0
> Listening IP addresses:
>   192.168.0.18
> Connections:
>     edba-nat:  192.168.0.18...%any
>     edba-nat:   local:  [lister.e-dba.net] uses public key authentication
>     edba-nat:    cert:  "C=UK, ST=East Sussex, L=Brighton, O=eDBA Ltd, CN=lister, [email protected]"
>     edba-nat:   remote: [%any] uses any authentication
>     edba-nat:   child:  192.168.0.0/24 === dynamic
> Security Associations:
>     edba-nat[1]: ESTABLISHED 33 minutes ago, 192.168.0.18[lister.e-dba.net]...yy.yy.yy.yy[[email protected]]
>     edba-nat[1]: IKE SPIs: 8f74877205e6e94a_i ec51a88ef2fc6eb4_r*, public key reauthentication in 22 minutes
>     edba-nat[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>     edba-nat{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: cb98be4d_i c79a6ff9_o
>     edba-nat{1}:  AES_CBC_128/HMAC_SHA1_96, rekeying in 11 minutes, last use: no_i no_o
>     edba-nat{1}:   192.168.0.0/24 === 192.168.0.19/32
>
> lister:/var/cache/apt/archives# ip r show table 220
> 192.168.0.19 via 192.168.0.1 dev eth0 proto static src 192.168.0.18
>

-- 
Russ Cox
Systems Engineer
e-DBA Ltd.
48A Old Steine, Brighton, East Sussex, BN1 1NH
Main: +44 (0) 870 366 7800
Direct: +44 (0) 127 322 4704
email: [email protected]
Msn: [email protected]
Skype: russc0x
Company No: 365969
Oracle Partner of the Year General Business Technology
UKOUG Partner of the year (4 categories)

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
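The reply-path problem described in the thread (internal hosts see the roadwarrior's packets but their answers never reach the VPN gateway), and what the two fixes change, modelled as an added Python example. This is not code from the post or from strongSwan; it reuses the thread's addresses (LAN 192.168.0.0/24, gateway 192.168.0.18, router 192.168.0.1, virtual IP 192.168.0.19, DNS server 192.168.0.15) and assumes the internal host carries only the usual on-link /24 route plus a default route via the router, and that the gateway does not proxy-ARP for the virtual IP. Because the virtual IP lies inside the LAN prefix, the reply matches the on-link route and the host ARPs for 192.168.0.19, which nothing on the segment answers; a host route for the virtual IP via the gateway, or MASQUERADE on the gateway, both get the reply to the gateway. The masquerade additionally replaces the client's virtual IP with the gateway address in everything the internal servers log, which is worth knowing when those logs are used for audit.

```python
"""Added example: model of an internal LAN host's reply-path decision for
packets that arrived from a strongSwan roadwarrior's virtual IP.
Not code from the mailing-list post or from strongSwan; the addresses are
the ones in the thread, the routing table and ARP behaviour are assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Addresses from the thread
ROUTER = ip_address("192.168.0.1")       # LAN default gateway (NAT router)
VPN_GW = ip_address("192.168.0.18")      # strongSwan gateway "lister"
VIRTUAL_IP = ip_address("192.168.0.19")  # handed to the roadwarrior via rightsourceip
DNS_SERVER = ip_address("192.168.0.15")  # internal host that never answered the ping

# Assumption: the only hosts that answer ARP on the LAN segment.
# In particular the VPN gateway does NOT proxy-ARP for the virtual IP.
LAN_ARP_RESPONDERS = {ROUTER, VPN_GW, DNS_SERVER}


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    via: Optional[IPv4Address]  # None: destination is on-link, host ARPs for it directly
    dev: str


def lookup(table: list[Route], dst: IPv4Address) -> Optional[Route]:
    """Longest-prefix match, the rule the kernel applies when choosing a route."""
    matches = [r for r in table if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def internal_host_table() -> list[Route]:
    """Assumed table of 192.168.0.15: on-link /24 plus a default via the router."""
    return [
        Route(ip_network("192.168.0.0/24"), None, "eth0"),
        Route(ip_network("0.0.0.0/0"), ROUTER, "eth0"),
    ]


def reply_next_hop(table: list[Route], reply_dst: IPv4Address) -> Optional[IPv4Address]:
    """LAN address the internal host will ARP for when sending its reply,
    or None if nothing on the segment answers that ARP (reply is dropped)."""
    route = lookup(table, reply_dst)
    if route is None:
        return None
    target = reply_dst if route.via is None else route.via
    return target if target in LAN_ARP_RESPONDERS else None


def simulate_ping(fix: str) -> tuple[bool, str]:
    """Echo request from the roadwarrior to DNS_SERVER, then the reply path.

    fix: 'none'       - setup as first described in the thread
         'host-route' - internal host gets a /32 route for the virtual IP via the VPN gateway
         'masquerade' - gateway rewrites the source to its own address (iptables MASQUERADE)
    Returns (reply reaches the VPN gateway, source address the internal host saw).
    """
    table = internal_host_table()
    src_seen = VIRTUAL_IP
    if fix == "host-route":
        table.append(Route(ip_network("192.168.0.19/32"), VPN_GW, "eth0"))
    elif fix == "masquerade":
        src_seen = VPN_GW  # POSTROUTING MASQUERADE: the server sees the gateway, not the client
    elif fix != "none":
        raise ValueError(f"unknown fix {fix!r}")
    delivered = reply_next_hop(table, src_seen) == VPN_GW
    return delivered, str(src_seen)


if __name__ == "__main__":
    for fix in ("none", "host-route", "masquerade"):
        ok, seen = simulate_ping(fix)
        print(f"{fix:10s} reply reaches VPN gw: {ok!s:5s}  client address in server logs: {seen}")
```

Running it prints one line per scenario: with no fix the reply is dropped, with either fix it reaches the gateway, and only the masquerade changes the address the internal server records for the client. A real deployment check is `ip route get 192.168.0.19` on the internal host, which shows the same longest-prefix decision the model makes.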
