I have a question about what happens if traffic tries to go out of the interface strongSwan uses while the tunnel is being established; will this cause trouble? I have an issue where some traffic goes through the tunnel, but some does not. My setup is configured like the example 'nat before esp'. My firewall on moon is set up as shown below.

I have iptables on moon set up to display traffic that is dropped, and traffic that is not ESP protocol should not be sent out eth0. The traffic that is not passed through the tunnel is response traffic to communication initiated from Bob. The communication from Bob makes it to Alice, but when Alice tries to respond, the response packets are blocked when they try to make it out eth0 on moon, so it would appear they are not going through the tunnel. I know the tunnel is established because Alice pings Bob through the tunnel. It is also an intermittent problem, because when I reboot moon, sometimes the response packets will go through the tunnel, until I reboot again, and sometimes some response packets go through the tunnel while others do not.

My ipsec.conf on moon is as follows:

    config setup
            plutodebug=control
            crlcheckinterval=180
            strictcrlpolicy=no
            charonstart=no

    conn %default
            ikelifetime=60m
            keylife=20m
            rekeymargin=3m
            keyingtries=1

    conn host-net
            left=%defaultroute
            leftcert=moonCert.pem
            left...@moon.strongswan.org
            leftfirewall=yes
            right=192.168.6.1
            rightsubnet=0.0.0.0/0
            right...@sun.strongswan.org
            auto=start
            authby=rsasig

My iptables rules on moon are as follows:

    *nat
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    # NAT traffic from host
    -A POSTROUTING -o eth0 -j MASQUERADE
    COMMIT

    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]
    # Allow local communication.
    -A INPUT -i lo -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT
    # forward traffic from host to POSTROUTING chain
    -A FORWARD -i eth1 -o eth0 -s 192.168.99.1 -j ACCEPT
    -A FORWARD -o eth1 -i eth0 -d 192.168.99.1 -j ACCEPT
    # Allow NTP
    -A INPUT -i eth1 -p udp --sport 123 -j ACCEPT
    -A OUTPUT -o eth1 -p udp --sport 123 -j ACCEPT
    # Allow DNS
    -A INPUT -i eth1 -p udp --sport 53 -j ACCEPT
    -A INPUT -i eth1 -p udp --dport 53 -j ACCEPT
    -A OUTPUT -o eth1 -p udp --sport 53 -j ACCEPT
    -A OUTPUT -o eth1 -p udp --dport 53 -j ACCEPT
    # Allow icmp traffic
    #-A FORWARD -i eth1 -p icmp -j ACCEPT
    #-A FORWARD -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT
    # Allow ssh forwarding
    -A INPUT -p tcp --dport 10794 -j ACCEPT
    -A OUTPUT -p tcp --sport 10794 -j ACCEPT
    # allow esp
    -A INPUT -i eth0 -p 50 -j ACCEPT
    -A OUTPUT -o eth0 -p 50 -j ACCEPT
    # allow IKE
    -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
    -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
    # Log dropped traffic
    -A INPUT -j LOG --log-tcp-options --log-ip-options --log-level warning --log-prefix "admin in:"
    -A FORWARD -j LOG --log-tcp-options --log-ip-options --log-level warning --log-prefix "admin forward:"
    -A OUTPUT -j LOG --log-tcp-options --log-ip-options --log-level warning --log-prefix "admin out:"
    COMMIT

Thanks for the help,
Mark Marwil
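The ruleset above logs every dropped packet with the prefixes "admin in:", "admin forward:" and "admin out:", so the kernel log already records which response packets reached eth0 without an ESP wrapper. The following script is an added example written for this page (it is not from the original message or the strongSwan project): it filters those LOG lines down to packets dropped on the way out of the IPsec-facing interface that are neither ESP/AH nor IKE (UDP 500/4500), which is exactly the set of packets that left for eth0 unprotected, and summarises them by chain and protocol. The sample log lines, the address 192.168.6.2 for moon's eth0 and the host 10.1.0.10 behind sun are constructed for the example and are not from the post.

```shell
#!/bin/sh
# Added example, not from the original post: triage the "admin ...:" LOG lines
# produced by the iptables ruleset above and pick out the cleartext egress drops.

# Constructed sample of kernel LOG output in the format the LOG target writes.
# Addresses, ports and SPI values are hypothetical.
SAMPLE_LOG='Jan  1 00:00:01 moon kernel: admin out:IN= OUT=eth0 SRC=192.168.6.2 DST=192.168.6.1 LEN=136 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=ESP SPI=0x0c4a1b2e
Jan  1 00:00:02 moon kernel: admin forward:IN=eth1 OUT=eth0 SRC=192.168.99.1 DST=10.1.0.10 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=22 DPT=40122 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Jan  1 00:00:03 moon kernel: admin out:IN= OUT=eth0 SRC=192.168.6.2 DST=10.1.0.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=ICMP TYPE=0 CODE=0 ID=7 SEQ=1
Jan  1 00:00:04 moon kernel: admin out:IN= OUT=eth0 SRC=192.168.6.2 DST=192.168.6.1 LEN=288 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=UDP SPT=500 DPT=500 LEN=268
Jan  1 00:00:05 moon kernel: admin in:IN=eth0 OUT= SRC=192.168.6.1 DST=192.168.6.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=41002 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# Print the LOG lines for packets dropped while leaving interface $2 that carry
# neither ESP/AH nor IKE/NAT-T (UDP 500 or 4500). $1 is the log text.
# Anything printed here was heading for the tunnel interface in cleartext.
cleartext_egress_drops() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        index($0, " OUT=" ifc " ") == 0 { next }   # not leaving the interface of interest
        /PROTO=ESP/ || /PROTO=AH/       { next }   # tunnel payload: expected, explicitly allowed
        /PROTO=UDP/ && / [SD]PT=(500|4500)( |$)/ { next }   # IKE and NAT-T keepalives
        { print }'
}

# Number of such lines; prints 0 when there are none.
count_cleartext_egress_drops() {
    cleartext_egress_drops "$1" "$2" | awk 'END { print NR }'
}

# Group the leak candidates by chain (log prefix) and protocol, e.g. "1 admin forward: TCP".
summarise_cleartext_egress_drops() {
    cleartext_egress_drops "$1" "$2" \
        | sed -n 's/.*kernel: \(admin [a-z]*\):.*PROTO=\([A-Z]*\).*/\1: \2/p' \
        | sort | uniq -c
}

echo "Cleartext packets dropped on the way out eth0:"
cleartext_egress_drops "$SAMPLE_LOG" eth0
echo "Summary by chain and protocol:"
summarise_cleartext_egress_drops "$SAMPLE_LOG" eth0
```

On a live system the same functions can be fed the real kernel log, for example `cleartext_egress_drops "$(grep 'admin ' /var/log/syslog)" eth0` (the log path is an assumption; adjust it to wherever the LOG target's output lands). A forwarded packet from 192.168.99.1 showing up in this output means the packet was accepted by the FORWARD rule, masqueraded, and then did not match an IPsec policy at the moment it was sent, which distinguishes a missing or not-yet-installed policy from a plain firewall drop.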
_______________________________________________ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users