Hi

If I restart strongSwan and the tunnel after a reboot, the iptables look ok, but packets are still sent over the internet.
Is there anything in the kernel configuration I have to check? When I look at http://www.strongswan.org/uml/testresults4/ikev1/net2net-psk/ there is nothing in ip route list table 220

root@b3:~# ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 4.4.1 IPsec [starter]...

root@b3:~# iptables -L -v
Chain INPUT (policy DROP 3 packets, 120 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere             tcp flags:SYN,ACK/SYN,ACK state NEW reject-with tcp-reset
    1    51 DROP       tcp  --  any    any     anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
    9  1042 ACCEPT     all  --  eth0   any     anywhere             anywhere             state RELATED,ESTABLISHED
   54  3995 ACCEPT     all  --  br0    any     anywhere             anywhere
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     icmp --  eth0   any     anywhere             anywhere             icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp fragmentation-needed
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:ssh
    0     0 ACCEPT     udp  --  eth0   any     anywhere             anywhere             udp dpt:isakmp
    0     0 ACCEPT     esp  --  eth0   any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   18  8743 ACCEPT     all  --  br0    any     anywhere             anywhere
   17  1021 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp fragmentation-needed

Chain OUTPUT (policy ACCEPT 65 packets, 8742 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     esp  --  any    eth0    anywhere             anywhere

root@b3:~# ipsec up net-net
002 "net-net" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
112 "net-net" #3: STATE_QUICK_I1: initiate
002 "net-net" #3: sent QI2, IPsec SA established {ESP=>0xbc2b2ba9 <0xceebf6e2}
004 "net-net" #3: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xbc2b2ba9 <0xceebf6e2}

root@b3:~# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0   any     192.168.3.0/24       192.168.10.0/24      policy match dir in pol ipsec reqid 16385 proto esp
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere             tcp flags:SYN,ACK/SYN,ACK state NEW reject-with tcp-reset
    1    51 DROP       tcp  --  any    any     anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
   33  5847 ACCEPT     all  --  eth0   any     anywhere             anywhere             state RELATED,ESTABLISHED
   86  5963 ACCEPT     all  --  br0    any     anywhere             anywhere
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     icmp --  eth0   any     anywhere             anywhere             icmp time-exceeded
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp fragmentation-needed
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:ssh
    0     0 ACCEPT     udp  --  eth0   any     anywhere             anywhere             udp dpt:isakmp
    0     0 ACCEPT     esp  --  eth0   any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0   any     192.168.3.0/24       192.168.10.0/24      policy match dir in pol ipsec reqid 16385 proto esp
    0     0 ACCEPT     all  --  any    eth0    192.168.10.0/24      192.168.3.0/24       policy match dir out pol ipsec reqid 16385 proto esp
   21  8890 ACCEPT     all  --  br0    any     anywhere             anywhere
   21  1263 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp fragmentation-needed

Chain OUTPUT (policy ACCEPT 22 packets, 3238 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    eth0    192.168.10.0/24      192.168.3.0/24       policy match dir out pol ipsec reqid 16385 proto esp
    0     0 ACCEPT     esp  --  any    eth0    anywhere             anywhere

root@b3:~# traceroute to 192.168.3.1 (192.168.3.1), 30 hops max, 60 byte packets
 1  10.66.128.234 (10.66.128.234)  32.228 ms  53.222 ms  53.485 ms
 2  10.66.128.237 (10.66.128.237)  53.873 ms  54.093 ms  54.477 ms
 3  172.18.4.78 (172.18.4.78)  71.604 ms 172.18.4.82 (172.18.4.82)  54.282 ms 172.18.4.62 (172.18.4.62)  54.174 ms
 4  172.18.72.66 (172.18.72.66)  53.930 ms 172.18.72.90 (172.18.72.90)  53.910 ms 172.18.72.98 (172.18.72.98)  53.802 ms
 5  172.18.8.109 (172.18.8.109)  53.800 ms 172.18.8.105 (172.18.8.105)  53.742 ms 172.18.8.158 (172.18.8.158)  53.439 ms^C


2014/1/4 Ali Masoudi <[email protected]>

> Hi
>
> Did you disable "add routes" in strongswan.conf?
> By default, strongSwan adds the required route in table 220.
>
> If you disabled routing in SW, you have to route traffic to 192.168.3.0/24 via
> the 109.56.142.204 interface to 5.103.136.156.
>
> Best wishes
> Ali
>
>
> On Fri, Jan 3, 2014 at 12:02 PM, Svend Høst <[email protected]> wrote:
>
>> Hi
>>
>> I'm having trouble getting packets routed over the tunnel. It seems
>> like the iptables rules are somewhat purged; they re-enter if I rebuild
>> the tunnel, but that doesn't help the routing issue.
>>
>> traceroute to 192.168.3.1 (192.168.3.1), 30 hops max, 60 byte packets
>>  1  10.66.55.18 (10.66.55.18)  43.438 ms  53.529 ms  53.742 ms
>>  2  10.66.55.17 (10.66.55.17)  53.857 ms  63.536 ms  63.482 ms^C
>>
>> root@b3:~# ipsec version
>> Linux strongSwan U4.4.1/K2.6.39.4-11
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil, Switzerland
>> See 'ipsec --copyright' for copyright information.
>>
>> root@b3:~# ipsec status net-net
>> 000 "net-net": 192.168.10.0/24===109.56.142.204[hoest.myownb3.com]...5.103.136.156[192.168.3.1]===192.168.3.0/24; erouted; eroute owner: #4
>> 000 "net-net":   newest ISAKMP SA: #3; newest IPsec SA: #4;
>> 000
>> 000 #4: "net-net" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2246s; newest IPSEC; eroute owner
>> 000 #4: "net-net" [email protected] (0 bytes) [email protected] (0 bytes); tunnel
>> 000 #3: "net-net" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2164s; newest ISAKMP
>> 000
>>
>> root@b3:~# iptables -L -v
>> Chain INPUT (policy DROP 0 packets, 0 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 REJECT     tcp  --  any    any     anywhere             anywhere             tcp flags:SYN,ACK/SYN,ACK state NEW reject-with tcp-reset
>>     0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
>>    93  6801 ACCEPT     all  --  eth0   any     anywhere             anywhere             state RELATED,ESTABLISHED
>>     0     0 ACCEPT     all  --  br0    any     anywhere             anywhere
>>     0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
>>     0     0 ACCEPT     icmp --  eth0   any     anywhere             anywhere             icmp time-exceeded
>>     0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp fragmentation-needed
>>     0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:ssh
>>     0     0 ACCEPT     udp  --  eth0   any     anywhere             anywhere             udp dpt:isakmp
>>     0     0 ACCEPT     esp  --  eth0   any     anywhere             anywhere
>>
>> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 ACCEPT     all  --  br0    any     anywhere             anywhere
>>     0     0 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
>>     0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp fragmentation-needed
>>
>> Chain OUTPUT (policy ACCEPT 93 packets, 13864 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 ACCEPT     esp  --  any    eth0    anywhere             anywhere
>> root@b3:~#
>>
>>
>> Any thoughts?
>>
>> Wkr.
>> Svend
>>
>> _______________________________________________
>> Users mailing list
>> [email protected]
>> https://lists.strongswan.org/mailman/listinfo/users
>>
>
>
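The thread turns on two pieces of kernel state that `iptables -L -v` does not show: the XFRM policy (SPD) that decides whether an outgoing packet gets encapsulated, and the strongSwan policy route in table 220 that Ali mentions. The script below is an added example, not code from the thread or from the strongSwan project. It parses the output of `ip xfrm policy` and `ip route show table 220` and reports, for a given destination, which source address a packet originated on the gateway itself would carry and whether an outbound policy covers that source/destination pair. The kernel matches an outbound policy on both its source and destination selectors, and the `src` hint on a matching table-220 route is what gives gateway-originated traffic (a traceroute run on the gateway, for instance) an inner-LAN source address; without such a route the packet carries the outgoing interface address instead. The two command outputs embedded here are constructed samples that reuse the thread's subnets, peer addresses and reqid; the inner LAN address 192.168.10.1 and the next hop are assumed.

```python
"""Check whether traffic to a destination would be encapsulated by an IPsec
outbound policy, given `ip xfrm policy` and `ip route show table 220` output.

Added example; not part of the strongSwan mailing-list thread or project.
"""
import ipaddress
import re
import subprocess

# Constructed sample of `ip xfrm policy` for the net2net tunnel in the thread
# (selectors, peers and reqid taken from the thread; priorities are assumed).
SAMPLE_XFRM_POLICY = """\
src 192.168.10.0/24 dst 192.168.3.0/24
    dir out priority 1859 ptype main
    tmpl src 109.56.142.204 dst 5.103.136.156
        proto esp reqid 16385 mode tunnel
src 192.168.3.0/24 dst 192.168.10.0/24
    dir in priority 1859 ptype main
    tmpl src 5.103.136.156 dst 109.56.142.204
        proto esp reqid 16385 mode tunnel
src 192.168.3.0/24 dst 192.168.10.0/24
    dir fwd priority 1859 ptype main
    tmpl src 5.103.136.156 dst 109.56.142.204
        proto esp reqid 16385 mode tunnel
"""

# Constructed sample of `ip route show table 220` with the policy route
# installed. The inner LAN address 192.168.10.1 is an assumption.
SAMPLE_TABLE_220 = "192.168.3.0/24 via 10.66.128.234 dev eth0  proto static  src 192.168.10.1\n"

# Same command on a gateway where no policy route was installed.
SAMPLE_TABLE_220_EMPTY = ""


def parse_xfrm_policies(text):
    """Turn `ip xfrm policy` output into dicts with src, dst, dir and mode."""
    policies = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"src (\S+) dst (\S+)", line)
        if m:
            current = {"src": ipaddress.ip_network(m.group(1), strict=False),
                       "dst": ipaddress.ip_network(m.group(2), strict=False),
                       "dir": None, "mode": None}
            policies.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"dir (\S+)", line)
        if m:
            current["dir"] = m.group(1)
        m = re.search(r"\bmode (\S+)", line)
        if m:
            current["mode"] = m.group(1)
    return policies


def parse_routes(text):
    """Turn `ip route show table N` output into dicts with net, via, dev, src."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        prefix = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        route = {"net": ipaddress.ip_network(prefix, strict=False),
                 "via": None, "dev": None, "src": None}
        for key in ("via", "dev", "src"):
            if key in parts:
                route[key] = parts[parts.index(key) + 1]
        routes.append(route)
    return routes


def effective_source(dst_ip, table220_text, iface_ip):
    """Source address a packet the gateway itself sends to dst_ip would carry:
    the `src` hint of the longest matching table-220 route, otherwise
    iface_ip (the outgoing interface address the main table would pick)."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for route in parse_routes(table220_text):
        if dst in route["net"] and (best is None or
                                    route["net"].prefixlen > best["net"].prefixlen):
            best = route
    if best is not None and best["src"]:
        return best["src"]
    return iface_ip


def outbound_policy_for(src_ip, dst_ip, xfrm_text):
    """Return the first `dir out` policy whose selectors cover src and dst."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for p in parse_xfrm_policies(xfrm_text):
        if p["dir"] == "out" and src in p["src"] and dst in p["dst"]:
            return p
    return None


def diagnose(dst_ip, iface_ip, xfrm_text, table220_text):
    """Classify gateway-originated traffic to dst_ip as encapsulated or not."""
    src = effective_source(dst_ip, table220_text, iface_ip)
    policy = outbound_policy_for(src, dst_ip, xfrm_text)
    dst = ipaddress.ip_address(dst_ip)
    has_route = any(dst in r["net"] for r in parse_routes(table220_text))
    dst_covered = any(p["dir"] == "out" and dst in p["dst"]
                      for p in parse_xfrm_policies(xfrm_text))
    if policy is not None:
        verdict = "encapsulated"
    elif dst_covered:
        verdict = "cleartext: source %s outside policy selector" % src
    else:
        verdict = "cleartext: no outbound policy for destination"
    return {"source": src, "table220_route": has_route, "verdict": verdict}


def run_live(dst_ip, iface_ip):
    """Run the same check against the live kernel (needs iproute2)."""
    xfrm = subprocess.run(["ip", "xfrm", "policy"], capture_output=True,
                          text=True, check=True).stdout
    routes = subprocess.run(["ip", "route", "show", "table", "220"],
                            capture_output=True, text=True, check=True).stdout
    return diagnose(dst_ip, iface_ip, xfrm, routes)


if __name__ == "__main__":
    for label, table in (("route installed", SAMPLE_TABLE_220),
                         ("no table-220 route", SAMPLE_TABLE_220_EMPTY)):
        print(label, diagnose("192.168.3.1", "109.56.142.204",
                              SAMPLE_XFRM_POLICY, table))
```

With the policy route present the check reports `encapsulated`; with an empty table 220 the same destination is reported as cleartext because the packet would carry the interface address 109.56.142.204, which lies outside the 192.168.10.0/24 source selector. Traffic forwarded from hosts on br0 already carries a 192.168.10.0/24 source, so for that traffic only the policy itself matters; `run_live()` applies the check to the real gateway.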
