Hello Josh,

The tunnel only permits traffic between the PFsense box and 192.168.150.0/24, so of course it doesn't work.

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 05.08.2015 at 16:51, Josh Madden wrote:
> To anyone who can offer some assistance:
>
> I have a pfsense appliance establishing an IPSEC tunnel to an Amazon AWS EC2
> Ubuntu box running StrongSwan 5.1.2. The goal is for LAN users of the pfsense
> router appliance to have all their internet traffic tunneled to the AWS EC2
> box and then out to the internet. A system on the LAN of the pfsense box can
> ping the IP of the Amazon EC2 box. The Amazon EC2 box can also ping a system
> on the pfsense LAN. When a system on the pfsense LAN tries to send traffic to
> the internet, I see the traffic show up in a running tcpdump on the Amazon
> EC2 box, but the traffic seems to be getting dropped. Watching logs from
> iptables, I can see that the traffic from the IPSEC tunnel arrives at the
> PREROUTING table with its source address set to the pfsense LAN. I've tried
> adding a number of iptables rules with little success. Any assistance is
> greatly appreciated.
>
> Below is some configuration data:
>
> pfsense:
> LAN subnet: 192.168.150.0/24
>
> pfsense ipsec configuration:
> key exchange version: v2
> internet protocol: ipv4
> interface: WAN
> remote gateway: <public IP of Amazon EC2 box>
> authentication method: mutual psk
> my identifier: distinguished name: <DN>
> peer identifier: distinguished name: <DN>
> pre-shared key: *********************
> phase 1:
> encryption algorithm: aes 256
> hash algorithm: sha 256
> dh key group: 14
> lifetime: 28800 seconds
> advanced options:
> NAT traversal: auto
>
> 35x phase2 entries, one for each subnet to be tunneled out to the internet:
> protocol: esp
>
> pfsense firewall rules are set to allow most traffic (it's behind an IDS and
> firewall -- no blocked packets observed)
>
> strongswan ipsec configuration:
> config setup
>     # strictcrlpolicy=yes
>     # uniqueids = no
>     cachecrls=yes
>     uniqueids=yes
>     charondebug="ike 0, knl 0, cfg 0, net 0, enc 0"
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=20m
>     keyingtries=1
>     keyexchange=ikev2
>     authby=secret
>     esp=aes256-sha256
>
> conn <DN>
>     left=<pfsense public IP>
>     leftid=<DN>
>     leftfirewall=yes
>     leftsubnet=192.168.150.0/24
>     right=<AWS EC2 host IP>
>     rightfirewall=yes
>     rightid=<DNS>
>     auto=add
>
> AWS EC2 iptables
> # Generated by iptables-save v1.4.21 on Wed Aug 5 13:43:07 2015
> *nat
> :PREROUTING ACCEPT [382:30387]
> :INPUT ACCEPT [1:468]
> :OUTPUT ACCEPT [4:248]
> :POSTROUTING ACCEPT [15:842]
> -N LOGGING
> -N IPSEC_UNWRAPPED
> -A PREROUTING -s 192.168.150.0/24 -j IPSEC_UNWRAPPED
> -I INPUT 1 -j LOG --log-prefix "packet enter NAT-INPUT "
> -I OUTPUT 1 -j LOG --log-prefix "packet enter NAT-OUTPUT "
> -I POSTROUTING 1 -j LOG --log-prefix "packet enter POSTROUTING "
> -A IPSEC_UNWRAPPED -j LOG --log-prefix "enter IPSEC_UNWRAPPED "
> -A IPSEC_UNWRAPPED -s 192.168.150.0/24 -j ACCEPT
> COMMIT
> # Completed on Wed Aug 5 13:43:07 2015
> # Generated by iptables-save v1.4.21 on Wed Aug 5 13:43:07 2015
> *filter
> :INPUT ACCEPT [324:39841]
> :FORWARD ACCEPT [8:418]
> :OUTPUT ACCEPT [301:64284]
> :LOGGING - [0:0]
> -A INPUT -s <pfsense public ip>/32 -d <amazon public ip>/32 -p udp --dport 4500 -j ACCEPT
> -A INPUT -s <pfsense public ip> -d <amazon public ip>/32 -p tcp --dport 22 -j ACCEPT
> -A INPUT -d <amazon public ip> -p icmp -j ACCEPT
> -A INPUT -j LOGGING
> -A FORWARD -j LOG --log-prefix "enter forward "
> -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -j LOGGING
> -A OUTPUT -s 172.31.17.50/32 -d <pfsense public ip>/32 -p udp --sport 4500 -j ACCEPT
> -A OUTPUT -s 172.31.17.50/32 -d <pfsense public ip>/32 -p tcp --sport 22 -j ACCEPT
> -A OUTPUT -p icmp -d 8.8.8.8 -j LOG --log-prefix "icmp to google "
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
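The reply above points at the traffic selectors, not at iptables: in the posted conn, leftsubnet is the pfSense LAN but rightsubnet is unset, so strongSwan narrows the right-hand selector to the EC2 host address itself, and a LAN packet bound for 8.8.8.8 simply has no child SA to travel in. The following is an added example, not code from the thread or from the strongSwan project; it models that selector logic with the standard-library `ipaddress` module and compares the conn as posted with a full-tunnel variant. 203.0.113.10 is a constructed stand-in for the pfSense public IP; 172.31.17.50 is the EC2 host address quoted in the iptables rules.

```python
"""Model strongSwan child-SA traffic selectors and check which flows they carry.
Added example; not from the mailing-list thread or the strongSwan project."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class Conn:
    """The subset of an ipsec.conf 'conn' section that decides traffic selection."""
    name: str
    left: str
    right: str
    leftsubnet: list[str] = field(default_factory=list)
    rightsubnet: list[str] = field(default_factory=list)

    def left_ts(self) -> list[ipaddress.IPv4Network]:
        # strongSwan default: with no leftsubnet, the selector is the left host address (/32).
        return [ipaddress.ip_network(s) for s in self.leftsubnet] or [ipaddress.ip_network(self.left)]

    def right_ts(self) -> list[ipaddress.IPv4Network]:
        # Same default on the right side: no rightsubnet means "the right host only".
        return [ipaddress.ip_network(s) for s in self.rightsubnet] or [ipaddress.ip_network(self.right)]


def flow_covered(conn: Conn, src: str, dst: str) -> bool:
    """True if a left-to-right packet src->dst matches the conn's selectors (i.e. has an SA to use)."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    return any(s in net for net in conn.left_ts()) and any(d in net for net in conn.right_ts())


def uncovered_flows(conn: Conn, flows: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return the flows that would be dropped for lack of a matching child SA."""
    return [(s, d) for s, d in flows if not flow_covered(conn, s, d)]


# Constructed values: 203.0.113.10 stands in for the pfSense public IP (placeholder in the thread);
# 172.31.17.50 is the EC2 host address that appears in the posted iptables rules.
AS_POSTED = Conn("pfsense", left="203.0.113.10", right="172.31.17.50",
                 leftsubnet=["192.168.150.0/24"])

# Same conn with a wildcard right-hand selector, so internet-bound LAN traffic is inside the SA.
FULL_TUNNEL = Conn("pfsense", left="203.0.113.10", right="172.31.17.50",
                   leftsubnet=["192.168.150.0/24"], rightsubnet=["0.0.0.0/0"])

# Constructed sample flows mirroring the two observations in the original post.
SAMPLE_FLOWS = [
    ("192.168.150.20", "172.31.17.50"),  # LAN host pings the EC2 box: works in the thread
    ("192.168.150.20", "8.8.8.8"),       # LAN host to the internet: dropped in the thread
]

if __name__ == "__main__":
    for conn in (AS_POSTED, FULL_TUNNEL):
        label = conn.rightsubnet or ["<unset: right host only>"]
        print(f"rightsubnet={label}: dropped flows -> {uncovered_flows(conn, SAMPLE_FLOWS)}")
```

A wildcard rightsubnet only makes the packets arrive on the EC2 side; for them to reach the internet the EC2 host must also have IP forwarding enabled and source-NAT the 192.168.150.0/24 addresses on its outbound interface, which the posted nat table does not do (it only logs and accepts). Reading the selectors off the config this way is a quick check to run before adding more iptables rules.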
