Hi folks,

environment:
        IPsec gateway/firewall, Debian 8
        strongswan 5.4.0
        kernel 4.5.4-1~bpo8+1
        about 30 road warriors (OS X, iPhones)
        IKEv1, IPv4 only, NAT at both sides

problem:

I see a number of DNS queries via IPsec blocked at the
internal firewall each day (apparently on the incoming
side eth0 pointing to the internet). Most of the queries
are not blocked, though.

Within the last month the percentage of blocked DNS
queries became worse. Much worse. Users started
complaining.

Sample:
:
Jul  1 14:56:55 gate1 kernel: [11376.265578] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.62 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=8365 PROTO=UDP SPT=53772 DPT=53 LEN=46
Jul  1 14:56:55 gate1 kernel: [11376.265606] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.62 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=9010 PROTO=UDP SPT=59360 DPT=53 LEN=46
Jul  1 15:04:21 gate1 kernel: [11822.343540] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.64 DST=172.19.96.123 LEN=67 TOS=0x00 PREC=0x00 TTL=254 ID=3336 PROTO=UDP SPT=65510 DPT=53 LEN=47
Jul  1 15:04:21 gate1 kernel: [11822.343549] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.64 DST=172.19.96.123 LEN=67 TOS=0x00 PREC=0x00 TTL=254 ID=16828 PROTO=UDP SPT=65055 DPT=53 LEN=47
Jul  1 15:04:21 gate1 kernel: [11822.343933] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.64 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=41728 PROTO=UDP SPT=49163 DPT=53 LEN=46
Jul  1 15:04:21 gate1 kernel: [11822.343939] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.64 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=3549 PROTO=UDP SPT=54079 DPT=53 LEN=46
Jul  1 15:04:21 gate1 kernel: [11822.393433] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.66 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=64135 PROTO=UDP SPT=64653 DPT=53 LEN=46
Jul  1 15:04:21 gate1 kernel: [11822.393448] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.66 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=4824 PROTO=UDP SPT=60342 DPT=53 LEN=46
Jul  1 15:04:21 gate1 kernel: [11822.393455] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.66 DST=172.19.96.123 LEN=67 TOS=0x00 PREC=0x00 TTL=254 ID=27700 PROTO=UDP SPT=54769 DPT=53 LEN=47
Jul  1 15:04:21 gate1 kernel: [11822.393461] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.66 DST=172.19.96.123 LEN=67 TOS=0x00 PREC=0x00 TTL=254 ID=17238 PROTO=UDP SPT=51462 DPT=53 LEN=47
Jul  1 15:04:25 gate1 kernel: [11825.955926] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.59 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=48167 PROTO=UDP SPT=55059 DPT=53 LEN=46
Jul  1 15:04:25 gate1 kernel: [11825.955939] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.59 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=22942 PROTO=UDP SPT=59174 DPT=53 LEN=46
Jul  1 15:04:25 gate1 kernel: [11826.071637] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.60 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=26638 PROTO=UDP SPT=50563 DPT=53 LEN=46
Jul  1 15:04:25 gate1 kernel: [11826.071651] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.60 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=41367 PROTO=UDP SPT=62579 DPT=53 LEN=46
Jul  1 15:04:25 gate1 kernel: [11826.071944] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.60 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=39892 PROTO=UDP SPT=61569 DPT=53 LEN=46
Jul  1 15:04:25 gate1 kernel: [11826.072200] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.60 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=6242 PROTO=UDP SPT=59746 DPT=53 LEN=46
Jul  1 15:06:07 gate1 kernel: [11927.933124] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.69 DST=172.19.96.123 LEN=79 TOS=0x00 PREC=0x00 TTL=254 ID=25119 PROTO=UDP SPT=57108 DPT=53 LEN=59
Jul  1 15:06:07 gate1 kernel: [11927.933179] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.69 DST=172.19.96.123 LEN=79 TOS=0x00 PREC=0x00 TTL=254 ID=12174 PROTO=UDP SPT=51598 DPT=53 LEN=59
Jul  1 15:06:07 gate1 kernel: [11927.933422] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.69 DST=172.19.96.123 LEN=68 TOS=0x00 PREC=0x00 TTL=254 ID=16509 PROTO=UDP SPT=58484 DPT=53 LEN=48
Jul  1 15:06:07 gate1 kernel: [11927.933465] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.69 DST=172.19.96.123 LEN=68 TOS=0x00 PREC=0x00 TTL=254 ID=7646 PROTO=UDP SPT=61916 DPT=53 LEN=48
Jul  1 15:06:07 gate1 kernel: [11927.933505] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.69 DST=172.19.96.123 LEN=67 TOS=0x00 PREC=0x00 TTL=254 ID=20788 PROTO=UDP SPT=53271 DPT=53 LEN=47
Jul  1 15:09:45 gate1 kernel: [12146.056788] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.67 DST=172.19.96.123 LEN=63 TOS=0x00 PREC=0x00 TTL=254 ID=22379 PROTO=UDP SPT=65313 DPT=53 LEN=43
Jul  1 15:09:45 gate1 kernel: [12146.056806] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.67 DST=172.19.96.123 LEN=63 TOS=0x00 PREC=0x00 TTL=254 ID=60135 PROTO=UDP SPT=52471 DPT=53 LEN=43
Jul  1 15:10:28 gate1 kernel: [12189.111651] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.82 DST=172.19.96.123 LEN=67 TOS=0x00 PREC=0x00 TTL=254 ID=37592 PROTO=UDP SPT=57635 DPT=53 LEN=47
Jul  1 15:10:28 gate1 kernel: [12189.111665] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.82 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=38421 PROTO=UDP SPT=56817 DPT=53 LEN=46
Jul  1 15:19:29 gate1 kernel: [12730.187809] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.82 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=8935 PROTO=UDP SPT=63992 DPT=53 LEN=46
Jul  1 15:19:29 gate1 kernel: [12730.187820] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.82 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=47825 PROTO=UDP SPT=64264 DPT=53 LEN=46
Jul  1 15:19:29 gate1 kernel: [12730.188127] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.82 DST=172.19.96.123 LEN=67 TOS=0x00 PREC=0x00 TTL=254 ID=33733 PROTO=UDP SPT=51037 DPT=53 LEN=47
Jul  1 15:19:29 gate1 kernel: [12730.188140] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.82 DST=172.19.96.123 LEN=67 TOS=0x00 PREC=0x00 TTL=254 ID=54296 PROTO=UDP SPT=59694 DPT=53 LEN=47
Jul  1 15:23:52 gate1 kernel: [12993.250567] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.85 DST=172.19.96.123 LEN=67 TOS=0x00 PREC=0x00 TTL=254 ID=29862 PROTO=UDP SPT=57199 DPT=53 LEN=47
Jul  1 15:23:52 gate1 kernel: [12993.250577] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.85 DST=172.19.96.123 LEN=67 TOS=0x00 PREC=0x00 TTL=254 ID=2437 PROTO=UDP SPT=52012 DPT=53 LEN=47
Jul  1 15:23:52 gate1 kernel: [12993.250810] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.85 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=59470 PROTO=UDP SPT=63261 DPT=53 LEN=46
Jul  1 15:23:52 gate1 kernel: [12993.250817] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.85 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=46145 PROTO=UDP SPT=58775 DPT=53 LEN=46
:

How come? Did I miss a config item "maximum number of
iptables entries" somewhere in the set of strongswan
config files?

Every helpful comment is highly appreciated.


Regards
Harri
-- 
aixigo AG, Karl-Friedrich-Strasse 68, 52072 Aachen, Germany
phone: +49 241 559709-79, fax: +49 241 559709-99
eMail: [email protected], web: http://www.aixigo.de
Amtsgericht Aachen - HRB 8057, Vorstand: Erich Borsch, Christian Friedrich, 
Tobias Haustein, Vors. des Aufsichtsrates: Prof. Dr. Ruediger von Nitzsch

config setup
        charondebug="dmn 1, mgr 1, ike 1, chd 1, cfg 1, net 1"

conn %default
        left            = gate1.example.com
        leftcert        = gate1.example.com.pem
        leftsendcert    = always
        leftsubnet      = 172.19.96.0/19,172.22.111.0/24,10.47.11.0/24,...
        leftfirewall    = yes
        ikelifetime     = 3h
        lifetime        = 1h
        rekey           = yes
        dpdaction       = none
        dpdtimeout      = 300s          # default: 150s, used for IKEv1 only
        dpddelay        = 60s           # default: 30s

#
# IKEv2 using RSA authentication
conn IPSec-IKEv2
        keyexchange     = ikev2
        ike             = aes256-sha256-modp2048,aes256-sha1-modp1024,aes128-sha1-modp1024!
        esp             = aes256-sha256-modp2048,aes256-sha1-modp1024,aes128-sha1-modp1024,aes256-sha256,aes256-sha1,aes128-sha1!
        right           = %any
        rightauth       = pubkey
        rightsendcert   = ifasked
        rightsourceip   = %dhcp
        # fragmentation = yes
        auto            = add

#
# IKEv1 using xauth
conn CiscoIPSec
        keyexchange     = ikev1
        ike             = aes256-sha1-modp1536!
        esp             = aes256-sha1!
        rightauth       = pubkey
        right           = %any
        rightsourceip   = %dhcp
        rightauth2      = xauth
        auto            = add
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
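A small triage helper, added here as an example and not part of Harri's post or of strongSwan: it parses iptables LOG lines of the kind quoted above and summarises the interfaces, sources, destination ports and same-second bursts the drops cluster on, which is the view one wants before comparing the drops against the FORWARD rules on the gateway (with leftfirewall = yes those are installed per SA by the updown script). The sample input is a constructed subset of the lines quoted in the post, rejoined onto one line each, plus one constructed non-LOG kernel line to show that unrelated lines are skipped.

```python
"""Summarise iptables LOG entries (e.g. the 'iptables-dropped' prefix used in
the post above) so the drop pattern is visible at a glance."""
import re
from collections import Counter

# Constructed sample: a subset of the post's drop lines, one entry per line,
# plus one unrelated kernel line that the parser must ignore.
SAMPLE_LOG = """\
Jul  1 14:56:55 gate1 kernel: [11376.265578] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.62 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=8365 PROTO=UDP SPT=53772 DPT=53 LEN=46
Jul  1 14:56:55 gate1 kernel: [11376.265606] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.62 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=9010 PROTO=UDP SPT=59360 DPT=53 LEN=46
Jul  1 15:04:21 gate1 kernel: [11822.343540] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.64 DST=172.19.96.123 LEN=67 TOS=0x00 PREC=0x00 TTL=254 ID=3336 PROTO=UDP SPT=65510 DPT=53 LEN=47
Jul  1 15:04:21 gate1 kernel: [11822.343549] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.64 DST=172.19.96.123 LEN=67 TOS=0x00 PREC=0x00 TTL=254 ID=16828 PROTO=UDP SPT=65055 DPT=53 LEN=47
Jul  1 15:04:21 gate1 kernel: [11822.343933] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.64 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=41728 PROTO=UDP SPT=49163 DPT=53 LEN=46
Jul  1 15:04:21 gate1 kernel: [11822.343939] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.64 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=3549 PROTO=UDP SPT=54079 DPT=53 LEN=46
Jul  1 15:04:21 gate1 kernel: [11822.393433] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.66 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=64135 PROTO=UDP SPT=64653 DPT=53 LEN=46
Jul  1 15:06:07 gate1 kernel: [11927.933124] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.69 DST=172.19.96.123 LEN=79 TOS=0x00 PREC=0x00 TTL=254 ID=25119 PROTO=UDP SPT=57108 DPT=53 LEN=59
Jul  1 15:06:08 gate1 kernel: [11928.000000] unrelated kernel message (constructed)
"""

# syslog timestamp, host, kernel uptime stamp, LOG prefix, then key=value tokens
_PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"\[\s*[\d.]+\] (?P<prefix>[^:]+): (?P<rest>.*)$"
)


def parse_line(line):
    """Return the LOG fields of one line as a dict, or None for non-LOG lines.
    The kernel prints LEN twice (IP total length, then UDP/TCP length);
    both are kept under distinct keys instead of the second overwriting the first."""
    m = _PREFIX.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "prefix": m.group("prefix")}
    lens = []
    for tok in m.group("rest").split():
        if "=" not in tok:
            continue  # bare flags such as DF or SYN carry no value
        key, val = tok.split("=", 1)
        if key == "LEN":
            lens.append(int(val))
        else:
            rec[key] = val
    if lens:
        rec["ip_len"] = lens[0]
    if len(lens) > 1:
        rec["l4_len"] = lens[1]
    return rec


def summarize(lines):
    """Aggregate parsed LOG entries: per-source counts, IN/OUT interface pairs,
    protocol/destination-port pairs, TTLs, and the largest same-second burst
    from one source (parallel A/AAAA lookups show up as bursts of 2 or more)."""
    recs = [r for r in (parse_line(line) for line in lines) if r]
    bursts = Counter((r["ts"], r.get("SRC")) for r in recs)
    return {
        "total": len(recs),
        "per_src": Counter(r.get("SRC") for r in recs),
        "per_path": Counter((r.get("IN"), r.get("OUT")) for r in recs),
        "per_dport": Counter((r.get("PROTO"), r.get("DPT")) for r in recs),
        "ttls": Counter(r.get("TTL") for r in recs),
        "max_burst": max(bursts.values()) if bursts else 0,
    }


def report(summary):
    """Render the summary as text for a quick look."""
    out = [f"{summary['total']} dropped packets"]
    for name in ("per_path", "per_dport", "ttls", "per_src"):
        items = ", ".join(f"{k}: {v}" for k, v in summary[name].most_common())
        out.append(f"  {name}: {items}")
    out.append(f"  largest same-second burst from one source: {summary['max_burst']}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG.splitlines())))
```

Run against the full log (`python3 triage.py < /var/log/kern.log` after replacing SAMPLE_LOG with `sys.stdin`), the summary shows whether every drop is a forwarded UDP/53 packet (IN=eth0 OUT=eth1) from the road-warrior pool toward the one internal resolver; a per-source count that jumps for specific addresses, or drops that line up with SA rekey or expiry times, is what to correlate next with charon's log and the FORWARD chain.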