Hi Noel & all

Sorry for the late reply. I was trying to find a solution on sporadic weekends without messing up my actual configuration.

The MASQUERADE rule did it. I wanted to share the solution with the list. The simplest version of my /etc/firewall.user looks like this. The last entry made it work.

---------
### IPSec VPN
iptables -A input_rule -p esp -j ACCEPT
iptables -A input_rule -p udp --dport 500 -j ACCEPT
iptables -A input_rule -p udp --dport 4500 -j ACCEPT

iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
---------

In the end I did not change the MTU. Here is a tracepath output; it seems to work out of the box.

[user@location1 ~]$ tracepath location2
 1?: [LOCALHOST]                        pmtu 1500
 1:  router-location1                   3.075ms
 1:  router-location1                   3.221ms
 2:  router-location1                   2.881ms pmtu 1422
 2:  no reply
 3:  router-location2                   47.577ms
 4:  location2                          48.414ms reached
     Resume: pmtu 1422 hops 4 back 4

Best regards
Martin
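As an added check (not code from Martin's mail, Noel's reply or the strongSwan project), a small Python linter over an iptables-save dump that flags the two problems in this thread: a MASQUERADE/SNAT target in nat POSTROUTING that is evaluated before the `-m policy --pol ipsec --dir out -j ACCEPT` exception, and an INPUT path that never accepts ESP, UDP 500 or UDP 4500. The sample dumps are constructed, cut down from the OpenWrt chain layout quoted further down.

```python
"""Lint an iptables-save dump for the two IPsec breakers raised in this thread: NAT applied in
POSTROUTING before an IPsec policy exception, and an INPUT path that never accepts ESP/IKE/NAT-T.
Parent-chain match options (-o eth0, ...) are not evaluated; this is a rule-ordering check."""
import shlex

def parse(dump):
    # {table: {chain: [[tokens], ...]}}, rule order preserved
    tables, table = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = tables.setdefault(line[1:].strip(), {})
        elif line.startswith("-A") and table is not None:
            table.setdefault(line.split()[1], []).append(shlex.split(line)[2:])
    return tables

def walk(chains, chain):
    # yield rules in evaluation order, descending into user-defined chains
    for rule in chains.get(chain, []):
        target = rule[rule.index("-j") + 1] if "-j" in rule else None
        if target in chains:
            yield from walk(chains, target)
        else:
            yield rule

def lint(dump):
    """Return findings as strings; an empty list means the dump looks IPsec-safe."""
    tables, findings, exempt = parse(dump), [], False
    for rule in walk(tables.get("nat", {}), "POSTROUTING"):
        if all(w in rule for w in ("--pol", "ipsec", "--dir", "out", "ACCEPT")):
            exempt = True  # the exception from this thread, evaluated before any NAT target
        elif ("MASQUERADE" in rule or "SNAT" in rule) and not exempt:
            findings.append("nat POSTROUTING: NAT applied before IPsec policy exception")
            break
    inp = list(walk(tables.get("filter", {}), "INPUT"))
    for name, *need in (("ESP", "esp"), ("IKE udp/500", "--dport", "500"), ("NAT-T udp/4500", "--dport", "4500")):
        if not any("ACCEPT" in r and all(w in r for w in need) for r in inp):
            findings.append("filter INPUT: nothing accepts " + name)
    return findings

# Constructed dumps (not captures): BROKEN is cut down from the OpenWrt layout in this thread,
# FIXED adds the policy exception (-I, so first in POSTROUTING) and the input_rule accepts.
BROKEN = """*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A INPUT -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""
FIXED = BROKEN.replace("*nat\n", "*nat\n-A POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT\n").replace(
    "*filter\n", "*filter\n-A input_rule -p esp -j ACCEPT\n-A input_rule -p udp -m udp --dport 500"
    " -j ACCEPT\n-A input_rule -p udp -m udp --dport 4500 -j ACCEPT\n")
```

Run `lint()` over the output of `iptables-save` on the router; it reports nothing for a rule set with the fix applied and four findings for the original one.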


On 02/25/2017 12:06 AM, Noel Kuntze wrote:
There's the MASQUERADE rule that breaks some part of the tunnel:
-A zone_wan_postrouting -j MASQUERADE

This can be problematic, too. Read the article about MSS and MTU[1] and this article[2].
-A mssfix -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu

You're also not accepting ESP or IKE traffic! You NEED to allow those packets:
UDP ports 500 and 4500 and the protocol ESP.

Rest looks okay though, besides the problem that the OpenWrt firewall doesn't play nice with IPsec.

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#MTUMSS-issues
This website has nothing to do with the project though!
[2] https://strongswan.net/blog/how-to-resolve-mtu-issue-with-ipsec-tunnel/


On 24.02.2017 23:59, Martin Sand wrote:
Sure, please find enclosed the requested files.

Best regards/Kind regards
Martin


On 02/24/2017 11:52 PM, Noel Kuntze wrote:
Of course not. This is not a problem with the routing table.
Please make sure you understand exactly what's going on before
attempting to solve problems. Other technology might not
be as forgiving as this.

The problem is probably that your security policies don't allow
the forwarding of the traffic or you have SNAT/MASQUERADE (or other)
iptables rules that either change addresses so the traffic doesn't
match the policies anymore or outright drop it.

Please provide a paste of the output of `ipsec statusall`
and `iptables-save`.



On 24.02.2017 23:49, Martin Sand wrote:
Hi all

After some time I began to investigate again.
I think the problem is that my strongSwan router is behind a modem (another router) which I cannot set to bridge mode.
The modem is NATing the traffic.

Routing table 220 shows the problem.
The traffic is sent to the modem (192.168.0.1), which is connected to the internet and to my strongSwan VPN router (192.168.2.1).
The modem is also the default gateway.

root@OpenWrt:~# ip route show table 220
192.168.1.0/24 via 192.168.0.1 dev eth0  proto static  src 192.168.2.1
192.168.3.0/24 via 192.168.0.1 dev eth0  proto static  src 192.168.2.1

I tried to get around the problem by setting the via route to the external IP of my modem (134.100.110.120).
But this does not work:

root@OpenWrt:~# ip r c table 220 192.168.1.0/24 via 134.100.110.120 dev eth0 proto static src 192.168.2.1
RTNETLINK answers: Network is unreachable

Any ideas on how to solve the issue?

Best regards
Martin

On 11/08/2016 08:46 PM, Martin Sand wrote:
Hi all

I have a Hub and Spoke setup:
* Central server 192.168.0.1
* Router 1: 192.168.1.1
* Router 2: 192.168.2.1

I cannot reach the computers on the other side of the network although the tunnel is established.
Am I missing an iptables rule or route information?

Output from 192.168.1.100 when trying to reach a computer on the other network (192.168.2.100):
[user@workstation ~]$ tracepath 192.168.2.100
  1?: [LOCALHOST]                                         pmtu 1500
  1:  router-1                                     0.475ms
  1:  router-1                                     0.445ms
  2:  no reply

Output of route on Router 1 (192.168.1.1):
192.168.2.0/24 via 80.10.10.1 dev eth0  proto static  src 192.168.1.1

Output of route on Router 2 (192.168.2.1):
192.168.1.0/24 via 192.168.0.1 dev eth0  proto static  src 192.168.2.1

Any ideas on what is going wrong? Maybe because one router shows the external IP of the Hub instead of the internal one?

Best regards
Martin


_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users




ipsec_statusall.txt


Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.18.20, mips):
   uptime: 24 minutes, since Feb 24 23:30:27 2017
   malloc: sbrk 151552, mmap 0, used 139840, free 11712
   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
   loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
   192.168.0.31
   192.168.2.1
Connections:
     vpn-mann:  %any...vpn.example.de  IKEv2, dpddelay=30s
     vpn-mann:   local:  [C=DE, O=StrongSwan, CN=mann] uses public key authentication
     vpn-mann:    cert:  "C=DE, O=StrongSwan, CN=mann"
     vpn-mann:   remote: [vpn.example.de] uses public key authentication
     vpn-mann:    cert:  "C=DE, O=StrongSwan, CN=vpn.example.de"
     vpn-mann:   child:  192.168.2.0/24 === 192.168.1.0/24 192.168.3.0/24 PASS, dpdaction=restart
Security Associations (1 up, 0 connecting):
     vpn-mann[1]: ESTABLISHED 23 minutes ago, 192.168.0.31[C=DE, O=StrongSwan, CN=mann]...200.200.8.224[vpn.example.de]
     vpn-mann[1]: IKEv2 SPIs: a2b57fe98a312245_i* 484d1d053cc36aaa_r, public key reauthentication in 28 minutes
     vpn-mann[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
     vpn-mann{4}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c5f28034_i c535472d_o
     vpn-mann{4}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 5 minutes
     vpn-mann{4}:   192.168.2.0/24 === 192.168.1.0/24 192.168.3.0/24
     vpn-mann{5}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cca10f29_i cd435e9e_o
     vpn-mann{5}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 6 minutes
     vpn-mann{5}:   192.168.2.0/24 === 192.168.1.0/24 192.168.3.0/24


iptables_save.txt


# Generated by iptables-save v1.4.21 on Fri Feb 24 23:54:03 2017
*nat
:PREROUTING ACCEPT [94139:25693304]
:INPUT ACCEPT [23929:1678867]
:OUTPUT ACCEPT [24490:1838326]
:POSTROUTING ACCEPT [529:103136]
:delegate_postrouting - [0:0]
:delegate_prerouting - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -j delegate_prerouting
-A POSTROUTING -j delegate_postrouting
-A delegate_postrouting -m comment --comment "user chain for postrouting" -j postrouting_rule
-A delegate_postrouting -o br-lan -j zone_lan_postrouting
-A delegate_postrouting -o eth0 -j zone_wan_postrouting
-A delegate_prerouting -m comment --comment "user chain for prerouting" -j prerouting_rule
-A delegate_prerouting -i br-lan -j zone_lan_prerouting
-A delegate_prerouting -i eth0 -j zone_wan_prerouting
-A zone_lan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_wan_rule
-A zone_wan_postrouting -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_wan_rule
COMMIT
# Completed on Fri Feb 24 23:54:03 2017
# Generated by iptables-save v1.4.21 on Fri Feb 24 23:54:03 2017
*raw
:PREROUTING ACCEPT [30562873:27538250738]
:OUTPUT ACCEPT [92351:9943384]
:delegate_notrack - [0:0]
-A PREROUTING -j delegate_notrack
COMMIT
# Completed on Fri Feb 24 23:54:03 2017
# Generated by iptables-save v1.4.21 on Fri Feb 24 23:54:03 2017
*mangle
:PREROUTING ACCEPT [30562873:27538250738]
:INPUT ACCEPT [86788:8751557]
:FORWARD ACCEPT [30431248:27507406630]
:OUTPUT ACCEPT [92351:9943384]
:POSTROUTING ACCEPT [30523601:27517350687]
:fwmark - [0:0]
:mssfix - [0:0]
-A PREROUTING -j fwmark
-A FORWARD -j mssfix
-A mssfix -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri Feb 24 23:54:03 2017
# Generated by iptables-save v1.4.21 on Fri Feb 24 23:54:03 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:delegate_forward - [0:0]
:delegate_input - [0:0]
:delegate_output - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -j delegate_input
-A FORWARD -s 192.168.3.0/24 -d 192.168.2.0/24 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.2.0/24 -d 192.168.3.0/24 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -d 192.168.2.0/24 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.2.0/24 -d 192.168.1.0/24 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.3.0/24 -d 192.168.2.0/24 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.2.0/24 -d 192.168.3.0/24 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -d 192.168.2.0/24 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.2.0/24 -d 192.168.1.0/24 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -j delegate_forward
-A OUTPUT -j delegate_output
-A delegate_forward -m comment --comment "user chain for forwarding" -j forwarding_rule
-A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_forward -i br-lan -j zone_lan_forward
-A delegate_forward -i eth0 -j zone_wan_forward
-A delegate_forward -j reject
-A delegate_input -i lo -j ACCEPT
-A delegate_input -m comment --comment "user chain for input" -j input_rule
-A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_input -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A delegate_input -i br-lan -j zone_lan_input
-A delegate_input -i eth0 -j zone_wan_input
-A delegate_output -o lo -j ACCEPT
-A delegate_output -m comment --comment "user chain for output" -j output_rule
-A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_output -o br-lan -j zone_lan_output
-A delegate_output -o eth0 -j zone_wan_output
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
-A syn_flood -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -j ACCEPT
-A zone_lan_forward -m comment --comment "user chain for forwarding" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "forwarding lan -> wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_lan_forward -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "user chain for input" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_lan_input -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "user chain for output" -j output_lan_rule
-A zone_lan_output -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0 -j ACCEPT
-A zone_wan_dest_REJECT -o eth0 -j reject
-A zone_wan_forward -m comment --comment "user chain for forwarding" -j forwarding_wan_rule
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_wan_forward -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "user chain for input" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment Allow-DHCP-Renew -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment Allow-Ping -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_wan_input -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "user chain for output" -j output_wan_rule
-A zone_wan_output -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0 -j reject
COMMIT
# Completed on Fri Feb 24 23:54:03 2017


