Hi, Your iptables rules in the *nat table probably cause your issue.
Take a look at the article about forwarding and split tunneling[1]. And stop using `iptables -L`, it doesn't show you everything. Always use `iptables-save` or `iptables-save -c` instead. Kind regards Noel [1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#General-NAT-problems On 07.03.2018 05:37, Brenden wrote: > Hi All, > > I'm attempting to run StrongSwan on Ubuntu 16.04.3 LTS. > > IPs chanaged for privacy: > > My server IP 110.0.0.110 > My subnet is 110.0.0.0/25 > Internal IP: 192.168.50.214 > Remote Peers: 1.2.3.111 (pri) / 1.2.3.112 (sec) > > The primary connection is currently not configured (its still running on > our hardware FW) but the secondary one has been re-configured with the > other peer and connection successfully establishes. > > They can see our successful connection is up but can't see any traffic > being sent from our side. > > I am running HAPROXY on my strongswans server which forwards traffic from > 192.168.50.214:3333 to 10.4.34.70:3333 (via IPSEC tunnel). I can't ping, > telnet, curl or do anything against this host. > > I have this working in a legacy (undocumented environment on a Fortigate > FW), but that's being replaced. > > # ipsec statusall > Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-109-generic, > x86_64): > uptime: 51 minutes, since Mar 07 13:21:13 2018 > malloc: sbrk 2588672, mmap 0, used 588944, free 1999728 > worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, > scheduled: 7 > loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random > nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp > dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr > kernel-netlink resolve socket-default connmark farp stroke updown > eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 > eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 > eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic > xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 > tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity > Listening IP addresses: > 110.0.0.110 > 192.168.50.214 > Connections: > ipsec-pri: 110.0.0.110...1.2.3.111 IKEv1, dpddelay=30s > ipsec-pri: local: uses pre-shared key authentication > ipsec-pri: remote: uses pre-shared key authentication > ipsec-pri: child: 110.0.0.0/25 === 10.5.35.0/24 TUNNEL, > dpdaction=restart > ipsec-sec: 110.0.0.110...1.2.3.112 IKEv1, dpddelay=30s > ipsec-sec: local: [110.0.0.110] uses pre-shared key authentication > ipsec-sec: remote: uses pre-shared key authentication > ipsec-sec: child: 110.0.0.0/25 === 10.4.34.70/32 10.4.34.71/32 > TUNNEL, dpdaction=restart > Security Associations (1 up, 0 connecting): > ipsec-sec[2]: ESTABLISHED 51 minutes ago, > 110.0.0.110[110.0.0.110]...1.2.3.112[1.2.3.112] > ipsec-sec[2]: IKEv1 SPIs: ea2ac47190a16341_i* 6f0f64f9d22fd5c2_r, > pre-shared key reauthentication in 22 hours > ipsec-sec[2]: IKE proposal: > 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 > ipsec-sec{2}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cc381424_i > 15dd64ce_o > ipsec-sec{2}: 3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 10140 bytes_o (169 > pkts, 1s ago), rekeying in 46 minutes > ipsec-sec{2}: 110.0.0.0/25 === 10.4.34.70/32 > > > /etc/ipsec.conf file: > ################################## > conn ipsec-pri > ikelifetime=86400s > authby=secret > auto=start > keyexchange=ikev1 > type=tunnel > left=110.0.0.110 > leftid=%any > leftsubnet=110.0.0.0/25 > right=1.2.3.111 > rightid=%any > rightsubnet=10.5.35.0/24 > ike=3des-sha1-modp1024 > esp=3des-sha1-modp1024 > dpdaction=restart > > > conn ipsec-sec > ikelifetime=86400s > authby=secret > auto=start > keyexchange=ikev1 > type=tunnel > left=110.0.0.110 > leftid=%any > leftsubnet=110.0.0.0/25 > right==1.2.3.112 > rightid=%any > rightsubnet=10.4.34.70/32,10.4.34.71/32 > ike=3des-sha1-modp1024 > esp=3des-sha1-modp1024 > dpdaction=restart > ################################## > > ~# iptables -L > Chain INPUT (policy ACCEPT) > target prot opt source destination > > Chain FORWARD (policy ACCEPT) > target prot opt source destination > > Chain OUTPUT (policy ACCEPT) > target prot opt source destination > > I've enabled forwarding in /etc/sysctl.conf > net.ipv4.ip_forward=1 > > > I've been back and forth on this for a few months but just really stuck. > > Any ideas on where i'm going wrong? I hope I've included enough info to > get pointed in the right direction. >
signature.asc
Description: OpenPGP digital signature