I'm guessing my NAT rules may be messed up, any ideas what might be wrong?
# iptables-save # Generated by iptables-save v1.6.0 on Mon Mar 12 14:22:04 2018 *nat :PREROUTING ACCEPT [14:1916] :INPUT ACCEPT [14:1916] :OUTPUT ACCEPT [37:2220] :POSTROUTING ACCEPT [18:1080] -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT -A POSTROUTING -s 1.2.3.112/24 -o ens33 -m policy --dir out --pol ipsec -j ACCEPT -A POSTROUTING -s 1.2.3.112/24 -o ens33 -j MASQUERADE -A POSTROUTING -s 1.2.3.112/24 -o ens33 -m policy --dir out --pol ipsec -j ACCEPT -A POSTROUTING -s 1.2.3.112/24 -o ens33 -j MASQUERADE COMMIT # Completed on Mon Mar 12 14:22:04 2018 # Generated by iptables-save v1.6.0 on Mon Mar 12 14:22:04 2018 *filter :INPUT ACCEPT [74:14670] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [215:33304] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p udp -m udp --dport 500 -j ACCEPT -A INPUT -p udp -m udp --dport 4500 -j ACCEPT -A FORWARD -s 1.2.3.112/24 -m policy --dir in --pol ipsec --proto esp -j ACCEPT -A FORWARD -d 1.2.3.112/24 -m policy --dir out --pol ipsec --proto esp -j ACCEPT -A FORWARD -s 1.2.3.112/24 -m policy --dir in --pol ipsec --proto esp -j ACCEPT -A FORWARD -d 1.2.3.112/24 -m policy --dir out --pol ipsec --proto esp -j ACCEPT COMMIT # Completed on Mon Mar 12 14:22:04 2018 On 8 March 2018 at 20:34, Noel Kuntze < [email protected]> wrote: > Hi, > > Your iptables rules in the *nat table probably cause your issue. > > Take a look at the article about forwarding and split tunneling[1]. And > stop using `iptables -L`, it doesn't show you everything. Always use > `iptables-save` or `iptables-save -c` instead. > > Kind regards > > Noel > > [1] https://wiki.strongswan.org/projects/strongswan/wiki/ > ForwardingAndSplitTunneling#General-NAT-problems > > On 07.03.2018 05:37, Brenden wrote: > > Hi All, > > > > I'm attempting to run StrongSwan on Ubuntu 16.04.3 LTS. > > > > IPs chanaged for privacy: > > > > My server IP 110.0.0.110 > > My subnet is 110.0.0.0/25 > > Internal IP: 192.168.50.214 > > Remote Peers: 1.2.3.111 (pri) / 1.2.3.112 (sec) > > > > The primary connection is currently not configured (its still running on > > our hardware FW) but the secondary one has been re-configured with the > > other peer and connection successfully establishes. > > > > They can see our successful connection is up but can't see any traffic > > being sent from our side. > > > > I am running HAPROXY on my strongswans server which forwards traffic from > > 192.168.50.214:3333 to 10.4.34.70:3333 (via IPSEC tunnel). I can't ping, > > telnet, curl or do anything against this host. > > > > I have this working in a legacy (undocumented environment on a Fortigate > > FW), but that's being replaced. > > > > # ipsec statusall > > Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-109-generic, > > x86_64): > > uptime: 51 minutes, since Mar 07 13:21:13 2018 > > malloc: sbrk 2588672, mmap 0, used 588944, free 1999728 > > worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, > > scheduled: 7 > > loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random > > nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp > > dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr > > kernel-netlink resolve socket-default connmark farp stroke updown > > eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 > > eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 > > eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic > > xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 > > tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity > > Listening IP addresses: > > 110.0.0.110 > > 192.168.50.214 > > Connections: > > ipsec-pri: 110.0.0.110...1.2.3.111 IKEv1, dpddelay=30s > > ipsec-pri: local: uses pre-shared key authentication > > ipsec-pri: remote: uses pre-shared key authentication > > ipsec-pri: child: 110.0.0.0/25 === 10.5.35.0/24 TUNNEL, > > dpdaction=restart > > ipsec-sec: 110.0.0.110...1.2.3.112 IKEv1, dpddelay=30s > > ipsec-sec: local: [110.0.0.110] uses pre-shared key > authentication > > ipsec-sec: remote: uses pre-shared key authentication > > ipsec-sec: child: 110.0.0.0/25 === 10.4.34.70/32 10.4.34.71/32 > > TUNNEL, dpdaction=restart > > Security Associations (1 up, 0 connecting): > > ipsec-sec[2]: ESTABLISHED 51 minutes ago, > > 110.0.0.110[110.0.0.110]...1.2.3.112[1.2.3.112] > > ipsec-sec[2]: IKEv1 SPIs: ea2ac47190a16341_i* 6f0f64f9d22fd5c2_r, > > pre-shared key reauthentication in 22 hours > > ipsec-sec[2]: IKE proposal: > > 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 > > ipsec-sec{2}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cc381424_i > > 15dd64ce_o > > ipsec-sec{2}: 3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 10140 bytes_o (169 > > pkts, 1s ago), rekeying in 46 minutes > > ipsec-sec{2}: 110.0.0.0/25 === 10.4.34.70/32 > > > > > > /etc/ipsec.conf file: > > ################################## > > conn ipsec-pri > > ikelifetime=86400s > > authby=secret > > auto=start > > keyexchange=ikev1 > > type=tunnel > > left=110.0.0.110 > > leftid=%any > > leftsubnet=110.0.0.0/25 > > right=1.2.3.111 > > rightid=%any > > rightsubnet=10.5.35.0/24 > > ike=3des-sha1-modp1024 > > esp=3des-sha1-modp1024 > > dpdaction=restart > > > > > > conn ipsec-sec > > ikelifetime=86400s > > authby=secret > > auto=start > > keyexchange=ikev1 > > type=tunnel > > left=110.0.0.110 > > leftid=%any > > leftsubnet=110.0.0.0/25 > > right==1.2.3.112 > > rightid=%any > > rightsubnet=10.4.34.70/32,10.4.34.71/32 > > ike=3des-sha1-modp1024 > > esp=3des-sha1-modp1024 > > dpdaction=restart > > ################################## > > > > ~# iptables -L > > Chain INPUT (policy ACCEPT) > > target prot opt source destination > > > > Chain FORWARD (policy ACCEPT) > > target prot opt source destination > > > > Chain OUTPUT (policy ACCEPT) > > target prot opt source destination > > > > I've enabled forwarding in /etc/sysctl.conf > > net.ipv4.ip_forward=1 > > > > > > I've been back and forth on this for a few months but just really stuck. > > > > Any ideas on where i'm going wrong? I hope I've included enough info to > > get pointed in the right direction. > > > >
