I’ve tweaked my iptables rules, and now traffic from the strongswan client box 
gets routed through the tunnel as expected. Also wifi client (10.88.88.0) 
traffic now gets routed, where it wasn’t before. However, that traffic still 
isn’t going through the tunnel.

Here are the iptables rules when the ipsec connection is established:

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             10.19.48.2           policy match dir in pol ipsec reqid 1 proto esp

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             10.19.48.2           policy match dir in pol ipsec reqid 1 proto esp
ACCEPT     all  --  10.19.48.2           anywhere             policy match dir out pol ipsec reqid 1 proto esp

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.19.48.2           anywhere             policy match dir out pol ipsec reqid 1 proto esp

$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.88.88.0/24        anywhere             policy match dir out pol ipsec
MASQUERADE  all  --  10.88.88.0/24        anywhere


> On Mar 12, 2018, at 7:36 PM, Zachary Cutlip <uid...@icloud.com> wrote:
> 
> Hello,
> 
> I’m trying to set up an IPSec VPN that’s a little different from most 
> projects I’ve seen documented.
> 
> I’m building a NAT router on Debian that I plan to travel with. I guess you 
> might say my strongswan use case is sort of a hybrid between road warrior & 
> site-to-site.
> 
> I’m confused about how to set up ipsec.conf and iptables such that all wifi 
> clients connecting to the NAT router/WiFi AP get their traffic routed over 
> the tunnel.
> 
> Here are some details:
> 
> The Debian box has two interfaces
> - wan0, internet facing, configured via DHCP via whatever network it's 
> connected to
> - lan0, WiFi interface in AP mode with hostapd, 10.88.88.1/24, 
> (There is also a third interface for management: eth0:10.99.99.1)
> 
> dnsmasq gives out DHCP configuration to wifi clients over lan0.
> 
> I’m connecting to a strongswan instance hosted on digital ocean with a fixed 
> IP address.
> 
> When I take the box out of NAT router mode by flushing iptables, I can 
> initiate a connection to the remote instance, and traffic originating from 
> the Debian box seems to go over the tunnel as expected. If I have iptables 
> set up to do NAT routing, and then initiate the VPN connection, two things 
> happen:
> 1. Traffic from the Debian box (such as traceroute 8.8.8.8) is no longer 
> routed over the tunnel.
> 2. Traffic from the wifi clients doesn’t get routed at all.
> 
> I feel like this should be pretty straightforward; I’m just missing 
> something. Any advice?
> 
> Here’s what my iptables looks like when the NAT router is working, and there 
> are no ipsec connections:
> 
> sudo iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> $ sudo iptables -t nat -L
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> MASQUERADE  all  --  anywhere             anywhere
> 
> Here’s the ipsec.conf generated by Trail of Bits’s AlgoVPN (I added the 
> passthroughs):
> 
> $ cat ipsec.conf
> conn ikev2-165.x.x.x
>    fragmentation=yes
>    rekey=no
>    dpdaction=clear
>    keyexchange=ikev2
>    compress=no
>    dpddelay=35s
> 
>    ike=aes128gcm16-prfsha512-ecp256,aes128-sha2_512-prfsha512-ecp256,aes128-sha2_384-prfsha384-ecp256!
>    esp=aes128gcm16-ecp256,aes128-sha2_512-prfsha512-ecp256!
> 
>    right=165.x.x.x
>    rightid=165.x.x.x
>    rightsubnet=0.0.0.0/0
>    rightauth=pubkey
> 
>    leftsourceip=%config
>    leftauth=pubkey
>    leftcert=zach.crt
>    leftfirewall=yes
>    left=%defaultroute
> 
>    auto=add
> 
> conn mgmt-passthrough
>    leftsubnet=10.99.99.0/24 # Replace with your LAN subnet
>    rightsubnet=10.99.99.0/24 # Replace with your LAN subnet
>    authby=never # No authentication necessary
>    type=pass # passthrough
>    auto=route # no need to ipsec up lan-passthrough
> 
> 
> conn wifi-passthrough
>    leftsubnet=10.88.88.0/24 # Replace with your LAN subnet
>    rightsubnet=10.88.88.0/24 # Replace with your LAN subnet
>    authby=never # No authentication necessary
>    type=pass # passthrough
>    auto=route # no need to ipsec up lan-passthrough
> 
> 
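As an added check (not from this thread), the Python below parses `iptables -L` text in the format shown above and verifies that the nat POSTROUTING chain accepts LAN traffic matching an outbound IPsec policy before any MASQUERADE rule rewrites it, which is the difference between the original ruleset (a single MASQUERADE for everything) and the tweaked one in the reply. The sample input is constructed from the reply's nat table; function names are mine.

```python
"""Parse `iptables -L` output and check nat POSTROUTING ordering for an
IPsec NAT router (added example, not code from the thread)."""
import re
from typing import Dict, List

# Constructed sample: the nat table from the reply, with wrapped lines joined.
NAT_TABLE = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.88.88.0/24        anywhere             policy match dir out pol ipsec
MASQUERADE  all  --  10.88.88.0/24        anywhere
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\)")
FIELDS = ("target", "prot", "opt", "source", "destination")


def parse_chains(text: str) -> Dict[str, List[dict]]:
    """Return {chain_name: [rule dicts]} preserving rule order."""
    chains: Dict[str, List[dict]] = {}
    current = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        # Skip blank lines, the column header, and anything before a chain.
        if not line.strip() or line.startswith("target") or current is None:
            continue
        parts = line.split(None, 5)  # 5 fixed columns, then match options
        rule = dict(zip(FIELDS, parts[:5]))
        rule["extra"] = parts[5] if len(parts) > 5 else ""
        chains[current].append(rule)
    return chains


def ipsec_exempt_before_masquerade(chains: Dict[str, List[dict]], lan: str) -> bool:
    """True if POSTROUTING accepts LAN packets that match an outbound IPsec
    policy before a MASQUERADE rule that would also apply to them."""
    for rule in chains.get("POSTROUTING", []):
        if rule["source"] not in (lan, "anywhere"):
            continue  # rule cannot apply to our LAN traffic
        ipsec_out = "pol ipsec" in rule["extra"] and "dir out" in rule["extra"]
        if rule["target"] == "ACCEPT" and ipsec_out:
            return True
        if rule["target"] == "MASQUERADE":
            return False  # masqueraded before any IPsec exemption
    return False
```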