You need to accepts ESP packets in *filter INPUT (-p esp).

On 12.03.2018 06:01, Brenden wrote:
> I'm guessing my NAT rules may be messed up, any ideas what might be wrong?
> 
> 
> # iptables-save
> # Generated by iptables-save v1.6.0 on Mon Mar 12 14:22:04 2018
> *nat
> :PREROUTING ACCEPT [14:1916]
> :INPUT ACCEPT [14:1916]
> :OUTPUT ACCEPT [37:2220]
> :POSTROUTING ACCEPT [18:1080]
> -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
> -A POSTROUTING -s 1.2.3.112/24 <http://1.2.3.112/24> -o ens33 -m policy --dir 
> out --pol ipsec -j ACCEPT
> -A POSTROUTING -s 1.2.3.112/24 <http://1.2.3.112/24> -o ens33 -j MASQUERADE
> -A POSTROUTING -s 1.2.3.112/24 <http://1.2.3.112/24> -o ens33 -m policy --dir 
> out --pol ipsec -j ACCEPT
> -A POSTROUTING -s 1.2.3.112/24 <http://1.2.3.112/24> -o ens33 -j MASQUERADE
> COMMIT
> # Completed on Mon Mar 12 14:22:04 2018
> # Generated by iptables-save v1.6.0 on Mon Mar 12 14:22:04 2018
> *filter
> :INPUT ACCEPT [74:14670]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [215:33304]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
> -A FORWARD -s 1.2.3.112/24 <http://1.2.3.112/24> -m policy --dir in --pol 
> ipsec --proto esp -j ACCEPT
> -A FORWARD -d 1.2.3.112/24 <http://1.2.3.112/24> -m policy --dir out --pol 
> ipsec --proto esp -j ACCEPT
> -A FORWARD -s 1.2.3.112/24 <http://1.2.3.112/24> -m policy --dir in --pol 
> ipsec --proto esp -j ACCEPT
> -A FORWARD -d 1.2.3.112/24 <http://1.2.3.112/24> -m policy --dir out --pol 
> ipsec --proto esp -j ACCEPT
> COMMIT
> # Completed on Mon Mar 12 14:22:04 2018
> 
> 
> On 8 March 2018 at 20:34, Noel Kuntze 
> <noel.kuntze+strongswan-users-ml@thermi.consulting 
> <mailto:noel.kuntze+strongswan-users-ml@thermi.consulting>> wrote:
> 
>     Hi,
> 
>     Your iptables rules in the *nat table probably cause your issue.
> 
>     Take a look at the article about forwarding and split tunneling[1]. And 
> stop using `iptables -L`, it doesn't show you everything. Always use 
> `iptables-save` or `iptables-save -c` instead.
> 
>     Kind regards
> 
>     Noel
> 
>     [1] 
> https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#General-NAT-problems
>  
> <https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#General-NAT-problems>
> 
>     On 07.03.2018 05:37, Brenden wrote:
>     > Hi All,
>     >
>     > I'm attempting to run StrongSwan on Ubuntu 16.04.3 LTS.
>     >
>     > IPs chanaged for privacy:
>     >
>     > My server IP 110.0.0.110
>     > My subnet is 110.0.0.0/25 <http://110.0.0.0/25>
>     > Internal IP: 192.168.50.214
>     > Remote Peers: 1.2.3.111 (pri) / 1.2.3.112 (sec)
>     >
>     > The primary connection is currently not configured (its still running on
>     > our hardware FW) but the secondary one has been re-configured with the
>     > other peer and connection successfully establishes.
>     >
>     > They can see our successful connection is up but can't see any traffic
>     > being sent from our side.
>     >
>     > I am running HAPROXY on my strongswans server which forwards traffic 
> from
>     > 192.168.50.214:3333 <http://192.168.50.214:3333> to 10.4.34.70:3333 
> <http://10.4.34.70:3333> (via IPSEC tunnel). I can't ping,
>     > telnet, curl or do anything against this host.
>     >
>     > I have this working in a legacy (undocumented environment on a Fortigate
>     > FW), but that's being replaced.
>     >
>     > # ipsec statusall
>     > Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-109-generic,
>     > x86_64):
>     >   uptime: 51 minutes, since Mar 07 13:21:13 2018
>     >   malloc: sbrk 2588672, mmap 0, used 588944, free 1999728
>     >   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
>     > scheduled: 7
>     >   loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random
>     > nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
>     > dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr
>     > kernel-netlink resolve socket-default connmark farp stroke updown
>     > eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2
>     > eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2
>     > eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic
>     > xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11
>     > tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
>     > Listening IP addresses:
>     >   110.0.0.110
>     >   192.168.50.214
>     > Connections:
>     >      ipsec-pri:  110.0.0.110...1.2.3.111  IKEv1, dpddelay=30s
>     >      ipsec-pri:   local:  uses pre-shared key authentication
>     >      ipsec-pri:   remote: uses pre-shared key authentication
>     >      ipsec-pri:   child:  110.0.0.0/25 <http://110.0.0.0/25> === 
> 10.5.35.0/24 <http://10.5.35.0/24> TUNNEL,
>     > dpdaction=restart
>     >      ipsec-sec:  110.0.0.110...1.2.3.112  IKEv1, dpddelay=30s
>     >      ipsec-sec:   local:  [110.0.0.110] uses pre-shared key 
> authentication
>     >      ipsec-sec:   remote: uses pre-shared key authentication
>     >      ipsec-sec:   child:  110.0.0.0/25 <http://110.0.0.0/25> === 
> 10.4.34.70/32 <http://10.4.34.70/32> 10.4.34.71/32 <http://10.4.34.71/32>
>     > TUNNEL, dpdaction=restart
>     > Security Associations (1 up, 0 connecting):
>     >      ipsec-sec[2]: ESTABLISHED 51 minutes ago,
>     > 110.0.0.110[110.0.0.110]...1.2.3.112[1.2.3.112]
>     >      ipsec-sec[2]: IKEv1 SPIs: ea2ac47190a16341_i* 6f0f64f9d22fd5c2_r,
>     > pre-shared key reauthentication in 22 hours
>     >      ipsec-sec[2]: IKE proposal:
>     > 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>     >      ipsec-sec{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cc381424_i
>     > 15dd64ce_o
>     >      ipsec-sec{2}:  3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 10140 bytes_o (169
>     > pkts, 1s ago), rekeying in 46 minutes
>     >      ipsec-sec{2}:   110.0.0.0/25 <http://110.0.0.0/25> === 
> 10.4.34.70/32 <http://10.4.34.70/32>
>     >
>     >
>     > /etc/ipsec.conf file:
>     > ##################################
>     > conn ipsec-pri
>     >         ikelifetime=86400s
>     >         authby=secret
>     >         auto=start
>     >         keyexchange=ikev1
>     >         type=tunnel
>     >         left=110.0.0.110
>     >         leftid=%any
>     >         leftsubnet=110.0.0.0/25 <http://110.0.0.0/25>
>     >         right=1.2.3.111
>     >         rightid=%any
>     >         rightsubnet=10.5.35.0/24 <http://10.5.35.0/24>
>     >         ike=3des-sha1-modp1024
>     >         esp=3des-sha1-modp1024
>     >         dpdaction=restart
>     >
>     >
>     > conn ipsec-sec
>     >         ikelifetime=86400s
>     >         authby=secret
>     >         auto=start
>     >         keyexchange=ikev1
>     >         type=tunnel
>     >         left=110.0.0.110
>     >         leftid=%any
>     >         leftsubnet=110.0.0.0/25 <http://110.0.0.0/25>
>     >         right==1.2.3.112
>     >         rightid=%any
>     >         rightsubnet=10.4.34.70/32,10.4.34.71/32 
> <http://10.4.34.70/32,10.4.34.71/32>
>     >         ike=3des-sha1-modp1024
>     >         esp=3des-sha1-modp1024
>     >         dpdaction=restart
>     > ##################################
>     >
>     > ~# iptables -L
>     > Chain INPUT (policy ACCEPT)
>     > target     prot opt source               destination
>     >
>     > Chain FORWARD (policy ACCEPT)
>     > target     prot opt source               destination
>     >
>     > Chain OUTPUT (policy ACCEPT)
>     > target     prot opt source               destination
>     >
>     > I've enabled forwarding in /etc/sysctl.conf
>     > net.ipv4.ip_forward=1
>     >
>     >
>     > I've been back and forth on this for a few months but just really stuck.
>     >
>     > Any ideas on where i'm going wrong? I hope I've included enough info to
>     > get pointed in the right direction.
>     >
> 
> 

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to