[strongSwan] Masquerade iptables statements override strongswan policies

readme Sat, 02 Apr 2022 15:01:41 -0700

Hi,

I have strongSwan running on a raspberry pi that has ipsec connections to
an OpenBSD iked gateway and it is working well. However, clients on the 
network behind the pi seem to have issues sending traffic over tunnels 
unless I remove my masquerading iptables configuration; specifically, this
one:


 Chain POSTROUTING (policy ACCEPT)
 target     prot opt source               destination         
 MASQUERADE  all  --  anywhere             anywhere           

Without this entry I'm seeing packets sent upstream outside of the tunnel.

In ASCII art, I'm trying to achieve this fairly standard configuration:

+@@@@@@@@@@+
@ Internet @
+@@@@@@@@@@+
     |
     | 0/0 route 
     |
wlan1:192.168.31.26 (DHCP assigned)
 +----+                                  +-------+
 |swan|~~~~~~~~~~~~~~ipsec tunnel~~~~~~~~|openbsd|
 +----+                                  +-------+     
eth0:10.254.223.1/25                em0:100.64.1.92
wlan0:10.254.223.129/25             lan:10.254.255.1/24

When I start strongSwan without any NAT rules, I'm able to ping from clients
behind the pi device (swan: 10.254.223.128/25, etc.) to 10.254.255.1, but
default route traffic gets dropped from the upstream Internet device (as it
is RFC1918 space and filtered).

Are there specific NAT statements that need to be in place as an exception
to the traffic that will be encapsulated by strongSwan and sent to the 
remote peer?

Any help is appreciated; thank you very much in advance.


# ip xfrm policy
 
src 10.254.223.0/24 dst 192.168.72.0/22 
        dir out priority 376447 
        tmpl src 192.168.31.26 dst 100.64.1.92
                proto esp spi 0xe112339a reqid 1 mode tunnel
src 10.254.223.0/24 dst 10.254.255.0/24 
        dir out priority 375423 
        tmpl src 192.168.31.26 dst 100.64.1.92
                proto esp spi 0xe112339a reqid 1 mode tunnel
src 10.254.223.0/24 dst 10.253.255.0/24 
        dir out priority 375423 
        tmpl src 192.168.31.26 dst 100.64.1.92
                proto esp spi 0xe112339a reqid 1 mode tunnel
src 192.168.72.0/22 dst 10.254.223.0/24 
        dir fwd priority 376447 
        tmpl src 100.64.1.92 dst 192.168.31.26
                proto esp reqid 1 mode tunnel
src 192.168.72.0/22 dst 10.254.223.0/24 
        dir in priority 376447 
        tmpl src 100.64.1.92 dst 192.168.31.26
                proto esp reqid 1 mode tunnel
src 10.254.255.0/24 dst 10.254.223.0/24 
        dir fwd priority 375423 
        tmpl src 100.64.1.92 dst 192.168.31.26
                proto esp reqid 1 mode tunnel
src 10.254.255.0/24 dst 10.254.223.0/24 
        dir in priority 375423 
        tmpl src 100.64.1.92 dst 192.168.31.26
                proto esp reqid 1 mode tunnel
src 10.253.255.0/24 dst 10.254.223.0/24 
        dir fwd priority 375423 
        tmpl src 100.64.1.92 dst 192.168.31.26
                proto esp reqid 1 mode tunnel
src 10.253.255.0/24 dst 10.254.223.0/24 
        dir in priority 375423 
        tmpl src 100.64.1.92 dst 192.168.31.26
                proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket out priority 0 
src ::/0 dst ::/0 
        socket in priority 0 
src ::/0 dst ::/0 
        socket out priority 0 
src ::/0 dst ::/0 
        socket in priority 0 
src ::/0 dst ::/0 
        socket out priority 0 


# iptables -t nat -L

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       udp  --  anywhere             10.254.223.129       udp dpt:domain 
to:127.0.0.1:53
DNAT       tcp  --  anywhere             10.254.223.129       tcp dpt:domain 
to:127.0.0.1:53
DNAT       udp  --  anywhere             10.254.223.1         udp dpt:domain 
to:127.0.0.1:53
DNAT       tcp  --  anywhere             10.254.223.1         tcp dpt:domain 
to:127.0.0.1:53

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere            


# cat /etc/ipsec.conf

config setup
        charondebug="all"
        uniqueids=yes

conn openbsd
    type=tunnel
    auto=start
    keyexchange=ikev2
    authby=secret
    left=%any4
    leftsubnet=10.254.223.0/24
    leftauth=secret
    leftid=swan.example.com
    leftfirewall=yes
    right=100.64.1.92
    rightsubnet=10.253.255.0/24,10.254.255.0/24,192.168.72.0/22
        rightid=openbsd.example.com
        rightauth=secret
        ike=aes256-sha512-prfsha512-ecp521
    esp=aes256-sha512-prfsha512-ecp521
        ikelifetime=4h
    keyingtries=%forever
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart


# cat /var/log/charon_debug.log 

Sat, 2022-04-02, 16:32:40 00[DMN] Starting IKE charon daemon (strongSwan 5.9.1, 
Linux 5.10.103-v7+, armv7l)
Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'aes': loaded successfully
Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'rc2': loaded successfully
Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'sha2': loaded successfully
Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'sha1': loaded successfully
Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'md5': loaded successfully
Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'mgf1': loaded successfully
Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'random': loaded successfully
Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'nonce': loaded successfully
Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'x509': loaded successfully
Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'revocation': loaded successfully
Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'constraints': loaded successfully
Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'pubkey': loaded successfully
Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'pkcs1': loaded successfully
Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'pkcs7': loaded successfully
Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'pkcs8': loaded successfully
Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'pkcs12': loaded successfully
Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'pgp': loaded successfully
Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'dnskey': loaded successfully
Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'sshkey': loaded successfully
Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'pem': loaded successfully
Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'openssl': loaded successfully
Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'fips-prf': loaded successfully
Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'gmp': loaded successfully
Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'agent': loaded successfully
Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'xcbc': loaded successfully
Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'hmac': loaded successfully
Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'gcm': loaded successfully
Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'drbg': loaded successfully
Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'attr': loaded successfully
Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'kernel-netlink': loaded successfully
Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'resolve': loaded successfully
Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'socket-default': loaded successfully
Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'connmark': loaded successfully
Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'stroke': loaded successfully
Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'updown': loaded successfully
Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'eap-mschapv2': loaded successfully
Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'xauth-generic': loaded successfully
Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'counters': loaded successfully
Sat, 2022-04-02, 16:32:40 00[KNL] known interfaces and IP addresses:
Sat, 2022-04-02, 16:32:40 00[KNL]   lo
Sat, 2022-04-02, 16:32:40 00[KNL]     127.0.0.1
Sat, 2022-04-02, 16:32:40 00[KNL]     ::1
Sat, 2022-04-02, 16:32:40 00[KNL]   eth0
Sat, 2022-04-02, 16:32:40 00[KNL]     10.254.223.1
Sat, 2022-04-02, 16:32:40 00[KNL]   wlan0
Sat, 2022-04-02, 16:32:40 00[KNL]     10.254.223.129
Sat, 2022-04-02, 16:32:40 00[KNL]   wlan1
Sat, 2022-04-02, 16:32:40 00[KNL]     192.168.31.26
Sat, 2022-04-02, 16:32:40 00[LIB] feature PUBKEY:BLISS in plugin 'pem' has 
unmet dependency: PUBKEY:BLISS
Sat, 2022-04-02, 16:32:40 00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet 
dependency: PUBKEY:DSA
Sat, 2022-04-02, 16:32:40 00[LIB] feature PRIVKEY:DSA in plugin 'pem' has unmet 
dependency: PRIVKEY:DSA
Sat, 2022-04-02, 16:32:40 00[LIB] feature PRIVKEY:BLISS in plugin 'pem' has 
unmet dependency: PRIVKEY:BLISS
Sat, 2022-04-02, 16:32:40 00[LIB] feature CERT_DECODE:OCSP_REQUEST in plugin 
'pem' has unmet dependency: CERT_DECODE:OCSP_REQUEST
Sat, 2022-04-02, 16:32:40 00[CFG] loading ca certificates from 
'/etc/ipsec.d/cacerts'
Sat, 2022-04-02, 16:32:40 00[CFG] loading aa certificates from 
'/etc/ipsec.d/aacerts'
Sat, 2022-04-02, 16:32:40 00[CFG] loading ocsp signer certificates from 
'/etc/ipsec.d/ocspcerts'
Sat, 2022-04-02, 16:32:40 00[CFG] loading attribute certificates from 
'/etc/ipsec.d/acerts'
Sat, 2022-04-02, 16:32:40 00[CFG] loading crls from '/etc/ipsec.d/crls'
Sat, 2022-04-02, 16:32:40 00[CFG] loading secrets from '/etc/ipsec.secrets'
Sat, 2022-04-02, 16:32:40 00[CFG]   loaded IKE secret for "swan.example.com" 
"openbsd.example.com"
Sat, 2022-04-02, 16:32:40 00[CFG]   loaded IKE secret for "swan.example.com" 
"openbsd.example.com"
Sat, 2022-04-02, 16:32:40 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md5 
mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 
pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr 
kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 
xauth-generic counters
Sat, 2022-04-02, 16:32:40 00[LIB] unable to load 5 plugin features (5 due to 
unmet dependencies)
Sat, 2022-04-02, 16:32:40 00[LIB] dropped capabilities, running as uid 0, gid 0
Sat, 2022-04-02, 16:32:40 00[JOB] spawning 16 worker threads
Sat, 2022-04-02, 16:32:40 01[LIB] created thread 01 [1714]
Sat, 2022-04-02, 16:32:40 02[LIB] created thread 02 [1715]
Sat, 2022-04-02, 16:32:40 03[LIB] created thread 03 [1716]
Sat, 2022-04-02, 16:32:40 04[LIB] created thread 04 [1717]
Sat, 2022-04-02, 16:32:40 05[LIB] created thread 05 [1718]
Sat, 2022-04-02, 16:32:40 06[LIB] created thread 06 [1719]
Sat, 2022-04-02, 16:32:40 07[LIB] created thread 07 [1720]
Sat, 2022-04-02, 16:32:40 08[LIB] created thread 08 [1721]
Sat, 2022-04-02, 16:32:40 09[LIB] created thread 09 [1722]
Sat, 2022-04-02, 16:32:40 10[LIB] created thread 10 [1723]
Sat, 2022-04-02, 16:32:40 11[LIB] created thread 11 [1724]
Sat, 2022-04-02, 16:32:40 12[LIB] created thread 12 [1725]
Sat, 2022-04-02, 16:32:40 13[LIB] created thread 13 [1726]
Sat, 2022-04-02, 16:32:40 14[LIB] created thread 14 [1727]
Sat, 2022-04-02, 16:32:40 15[LIB] created thread 15 [1728]
Sat, 2022-04-02, 16:32:40 16[LIB] created thread 16 [1729]
Sat, 2022-04-02, 16:32:40 06[CFG] received stroke: add connection 'openbsd'
Sat, 2022-04-02, 16:32:40 06[CFG] conn openbsd
Sat, 2022-04-02, 16:32:40 06[CFG]   left=%any4
Sat, 2022-04-02, 16:32:40 06[CFG]   leftsubnet=10.254.223.0/24
Sat, 2022-04-02, 16:32:40 06[CFG]   leftauth=secret
Sat, 2022-04-02, 16:32:40 06[CFG]   leftid=swan.example.com
Sat, 2022-04-02, 16:32:40 06[CFG]   leftupdown=ipsec _updown iptables
Sat, 2022-04-02, 16:32:40 06[CFG]   right=100.64.1.92
Sat, 2022-04-02, 16:32:40 06[CFG]   
rightsubnet=10.253.255.0/24,10.254.255.0/24,192.168.72.0/22
Sat, 2022-04-02, 16:32:40 06[CFG]   rightauth=secret
Sat, 2022-04-02, 16:32:40 06[CFG]   rightid=openbsd.example.com
Sat, 2022-04-02, 16:32:40 06[CFG]   ike=aes256-sha512-prfsha512-ecp521
Sat, 2022-04-02, 16:32:40 06[CFG]   esp=aes256-sha512-prfsha512-ecp521
Sat, 2022-04-02, 16:32:40 06[CFG]   dpddelay=30
Sat, 2022-04-02, 16:32:40 06[CFG]   dpdtimeout=120
Sat, 2022-04-02, 16:32:40 06[CFG]   dpdaction=3
Sat, 2022-04-02, 16:32:40 06[CFG]   sha256_96=no
Sat, 2022-04-02, 16:32:40 06[CFG]   mediation=no
Sat, 2022-04-02, 16:32:40 06[CFG]   keyexchange=ikev2
Sat, 2022-04-02, 16:32:40 06[KNL] 100.64.1.92 is not a local address or the 
interface is down
Sat, 2022-04-02, 16:32:40 06[CFG] added configuration 'openbsd'
Sat, 2022-04-02, 16:32:40 07[CFG] received stroke: initiate 'openbsd'
Sat, 2022-04-02, 16:32:40 07[KNL] <openbsd|1> using 192.168.31.26 as address to 
reach 100.64.1.92/32
Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1> queueing IKE_VENDOR task
Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1> queueing IKE_INIT task
Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1> queueing IKE_NATD task
Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1> queueing IKE_CERT_PRE task
Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1> queueing IKE_AUTH task
Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1> queueing IKE_CERT_POST task
Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1> queueing IKE_CONFIG task
Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1> queueing IKE_AUTH_LIFETIME task
Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1> queueing IKE_MOBIKE task
Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1> queueing IKE_ME task
Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1> queueing CHILD_CREATE task
Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1> activating new tasks
Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1>   activating IKE_VENDOR task
Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1>   activating IKE_INIT task
Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1>   activating IKE_NATD task
Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1>   activating IKE_CERT_PRE task
Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1>   activating IKE_ME task
Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1>   activating IKE_AUTH task
Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1>   activating IKE_CERT_POST task
Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1>   activating IKE_CONFIG task
Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1>   activating CHILD_CREATE task
Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1>   activating IKE_AUTH_LIFETIME 
task
Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1>   activating IKE_MOBIKE task
Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1> initiating IKE_SA openbsd[1] to 
100.64.1.92
Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1> IKE_SA openbsd[1] state change: 
CREATED => CONNECTING
Sat, 2022-04-02, 16:32:40 07[CFG] <openbsd|1> configured proposals: 
IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521, 
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048,
 
IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Sat, 2022-04-02, 16:32:40 07[CFG] <openbsd|1> sending supported signature hash 
algorithms: sha256 sha384 sha512 identity
Sat, 2022-04-02, 16:32:40 07[ENC] <openbsd|1> generating IKE_SA_INIT request 0 
[ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sat, 2022-04-02, 16:32:40 07[NET] <openbsd|1> sending packet: from 
192.168.31.26[500] to 100.64.1.92[500] (880 bytes)
Sat, 2022-04-02, 16:32:40 09[NET] <openbsd|1> received packet: from 
100.64.1.92[500] to 192.168.31.26[500] (322 bytes)
Sat, 2022-04-02, 16:32:40 09[ENC] <openbsd|1> parsed IKE_SA_INIT response 0 [ 
SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Sat, 2022-04-02, 16:32:40 09[IKE] <openbsd|1> received 
SIGNATURE_HASH_ALGORITHMS notify
Sat, 2022-04-02, 16:32:40 09[CFG] <openbsd|1> selecting proposal:
Sat, 2022-04-02, 16:32:40 09[CFG] <openbsd|1>   proposal matches
Sat, 2022-04-02, 16:32:40 09[CFG] <openbsd|1> received proposals: 
IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521
Sat, 2022-04-02, 16:32:40 09[CFG] <openbsd|1> configured proposals: 
IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521, 
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048,
 
IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Sat, 2022-04-02, 16:32:40 09[CFG] <openbsd|1> selected proposal: 
IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521
Sat, 2022-04-02, 16:32:40 09[CFG] <openbsd|1> received supported signature hash 
algorithms: sha256 sha384 sha512
Sat, 2022-04-02, 16:32:40 09[IKE] <openbsd|1> local host is behind NAT, sending 
keep alives
Sat, 2022-04-02, 16:32:40 09[IKE] <openbsd|1> reinitiating already active tasks
Sat, 2022-04-02, 16:32:40 09[IKE] <openbsd|1>   IKE_CERT_PRE task
Sat, 2022-04-02, 16:32:40 09[IKE] <openbsd|1>   IKE_AUTH task
Sat, 2022-04-02, 16:32:40 09[IKE] <openbsd|1> authentication of 
'swan.example.com' (myself) with pre-shared key
Sat, 2022-04-02, 16:32:40 09[IKE] <openbsd|1> successfully created shared key 
MAC
Sat, 2022-04-02, 16:32:40 09[CFG] <openbsd|1> proposing traffic selectors for 
us:
Sat, 2022-04-02, 16:32:40 09[CFG] <openbsd|1>  10.254.223.0/24
Sat, 2022-04-02, 16:32:40 09[CFG] <openbsd|1> proposing traffic selectors for 
other:
Sat, 2022-04-02, 16:32:40 09[CFG] <openbsd|1>  10.253.255.0/24
Sat, 2022-04-02, 16:32:40 09[CFG] <openbsd|1>  10.254.255.0/24
Sat, 2022-04-02, 16:32:40 09[CFG] <openbsd|1>  192.168.72.0/22
Sat, 2022-04-02, 16:32:40 09[CFG] <openbsd|1> configured proposals: 
ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ, 
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ,
 ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256
Sat, 2022-04-02, 16:32:40 09[IKE] <openbsd|1> establishing CHILD_SA openbsd{1}
Sat, 2022-04-02, 16:32:40 09[KNL] <openbsd|1> got SPI cda16a87
Sat, 2022-04-02, 16:32:40 09[ENC] <openbsd|1> generating IKE_AUTH request 1 [ 
IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) 
N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Sat, 2022-04-02, 16:32:40 09[NET] <openbsd|1> sending packet: from 
192.168.31.26[4500] to 100.64.1.92[4500] (544 bytes)
Sat, 2022-04-02, 16:32:40 10[NET] <openbsd|1> received packet: from 
100.64.1.92[4500] to 192.168.31.26[4500] (336 bytes)
Sat, 2022-04-02, 16:32:40 10[ENC] <openbsd|1> parsed IKE_AUTH response 1 [ IDr 
AUTH N(MOBIKE_SUP) SA TSi TSr ]
Sat, 2022-04-02, 16:32:40 10[IKE] <openbsd|1> authentication of 
'openbsd.example.com' with pre-shared key successful
Sat, 2022-04-02, 16:32:40 10[IKE] <openbsd|1> IKE_SA openbsd[1] established 
between 192.168.31.26[swan.example.com]...100.64.1.92[openbsd.example.com]
Sat, 2022-04-02, 16:32:40 10[IKE] <openbsd|1> IKE_SA openbsd[1] state change: 
CONNECTING => ESTABLISHED
Sat, 2022-04-02, 16:32:40 10[IKE] <openbsd|1> scheduling reauthentication in 
13362s
Sat, 2022-04-02, 16:32:40 10[IKE] <openbsd|1> maximum IKE_SA lifetime 13902s
Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1> selecting proposal:
Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1>   proposal matches
Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1> received proposals: 
ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ
Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1> configured proposals: 
ESP:AES_CBC_256/HMAC_SHA2_512_256/ECP_521/NO_EXT_SEQ, 
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ,
 ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256
Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1> selected proposal: 
ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ
Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1> selecting traffic selectors for 
us:
Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1>  config: 10.254.223.0/24, 
received: 10.254.223.0/24 => match: 10.254.223.0/24
Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1> selecting traffic selectors for 
other:
Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1>  config: 10.253.255.0/24, 
received: 192.168.72.0/22 => no match
Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1>  config: 10.253.255.0/24, 
received: 10.253.255.0/24 => match: 10.253.255.0/24
Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1>  config: 10.253.255.0/24, 
received: 10.254.255.0/24 => no match
Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1>  config: 10.253.255.0/24, 
received: 10.255.255.0/24 => no match
Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1>  config: 10.254.255.0/24, 
received: 192.168.72.0/22 => no match
Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1>  config: 10.254.255.0/24, 
received: 10.253.255.0/24 => no match
Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1>  config: 10.254.255.0/24, 
received: 10.254.255.0/24 => match: 10.254.255.0/24
Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1>  config: 10.254.255.0/24, 
received: 10.255.255.0/24 => no match
Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1>  config: 192.168.72.0/22, 
received: 192.168.72.0/22 => match: 192.168.72.0/22
Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1>  config: 192.168.72.0/22, 
received: 10.253.255.0/24 => no match
Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1>  config: 192.168.72.0/22, 
received: 10.254.255.0/24 => no match
Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1>  config: 192.168.72.0/22, 
received: 10.255.255.0/24 => no match
Sat, 2022-04-02, 16:32:40 10[CHD] <openbsd|1> CHILD_SA openbsd{1} state change: 
CREATED => INSTALLING
Sat, 2022-04-02, 16:32:40 10[CHD] <openbsd|1>   using AES_CBC for encryption
Sat, 2022-04-02, 16:32:40 10[CHD] <openbsd|1>   using HMAC_SHA2_512_256 for 
integrity
Sat, 2022-04-02, 16:32:40 10[CHD] <openbsd|1> adding inbound ESP SA
Sat, 2022-04-02, 16:32:40 10[CHD] <openbsd|1>   SPI 0xcda16a87, src 100.64.1.92 
dst 192.168.31.26
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> adding SAD entry with SPI 
cda16a87 and reqid {1}
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1>   using encryption algorithm 
AES_CBC with key size 256
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1>   using integrity algorithm 
HMAC_SHA2_512_256 with key size 512
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1>   using replay window of 32 
packets
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1>   HW offload: no
Sat, 2022-04-02, 16:32:40 10[CHD] <openbsd|1> adding outbound ESP SA
Sat, 2022-04-02, 16:32:40 10[CHD] <openbsd|1>   SPI 0x7e5fb1a3, src 
192.168.31.26 dst 100.64.1.92
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> adding SAD entry with SPI 
7e5fb1a3 and reqid {1}
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1>   using encryption algorithm 
AES_CBC with key size 256
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1>   using integrity algorithm 
HMAC_SHA2_512_256 with key size 512
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1>   using replay window of 0 packets
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1>   HW offload: no
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> adding policy 10.253.255.0/24 === 
10.254.223.0/24 in [priority 375423, refcount 1]
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> adding policy 10.253.255.0/24 === 
10.254.223.0/24 fwd [priority 375423, refcount 1]
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> adding policy 10.254.223.0/24 === 
10.253.255.0/24 out [priority 375423, refcount 1]
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> getting a local address in 
traffic selector 10.254.223.0/24
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> using host 10.254.223.1
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> getting iface name for index 4
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> using 192.168.28.1 as nexthop and 
wlan1 as dev to reach 100.64.1.92/32
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> installing route: 10.253.255.0/24 
via 192.168.28.1 src 10.254.223.1 dev wlan1
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> getting iface index for wlan1
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> adding policy 10.254.255.0/24 === 
10.254.223.0/24 in [priority 375423, refcount 1]
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> adding policy 10.254.255.0/24 === 
10.254.223.0/24 fwd [priority 375423, refcount 1]
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> adding policy 10.254.223.0/24 === 
10.254.255.0/24 out [priority 375423, refcount 1]
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> getting a local address in 
traffic selector 10.254.223.0/24
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> using host 10.254.223.1
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> getting iface name for index 4
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> using 192.168.28.1 as nexthop and 
wlan1 as dev to reach 100.64.1.92/32
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> installing route: 10.254.255.0/24 
via 192.168.28.1 src 10.254.223.1 dev wlan1
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> getting iface index for wlan1
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> adding policy 192.168.72.0/22 === 
10.254.223.0/24 in [priority 376447, refcount 1]
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> adding policy 192.168.72.0/22 === 
10.254.223.0/24 fwd [priority 376447, refcount 1]
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> adding policy 10.254.223.0/24 === 
192.168.72.0/22 out [priority 376447, refcount 1]
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> getting a local address in 
traffic selector 10.254.223.0/24
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> using host 10.254.223.1
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> getting iface name for index 4
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> using 192.168.28.1 as nexthop and 
wlan1 as dev to reach 100.64.1.92/32
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> installing route: 192.168.72.0/22 
via 192.168.28.1 src 10.254.223.1 dev wlan1
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> getting iface index for wlan1
Sat, 2022-04-02, 16:32:40 10[IKE] <openbsd|1> CHILD_SA openbsd{1} established 
with SPIs cda16a87_i 7e5fb1a3_o and TS 10.254.223.0/24 === 10.253.255.0/24 
10.254.255.0/24 192.168.72.0/22
Sat, 2022-04-02, 16:32:40 10[CHD] <openbsd|1> CHILD_SA openbsd{1} state change: 
INSTALLING => INSTALLED
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> getting iface name for index 4
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> using 192.168.28.1 as nexthop and 
wlan1 as dev to reach 100.64.1.92/32
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> getting iface name for index 4
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> using 192.168.28.1 as nexthop and 
wlan1 as dev to reach 100.64.1.92/32
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> getting iface name for index 4
Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> using 192.168.28.1 as nexthop and 
wlan1 as dev to reach 100.64.1.92/32
Sat, 2022-04-02, 16:32:40 10[IKE] <openbsd|1> peer supports MOBIKE
Sat, 2022-04-02, 16:32:40 10[IKE] <openbsd|1> activating new tasks
Sat, 2022-04-02, 16:32:40 10[IKE] <openbsd|1> nothing to initiate

[strongSwan] Masquerade iptables statements override strongswan policies

Reply via email to