List:       strongswan-users
Subject:    Re: [strongSwan] Strongswan NAT problem
From:       Noel Kuntze <noel () familie-kuntze ! de>
Date:       2015-08-06 2:44:36
Message-ID: 55C2CA14.6040602 () familie-kuntze ! de



Hello Josh,

The tunnel only permits traffic between the PFsense box and 192.168.150.0/24, so of
course it doesn't work.

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 05.08.2015 at 16:51, Josh Madden wrote:
> To anyone who can offer some assistance:
> 
> I have a pfsense appliance establishing an IPSEC tunnel to an Amazon AWS EC2 Ubuntu
> box running StrongSwan 5.1.2. The goal is for LAN users of the pfsense router
> appliance to have all their internet traffic tunneled to the AWS EC2 box and then
> out to the internet. A system on the LAN of the pfsense box can ping the IP of the
> Amazon EC2 box. The Amazon EC2 box can also ping a system on the pfsense LAN. When
> a system on the pfsense LAN tries to send traffic to the internet, I see the
> traffic show up in a running tcpdump on the Amazon EC2 box, but the traffic seems
> to be getting dropped. Watching logs from iptables, I can see that the traffic from
> the IPSEC tunnel arrives at the PREROUTING table with its source address set to the
> pfsense LAN. I've tried adding a number of iptables rules with little success. Any
> assistance is greatly appreciated. Below is some configuration data:
> pfsense:
> LAN subnet: 192.168.150.0/24
> 
> pfsense ipsec configuration:
> key exchange version: v2
> internet protocol: ipv4
> interface: WAN
> remote gateway: <public IP of Amazon EC2 box>
> authentication method: mutual psk
> my identifer: distinguished name: <DN>
> peer identifier: distinguished name: <DN>
> pre-shared key: *********************
> phase 1:
> encryption algorithm: aes 256
> hash algorithm: sha 256
> dh key group: 14
> lifetime: 28800 seconds
> advanced options:
> NAT traversal: auto
> 
> 35x phase2 entries, one for each subnet to be tunneled out to the internet:
> protocol: esp
> 
> pfsense firewall rules are set to allow most traffic (it's behind an IDS and
> firewall -- no blocked packets observed)
> strongswan ipsec configuration:
> config setup
> # strictcrlpolicy=yes
> # uniqueids = no
> cachecrls=yes
> uniqueids=yes
> charondebug="ike 0, knl 0, cfg 0, net 0, enc 0"
> 
> conn %default
> ikelifetime=60m
> keylife=20m
> rekeymargin=20m
> keyingtries=1
> keyexchange=ikev2
> authby=secret
> esp=aes256-sha256
> 
> conn <DN>
> left=<pfsense public IP>
> leftid=<DN>
> leftfirewall=yes
> leftsubnet=192.168.150.0/24
> right=<AWS EC2 host IP>
> rightfirewall=yes
> rightid=<DNS>
> auto=add
> 
> 
> 
> AWS EC2 iptables
> # Generated by iptables-save v1.4.21 on Wed Aug  5 13:43:07 2015
> *nat
> :PREROUTING ACCEPT [382:30387]
> :INPUT ACCEPT [1:468]
> :OUTPUT ACCEPT [4:248]
> :POSTROUTING ACCEPT [15:842]
> -N LOGGING
> -N IPSEC_UNWRAPPED
> -A PREROUTING -s 192.168.150.0/24 -j IPSEC_UNWRAPPED
> 
> -I INPUT 1 -j LOG --log-prefix "packet enter NAT-INPUT "
> -I OUTPUT 1 -j LOG --log-prefix "packet enter NAT-OUTPUT "
> 
> -I POSTROUTING 1 -j LOG --log-prefix "packet enter POSTROUTING "
> -A IPSEC_UNWRAPPED -j LOG --log-prefix "enter IPSEC_UNWRAPPED "
> -A IPSEC_UNWRAPPED -s 192.168.150.0/24 -j ACCEPT
> 
> COMMIT
> # Completed on Wed Aug  5 13:43:07 2015
> # Generated by iptables-save v1.4.21 on Wed Aug  5 13:43:07 2015
> *filter
> :INPUT ACCEPT [324:39841]
> :FORWARD ACCEPT [8:418]
> :OUTPUT ACCEPT [301:64284]
> :LOGGING - [0:0]
> -A INPUT -s <pfsense public ip>/32 -d <amazon public ip>/32 -p udp --dport 4500 -j ACCEPT
> -A INPUT -s <pfsense public ip> -d <amazon public ip>/32 -p tcp --dport 22 -j ACCEPT
> -A INPUT -d <amazon public ip> -p icmp -j ACCEPT
> -A INPUT -j LOGGING
> -A FORWARD -j LOG --log-prefix "enter forward "
> -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -j LOGGING
> -A OUTPUT -s 172.31.17.50/32 -d <pfsense public ip>/32 -p udp --sport 4500 -j ACCEPT
> -A OUTPUT -s 172.31.17.50/32 -d <pfsense public ip>/32 -p tcp --sport 22 -j ACCEPT
> -A OUTPUT -p icmp -d 8.8.8.8 -j LOG --log-prefix "icmp to google "
> _______________________________________________
> Users mailing list
> Users@lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
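Noel's point, checked against Josh's conn as an added example that is not part of the thread: strongSwan derives the CHILD_SA traffic selectors from leftsubnet/rightsubnet, and a missing rightsubnet defaults to the right gateway's own address as a /32, so a LAN packet bound for the Internet never matches the SA. The gateway addresses 198.51.100.20 and 203.0.113.10, the conn strings and the helper names are constructed here.

```python
"""Shows which traffic a strongSwan CHILD_SA carries, given a conn's
leftsubnet/rightsubnet selectors (added example, not from the thread)."""
import ipaddress
import re

# Constructed ipsec.conf fragment mirroring Josh's conn; 198.51.100.20 and
# 203.0.113.10 are documentation-range placeholders for pfSense and EC2.
ORIGINAL_CONN = """
conn pfsense
    left=198.51.100.20
    leftsubnet=192.168.150.0/24
    right=203.0.113.10
    auto=add
"""

# The same conn with the selector the "tunnel all Internet traffic" goal needs.
FIXED_CONN = ORIGINAL_CONN + "    rightsubnet=0.0.0.0/0\n"


def parse_conn(text):
    """Return the key=value settings of a single conn block as a dict."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^\s*(\w+)\s*=\s*(\S+)", text, re.M)}


def traffic_selectors(conn):
    """strongSwan's rule: an omitted leftsubnet/rightsubnet is the gateway's
    own address (/32), so only host-to-host traffic is covered."""
    opts = parse_conn(conn)
    left = ipaddress.ip_network(opts.get("leftsubnet", opts["left"] + "/32"))
    right = ipaddress.ip_network(opts.get("rightsubnet", opts["right"] + "/32"))
    return left, right


def tunnel_carries(conn, src, dst):
    """True if a packet src->dst, seen from the left (pfSense) side, matches the
    CHILD_SA selectors and is therefore sent through the tunnel."""
    left, right = traffic_selectors(conn)
    return (ipaddress.ip_address(src) in left
            and ipaddress.ip_address(dst) in right)


if __name__ == "__main__":
    for label, conn in (("original", ORIGINAL_CONN), ("fixed", FIXED_CONN)):
        print(label,
              "LAN->EC2:", tunnel_carries(conn, "192.168.150.10", "203.0.113.10"),
              "LAN->8.8.8.8:", tunnel_carries(conn, "192.168.150.10", "8.8.8.8"))
```

With the wider selector the EC2 box additionally needs IPv4 forwarding enabled and a source NAT rule for 192.168.150.0/24 on its outbound interface, neither of which appears in the posted iptables dump.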




