List: strongswan-users
Subject: Re: [strongSwan] Strongswan NAT problem
From: Noel Kuntze <noel () familie-kuntze ! de>
Date: 2015-08-06 2:44:36
Message-ID: 55C2CA14.6040602 () familie-kuntze ! de
Hello Josh,
The tunnel only permits traffic between the PFsense box and 192.168.150.0/24, so of course it doesn't work.
Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 05.08.2015 at 16:51, Josh Madden wrote:
> To anyone who can offer some assistance:
>
> I have a pfsense appliance establishing an IPSEC tunnel to an Amazon AWS EC2 Ubuntu
> box running StrongSwan 5.1.2. The goal is for LAN users of the pfsense router
> appliance to have all their internet traffic tunneled to the AWS EC2 box and then
> out to the internet. A system on the LAN of the pfsense box can ping the IP of the
> Amazon EC2 box. The Amazon EC2 box can also ping a system on the pfsense LAN. When
> a system on the pfsense LAN tries to send traffic to the internet, I see the
> traffic show up in a running tcpdump on the Amazon EC2 box, but the traffic seems
> to be getting dropped. Watching logs from iptables, I can see that the traffic from
> the IPSEC tunnel arrives at the PREROUTING table with its source address set to the
> pfsense LAN. I've tried adding a number of iptables rules with little success. Any
> assistance is greatly appreciated. Below is some configuration data:
>
> pfsense:
> LAN subnet: 192.168.150.0/24
>
> pfsense ipsec configuration:
> key exchange version: v2
> internet protocol: ipv4
> interface: WAN
> remote gateway: <public IP of Amazon EC2 box>
> authentication method: mutual psk
> my identifier: distinguished name: <DN>
> peer identifier: distinguished name: <DN>
> pre-shared key: *********************
> phase 1:
> encryption algorithm: aes 256
> hash algorithm: sha 256
> dh key group: 14
> lifetime: 28800 seconds
> advanced options:
> NAT traversal: auto
>
> 35x phase2 entries, one for each subnet to be tunneled out to the internet:
> protocol: esp
>
> pfsense firewall rules are set to allow most traffic (it's behind an IDS and
> firewall -- no blocked packets observed)
>
> strongswan ipsec configuration:
> config setup
>     # strictcrlpolicy=yes
>     # uniqueids = no
>     cachecrls=yes
>     uniqueids=yes
>     charondebug="ike 0, knl 0, cfg 0, net 0, enc 0"
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=20m
>     keyingtries=1
>     keyexchange=ikev2
>     authby=secret
>     esp=aes256-sha256
>
> conn <DN>
>     left=<pfsense public IP>
>     leftid=<DN>
>     leftfirewall=yes
>     leftsubnet=192.168.150.0/24
>     right=<AWS EC2 host IP>
>     rightfirewall=yes
>     rightid=<DNS>
>     auto=add
>
> AWS EC2 iptables
> # Generated by iptables-save v1.4.21 on Wed Aug 5 13:43:07 2015
> *nat
> :PREROUTING ACCEPT [382:30387]
> :INPUT ACCEPT [1:468]
> :OUTPUT ACCEPT [4:248]
> :POSTROUTING ACCEPT [15:842]
> -N LOGGING
> -N IPSEC_UNWRAPPED
> -A PREROUTING -s 192.168.150.0/24 -j IPSEC_UNWRAPPED
>
> -I INPUT 1 -j LOG --log-prefix "packet enter NAT-INPUT "
> -I OUTPUT 1 -j LOG --log-prefix "packet enter NAT-OUTPUT "
>
> -I POSTROUTING 1 -j LOG --log-prefix "packet enter POSTROUTING "
> -A IPSEC_UNWRAPPED -j LOG --log-prefix "enter IPSEC_UNWRAPPED "
> -A IPSEC_UNWRAPPED -s 192.168.150.0/24 -j ACCEPT
>
> COMMIT
> # Completed on Wed Aug 5 13:43:07 2015
> # Generated by iptables-save v1.4.21 on Wed Aug 5 13:43:07 2015
> *filter
> :INPUT ACCEPT [324:39841]
> :FORWARD ACCEPT [8:418]
> :OUTPUT ACCEPT [301:64284]
> :LOGGING - [0:0]
> -A INPUT -s <pfsense public ip>/32 -d <amazon public ip>/32 -p udp --dport 4500 -j ACCEPT
> -A INPUT -s <pfsense public ip> -d <amazon public ip>/32 -p tcp --dport 22 -j ACCEPT
> -A INPUT -d <amazon public ip> -p icmp -j ACCEPT
> -A INPUT -j LOGGING
> -A FORWARD -j LOG --log-prefix "enter forward "
> -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -j LOGGING
> -A OUTPUT -s 172.31.17.50/32 -d <pfsense public ip>/32 -p udp --sport 4500 -j ACCEPT
> -A OUTPUT -s 172.31.17.50/32 -d <pfsense public ip>/32 -p tcp --sport 22 -j ACCEPT
> -A OUTPUT -p icmp -d 8.8.8.8 -j LOG --log-prefix "icmp to google "
>
> _______________________________________________
> Users mailing list
> Users@lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
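Noel's point is that the negotiated traffic selectors decide which packets may use the tunnel at all: with leftsubnet=192.168.150.0/24 and no rightsubnet, strongSwan falls back to the gateway's own address for the other side, so a packet from the pfSense LAN to an Internet host matches no IPsec policy and is never protected or forwarded by the SA. The following script is an added example, not code from this thread or from the strongSwan project. It parses a small ipsec.conf in the shape of the quoted one (the conn name `pfsense`, the RFC 5737 documentation addresses standing in for the redacted public IPs, and the helper names are all assumptions), derives the effective selectors with that fallback, and reports whether a given flow is covered, so an operator can check a policy before touching the firewall.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample modelled on the quoted ipsec.conf. 203.0.113.10 stands in
# for the redacted pfSense public IP and 198.51.100.20 for the EC2 host IP
# (both RFC 5737 documentation addresses, not real hosts).
SAMPLE_CONF = """\
config setup
    uniqueids=yes

conn %default
    keyexchange=ikev2
    authby=secret
    esp=aes256-sha256

conn pfsense
    left=203.0.113.10
    leftsubnet=192.168.150.0/24
    right=198.51.100.20
    auto=add
"""


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the 'conn' sections of an ipsec.conf into {name: {key: value}}.

    Settings in 'conn %default' are inherited by every other conn, as strongSwan
    does; the 'config setup' section is skipped because it carries no selectors.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            sections[current] = {}
        elif line.startswith("config "):
            current = None                      # ignore 'config setup'
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    default = sections.pop("%default", {})
    return {name: {**default, **conf} for name, conf in sections.items()}


Networks = List[ipaddress.IPv4Network]


def traffic_selectors(conn: Dict[str, str]) -> Tuple[Networks, Networks]:
    """Return (left_networks, right_networks) for one conn.

    When leftsubnet/rightsubnet is unset, strongSwan uses the gateway address
    itself (left/right) as a /32 selector; a comma-separated list is accepted.
    """
    def nets(side: str) -> Networks:
        spec = conn.get(side + "subnet") or conn[side] + "/32"
        return [ipaddress.ip_network(s.strip()) for s in spec.split(",")]
    return nets("left"), nets("right")


def flow_covered(conn: Dict[str, str], src: str, dst: str) -> bool:
    """True if a src->dst packet is inside the conn's selectors in either direction."""
    left, right = traffic_selectors(conn)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    def match(a: Networks, b: Networks) -> bool:
        return any(s in n for n in a) and any(d in n for n in b)
    return match(left, right) or match(right, left)


if __name__ == "__main__":
    conn = parse_ipsec_conf(SAMPLE_CONF)["pfsense"]
    print("selectors:", traffic_selectors(conn))
    for src, dst in [("192.168.150.5", "198.51.100.20"), ("192.168.150.5", "8.8.8.8")]:
        print(f"{src} -> {dst}: {'covered' if flow_covered(conn, src, dst) else 'NOT covered'}")
    # Widening the remote selector is what a full-tunnel setup needs on this side;
    # the packets then still need a forwarding and NAT rule on the EC2 host.
    widened = {**conn, "rightsubnet": "0.0.0.0/0"}
    print("with rightsubnet=0.0.0.0/0:", flow_covered(widened, "192.168.150.5", "8.8.8.8"))
```

Run against the sample, the LAN-to-EC2 ping is covered while LAN-to-8.8.8.8 is not, which matches the symptom in the post: the packets reach the box but no policy admits them. The widened variant only shows what the selector check would look like; it does not replace the forwarding and NAT rules the EC2 host needs.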