[Swan] ipsec SA's up, no traffic routed? SOLVED

Frank frank at dio.demon.nl
Fri May 13 14:40:22 UTC 2016


Hi,

Got it working, from CentOS 7 libreswan to Cisco ASA with source NAT:
(use this when your net (192.168.1.0/24) is already present and/or NATted in their network)

Example:
their internal subnet:
10.260.10.0/24

Agree on a 'dummy', unique NAT network and an IP in that network, not yet present on our/their network, for example: 10.40.83.13

192.168.1.0/24 --- 192.168.1.a | xxx.xxx.39.68 === internet === yyy.yyy.13.34 --- 10.260.10.0/24


key points:

have these nat rules in iptables:

-A POSTROUTING -s 192.168.1.0/24 -d 10.260.10.0/24 -o eth4 -j SNAT --to-source 10.40.83.13
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT


Add the NAT IP, configured on the internal, incoming firewall interface (eth1) (our 192.168.1.0/24 network):
10.40.83.13/32

ipsec.conf:
...
conn net1
     also=tunnel1
     leftsubnet=10.40.83.0/24
     leftsourceip=10.40.83.13
     rightsubnet=10.260.10.0/24
     rightsourceip=10.260.10.57
     auto=start
...


rgds,

Frank.

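Added illustration (not code from this thread or from libreswan): a small Python model of why the nat POSTROUTING rule order decides whether a packet stays inside the tunnel. It walks the rules first-match as iptables does, then re-runs the policy selector lookup on the post-NAT source, which is what the kernel does after a source rewrite; the public address and the remote subnet are constructed stand-ins, since the thread's xxx.xxx.39.68 is masked and 10.260.10.0/24 is not a parseable IPv4 prefix.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the thread's masked/unparseable addresses (assumptions).
PUBLIC_IP = "203.0.113.68"    # plays the role of xxx.xxx.39.68 (eth4's address)
ASA_NET = "10.200.10.0/24"    # plays the role of the remote 10.260.10.0/24

def in_policy(src, dst, selectors):
    """Does (src, dst) fall inside any leftsubnet -> rightsubnet selector?"""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(l) and d in ip_network(r) for l, r in selectors)

def run_postrouting(rules, src, dst, out_if, selectors):
    """First-match walk of nat POSTROUTING rules given as (match, target, arg).
    Matches: src, dst, out (interface), ipsec (the '-m policy --pol ipsec' match,
    decided on the addresses the packet had when it was routed).
    Returns (source address after NAT, whether the re-run policy lookup still
    selects the packet for encryption)."""
    for match, target, arg in rules:
        if "src" in match and ip_address(src) not in ip_network(match["src"]):
            continue
        if "dst" in match and ip_address(dst) not in ip_network(match["dst"]):
            continue
        if "out" in match and match["out"] != out_if:
            continue
        if match.get("ipsec") and not in_policy(src, dst, selectors):
            continue
        if target == "SNAT":
            src = arg
        elif target == "MASQUERADE":
            src = PUBLIC_IP           # rewritten to the outgoing interface's address
        break                         # nat chains stop at the first matching rule
    # The kernel redoes the xfrm lookup after a source rewrite, so a masqueraded
    # source that no longer fits the selector leaves eth4 in the clear.
    return src, in_policy(src, dst, selectors)

# Scenario 1: the pfSense test tunnel from earlier in the thread.
SEL_TEST = [("192.168.1.0/24", "192.168.211.0/24")]
BEFORE = [({"out": "eth4"}, "MASQUERADE", None)]
AFTER = [({"ipsec": True}, "ACCEPT", None)] + BEFORE   # Nick's rule, inserted first

# Scenario 2: the solved Cisco ASA setup with source NAT to the agreed dummy IP.
SEL_ASA = [("10.40.83.0/24", ASA_NET)]
ASA_RULES = [({"src": "192.168.1.0/24", "dst": ASA_NET, "out": "eth4"}, "SNAT", "10.40.83.13"),
             ({"ipsec": True}, "ACCEPT", None),
             ({"out": "eth4"}, "MASQUERADE", None)]

if __name__ == "__main__":
    print(run_postrouting(BEFORE, "192.168.1.2", "192.168.211.2", "eth4", SEL_TEST))
    print(run_postrouting(AFTER, "192.168.1.2", "192.168.211.2", "eth4", SEL_TEST))
    print(run_postrouting(ASA_RULES, "192.168.1.5", "10.200.10.57", "eth4", SEL_ASA))
```

The first call reproduces the symptom from the thread (ping leaving with the public address and no policy match); the second and third show the fixed ordering and the SNAT-into-the-tunnel case.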


> On 10 May 2016, at 22:37, Frank <frank at dio.demon.nl> wrote:
> 
> Hi,
> 
> That worked, thanks a bunch Nick!
> 
> Next up: the cisco w. sourcenat,
> 
> rgds,
> 
> Frank.
> 
>> On 10 May 2016, at 20:30, Nick Howitt <nick at howitts.co.uk> wrote:
>> 
>> Try:
>> iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
>> Nick
>> 
>> 
>> On 10/05/2016 19:25, Frank wrote:
>>> Hi,
>>> 
>>> The ping still gives the same:
>>> ping -I 192.168.1.2 192.168.211.2
>>> PING 192.168.211.2 (192.168.211.2) from 192.168.1.2 : 56(84) bytes of data.
>>> From xxx.xxx.39.68 icmp_seq=1 Destination Host Unreachable
>>> From xxx.xxx.39.68 icmp_seq=2 Destination Host Unreachable
>>> From xxx.xxx.39.68 icmp_seq=3 Destination Host Unreachable
>>> From xxx.xxx.39.68 icmp_seq=4 Destination Host Unreachable
>>> 
>>> 
>>> iptables rules (simplified for now):
>>> 
>>> iptables -L -n -v
>>> Chain INPUT (policy ACCEPT 84987 packets, 4996K bytes)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>    62  2988 DROP       tcp  --  eth4   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
>>>     0     0 DROP       tcp  --  eth4   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2200
>>> 
>>> Chain FORWARD (policy ACCEPT 576K packets, 34M bytes)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>     0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>>> 2331K  270M ACCEPT     all  --  eth1   eth2    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>>> 2044K  127M ACCEPT     all  --  eth2   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>>>   154 12936 ACCEPT     all  --  eth4   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>>>     0     0 ACCEPT     all  --  eth4   eth2    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>>>   720 60480 ACCEPT     all  --  eth1   eth4    0.0.0.0/0            0.0.0.0/0
>>>   247 12844 ACCEPT     all  --  eth2   eth4    0.0.0.0/0            0.0.0.0/0
>>> 
>>> Chain OUTPUT (policy ACCEPT 143K packets, 8682K bytes)
>>>  pkts bytes target     prot opt in     out     source               destination
>>> 
>>> 
>>> iptables -t nat -L -n -v
>>> Chain PREROUTING (policy ACCEPT 576K packets, 35M bytes)
>>>  pkts bytes target     prot opt in     out     source               destination
>>> 
>>> Chain INPUT (policy ACCEPT 1744 packets, 310K bytes)
>>>  pkts bytes target     prot opt in     out     source               destination
>>> 
>>> Chain OUTPUT (policy ACCEPT 44171 packets, 2325K bytes)
>>>  pkts bytes target     prot opt in     out     source               destination
>>> 
>>> Chain POSTROUTING (policy ACCEPT 616K packets, 37M bytes)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>    54  3843 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
>>>   690 56556 MASQUERADE  all  --  *      eth4    0.0.0.0/0            0.0.0.0/0
>>> 
>>> 
>>> arp -an:
>>> ? (zzz.zzz.13.34) at <incomplete> on eth4
>>> ? (192.168.211.12) at <incomplete> on eth4
>>> ? (192.168.2.12) at 02:00:6b:17:00:01 [ether] on eth2
>>> ? (192.168.211.2) at <incomplete> on eth4
>>> ? (192.168.1.12) at 02:00:0b:60:00:01 [ether] on eth1
>>> ? (xxx.xxx.39.78) at 00:00:5e:00:01:37 [ether] on eth4
>>> ? (xxx.xxx.39.76) at 00:1d:b5:2f:19:9f [ether] on eth4
>>> 
>>> tcpdump -v -n -i eth4 not port 22 | grep -v VRRP :
>>> tcpdump: listening on eth4, link-type EN10MB (Ethernet), capture size 65535 bytes
>>> 20:17:05.232826 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has xxx.xxx.39.74 tell xxx.xxx.39.76, length 46
>>> 20:17:05.925432 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has xxx.xxx.39.74 tell xxx.xxx.39.76, length 46
>>> 20:17:06.204021 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.211.2 tell xxx.xxx.39.68, length 28
>>> 20:17:06.825248 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has xxx.xxx.39.74 tell xxx.xxx.39.76, length 46
>>> 20:17:07.204218 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.211.2 tell xxx.xxx.39.68, length 28
>>> 
>>> 
>>> Rgds,
>>> 
>>> Frank.
>>> 
>>> 
>>> 
>>> 
>>>> On 10 May 2016, at 17:45, Paul Wouters <paul at nohats.ca> wrote:
>>>> 
>>>> On Tue, 10 May 2016, Frank wrote:
>>>> 
>>>> 
>>>>> I'm trying to set up an ipsec connection from a recent centos7 box to a pfSense with strongSwan (charon), as a test before connecting to a remote ciscoASA.
>>>>> SA's seem up.
>>>>> 
>>>>> I can't get traffic to the other side (host on 192.168.211.2 or .12):
>>>>> 
>>>>> 192.168.1.0/24===xxx.xxx.39.68<xxx.xxx.39.68>...yyy.yyy.13.34<yyy.yyy.13.34>===192.168.211.0/24
>>>>> 
>>>>> ping 192.168.211.2
>>>>> PING 192.168.211.2 (192.168.211.2) 56(84) bytes of data.
>>>>> From xxx.xxx.39.68 icmp_seq=1 Destination Host Unreachable
>>>>> 
>>>> Oddly this used your public ip as source, instead of the one you
>>>> specified with leftsourceip=192.168.1.2
>>>> 
>>>> does ping -I 192.168.1.2 192.168.211.2  work?
>>>> 
>>>> 
>>>>> ip route:
>>>>> default via xxx.xxx.39.78 dev eth4
>>>>> 192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.2
>>>>> 192.168.2.0/24 dev eth2  proto kernel  scope link  src 192.168.2.2
>>>>> 192.168.3.0/24 dev eth3  proto kernel  scope link  src 192.168.3.2
>>>>> 192.168.211.0/24 dev eth4  scope link  src 192.168.1.2
>>>>> 
>>>> It's there, so why is ping using the wrong source ip?
>>>> 
>>>> Paul
>>>> 
>>> _______________________________________________
>>> Swan mailing list
>>> 
>>> Swan at lists.libreswan.org
>>> https://lists.libreswan.org/mailman/listinfo/swan
>> 
> 


