[Swan] ipsec SA's up, no traffic routed? SOLVED
Frank
frank at dio.demon.nl
Fri May 13 14:40:22 UTC 2016
Hi,
Got it working, from centos7 libreswan to ciscoAsa with sourcenat:
(use this when your net (192.168.1.0/24) is already present and/or NATted in their network)
Example:
their internal subnet:
10.260.10.0/24
agree on ‘dummy’, unique, NAT network+ip in that network, not present yet on our/their network, for example : 10.40.83.13
192.168.1.0/24 --- 192.168.1.a | xxx.xxx.39.68 === internet === yyy.yyy.13.34 --- 10.260.10.0/24
key points:
have these nat rules in iptables:
-A POSTROUTING -s 192.168.1.0/24 -d 10.260.10.0/24 -o eth4 -j SNAT --to-source 10.40.83.13
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
add the NAT ip configured on the internal, incoming firewall interface (eth1) (our 192.168.1.0/24 network):
10.40.83.13/32
ipsec.conf:
...
conn net1
also=tunnel1
leftsubnet=10.40.83.0/24
leftsourceip=10.40.83.13
rightsubnet=10.260.10.0/24
rightsourceip=10.260.10.57
auto=start
...
rgds,
Frank.
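As an added example (not from the thread or libreswan itself), the script below builds the source-NAT tunnel setup Frank describes and checks the two things the thread turns on: the dummy NAT network must not overlap either real subnet, and in POSTROUTING the SNAT must be hit before the ipsec policy exemption, which in turn must come before any MASQUERADE on the WAN interface (Nick's earlier fix). The remote subnet 10.26.10.0/24 is a constructed stand-in for the thread's anonymized 10.260.10.0/24; the conn stanza omits the `also=` and `rightsourceip=` lines.

```python
import ipaddress

def plan_snat_tunnel(local_net, remote_net, nat_ip, nat_prefix, wan_if, conn):
    """Build the iptables nat rules (in order) and the ipsec.conf conn stanza
    for reaching remote_net through a dummy source-NAT address. Raises
    ValueError if the dummy network collides with either real subnet."""
    local = ipaddress.ip_network(local_net)
    remote = ipaddress.ip_network(remote_net)
    nat = ipaddress.ip_address(nat_ip)
    nat_net = ipaddress.ip_network(f"{nat}/{nat_prefix}", strict=False)
    for name, net in (("local", local), ("remote", remote)):
        if nat_net.overlaps(net):
            raise ValueError(f"NAT network {nat_net} overlaps the {name} subnet {net}")
    rules = [
        # SNAT first: traffic for the remote subnet leaves as the dummy address
        f"-A POSTROUTING -s {local} -d {remote} -o {wan_if} -j SNAT --to-source {nat}",
        # then exempt everything else that matches an IPsec policy from MASQUERADE
        "-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT",
    ]
    stanza = "\n".join([f"conn {conn}", f"\tleftsubnet={nat_net}",
                        f"\tleftsourceip={nat}", f"\trightsubnet={remote}",
                        "\tauto=start"])
    # the dummy address is also added to the inside interface so replies land here
    return {"nat_rules": rules, "conn": stanza, "inside_if_addr": f"{nat}/32"}

def check_postrouting(rules, wan_if):
    """Return ordering problems in a POSTROUTING rule list (iptables-save syntax)."""
    first = {}
    for i, rule in enumerate(rules):
        kind = ("snat" if "-j SNAT" in rule else
                "ipsec" if "--pol ipsec" in rule and "-j ACCEPT" in rule else
                "masq" if "-j MASQUERADE" in rule and f"-o {wan_if}" in rule else None)
        if kind and kind not in first:
            first[kind] = i
    problems = []
    if "masq" in first and first["masq"] < first.get("ipsec", len(rules)):
        problems.append("MASQUERADE on the WAN interface is reached before the ipsec "
                        "policy exemption: tunnel traffic gets the public IP as source")
    if "snat" in first and first.get("ipsec", len(rules)) < first["snat"]:
        problems.append("ipsec exemption precedes the SNAT rule: dummy address never applied")
    return problems

# constructed stand-ins: 10.26.10.0/24 replaces the thread's anonymized 10.260.10.0/24
PLAN = plan_snat_tunnel("192.168.1.0/24", "10.26.10.0/24", "10.40.83.13", 24, "eth4", "net1")
BEFORE = ["-A POSTROUTING -o eth0 -j MASQUERADE", "-A POSTROUTING -o eth4 -j MASQUERADE"]
AFTER = PLAN["nat_rules"] + BEFORE

if __name__ == "__main__":
    print("\n".join(AFTER)); print(PLAN["conn"])
    print("before:", check_postrouting(BEFORE, "eth4"))
    print("after:", check_postrouting(AFTER, "eth4"))
```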
> On 10 May 2016, at 22:37, Frank <frank at dio.demon.nl> wrote:
>
> Hi,
>
> That worked, thanks a bunch Nick!
>
> Next up: the cisco w. sourcenat,
>
> rgds,
>
> Frank.
>
>> On 10 May 2016, at 20:30, Nick Howitt <nick at howitts.co.uk> wrote:
>>
>> Try:
>> iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
>> Nick
>>
>>
>> On 10/05/2016 19:25, Frank wrote:
>>> Hi,
>>>
>>> The ping still gives the same:
>>> ping -I 192.168.1.2 192.168.211.2
>>> PING 192.168.211.2 (192.168.211.2) from 192.168.1.2 : 56(84) bytes of data.
>>> From xxx.xxx.39.68 icmp_seq=1 Destination Host Unreachable
>>> From xxx.xxx.39.68 icmp_seq=2 Destination Host Unreachable
>>> From xxx.xxx.39.68 icmp_seq=3 Destination Host Unreachable
>>> From xxx.xxx.39.68 icmp_seq=4 Destination Host Unreachable
>>>
>>>
>>> iptables rules (simplified for now):
>>>
>>> iptables -L -n -v
>>> Chain INPUT (policy ACCEPT 84987 packets, 4996K bytes)
>>> pkts bytes target prot opt in out source destination
>>> 62 2988 DROP tcp -- eth4 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
>>> 0 0 DROP tcp -- eth4 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2200
>>>
>>> Chain FORWARD (policy ACCEPT 576K packets, 34M bytes)
>>> pkts bytes target prot opt in out source destination
>>> 0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
>>> 2331K 270M ACCEPT all -- eth1 eth2 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
>>> 2044K 127M ACCEPT all -- eth2 eth1 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
>>> 154 12936 ACCEPT all -- eth4 eth1 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
>>> 0 0 ACCEPT all -- eth4 eth2 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
>>> 720 60480 ACCEPT all -- eth1 eth4 0.0.0.0/0 0.0.0.0/0
>>> 247 12844 ACCEPT all -- eth2 eth4 0.0.0.0/0 0.0.0.0/0
>>>
>>> Chain OUTPUT (policy ACCEPT 143K packets, 8682K bytes)
>>> pkts bytes target prot opt in out source destination
>>>
>>>
>>> iptables -t nat -L -n -v
>>> Chain PREROUTING (policy ACCEPT 576K packets, 35M bytes)
>>> pkts bytes target prot opt in out source destination
>>>
>>> Chain INPUT (policy ACCEPT 1744 packets, 310K bytes)
>>> pkts bytes target prot opt in out source destination
>>>
>>> Chain OUTPUT (policy ACCEPT 44171 packets, 2325K bytes)
>>> pkts bytes target prot opt in out source destination
>>>
>>> Chain POSTROUTING (policy ACCEPT 616K packets, 37M bytes)
>>> pkts bytes target prot opt in out source destination
>>> 54 3843 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
>>> 690 56556 MASQUERADE all -- * eth4 0.0.0.0/0 0.0.0.0/0
>>>
>>>
>>> arp -an:
>>> ? (zzz.zzz.13.34) at <incomplete> on eth4
>>> ? (192.168.211.12) at <incomplete> on eth4
>>> ? (192.168.2.12) at 02:00:6b:17:00:01 [ether] on eth2
>>> ? (192.168.211.2) at <incomplete> on eth4
>>> ? (192.168.1.12) at 02:00:0b:60:00:01 [ether] on eth1
>>> ? (xxx.xxx.39.78) at 00:00:5e:00:01:37 [ether] on eth4
>>> ? (xxx.xxx.39.76) at 00:1d:b5:2f:19:9f [ether] on eth4
>>>
>>> tcpdump -v -n -i eth4 not port 22 | grep -v VRRP :
>>> tcpdump: listening on eth4, link-type EN10MB (Ethernet), capture size 65535 bytes
>>> 20:17:05.232826 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has xxx.xxx.39.74 tell xxx.xxx.39.76, length 46
>>> 20:17:05.925432 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has xxx.xxx.39.74 tell xxx.xxx.39.76, length 46
>>> 20:17:06.204021 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.211.2 tell xxx.xxx.39.68, length 28
>>> 20:17:06.825248 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has xxx.xxx.39.74 tell xxx.xxx.39.76, length 46
>>> 20:17:07.204218 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.211.2 tell xxx.xxx.39.68, length 28
>>>
>>>
>>> Rgds,
>>>
>>> Frank.
>>>
>>>
>>>
>>>
>>>> On 10 May 2016, at 17:45, Paul Wouters <paul at nohats.ca> wrote:
>>>>
>>>> On Tue, 10 May 2016, Frank wrote:
>>>>
>>>>
>>>>> I’m trying to setup an ipsec connection from a recent centos7 box to a pfSense with strongSwan (charon), as a test before connecting to a remote ciscoASA.
>>>>> SA's seem up.
>>>>>
>>>>> I can't get traffic to the other side (host on 192.168.211.2 or .12):
>>>>>
>>>>> 192.168.1.0/24===xxx.xxx.39.68<xxx.xxx.39.68>...yyy.yyy.13.34<yyy.yyy.13.34>===192.168.211.0/24
>>>>>
>>>>> ping 192.168.211.2
>>>>> PING 192.168.211.2 (192.168.211.2) 56(84) bytes of data.
>>>>> From xxx.xxx.39.68 icmp_seq=1 Destination Host Unreachable
>>>>>
>>>> Oddly this used your public ip as source, instead of the one you
>>>> specified with leftsourceip=192.168.1.2
>>>>
>>>> does ping -I 192.168.1.2 192.168.211.2 work?
>>>>
>>>>
>>>>> ip route:
>>>>> default via xxx.xxx.39.78 dev eth4
>>>>> 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.2
>>>>> 192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.2
>>>>> 192.168.3.0/24 dev eth3 proto kernel scope link src 192.168.3.2
>>>>> 192.168.211.0/24 dev eth4 scope link src 192.168.1.2
>>>>>
>>>> It's there, so why is ping using the wrong source ip?
>>>>
>>>> Paul
>>>>
>>> _______________________________________________
>>> Swan mailing list
>>>
>>> Swan at lists.libreswan.org
>>> https://lists.libreswan.org/mailman/listinfo/swan
>>
>