VPN and Routing (StrongSwan)

Nathan Gregory

I think I dug in over my head, and am hoping some kind soul can throw me a lifeline.

Here's the config.

Server (A) runs RHEL 6.8 and StrongSwan 5.5.3, running IPsec VPN to various clients on the Internet. The clients inhabit the 10.200.x.x domain. The server inhabits the 192.168.0.x domain, safely behind a NAT.

This all runs beautifully. Then I decided to add a new service behind the NAT. Same 192.168.0.x domain, just a different address. In my initial naivete, I thought I could simply route between the 10.x domain and the 192.x domains with a few iptables entries and a route add. Oops. Not so simple. I have scoured the StrongSwan documentation and looked at countless examples to no avail. I have reached my level of incompetence. I once thought I understood this stuff, but ...

Here are various outputs from the configuration (.102 is server (A), .1 is the router handling NAT, and 10.200.2.1 and .2 are the remote clients):

ip route list table 220
10.200.2.1 via 192.168.0.1 dev eth0 proto static src 192.168.0.102
10.200.2.2 via 192.168.0.1 dev eth0 proto static src 192.168.0.102
(I tried it with a route add to .209, the second server, but that didn't work. I also experimented with various FORWARD and routing statements in iptables. Time to admit I am beyond my ability and ask for help.)

ip xfrm policy
src 192.168.0.102/32 dst 10.200.2.1/32
dir out priority 367231 ptype main
tmpl src 192.168.0.102 dst 192.168.0.1
proto esp reqid 4 mode tunnel
src 10.200.2.1/32 dst 192.168.0.102/32
dir fwd priority 367231 ptype main
tmpl src 192.168.0.1 dst 192.168.0.102
proto esp reqid 4 mode tunnel
src 10.200.2.1/32 dst 192.168.0.102/32
dir in priority 367231 ptype main
tmpl src 192.168.0.1 dst 192.168.0.102
proto esp reqid 4 mode tunnel
src 192.168.0.102/32 dst 10.200.2.2/32
dir out priority 367231 ptype main
tmpl src 192.168.0.102 dst 70.195.207.208
proto esp reqid 2 mode tunnel
src 10.200.2.2/32 dst 192.168.0.102/32
dir fwd priority 367231 ptype main
tmpl src 70.195.207.208 dst 192.168.0.102
proto esp reqid 2 mode tunnel
src 10.200.2.2/32 dst 192.168.0.102/32
dir in priority 367231 ptype main
tmpl src 70.195.207.208 dst 192.168.0.102
proto esp reqid 2 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0 ptype main
src ::/0 dst ::/0
dir 3 priority 0 ptype main
src ::/0 dst ::/0
dir 4 priority 0 ptype main
src ::/0 dst ::/0
dir 3 priority 0 ptype main
src ::/0 dst ::/0
dir 4 priority 0 ptype main

iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- 192.168.0.0/24 anywhere udp dpt:domain
ACCEPT udp -- 10.200.2.0/24 anywhere udp dpt:domain
ACCEPT tcp -- 192.168.0.0/24 anywhere tcp dpt:domain
ACCEPT tcp -- 10.200.2.0/24 anywhere tcp dpt:domain
ACCEPT tcp -- 10.200.2.0/24 anywhere tcp dpt:xmpp-bosh
ACCEPT tcp -- 10.200.2.0/24 anywhere tcp dpt:xmpp-server
ACCEPT tcp -- 10.200.2.0/24 anywhere tcp dpt:xmpp-client
ACCEPT udp -- 10.200.2.0/24 anywhere udp dpt:sip-tls
ACCEPT udp -- 10.200.2.0/24 anywhere udp dpt:sip
ACCEPT tcp -- 10.200.2.0/24 anywhere tcp dpt:sip-tls
ACCEPT tcp -- 10.200.2.0/24 anywhere tcp dpt:sip
ACCEPT udp -- 10.200.2.0/24 anywhere udp dpt:7722
ACCEPT tcp -- 10.200.2.0/24 anywhere tcp dpt:7722
ACCEPT udp -- 192.168.0.0/24 anywhere udp dpt:sip-tls
ACCEPT udp -- 192.168.0.0/24 anywhere udp dpt:sip
ACCEPT tcp -- 192.168.0.0/24 anywhere tcp dpt:sip-tls
ACCEPT tcp -- 192.168.0.0/24 anywhere tcp dpt:sip
REJECT udp -- 192.168.0.0/24 anywhere udp dpt:7722 reject-with icmp-host-prohibited
ACCEPT tcp -- 192.168.0.0/24 anywhere tcp dpt:7722
ACCEPT tcp -- 10.200.2.0/24 anywhere tcp dpts:dnp:30000
ACCEPT udp -- 10.200.2.0/24 anywhere udp dpts:dnp:30000
ACCEPT tcp -- 192.168.0.0/24 anywhere tcp dpts:dnp:30000
REJECT udp -- 192.168.0.0/24 anywhere udp dpts:dnp:30000 reject-with icmp-host-prohibited
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT icmp -- anywhere anywhere icmp destination-unreachable reject-with icmp-host-prohibited
REJECT icmp -- anywhere anywhere icmp echo-reply reject-with icmp-host-prohibited
REJECT icmp -- anywhere anywhere icmp echo-request reject-with icmp-host-prohibited
REJECT icmp -- anywhere anywhere icmp parameter-problem reject-with icmp-host-prohibited
REJECT icmp -- anywhere anywhere icmp redirect reject-with icmp-host-prohibited
REJECT icmp -- anywhere anywhere icmp router-advertisement reject-with icmp-host-prohibited
REJECT icmp -- anywhere anywhere icmp router-solicitation reject-with icmp-host-prohibited
REJECT icmp -- anywhere anywhere icmp source-quench reject-with icmp-host-prohibited
REJECT icmp -- anywhere anywhere icmp time-exceeded reject-with icmp-host-prohibited
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ipsec-nat-t
ACCEPT udp -- anywhere anywhere state NEW udp dpt:ipsec-nat-t
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:re-mail-ck
ACCEPT udp -- anywhere anywhere state NEW udp dpt:re-mail-ck
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:isakmp
ACCEPT udp -- anywhere anywhere state NEW udp dpt:isakmp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:vnc-server
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

cat ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
    strictcrlpolicy=yes

# Settings shared by every conn below
conn %default
    keyexchange=ikev2
    ike=aes256gcm128-prfsha384-ecp384,aes256gcm128-prfsha384-modp2048
    esp=aes256gcm128-ecp384,aes256gcm128-modp2048
    dpdaction=restart
    dpddelay=10s
    dpdtimeout=3600s
    rekey=yes
    left=%any
    leftcert=serverCert.pem
    leftsendcert=always
    leftid=mynet.net
    # No leftsubnet here: the local traffic selector then defaults to the
    # gateway's own address (192.168.0.102/32), which is exactly what the
    # src/dst selectors in the ip xfrm policy output above show.
    rightdns=192.168.0.102
    rightsourceip=10.200.2.0/24
    type=tunnel

# Plain IKEv2, certificate authentication on both sides
conn IPSec-IKEv2
    keyexchange=ikev2
    auto=add

# IKEv2 with a second client authentication round (EAP-MSCHAPv2)
conn IPSec-IKEv2-EAP
    also="IPSec-IKEv2"
    leftauth=pubkey
    rightauth=pubkey
    rightauth2=eap-mschapv2
    eap_identity=%any

# IKEv1 for Cisco-style clients: RSA signature plus XAuth, UDP encapsulation forced
conn CiscoIPSec
    keyexchange=ikev1
    forceencaps=yes
    authby=xauthrsasig
    xauth=server
    auto=add
    dpdaction=hold

# IKEv2 profile for iOS 8 and later (same authentication as IPSec-IKEv2-EAP)
conn IOS8_IKEV2
    leftauth=pubkey
    rightauth=pubkey
    rightauth2=eap-mschapv2
    eap_identity=%any
    auto=add


Input from a fresh set of eyes would be most appreciated.

Thanks,
Nathan
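Added example, not part of Nathan's post and not strongSwan's own code: a small script for the gateway that first confirms what the `ip xfrm policy` output above is saying (every installed selector is 192.168.0.102/32 to one client /32, because `leftsubnet` is unset and defaults to the host's own address, so the kernel has no policy at all for 192.168.0.209 traffic), then prints the three-part fix: `leftsubnet=192.168.0.0/24`, FORWARD rules that only pass traffic matching an IPsec policy, and a return path for LAN hosts that have no route to 10.200.2.0/24. The addresses and `eth0` are taken from the post, the `DRY_RUN` switch and the function names are this example's own, and the sample `ip xfrm policy` text is constructed to mirror the one posted. One thing outside the script: the posted INPUT chain has an unconditional `ACCEPT all` ahead of the ssh/isakmp rules and the final REJECT, so that REJECT never fires.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed layout (taken from the post):
#   gateway 192.168.0.102 on eth0 (strongSwan 5.x), clients assigned from 10.200.2.0/24,
#   new host 192.168.0.209 on the same LAN, LAN router 192.168.0.1.
# Apply on the gateway as root; DRY_RUN=1 prints the commands instead of running them.

LAN=192.168.0.0/24
VPN_POOL=10.200.2.0/24
LAN_IF=eth0

# Constructed sample of `ip xfrm policy` output, shaped like the one in the post:
# every selector strongSwan installed is 192.168.0.102/32 <-> one client /32.
SAMPLE_XFRM='src 192.168.0.102/32 dst 10.200.2.1/32
    dir out priority 367231 ptype main
    tmpl src 192.168.0.102 dst 192.168.0.1
        proto esp reqid 4 mode tunnel
src 10.200.2.1/32 dst 192.168.0.102/32
    dir fwd priority 367231 ptype main
src 10.200.2.1/32 dst 192.168.0.102/32
    dir in priority 367231 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 3 priority 0 ptype main
src ::/0 dst ::/0
    dir 4 priority 0 ptype main'

# policy_covers LOCAL CLIENT: read `ip xfrm policy` from stdin and succeed only if some
# "dir out" policy has a src selector containing LOCAL and a dst selector containing
# CLIENT. Without such a policy the kernel routes LOCAL -> CLIENT in the clear.
policy_covers() {
    awk -v local="$1" -v client="$2" '
    function ip2n(s,  p) { split(s, p, "."); return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4] }
    function inside(ip, cidr,  q, bits, d) {
        if (cidr ~ /:/) return 0                  # IPv6 selectors are not in scope here
        split(cidr, q, "/"); bits = (2 in q) ? q[2] : 32
        d = 2 ^ (32 - bits)                       # drop the host bits, compare the rest
        return int(ip2n(ip) / d) == int(ip2n(q[1]) / d)
    }
    /^src / { src = $2; dst = $4 }
    /dir out/ { if (inside(local, src) && inside(client, dst)) { found = 1; exit } }
    END { exit found ? 0 : 1 }'
}

run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Fix, part 1: widen the local traffic selector so the CHILD_SA covers the whole LAN,
# not just the gateway address (which is what an unset leftsubnet defaults to).
ipsec_conf_fix() {
    cat <<EOF
conn %default
    leftsubnet=$LAN
EOF
}

# Fix, parts 2 and 3: forward decrypted traffic, but only traffic that came out of (or
# is going into) an IPsec SA, and give the LAN hosts a return path. The posted FORWARD
# chain REJECTs everything, so the new rules are inserted in front of it.
firewall_fix() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -I FORWARD 1 -i "$LAN_IF" -s "$VPN_POOL" -d "$LAN" \
        -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    run iptables -I FORWARD 2 -o "$LAN_IF" -s "$LAN" -d "$VPN_POOL" \
        -m policy --dir out --pol ipsec --proto esp -j ACCEPT
    # 192.168.0.209 has no route to 10.200.2.0/24, so hide the clients behind the
    # gateway's LAN address. Alternative: a static route "10.200.2.0/24 via
    # 192.168.0.102" on the router (or on .209 itself) and no NAT at all.
    run iptables -t nat -A POSTROUTING -o "$LAN_IF" -s "$VPN_POOL" -d "$LAN" -j MASQUERADE
}

# Stand-alone demo: diagnose the sample, then print (do not apply) the fix.
for host in 192.168.0.102 192.168.0.209; do
    if printf '%s\n' "$SAMPLE_XFRM" | policy_covers "$host" 10.200.2.1; then
        echo "$host -> 10.200.2.1: covered by an IPsec policy"
    else
        echo "$host -> 10.200.2.1: no IPsec policy, would be routed in the clear"
    fi
done
ipsec_conf_fix
DRY_RUN=1 firewall_fix
```

After adding `leftsubnet`, run `ipsec reload` and have a client reconnect so a new CHILD_SA is negotiated with the wider selector; `ip xfrm policy` should then show `src 192.168.0.0/24` in the `dir out` entries. If a client still ends up with a /32, it is proposing a narrow traffic selector itself and the fix belongs on that client. The `-m policy` matches are what keep the FORWARD rules from also admitting plaintext packets that merely carry a 10.200.2.x source address.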