Masquerading strongswan ipsec ikev2 RAS clients
I have a VPS in Sweden and I want to establish an IKEv2 RAS connection.
The connection is established and a valid SA was created.
Now I want to masquerade the traffic for 0.0.0.0/0 through the wan interface.
I've tried it (as usual) with
# iptables -t nat -A POSTROUTING -s 10.9.0.0/16 -o venet0 -m policy --dir out --pol ipsec -j ACCEPT
# iptables -t nat -A POSTROUTING -s 10.9.0.0/16 -o venet0 -j MASQUERADE
but it seems that the traffic is not really masqueraded, because the packets never reach the destination.
Output of tcpdump:
# tcpdump icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
16:25:50.153272 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 1, length 64
16:25:50.153328 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 1, length 64
16:25:51.154079 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 2, length 64
16:25:51.154126 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 2, length 64
16:25:52.050239 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 10347, seq 0, length 64
16:25:52.050837 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 10347, seq 0, length 64
16:25:52.168143 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 3, length 64
16:25:52.168188 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 3, length 64
I think the thing is the type of interface...
I am caught in an OpenVZ VM and there is no default route:
# ip route show
default dev venet0 scope link
Output of ipsec statusall
# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.5, Linux 2.6.32-042stab127.2, x86_64):
uptime: 2 minutes, since Apr 28 16:19:45 2018
malloc: sbrk 1466368, mmap 0, used 348064, free 1118304
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Virtual IP pools (size/online/offline):
10.9.0.110/16: 145/1/0
Listening IP addresses:
XXX.XXX.XXX.XXX
XXXX:XXXX:XXXX::XXXX
Connections:
rw-test: %any...%any IKEv2
rw-test: local: [sweden] uses pre-shared key authentication
rw-test: remote: [testuser@sweden] uses pre-shared key authentication
rw-test: child: 0.0.0.0/0 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
rw-test[1]: ESTABLISHED 2 minutes ago, XXX.XXX.XXX.XXX[sweden]...XXX.XXX.XXX.XXX[testuser@sweden]
rw-test[1]: IKEv2 SPIs: 8f084b68e20909d1_i 94a565274cecd493_r*, pre-shared key reauthentication in 53 minutes
rw-test[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
rw-test1: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cc5c3401_i 1e30ba5a_o
rw-test1: AES_CBC_256/HMAC_SHA1_96, 336 bytes_i (4 pkts, 24s ago), 0 bytes_o, rekeying in 12 minutes
rw-test1: 0.0.0.0/0 === 10.9.0.110/32
This is my ipsec.conf
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="ike 4, knl 4, cfg 4"
conn %default
compress=no
type=tunnel
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
ike=aes256-sha1-modp2048,3des-sha1-modp1024!
esp=aes256-sha1,3des-sha1!
left=%any
leftsubnet=0.0.0.0/0
leftid=@sweden
leftfirewall=yes
rightdns=8.8.8.8,8.8.4.4
authby=secret
conn rw-test
right=%any
rightid=testuser@sweden
rightsourceip=10.9.0.110/16
auto=add
Does anyone have an idea how to handle this?
networking routing ipsec strongswan
asked Apr 28 at 20:35
papayawhip
Looks OK. Is IP forwarding enabled? ICMP isn't blocked somewhere else? (i.e. you can actually ping 8.8.4.4 when doing so directly on the server from XXX.XXX.XXX.XXX?)
– ecdsa
Apr 30 at 8:40
It is enabled, ICMP works.
– papayawhip
Apr 30 at 10:35
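Two things the thread asks about, whether ip_forward is on and whether the nat POSTROUTING rules are in the right order (the `--pol ipsec` ACCEPT exemption has to precede MASQUERADE so that traffic which must re-enter an IPsec tunnel keeps its pool source address), can be checked mechanically. The script below is an added example, not code from the question or from strongSwan; the function names and the constructed iptables-save samples are its own assumptions.

```shell
#!/bin/sh
# Added check, not from the question: does the nat POSTROUTING chain exempt
# IPsec-bound traffic from MASQUERADE *before* the MASQUERADE rule? If the
# order is reversed, packets that still have to enter a tunnel are rewritten
# to the WAN address and stop matching the IPsec policy. Also checks ip_forward.
# Names (check_nat_order, check_forwarding, SAMPLE_*) are this example's own.

# $1 = client pool (e.g. 10.9.0.0/16), $2 = WAN interface; reads iptables-save on stdin.
# Returns 0 when the exemption precedes the masquerade rule, 1 otherwise.
check_nat_order() {
    awk -v pool="$1" -v wan="$2" '
        /^\*/ { table = substr($0, 2) }          # table header: *nat, *filter, ...
        table == "nat" && /^-A POSTROUTING/ {
            n++                                  # position within the chain
            if ($0 ~ ("-s " pool) && $0 ~ ("-o " wan) && /--pol ipsec/ && /-j ACCEPT/) accept = n
            if ($0 ~ ("-s " pool) && $0 ~ ("-o " wan) && /-j MASQUERADE/) masq = n
        }
        END {
            if (!masq)         { print "no MASQUERADE rule for " pool " on " wan; exit 1 }
            if (!accept)       { print "MASQUERADE without an IPsec policy exemption"; exit 1 }
            if (accept > masq) { print "IPsec exemption (rule " accept ") comes after MASQUERADE (rule " masq ")"; exit 1 }
            print "ok: exemption at rule " accept ", masquerade at rule " masq
        }'
}

# $1 = path of the ip_forward sysctl (defaults to the live one); returns 0 if it reads 1.
check_forwarding() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Constructed iptables-save fragments for a self-test: the two rules from the
# question in the intended order, and the same rules with MASQUERADE first.
SAMPLE_GOOD='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.9.0.0/16 -o venet0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.9.0.0/16 -o venet0 -j MASQUERADE
COMMIT'
SAMPLE_SWAPPED='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.9.0.0/16 -o venet0 -j MASQUERADE
-A POSTROUTING -s 10.9.0.0/16 -o venet0 -m policy --dir out --pol ipsec -j ACCEPT
COMMIT'

# Live use on the VPS (as root):  iptables-save | check_nat_order 10.9.0.0/16 venet0
if [ "${1:-}" = "--self-test" ]; then
    printf '%s\n' "$SAMPLE_GOOD"    | check_nat_order 10.9.0.0/16 venet0   # ok
    printf '%s\n' "$SAMPLE_SWAPPED" | check_nat_order 10.9.0.0/16 venet0   # fails
    check_forwarding && echo "ip_forward=1" || echo "ip_forward is off"
fi
```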