Masquerading strongswan ipsec ikev2 RAS clients

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
0
down vote

favorite












I've a VPS in sweden and I want to establish an IKEv2 RAS connection.
The connection is established and a valid SA was created.



Now I want to masquerade the traffic for 0.0.0.0/0 through the wan interface.
I've tried it (as usual) with



# iptables -t nat -A POSTROUTING -s 10.9.0.0/16 -o venet0 -m policy --dir out --pol ipsec -j ACCEPT
# iptables -t nat -A POSTROUTING -s 10.9.0.0/16 -o venet0 -j MASQUERADE


but it seems that the traffic is not really masqueraded, because the packets never reach the destination.



Output of tcpdump:



# tcpdump icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
16:25:50.153272 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 1, length 64
16:25:50.153328 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 1, length 64
16:25:51.154079 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 2, length 64
16:25:51.154126 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 2, length 64
16:25:52.050239 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 10347, seq 0, length 64
16:25:52.050837 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 10347, seq 0, length 64
16:25:52.168143 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 3, length 64
16:25:52.168188 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 3, length 64


I think the thing is the type of interface...
I am caught in an OpenVZ VM and there is no default route:



# ip route show
default dev venet0 scope link


Output of ipsec statusall



# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.5, Linux 2.6.32-042stab127.2, x86_64):
uptime: 2 minutes, since Apr 28 16:19:45 2018
malloc: sbrk 1466368, mmap 0, used 348064, free 1118304
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Virtual IP pools (size/online/offline):
10.9.0.110/16: 145/1/0
Listening IP addresses:
XXX.XXX.XXX.XXX
XXXX:XXXX:XXXX::XXXX
Connections:
rw-test: %any...%any IKEv2
rw-test: local: [sweden] uses pre-shared key authentication
rw-test: remote: [testuser@sweden] uses pre-shared key authentication
rw-test: child: 0.0.0.0/0 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
rw-test[1]: ESTABLISHED 2 minutes ago, XXX.XXX.XXX.XXX[sweden]...XXX.XXX.XXX.XXX[testuser@sweden]
rw-test[1]: IKEv2 SPIs: 8f084b68e20909d1_i 94a565274cecd493_r*, pre-shared key reauthentication in 53 minutes
rw-test[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
rw-test1: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cc5c3401_i 1e30ba5a_o
rw-test1: AES_CBC_256/HMAC_SHA1_96, 336 bytes_i (4 pkts, 24s ago), 0 bytes_o, rekeying in 12 minutes
rw-test1: 0.0.0.0/0 === 10.9.0.110/32


This is my ipsec.conf



# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
charondebug="ike 4, knl 4, cfg 4"

conn %default
compress=no
type=tunnel
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
ike=aes256-sha1-modp2048,3des-sha1-modp1024!
esp=aes256-sha1,3des-sha1!
left=%any
leftsubnet=0.0.0.0/0
leftid=@sweden
leftfirewall=yes
rightdns=8.8.8.8,8.8.4.4
authby=secret



conn rw-test
right=%any
rightid=testuser@sweden
rightsourceip=10.9.0.110/16
auto=add


Has someone an idea how to handle that?







share|improve this question



















  • Looks OK. IP forwarding is enabled? ICMP isn't blocked somewhere else? (i.e. you can actually ping 8.8.4.4 when doing so directly on the server from XXX.XXX.XXX.XXX?)
    – ecdsa
    Apr 30 at 8:40










  • Is enabled, icmp works
    – papayawhip
    Apr 30 at 10:35














up vote
0
down vote

favorite












I've a VPS in sweden and I want to establish an IKEv2 RAS connection.
The connection is established and a valid SA was created.



Now I want to masquerade the traffic for 0.0.0.0/0 through the wan interface.
I've tried it (as usual) with



# iptables -t nat -A POSTROUTING -s 10.9.0.0/16 -o venet0 -m policy --dir out --pol ipsec -j ACCEPT
# iptables -t nat -A POSTROUTING -s 10.9.0.0/16 -o venet0 -j MASQUERADE


but it seems that the traffic is not really masqueraded, because the packets never reach the destination.



Output of tcpdump:



# tcpdump icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
16:25:50.153272 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 1, length 64
16:25:50.153328 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 1, length 64
16:25:51.154079 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 2, length 64
16:25:51.154126 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 2, length 64
16:25:52.050239 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 10347, seq 0, length 64
16:25:52.050837 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 10347, seq 0, length 64
16:25:52.168143 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 3, length 64
16:25:52.168188 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 3, length 64


I think the thing is the type of interface...
I am caught in an OpenVZ VM and there is no default route:



# ip route show
default dev venet0 scope link


Output of ipsec statusall



# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.5, Linux 2.6.32-042stab127.2, x86_64):
uptime: 2 minutes, since Apr 28 16:19:45 2018
malloc: sbrk 1466368, mmap 0, used 348064, free 1118304
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Virtual IP pools (size/online/offline):
10.9.0.110/16: 145/1/0
Listening IP addresses:
XXX.XXX.XXX.XXX
XXXX:XXXX:XXXX::XXXX
Connections:
rw-test: %any...%any IKEv2
rw-test: local: [sweden] uses pre-shared key authentication
rw-test: remote: [testuser@sweden] uses pre-shared key authentication
rw-test: child: 0.0.0.0/0 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
rw-test[1]: ESTABLISHED 2 minutes ago, XXX.XXX.XXX.XXX[sweden]...XXX.XXX.XXX.XXX[testuser@sweden]
rw-test[1]: IKEv2 SPIs: 8f084b68e20909d1_i 94a565274cecd493_r*, pre-shared key reauthentication in 53 minutes
rw-test[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
rw-test1: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cc5c3401_i 1e30ba5a_o
rw-test1: AES_CBC_256/HMAC_SHA1_96, 336 bytes_i (4 pkts, 24s ago), 0 bytes_o, rekeying in 12 minutes
rw-test1: 0.0.0.0/0 === 10.9.0.110/32


This is my ipsec.conf



# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
charondebug="ike 4, knl 4, cfg 4"

conn %default
compress=no
type=tunnel
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
ike=aes256-sha1-modp2048,3des-sha1-modp1024!
esp=aes256-sha1,3des-sha1!
left=%any
leftsubnet=0.0.0.0/0
leftid=@sweden
leftfirewall=yes
rightdns=8.8.8.8,8.8.4.4
authby=secret



conn rw-test
right=%any
rightid=testuser@sweden
rightsourceip=10.9.0.110/16
auto=add


Has someone an idea how to handle that?







share|improve this question



















  • Looks OK. IP forwarding is enabled? ICMP isn't blocked somewhere else? (i.e. you can actually ping 8.8.4.4 when doing so directly on the server from XXX.XXX.XXX.XXX?)
    – ecdsa
    Apr 30 at 8:40










  • Is enabled, icmp works
    – papayawhip
    Apr 30 at 10:35












up vote
0
down vote

favorite









up vote
0
down vote

favorite











I've a VPS in sweden and I want to establish an IKEv2 RAS connection.
The connection is established and a valid SA was created.



Now I want to masquerade the traffic for 0.0.0.0/0 through the wan interface.
I've tried it (as usual) with



# iptables -t nat -A POSTROUTING -s 10.9.0.0/16 -o venet0 -m policy --dir out --pol ipsec -j ACCEPT
# iptables -t nat -A POSTROUTING -s 10.9.0.0/16 -o venet0 -j MASQUERADE


but it seems that the traffic is not really masqueraded, because the packets never reach the destination.



Output of tcpdump:



# tcpdump icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
16:25:50.153272 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 1, length 64
16:25:50.153328 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 1, length 64
16:25:51.154079 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 2, length 64
16:25:51.154126 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 2, length 64
16:25:52.050239 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 10347, seq 0, length 64
16:25:52.050837 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 10347, seq 0, length 64
16:25:52.168143 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 3, length 64
16:25:52.168188 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 3, length 64


I think the thing is the type of interface...
I am caught in an OpenVZ VM and there is no default route:



# ip route show
default dev venet0 scope link


Output of ipsec statusall



# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.5, Linux 2.6.32-042stab127.2, x86_64):
uptime: 2 minutes, since Apr 28 16:19:45 2018
malloc: sbrk 1466368, mmap 0, used 348064, free 1118304
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Virtual IP pools (size/online/offline):
10.9.0.110/16: 145/1/0
Listening IP addresses:
XXX.XXX.XXX.XXX
XXXX:XXXX:XXXX::XXXX
Connections:
rw-test: %any...%any IKEv2
rw-test: local: [sweden] uses pre-shared key authentication
rw-test: remote: [testuser@sweden] uses pre-shared key authentication
rw-test: child: 0.0.0.0/0 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
rw-test[1]: ESTABLISHED 2 minutes ago, XXX.XXX.XXX.XXX[sweden]...XXX.XXX.XXX.XXX[testuser@sweden]
rw-test[1]: IKEv2 SPIs: 8f084b68e20909d1_i 94a565274cecd493_r*, pre-shared key reauthentication in 53 minutes
rw-test[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
rw-test1: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cc5c3401_i 1e30ba5a_o
rw-test1: AES_CBC_256/HMAC_SHA1_96, 336 bytes_i (4 pkts, 24s ago), 0 bytes_o, rekeying in 12 minutes
rw-test1: 0.0.0.0/0 === 10.9.0.110/32


This is my ipsec.conf



# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
charondebug="ike 4, knl 4, cfg 4"

conn %default
compress=no
type=tunnel
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
ike=aes256-sha1-modp2048,3des-sha1-modp1024!
esp=aes256-sha1,3des-sha1!
left=%any
leftsubnet=0.0.0.0/0
leftid=@sweden
leftfirewall=yes
rightdns=8.8.8.8,8.8.4.4
authby=secret



conn rw-test
right=%any
rightid=testuser@sweden
rightsourceip=10.9.0.110/16
auto=add


Has someone an idea how to handle that?







share|improve this question











I've a VPS in sweden and I want to establish an IKEv2 RAS connection.
The connection is established and a valid SA was created.



Now I want to masquerade the traffic for 0.0.0.0/0 through the wan interface.
I've tried it (as usual) with



# iptables -t nat -A POSTROUTING -s 10.9.0.0/16 -o venet0 -m policy --dir out --pol ipsec -j ACCEPT
# iptables -t nat -A POSTROUTING -s 10.9.0.0/16 -o venet0 -j MASQUERADE


but it seems that the traffic is not really masqueraded, because the packets never reach the destination.



Output of tcpdump:



# tcpdump icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
16:25:50.153272 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 1, length 64
16:25:50.153328 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 1, length 64
16:25:51.154079 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 2, length 64
16:25:51.154126 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 2, length 64
16:25:52.050239 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 10347, seq 0, length 64
16:25:52.050837 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 10347, seq 0, length 64
16:25:52.168143 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 3, length 64
16:25:52.168188 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 3, length 64


I think the thing is the type of interface...
I am caught in an OpenVZ VM and there is no default route:



# ip route show
default dev venet0 scope link


Output of ipsec statusall



# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.5, Linux 2.6.32-042stab127.2, x86_64):
uptime: 2 minutes, since Apr 28 16:19:45 2018
malloc: sbrk 1466368, mmap 0, used 348064, free 1118304
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Virtual IP pools (size/online/offline):
10.9.0.110/16: 145/1/0
Listening IP addresses:
XXX.XXX.XXX.XXX
XXXX:XXXX:XXXX::XXXX
Connections:
rw-test: %any...%any IKEv2
rw-test: local: [sweden] uses pre-shared key authentication
rw-test: remote: [testuser@sweden] uses pre-shared key authentication
rw-test: child: 0.0.0.0/0 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
rw-test[1]: ESTABLISHED 2 minutes ago, XXX.XXX.XXX.XXX[sweden]...XXX.XXX.XXX.XXX[testuser@sweden]
rw-test[1]: IKEv2 SPIs: 8f084b68e20909d1_i 94a565274cecd493_r*, pre-shared key reauthentication in 53 minutes
rw-test[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
rw-test1: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cc5c3401_i 1e30ba5a_o
rw-test1: AES_CBC_256/HMAC_SHA1_96, 336 bytes_i (4 pkts, 24s ago), 0 bytes_o, rekeying in 12 minutes
rw-test1: 0.0.0.0/0 === 10.9.0.110/32


This is my ipsec.conf



# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
charondebug="ike 4, knl 4, cfg 4"

conn %default
compress=no
type=tunnel
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
ike=aes256-sha1-modp2048,3des-sha1-modp1024!
esp=aes256-sha1,3des-sha1!
left=%any
leftsubnet=0.0.0.0/0
leftid=@sweden
leftfirewall=yes
rightdns=8.8.8.8,8.8.4.4
authby=secret



conn rw-test
right=%any
rightid=testuser@sweden
rightsourceip=10.9.0.110/16
auto=add


Has someone an idea how to handle that?









share|improve this question










share|improve this question




share|improve this question









asked Apr 28 at 20:35









papayawhip

11




11











  • Looks OK. IP forwarding is enabled? ICMP isn't blocked somewhere else? (i.e. you can actually ping 8.8.4.4 when doing so directly on the server from XXX.XXX.XXX.XXX?)
    – ecdsa
    Apr 30 at 8:40










  • Is enabled, icmp works
    – papayawhip
    Apr 30 at 10:35
















  • Looks OK. IP forwarding is enabled? ICMP isn't blocked somewhere else? (i.e. you can actually ping 8.8.4.4 when doing so directly on the server from XXX.XXX.XXX.XXX?)
    – ecdsa
    Apr 30 at 8:40










  • Is enabled, icmp works
    – papayawhip
    Apr 30 at 10:35















Looks OK. IP forwarding is enabled? ICMP isn't blocked somewhere else? (i.e. you can actually ping 8.8.4.4 when doing so directly on the server from XXX.XXX.XXX.XXX?)
– ecdsa
Apr 30 at 8:40




Looks OK. IP forwarding is enabled? ICMP isn't blocked somewhere else? (i.e. you can actually ping 8.8.4.4 when doing so directly on the server from XXX.XXX.XXX.XXX?)
– ecdsa
Apr 30 at 8:40












Is enabled, icmp works
– papayawhip
Apr 30 at 10:35




Is enabled, icmp works
– papayawhip
Apr 30 at 10:35















active

oldest

votes











Your Answer







StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);








 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f440647%2fmasquerading-strongswan-ipsec-ikev2-ras-clients%23new-answer', 'question_page');

);

Post as a guest



































active

oldest

votes













active

oldest

votes









active

oldest

votes






active

oldest

votes










 

draft saved


draft discarded


























 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f440647%2fmasquerading-strongswan-ipsec-ikev2-ras-clients%23new-answer', 'question_page');

);

Post as a guest













































































Popular posts from this blog

How to check contact read email or not when send email to Individual?

Displaying single band from multi-band raster using QGIS

How many registers does an x86_64 CPU actually have?