Hi, I found the reason for this problem. I had one zone which had the type "ipsec" for a policy-based IPsec tunnel. It looks like if one zone has this type, all iptables forward rules (except the ones which are related to that zone (--pol ipsec)...) get "-m policy --dir out --pol none" added.
I have now removed this zone, the mentioned iptables options are not added any more, and the traffic flows.
Does anyone understand this behavior? Is this an unsupported combination? Thanks, Peter

On 10/28/20 5:54 PM, Peter Hurtenbach via Shorewall-users wrote:
Strongswan Route Based IPSec - Forward Reject

Hi, I am trying to implement a route-based VPN with Strongswan and XFRM interfaces. My problem is that the traffic coming from / going to that XFRM interface will be blocked with "FORWARD REJECT".

Environment:
- Debian 10 Buster (4.19.0-12)
- Shorewall 5.2.3.2 (Debian Buster repository)
- iproute2 5.8.0-1 (Debian Buster backports; at least 5.1.0 is required for XFRM, the default repo contains 4.20.0)

This is how the interface will be added:

    ip link add ipsec30 type xfrm if_id 30 dev eth2
    sysctl -w net.ipv4.conf.ipsec30.disable_policy=1
    ip link set ipsec30 up

And set the required route(s):

    ip route add 10.17.0.0/16 dev ens30

Shorewall config (only the part related to this VPN; the other interfaces are directly connected to the firewall and of type ipv4):

zones:

    vpn30 ipv4

interfaces:

    vpn30 ipsec30

I see two different behaviors based on the zone type. In this example I try to connect to a host with SSH. Client: 10.17.214.6, Server: 10.0.5.8.

If the type is "ipv4" I see the reject on the incoming connection:

    Oct 28 17:46:31 hostname kernel: [57864.415557] FORWARD REJECT IN=ipsec30 OUT=eth3 MAC= SRC=10.17.14.6 DST=10.0.5.8 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=52462 DF PROTO=TCP SPT=39218 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0

If the type is "ipsec" I see the reject on the answer of the server I try to connect to:

    Oct 28 17:46:50 hostname kernel: [57884.255061] FORWARD REJECT IN=eth3 OUT=ipsec30 MAC=6e:04:7e:ca:5f:5e:3e:2b:36:91:b4:f6:08:00 SRC=10.0.5.8 DST=10.17.14.6 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=22 DPT=39234 WINDOW=65160 RES=0x00 ACK SYN URGP=0

I also have tried the option routeback on the interface. Can anyone help me with this behavior? Thanks in advance.

Regards, Peter

_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
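The two "FORWARD REJECT" lines in the thread tell the whole story once you read the interface pair and the TCP flags together: the first rejects the client's initial SYN arriving on ipsec30, the second rejects the server's SYN-ACK leaving towards ipsec30, so in the second case the inbound leg was accepted and only the reply leg is refused. The following parser is an added example written for this page, not code from the thread or from Shorewall; it takes the two kernel log lines exactly as posted (only the fused "RES=0x00SYN" token is split), extracts the netfilter fields, and reports which leg of the connection each reject hits. The function names, the "from-vpn"/"to-vpn" labels and the diagnosis strings are this example's own choices, and the diagnosis is a heuristic reading of the log, not a statement about Shorewall internals.

```python
import re

# The two kernel log lines quoted in the post (spacing of the TCP flags normalised).
SAMPLE_LOG = """\
Oct 28 17:46:31 hostname kernel: [57864.415557] FORWARD REJECT IN=ipsec30 OUT=eth3 MAC= SRC=10.17.14.6 DST=10.0.5.8 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=52462 DF PROTO=TCP SPT=39218 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 28 17:46:50 hostname kernel: [57884.255061] FORWARD REJECT IN=eth3 OUT=ipsec30 MAC=6e:04:7e:ca:5f:5e:3e:2b:36:91:b4:f6:08:00 SRC=10.0.5.8 DST=10.17.14.6 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=22 DPT=39234 WINDOW=65160 RES=0x00 ACK SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
KERNEL_TS_RE = re.compile(r"^\[\s*[\d.]+\]\s*")


def parse_nflog(line: str) -> dict:
    """Split one netfilter LOG line into its log prefix, KEY=VALUE fields and bare flags.

    Bare tokens that appear after the first KEY=VALUE pair (DF, SYN, ACK, ...) are
    flags; bare tokens before it form the log prefix (Shorewall's "CHAIN DISPOSITION").
    """
    _, _, body = line.partition("kernel: ")
    body = KERNEL_TS_RE.sub("", body)
    prefix, fields, flags = [], {}, set()
    for tok in body.split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value  # "MAC=" yields an empty string, which is fine
        elif fields:
            flags.add(tok)
        else:
            prefix.append(tok)
    fields["prefix"] = " ".join(prefix)
    fields["flags"] = flags
    return fields


def classify(rec: dict, vpn_if: str) -> tuple:
    """Return (direction relative to the VPN interface, TCP handshake stage)."""
    if rec.get("IN") == vpn_if:
        direction = "from-vpn"
    elif rec.get("OUT") == vpn_if:
        direction = "to-vpn"
    else:
        direction = "other"
    tcp = rec["flags"] & TCP_FLAGS
    if tcp == {"SYN"}:
        stage = "initial SYN"
    elif tcp == {"SYN", "ACK"}:
        stage = "SYN-ACK reply"
    else:
        stage = "other"
    return direction, stage


def analyse(log_text: str, vpn_if: str) -> list:
    """Parse every REJECT/DROP line and annotate it with direction and handshake stage."""
    records = []
    for line in log_text.splitlines():
        if "REJECT" not in line and "DROP" not in line:
            continue
        rec = parse_nflog(line)
        direction, stage = classify(rec, vpn_if)
        records.append({
            "prefix": rec["prefix"], "in": rec.get("IN"), "out": rec.get("OUT"),
            "src": rec.get("SRC"), "dst": rec.get("DST"), "proto": rec.get("PROTO"),
            "sport": rec.get("SPT"), "dport": rec.get("DPT"),
            "direction": direction, "stage": stage,
        })
    return records


def diagnose(records: list) -> list:
    """Heuristic reading of which leg of the connection the firewall refuses."""
    seen = {(r["direction"], r["stage"]) for r in records}
    notes = []
    if ("from-vpn", "initial SYN") in seen:
        notes.append("initial SYN arriving from the VPN interface is rejected: "
                     "no forward rule accepts new connections from that side")
    if ("to-vpn", "SYN-ACK reply") in seen:
        notes.append("SYN-ACK leaving towards the VPN interface is rejected: "
                     "the inbound leg was accepted but the reply leg is not, so the "
                     "forward rules treat the two directions differently")
    return notes


if __name__ == "__main__":
    recs = analyse(SAMPLE_LOG, "ipsec30")
    for r in recs:
        print(f"{r['prefix']}: {r['in']} -> {r['out']} {r['src']}:{r['sport']} -> "
              f"{r['dst']}:{r['dport']} [{r['direction']}, {r['stage']}]")
    for note in diagnose(recs):
        print("-", note)
```

Run it against your own `journalctl -k` output with the name of the XFRM interface; a reject on the reply leg only, as in the second line above, is the pattern to look for when checking whether an `ipsec`-type zone has changed the match conditions on rules for other zones.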
