Hello Tormod,

Okay. But still only one CHILD_SA is up and the other one not.

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 07.04.2015 at 13:35, Tormod Macleod wrote:
> Hi Noel,
> 
> I need the SNAT as the network on the right wants to see the traffic originate 
> from the 1.1.1.0/24 range for internal routing purposes.
> 
> I thought (Bryan Duff set me straight) I needed two Child SAs. Because the 
> right device is a Cisco device I had to configure two separate Child SAs 
> rather than do rightsubnet=c,d. It seems the Cisco ASA wants to do it that 
> way and it was causing me problems. Martin Willi previously helped me with 
> this (see attached).
> 
> Cheers,
> 
> 
> Tormod
>
> >>> Noel Kuntze <n...@familie-kuntze.de> 06/04/2015 18:01 >>>
>
> Hello Tormod,
>
> There is a graph[1] that describes the path of the traffic in the kernel.
>
> Why do you believe, that you have to apply SNAT/MASQUERADE?
> By the way, your tunnel setup is wrong.
> You define two IPsec tunnels, but there is only one being used:
>
> >SecurityAssociation-2{2}:  INSTALLED, TUNNEL, ESP in UDP SPIs: cb5e661f_i 9add0a95_o
> >SecurityAssociation-2{2}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 48 minutes
> >SecurityAssociation-2{2}:   1.1.1.0/24 === 192.168.0.0/16
>
> You should look for the reason that causes CHILD_SA of 
> "SecurityAssociation-1" to not come up.
> Also, with IKEv2, you can combine the subnets of all SAs into one.
>
> So you can build something like this:
>
> leftsubnet=a,b
> rightsubnet=c,d
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 06.04.2015 at 16:36, Tormod Macleod wrote:
> > Hello,
>
> > I'm currently testing a site to site VPN. I need to change both the source 
> > and destination address on the left device before forwarding the packets 
> > over the VPN to the right device. I believe it all happens in the order 
> > below but I may be wrong.
>
> > 1 IPTables Prerouting
> > 2 Route selected
> > 3 A determination is made on whether the packets should be encapsulated 
> > with IPSec
> > 4 IPTables Postrouting
> > 5 Packets are encapsulated with IPSec where applicable
> > 6 Packets are forwarded
>
> > I believe I have a solution but I'm not sure whether it's the best and I'd 
> > welcome some ideas...
>
> > In order to have the traffic encapsulated I had to create two child SAs on 
> > the left side. The first has the original source address and the translated 
> > destination address. This is only used in step 3. In step 4 the destination 
> > address is translated and by the time it gets to step 5 the traffic source 
> > and destination addresses match that of the second child SA which also 
> > matches the single child SA on the right side.
>
> > I'm concerned that I might run into some problems with this approach that I 
> > have not yet foreseen.
>
> > Here's my config...
>
> > config setup
> >         # strictcrlpolicy=yes
> >         # uniqueids=no
>
> > conn %default
> >         ikelifetime=1440m
> >         keylife=60m
> >         margintime=3m
> >         keyingtries=5
> >         keyexchange=ikev2
> >         authby=secret
> >         left=10.180.0.12
> >         leftid=2.2.2.2
> >         auto=start
> >         ike=aes128-md5-modp1536
> >         esp=aes128-sha1
> >         reauth=no
> >         dpdaction=hold
> >         dpddelay=40
>
> > conn SecurityAssociation-1
> >         leftsubnet=10.176.0.0/13
> >         right=3.3.3.3
> >         rightsubnet=192.168.0.0/16
> >         rightid=3.3.3.3
>
> > conn SecurityAssociation-2
> >         leftsubnet=1.1.1.0/24
> >         right=3.3.3.3
> >         rightsubnet=192.168.0.0/16
> >         rightid=3.3.3.3
>
>
> > Here's the statusall...
>
> > [root@localhost ~]# /opt/strongswan522/sbin/ipsec statusall
> > Status of IKE charon daemon (strongSwan 5.2.2, Linux 2.6.32-504.12.2.el6.x86_64, x86_64):
> >   uptime: 3 days, since Apr 03 14:47:09 2015
> >   malloc: sbrk 270336, mmap 0, used 210768, free 59568
> >   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
> >   loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic unity
> > Listening IP addresses:
> >   10.180.0.12
> > Connections:
> > SecurityAssociation-1:  10.180.0.12...3.3.3.3  IKEv2, dpddelay=40s
> > SecurityAssociation-1:   local:  [2.2.2.2] uses pre-shared key authentication
> > SecurityAssociation-1:   remote: [3.3.3.3] uses pre-shared key authentication
> > SecurityAssociation-1:   child:  10.176.0.0/13 === 192.168.0.0/16 TUNNEL, dpdaction=hold
> > SecurityAssociation-2:   child:  1.1.1.0/24 === 192.168.0.0/16 TUNNEL, dpdaction=hold
> > Security Associations (1 up, 0 connecting):
> > SecurityAssociation-1[4]: ESTABLISHED 41 minutes ago, 10.180.0.12[2.2.2.2]...3.3.3.3[3.3.3.3]
> > SecurityAssociation-1[4]: IKEv2 SPIs: 75498cd903d39dfa_i* 9dca56ab7071039a_r, rekeying in 23 hours
> > SecurityAssociation-1[4]: IKE proposal: AES_CBC_128/HMAC_MD5_96/PRF_HMAC_SHA1/MODP_1536
> > SecurityAssociation-2{2}:  INSTALLED, TUNNEL, ESP in UDP SPIs: cb5e661f_i 9add0a95_o
> > SecurityAssociation-2{2}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 48 minutes
> > SecurityAssociation-2{2}:   1.1.1.0/24 === 192.168.0.0/16
> > And here's the IPTABLES commands I used to send traffic both ways...
>
> >   iptables -t nat -A PREROUTING -p tcp -s 10.176.0.10/32 -d 10.180.0.12/32 --dport 61001 -j DNAT --to-destination 192.168.1.1:23
> >   iptables -t nat -A POSTROUTING -s 10.176.0.10/32 -d 192.168.1.1/32 -j SNAT --to-source 1.1.1.2
> >   iptables -t nat -A PREROUTING -p tcp -s 192.168.1.1/32 -d 1.1.1.3/32 --dport 61002 -j DNAT --to-destination 10.176.0.10:23
> >   iptables -t nat -A POSTROUTING -s 192.168.1.1/32 -d 10.176.0.10/32 -j SNAT --to-source 10.180.0.12
> > It's a bit convoluted but it works. I'd love to know if someone has a 
> > better idea.
>
> > Cheers,
>
>
> > Tormod
>
> > Please consider the environment before printing this email
> > *********************************************************************
>
> > This e-mail and any attachments are confidential.  If it is not for you, 
> > please inform us and delete it immediately without disclosing, copying, or 
> > distributing it.
>
> > If the content is not about the business of PayWizard Group PLC or its 
> > clients, then it is neither from nor sanctioned by PayWizard Group PLC.  
> > Use of this or any other PayWizard Group PLC e-mail facility signifies 
> > consent to interception by PayWizard Group PLC.  The views expressed in 
> > this email or any attachments may not reflect the views and opinions of 
> > PayWizard Group PLC.
>
> > This message has been scanned for viruses and dangerous content by 
> > MailScanner, but PayWizard Group PLC accepts no liability for any damage 
> > caused by the transmission of any viruses.
>
> > PayWizard Group PLC is a public limited company registered in Scotland 
> > (SC175703) with its registered office at Cluny Court, John Smith Business 
> > Park, Kirkcaldy, Fife, KY2 6QJ.
>
> > ********************************************************************
> > --
> > This message has been scanned for viruses and
> > dangerous content by *MailScanner* <http://www.mailscanner.info/>, and is
> > believed to be clean.
>
>
>
>
>

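The two-CHILD_SA arrangement Tormod describes depends on where the IPsec (xfrm) policy lookup falls relative to the nat PREROUTING and POSTROUTING chains. The following Python model is added here as an illustration; it is not code from this thread or from strongSwan. It applies the four quoted iptables rules and the two conn selectors in the order Tormod lists (DNAT, policy lookup, SNAT, selector check at encapsulation) to constructed packets, and shows which child SA is selected at each point with both conns configured versus with SecurityAssociation-2 alone. `Packet`, `NatRule`, `ChildSa` and the helper functions are this example's own names; the ordering itself is taken from Tormod's numbered list, not verified against the kernel source.

```python
"""Model of where the IPsec (xfrm) policy lookup sits relative to the iptables
nat chains on the Linux forward path, using the rules and conns quoted above.

Added illustration, not code from this thread or from strongSwan. It assumes
the ordering Tormod lists: PREROUTING (DNAT) -> policy lookup -> POSTROUTING
(SNAT) -> selector check when the packet is encapsulated. Packets are
constructed samples; addresses come from the quoted config."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class NatRule:
    """One `iptables -t nat` rule: match on src/dst (and optional dport), then rewrite."""
    chain: str                      # "PREROUTING" for DNAT, "POSTROUTING" for SNAT
    src: str
    dst: str
    dport: Optional[int] = None
    new_src: Optional[str] = None
    new_dst: Optional[str] = None
    new_dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))

    def apply(self, p: Packet) -> Packet:
        return replace(p, src=self.new_src or p.src, dst=self.new_dst or p.dst,
                       dport=self.new_dport or p.dport)


@dataclass(frozen=True)
class ChildSa:
    """Traffic selector of one conn, in the left -> right direction."""
    name: str
    leftsubnet: str
    rightsubnet: str

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.leftsubnet)
                and ip_address(p.dst) in ip_network(self.rightsubnet))

    def reversed(self) -> "ChildSa":
        return ChildSa(self.name, self.rightsubnet, self.leftsubnet)


def run_chain(chain: str, rules: List[NatRule], p: Packet) -> Packet:
    """First matching rule in the chain wins, as in iptables; no match leaves the packet alone."""
    for r in rules:
        if r.chain == chain and r.matches(p):
            return r.apply(p)
    return p


def policy_lookup(sas: List[ChildSa], p: Packet) -> Optional[str]:
    """Name of the first conn whose selector covers the packet, or None."""
    for sa in sas:
        if sa.matches(p):
            return sa.name
    return None


# Constructed from the four iptables commands and the two conn definitions quoted above.
NAT_RULES = [
    NatRule("PREROUTING", "10.176.0.10/32", "10.180.0.12/32", 61001, new_dst="192.168.1.1", new_dport=23),
    NatRule("POSTROUTING", "10.176.0.10/32", "192.168.1.1/32", new_src="1.1.1.2"),
    NatRule("PREROUTING", "192.168.1.1/32", "1.1.1.3/32", 61002, new_dst="10.176.0.10", new_dport=23),
    NatRule("POSTROUTING", "192.168.1.1/32", "10.176.0.10/32", new_src="10.180.0.12"),
]
SA1 = ChildSa("SecurityAssociation-1", "10.176.0.0/13", "192.168.0.0/16")
SA2 = ChildSa("SecurityAssociation-2", "1.1.1.0/24", "192.168.0.0/16")


def left_to_right(sas: List[ChildSa]) -> Tuple[Optional[str], Optional[str], Packet]:
    """Outbound: (SA chosen at policy lookup, SA whose selector the post-SNAT packet
    matches, packet as it will be encapsulated). Both SA values must be non-None."""
    pkt = Packet("10.176.0.10", "10.180.0.12", 61001)   # constructed: left host -> NAT port
    pkt = run_chain("PREROUTING", NAT_RULES, pkt)        # step 1: DNAT to 192.168.1.1:23
    chosen = policy_lookup(sas, pkt)                     # step 3: pre-SNAT addresses
    pkt = run_chain("POSTROUTING", NAT_RULES, pkt)       # step 4: SNAT to 1.1.1.2
    return chosen, policy_lookup(sas, pkt), pkt          # step 5: selector on final packet


def right_to_left(sas: List[ChildSa]) -> Tuple[Optional[str], Packet]:
    """Inbound: packet already decapsulated from ESP; the inbound policy check uses the
    selectors in the right -> left direction, then the reverse NAT rules apply."""
    pkt = Packet("192.168.1.1", "1.1.1.3", 61002)        # constructed: right host -> NAT port
    accepted = policy_lookup([sa.reversed() for sa in sas], pkt)
    pkt = run_chain("PREROUTING", NAT_RULES, pkt)
    pkt = run_chain("POSTROUTING", NAT_RULES, pkt)
    return accepted, pkt


if __name__ == "__main__":
    print("both conns:", left_to_right([SA1, SA2])[:2])   # SA-1 selects, SA-2 carries
    print("SA-2 only: ", left_to_right([SA2])[:2])        # no policy match before SNAT
    print("inbound:   ", right_to_left([SA1, SA2]))
```

In the model, with only SecurityAssociation-2 configured the policy lookup on the pre-SNAT packet finds no selector at all, which is the gap the first conn fills; with both conns, SecurityAssociation-1 is what the lookup hits and SecurityAssociation-2 is what the packet matches once SNAT has rewritten the source. The same function run on the reverse direction shows why the DNAT and SNAT rules have to be mirrored exactly: if either selector or rule drifts, the packet either fails the inbound policy check or leaves the host outside the tunnel.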
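Noel's observation at the top of the thread (one CHILD_SA up, the other not) is the kind of state worth checking automatically rather than by eye. The Python below is added here as an illustration and is not strongSwan code. It parses the Connections and Security Associations sections of the `ipsec statusall` output quoted above (re-joined where the mail client wrapped it) and lists every configured child definition that has no INSTALLED CHILD_SA. `parse_statusall`, `missing_child_sas` and `report` are this example's own names, and the regular expressions are written against the 5.2.2 output shown here; treating them as valid for other strongSwan versions is an assumption.

```python
"""Parse `ipsec statusall` output and flag configured child definitions with no
installed CHILD_SA. Added illustration, not strongSwan code. The sample text is
the statusall output quoted in this thread, with wrapped lines re-joined."""
import re
from typing import Dict, List, Tuple

STATUSALL = """\
Status of IKE charon daemon (strongSwan 5.2.2, Linux 2.6.32-504.12.2.el6.x86_64, x86_64):
  uptime: 3 days, since Apr 03 14:47:09 2015
Listening IP addresses:
  10.180.0.12
Connections:
SecurityAssociation-1:  10.180.0.12...3.3.3.3  IKEv2, dpddelay=40s
SecurityAssociation-1:   local:  [2.2.2.2] uses pre-shared key authentication
SecurityAssociation-1:   remote: [3.3.3.3] uses pre-shared key authentication
SecurityAssociation-1:   child:  10.176.0.0/13 === 192.168.0.0/16 TUNNEL, dpdaction=hold
SecurityAssociation-2:   child:  1.1.1.0/24 === 192.168.0.0/16 TUNNEL, dpdaction=hold
Security Associations (1 up, 0 connecting):
SecurityAssociation-1[4]: ESTABLISHED 41 minutes ago, 10.180.0.12[2.2.2.2]...3.3.3.3[3.3.3.3]
SecurityAssociation-1[4]: IKEv2 SPIs: 75498cd903d39dfa_i* 9dca56ab7071039a_r, rekeying in 23 hours
SecurityAssociation-1[4]: IKE proposal: AES_CBC_128/HMAC_MD5_96/PRF_HMAC_SHA1/MODP_1536
SecurityAssociation-2{2}:  INSTALLED, TUNNEL, ESP in UDP SPIs: cb5e661f_i 9add0a95_o
SecurityAssociation-2{2}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 48 minutes
SecurityAssociation-2{2}:   1.1.1.0/24 === 192.168.0.0/16
"""

# "conn:   child:  <left> === <right> ..." in the Connections section
CHILD_DEF = re.compile(r"^(?P<conn>[\w-]+):\s+child:\s+(?P<ts>\S+ === \S+)")
# "conn{n}:  STATE, ..." is the first line of an installed CHILD_SA
CHILD_SA = re.compile(r"^(?P<conn>[\w-]+)\{\d+\}:\s+(?P<state>[A-Z_]+),")
# "conn[n]: STATE ..." is the first line of an IKE_SA; later [n] lines carry SPIs/proposal
IKE_SA = re.compile(r"^(?P<conn>[\w-]+)\[\d+\]:\s+(?P<state>[A-Z]+)\b")


def parse_statusall(text: str) -> Tuple[Dict[str, str], Dict[str, str], Dict[str, str]]:
    """Return (configured child selectors, IKE_SA state, CHILD_SA state), all keyed by conn name."""
    configured: Dict[str, str] = {}
    ike: Dict[str, str] = {}
    child: Dict[str, str] = {}
    section = None
    for line in text.splitlines():
        if line.startswith("Connections:"):
            section = "conf"
            continue
        if line.startswith("Security Associations"):
            section = "sa"
            continue
        if section == "conf":
            m = CHILD_DEF.match(line)
            if m:
                configured[m["conn"]] = m["ts"]
        elif section == "sa":
            m = CHILD_SA.match(line)
            if m:
                child.setdefault(m["conn"], m["state"])   # first {n} line carries the state
                continue
            m = IKE_SA.match(line)
            if m:
                ike.setdefault(m["conn"], m["state"])     # keep ESTABLISHED, ignore "IKE proposal"
    return configured, ike, child


def missing_child_sas(text: str) -> List[str]:
    """Conn names that define a child but have no INSTALLED CHILD_SA."""
    configured, _ike, child = parse_statusall(text)
    return sorted(c for c in configured if child.get(c) != "INSTALLED")


def report(text: str) -> List[str]:
    configured, ike, child = parse_statusall(text)
    return ["%s: %s, IKE_SA %s, CHILD_SA %s" % (conn, ts, ike.get(conn, "not listed"),
                                                child.get(conn, "MISSING"))
            for conn, ts in sorted(configured.items())]


if __name__ == "__main__":
    for line in report(STATUSALL):
        print(line)
    print("missing:", missing_child_sas(STATUSALL))
```

Run against the quoted output, the report shows SecurityAssociation-1 with an ESTABLISHED IKE_SA but no CHILD_SA, and SecurityAssociation-2 with an INSTALLED CHILD_SA but no IKE_SA line of its own (statusall prints the IKE_SA once, under the conn that established it). That is exactly the split Noel points at, and a one-line check like `missing_child_sas` is cheap to run from cron or a monitoring probe on the gateway.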
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
