After a day of puzzling (what else to do on a stormy kind-of lazy day off...) and things are working the way I want it to.
The current config:
IP addresses are assigned from the DHCP server on the VPN/Internethost.
Ipsec.conf:
left=%any
leftsubnet=0.0.0.0/0,::/0
leftfirewall=yes
right=%any
rightsourceip=%dhcp
Relevant section in rc.firewall:
# IPSec connections
$IPTABLES -A INPUT -p UDP --dport 500 -j ACCEPT
$IPTABLES -A INPUT -p UDP --dport 4500 -j ACCEPT
$IPTABLES -A INPUT -p ESP -j ACCEPT
$IPTABLES -A INPUT -p 50 -j ACCEPT
$IPTABLES -A INPUT -p 51 -j ACCEPT
$IPTABLES -I INPUT -m policy --dir in --pol ipsec --proto esp -j
ACCEPT
$IPTABLES -I FORWARD -m policy --dir in --pol ipsec --proto esp -j
ACCEPT
$IPTABLES -I FORWARD -m policy --dir out --pol ipsec --proto esp -j
ACCEPT
$IPTABLES -I OUTPUT -m policy --dir out --pol ipsec --proto esp -j
ACCEPT
Seems I was making it WAY to complicated...attached you'll find the complete
files.
Kind regards,
Willem-Jan Meijer
-----Oorspronkelijk bericht-----
Van: Willem-Jan Meijer [mailto:[email protected]]
Verzonden: maandag 30 november 2015 14:18
Aan: '[email protected]'
Onderwerp: IPTables rules for Strongswan gateway on Internet gateway
Hello all,
Currently i'm using PPTPD as VPN-server which is working fine, but I want to
migrate to Strongswan IPSec to improve security.
I'll try to describe the situation:
-Debian server acting as internet gateway (router) with services like
iptables apache, postfix, ftp and so on.
-eth0 is the WAN interface with an external IP-address proivded by
ISP, 92.108.xxx.xxx ($EXTIF, $EXTIP)
-eth1 is the LAN interface with a static IP-address 192.168.50.1
($INTIF, $INTIP)
Behind eth1 there's a home network with Windows 7 clients which have
IP-addresses assigned by DHCP in the range 192.168.50.100 - 192.168.50.150
Roadwarriors connect to the Debian server. For example. The road warrior
running Windows 7 dials up to "home" and gets an IP-address in the range
192.168.50.234-192.168.238.
When I do ifconfig from the terminal, I see PPTPD bringing up ppp+ tunnel
devices
For PPTPD, I created the following IPTable-rules:
# Accept all packets via ppp* interfaces (for example, ppp0) $IPTABLES -A
INPUT -i ppp+ -j ACCEPT $IPTABLES -A OUTPUT -o ppp+ -j ACCEPT
# Accept incoming connections to port 1723 (PPTP) $IPTABLES -A INPUT -p tcp
--dport 1723 -j ACCEPT
# Accept GRE packets
$IPTABLES -A INPUT -p 47 -j ACCEPT
$IPTABLES -A OUTPUT -p 47 -j ACCEPT
# Enable IP forwarding
$IPTABLES -F FORWARD
$IPTABLES -A FORWARD -j ACCEPT
# Enable NAT for eth0 и ppp* interfaces
$IPTABLES -A POSTROUTING -t nat -o eth0 -j MASQUERADE $IPTABLES -A
POSTROUTING -t nat -o ppp+ -j MASQUERADE
With this configuration, roadwarriors are able to communicate with the home
LAN and use shared folders like they are at home, my main purpose of setting
up VPN.
Now i'm setting up Strongswan to achieve the same: LAN-browsing.
I ended up with the next configuration file:
# ipsec.conf - strongSwan IPsec configuration file
config setup
# uniqueids=never
charondebug="cfg 2, dmn 2, ike 2, net 2"
conn %default
keyexchange=ikev2
ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-
sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp
4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes2
56-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-m
odp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,a
es256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384
-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,a
es256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha
1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp204
8,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-
sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-mo
dp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha
1,aes256-sha384,aes256-sha256,aes256-sha1!
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftsubnet=0.0.0.0/0
leftcert=vpnHostCert.pem
[email protected]
leftfirewall=yes
right=%any
rightsourceip=10.10.10.0/24
rightsubnet=10.10.10.0/24
rightdns=192.192.168.50.1
conn IPSec-IKEv2
keyexchange=ikev2
auto=add
conn IPSec-IKEv2-EAP
also="IPSec-IKEv2"
rightauth=eap-mschapv2
rightsendcert=never
eap_identity=%any
auto=add
In the IPTables script, I added the following lines:
# IPSec connections
$IPTABLES -A INPUT -p UDP --dport 500 -j ACCEPT $IPTABLES -A INPUT -p UDP
--dport 4500 -j ACCEPT $IPTABLES -A INPUT -p ESP -j ACCEPT $IPTABLES -A
INPUT -p 50 -j ACCEPT $IPTABLES -A INPUT -p 51 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 10.10.10.0/24 -o $EXTIF -m policy --dir
out --pol ipsec -j ACCEPT $IPTABLES -t nat -A POSTROUTING -s 10.10.10.0/24
-o $EXTIF -j MASQUERADE
But from here, I get stuck. The road warrior is able to bring up the
connection, however, even a ping from the debian server fails. I suppose the
problem is in my IPTables-script but i'm not an IPTables master. Can someone
point me in the right direction to create the iptables rules to be able to
browse my lan from the road warriors?
Attached you will find the full iptables script and ipsec.conf file
Kind regards,
Willem-Jan Meijer
ipsec.conf
Description: Binary data
rc.firewall
Description: Binary data
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
