Hi,

From my own understanding (I may be wrong) of the configs you applied, I believe there is a "missing" permit rule for ESP in the INPUT chain of your iptables/firewall rules.
Try adding the following to the running config, above the drop rule:

iptables -I INPUT 1 -p esp -i <ens01> -j ACCEPT

and there is no harm in adding a similar rule in the OUTPUT chain too:

iptables -I OUTPUT 1 -p esp -o <ens01> -j ACCEPT

---------------------------------------------------------------------------

or a more complete rule-set would be as below (to be applied on both ipsec-gateways):

iptables -I INPUT 1 -i <Internet> -p esp -j ACCEPT
iptables -I INPUT 2 -i <Internet> -p udp -m udp --dport 500 -j ACCEPT
iptables -I INPUT 3 -i <Internet> -p udp -m udp --dport 4500 -j ACCEPT
iptables -I INPUT 4 -p tcp -m multiport --dports 22 -j f2b-sshd
iptables -I INPUT 5 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -I INPUT 6 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i LAN -j ACCEPT
iptables -A INPUT -j DROP

iptables -I OUTPUT 1 -p esp -j ACCEPT
iptables -I OUTPUT 2 -p udp -m udp --dport 500 -j ACCEPT
iptables -I OUTPUT 3 -p udp -m udp --dport 4500 -j ACCEPT
iptables -I OUTPUT 4 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Note: the "Internet" interface mentioned is to be replaced with the actual wan/internet/public interface of the gateway.

-----------------------------------------------------------------------------

regards

On Tue, Feb 1, 2022 at 6:54 PM VTwin Farriers <[email protected]> wrote:
>
> Good morning Noel,
>
> Attached below are the various configurations you requested. At this point
> my config is pretty basic as I attempt to get this working.
>
> The IP addresses of my Work and Home Routers are 192.168.126.254 and
> 192.168.127.254 respectively. Upon establishing a connection I cannot ping
> or ssh to either router from the other subnet.
>
> If there's anything else I can provide to aid in diagnosing how I've set
> this up wrong let me know and I'll try to get it quickly.
>
> Thank you for the assistance,
>
> Mike
>
>
> ----------------------------------------------------------------------
>
> WorkRouter & HomeRouter /etc/sysctl.conf:
>
> net.ipv4.ip_forward = 1
> net.ipv6.conf.all.forwarding = 0
> net.ipv6.conf.all.disable_ipv6 = 1
> net.ipv6.conf.default.disable_ipv6 = 1
> net.ipv6.conf.lo.disable_ipv6 = 1
> net.netfilter.nf_conntrack_helper = 1
>
> ----------------------------------------------------------------------
>
> WorkRouter iptables pre-connection:
>
> # Generated by iptables-save v1.8.4 on Tue Feb 1 07:34:10 2022
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [0:0]
> :f2b-sshd - [0:0]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i LAN -j ACCEPT
> -A INPUT -j DROP
> -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i lo -j ACCEPT
> -A FORWARD -i LAN -j ACCEPT
> -A FORWARD -j DROP
> -A OUTPUT -o lo -j ACCEPT
> -A OUTPUT -o LAN -j ACCEPT
> -A OUTPUT -o Internet -j ACCEPT
> -A f2b-sshd -j RETURN
> COMMIT
> # Completed on Tue Feb 1 07:34:10 2022
> # Generated by iptables-save v1.8.4 on Tue Feb 1 07:34:10 2022
> *nat
> :PREROUTING ACCEPT [30:3004]
> :INPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [1:88]
> -A POSTROUTING -s 192.168.126.0/24 -o Internet -m policy --dir out --pol ipsec -j ACCEPT
> -A POSTROUTING -o Internet -j MASQUERADE
> COMMIT
> # Completed on Tue Feb 1 07:34:10 2022
>
> ----------------------------------------------------------------------
>
> WorkRouter post-connection:
>
> # Generated by iptables-save v1.8.4 on Tue Feb 1 07:49:29 2022
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [0:0]
> :LOGGING - [0:0]
> :f2b-sshd - [0:0]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i LAN -j ACCEPT
> -A INPUT -j DROP
> -A FORWARD -s 192.168.127.0/24 -d 192.168.126.0/24 -i Internet -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> -A FORWARD -s 192.168.126.0/24 -d 192.168.127.0/24 -o Internet -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i lo -j ACCEPT
> -A FORWARD -i LAN -j ACCEPT
> -A FORWARD -j DROP
> -A OUTPUT -o lo -j ACCEPT
> -A OUTPUT -o LAN -j ACCEPT
> -A OUTPUT -o wlp3s0 -j ACCEPT
> -A OUTPUT -o Internet -j ACCEPT
> -A f2b-sshd -j RETURN
> COMMIT
> # Completed on Tue Feb 1 07:49:29 2022
> # Generated by iptables-save v1.8.4 on Tue Feb 1 07:49:29 2022
> *nat
> :PREROUTING ACCEPT [1431:142370]
> :INPUT ACCEPT [1:364]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [16:1124]
> -A POSTROUTING -s 192.168.126.0/24 -o Internet -m policy --dir out --pol ipsec -j ACCEPT
> -A POSTROUTING -o Internet -j MASQUERADE
> COMMIT
> # Completed on Tue Feb 1 07:49:29 2022
>
> ----------------------------------------------------------------------
>
> HomeRouter iptables pre-connection:
>
> # Generated by iptables-save v1.8.4 on Tue Feb 1 07:36:55 2022
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [7573850:808120940]
> :f2b-sshd - [0:0]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i LAN -j ACCEPT
> -A INPUT -j DROP
> -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i lo -j ACCEPT
> -A FORWARD -i LAN -j ACCEPT
> -A FORWARD -j DROP
> -A f2b-sshd -j RETURN
> COMMIT
> # Completed on Tue Feb 1 07:36:55 2022
> # Generated by iptables-save v1.8.4 on Tue Feb 1 07:36:55 2022
> *nat
> :PREROUTING ACCEPT [201662:20100360]
> :INPUT ACCEPT [130094:8522561]
> :POSTROUTING ACCEPT [347066:26292253]
> :OUTPUT ACCEPT [395652:30979041]
> -A POSTROUTING -s 192.168.127.0/24 -o Internet -m policy --dir out --pol ipsec -j ACCEPT
> -A POSTROUTING -o Internet -j MASQUERADE
> COMMIT
> # Completed on Tue Feb 1 07:36:55 2022
>
> ----------------------------------------------------------------------
>
> HomeRouter iptables post-connection:
>
> # Generated by iptables-save v1.8.4 on Tue Feb 1 07:47:36 2022
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [7775544:830642656]
> :f2b-sshd - [0:0]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i LAN -j ACCEPT
> -A INPUT -j DROP
> -A FORWARD -s 192.168.126.0/24 -d 192.168.127.0/24 -i Internet -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> -A FORWARD -s 192.168.127.0/24 -d 192.168.126.0/24 -o Internet -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i lo -j ACCEPT
> -A FORWARD -i LAN -j ACCEPT
> -A FORWARD -j DROP
> -A f2b-sshd -j RETURN
> COMMIT
> # Completed on Tue Feb 1 07:47:36 2022
> # Generated by iptables-save v1.8.4 on Tue Feb 1 07:47:36 2022
> *nat
> :PREROUTING ACCEPT [205511:20493848]
> :INPUT ACCEPT [132803:8703437]
> :POSTROUTING ACCEPT [353122:26767112]
> :OUTPUT ACCEPT [402834:31555865]
> -A POSTROUTING -s 192.168.127.0/24 -o Internet -m policy --dir out --pol ipsec -j ACCEPT
> -A POSTROUTING -o Internet -j MASQUERADE
> COMMIT
> # Completed on Tue Feb 1 07:47:36 2022
>
> ----------------------------------------------------------------------
>
> WorkRouter swanctl.conf:
>
> connections {
>     homenet {
>         version=2
>         mobike=no
>         fragmentation=yes
>         local_addrs=Work.Public.IP.Address
>         remote_addrs=Home.Public.IP.Address
>         proposals=aes256-sha1-modp1024
>         local {
>             auth = psk
>         }
>         remote {
>             auth = psk
>         }
>         children {
>             homenet {
>                 esp_proposals=aes256-sha1
>                 remote_ts=192.168.127.0/24
>                 local_ts=192.168.126.0/24
>                 updown=/usr/libexec/strongswan/_updown iptables
>             }
>         }
>     }
> }
>
> HomeRouter swanctl.conf:
>
> worknet {
>     version=2
>     mobike=no
>     fragmentation=yes
>     local_addrs=Home.Public.IP.Address
>     remote_addrs=Work.Public.IP.Address
>     proposals=aes256-sha1-modp1024
>     local {
>         auth = psk
>     }
>     remote {
>         auth = psk
>     }
>     children {
>         worknet {
>             esp_proposals=aes256-sha1
>             local_ts=192.168.127.0/24
>             remote_ts=192.168.126.0/24
>             updown=/usr/libexec/strongswan/_updown iptables
>         }
>     }
> }
>
>
> Connection from HomeRouter to WorkRouter:
>
> swanctl --initiate --ike worknet --child worknet
> [IKE] initiating IKE_SA worknet[5] to Work.Public.IP.Address
> [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> [NET] sending packet: from Home.Public.IP.Address[500] to Work.Public.IP.Address[500] (336 bytes)
> [NET] received packet: from Work.Public.IP.Address[500] to Home.Public.IP.Address[500] (344 bytes)
> [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
> [CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> [CFG] no IDi configured, fall back on IP address
> [IKE] authentication of 'Home.Public.IP.Address' (myself) with pre-shared key
> [IKE] establishing CHILD_SA worknet{1}
> [ENC] generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> [NET] sending packet: from Home.Public.IP.Address[500] to Work.Public.IP.Address[500] (220 bytes)
> [NET] received packet: from Work.Public.IP.Address[500] to Home.Public.IP.Address[500] (204 bytes)
> [ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
> [IKE] authentication of 'Work.Public.IP.Address' with pre-shared key successful
> [IKE] IKE_SA worknet[5] established between Home.Public.IP.Address[Home.Public.IP.Address]...Work.Public.IP.Address[Work.Public.IP.Address]
> [IKE] scheduling rekeying in 14047s
> [IKE] maximum IKE_SA lifetime 15487s
> [CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
> [IKE] CHILD_SA worknet{1} established with SPIs ca677689_i c43a2311_o and TS 192.168.127.0/24 === 192.168.126.0/24
> initiate completed successfully
>
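The diagnosis in the reply, as an added shell example that is not part of the thread and not strongSwan's or either poster's code: a checker that reads an iptables-save dump and reports which of ESP (IP protocol 50), IKE (UDP 500) and NAT-T (UDP 4500) has no reachable ACCEPT in INPUT, plus a generator for a filter table in the spirit of the "complete rule-set" above. The sample dump is constructed from the WorkRouter INPUT chain as posted; the interface names eth0/eth1 and the rule layout of the generator are assumptions, and nothing here modifies a live firewall.

```sh
#!/bin/sh
# Added example for this thread; not strongSwan's code and not the posters'.
# An IPsec gateway's INPUT chain needs an ACCEPT for ESP in addition to IKE
# (UDP 500) and NAT-T (UDP 4500), and that ACCEPT has to sit above the
# catch-all DROP. Interface names are parameters; nothing here touches the
# live firewall.

# Constructed sample: the INPUT chain as posted for WorkRouter
# (pre-connection). It has the two UDP rules but no ESP rule.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:f2b-sshd - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i LAN -j ACCEPT
-A INPUT -j DROP
COMMIT'

# missing_ipsec_input_rules: read an iptables-save dump on stdin and print,
# one per line, which of esp / ike / nat-t has no reachable ACCEPT in INPUT.
# Prints nothing when all three are present. Feed it the output of
# `iptables-save` on a real gateway, or the constructed sample above.
missing_ipsec_input_rules() {
    # Only INPUT rules before the first unconditional DROP can ever match;
    # a rule appended after "-A INPUT -j DROP" is dead, which is why the
    # reply inserts with "-I INPUT 1" rather than "-A".
    reachable=$(awk '/^-A INPUT -j DROP/ { exit } /^-A INPUT /')
    printf '%s\n' "$reachable" | grep -q -- '-p esp .*-j ACCEPT' || echo esp
    printf '%s\n' "$reachable" | grep -q -- '-p udp .*--dport 500 .*-j ACCEPT' || echo ike
    printf '%s\n' "$reachable" | grep -q -- '-p udp .*--dport 4500 .*-j ACCEPT' || echo nat-t
    return 0
}

# gen_ipsec_gateway_rules WAN LAN: print an iptables-restore fragment for the
# filter table of a site-to-site IPsec gateway. WAN and LAN are assumed
# interface names ("Internet" and "LAN" in the thread). ESP, IKE and NAT-T
# are accepted only on the WAN side, and FORWARD only passes traffic that
# matched an IPsec policy, as the _updown-generated rules in the thread do.
gen_ipsec_gateway_rules() {
    wan=$1
    lan=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -j ACCEPT
-A INPUT -i $wan -p esp -j ACCEPT
-A INPUT -i $wan -p udp --dport 500 -j ACCEPT
-A INPUT -i $wan -p udp --dport 4500 -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -i $wan -o $lan -m policy --dir in --pol ipsec --proto esp -j ACCEPT
COMMIT
EOF
}

# Stand-alone run: report what the posted WorkRouter INPUT chain is missing
# (prints "esp").
printf '%s\n' "$SAMPLE_DUMP" | missing_ipsec_input_rules
```

On a real gateway, `iptables-save | sh -c '. ./this.sh; missing_ipsec_input_rules'` gives the same report for the live rules, and once the ESP rule is in place `iptables -L INPUT -v -n` should show its packet counter rising while a ping crosses the tunnel; a zero counter with traffic flowing means the packets are matching an earlier rule, not this one.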
