
I have set up strongswan for an IPsec connection (remote Win10 to my Linux router). IPsec does not have an interface by default, but I don't want to risk exposing VPN traffic on my WAN interface. So I set up a VTI interface with a mark (https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN#Configuration) and I see traffic going through this virtual interface and not WAN. But there is still some traffic going through the WAN interface. tcpdump on WAN (10.1.0.2 is the Win10 client):

IP 10.1.0.2.137 > 255.255.255.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
IP 10.1.0.2.137 > 255.255.255.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
IP 10.1.0.2.137 > 255.255.255.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
IP 10.1.0.2.54995 > 239.255.255.250.3702: UDP, length 1072
IP 10.1.0.2.53313 > 239.255.255.250.1900: UDP, length 137
IP 10.1.0.2.54995 > 239.255.255.250.3702: UDP, length 1072

A private LAN sending packets to the ISP interface is really bad. These packets are neither marked nor have an IPsec policy applied (iptables -A INPUT/OUTPUT/FORWARD -m policy --dir in/out --pol ipsec -j LOG-DROP-IPSEC does not see them). Filtering by source

iptables -t mangle -A POSTROUTING -s 10.1.0.2 -j LOG-DROP-IPSEC

has no effect.

These packets seem to actually go out to the WAN network: journalctl -k

...
... host *.*.*.*/if2 ignores redirects for 10.1.0.2 to 10.1.0.2
...

Where are these packets injected so that mangle POSTROUTING misses them, and how can I block them?

Network diagram

avi9526
  • Can you add a network diagram and the complete configuration of iptables and strongswan? The traffic shown is broadcast and multicast that should not cross a router. – Mathias Weidner Feb 28 '21 at 14:49
  • can't post iptables, it's work stuff. My router does not let broadcast packets from LAN to WAN. These packets do not cross the router, they are created on the WAN interface by strongswan. And I don't understand why – avi9526 Feb 28 '21 at 15:03
  • I doubt that strongswan creates that kind of packets. Given the incomplete information above, I don't even understand the problem, so any idea would be moot. – Mathias Weidner Mar 01 '21 at 12:56
  • I have added diagram to explain my problem with more details – avi9526 Mar 04 '21 at 20:36
  • I don't see where the address 10.1.0.2 is in the diagram. – Mathias Weidner Mar 05 '21 at 09:49
  • my bad, fixed IP on diagram – avi9526 Mar 05 '21 at 22:18
  • I still doubt that strongswan created the packets. From your description the configuration seems to be not OK, but since you can't provide the complete configuration, I don't know how to help you further. Do you really need a route-based VPN at that point? – Mathias Weidner Mar 06 '21 at 19:48
  • unfortunately I am limited in my knowledge and time to learn something new. I don't know policy-based VPN, and my attempt to set it up resulted in the remote VPN client requesting an IP by DHCP from my provider, which is unwanted behavior. But I have good iptables firewall rules that are working well based on interface names. So having an interface for the VPN is preferred. Currently working with OpenVPN. But the question about strongSwan remains. – avi9526 Mar 07 '21 at 00:14
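One way to triage a capture like the one in the question, as an added example that is not from the question or from strongSwan: a small Python script that parses tcpdump's text output and flags every packet sourced from the VPN client subnet that was seen in clear on the WAN interface, classifying each destination as broadcast, multicast or unicast. The VPN subnet 10.1.0.0/24, the router's public address 203.0.113.5 and the sample lines are assumptions constructed for the example.

```python
import ipaddress
import re

# "IP src.port > dst.port:" prefix of tcpdump's IPv4 output lines (run with -n).
PKT_RE = re.compile(r"^IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

# Constructed sample: the lines from the question plus one ordinary WAN packet from
# the router's own public address (documentation range), which must not be flagged.
SAMPLE = """\
IP 10.1.0.2.137 > 255.255.255.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
IP 10.1.0.2.54995 > 239.255.255.250.3702: UDP, length 1072
IP 10.1.0.2.53313 > 239.255.255.250.1900: UDP, length 137
IP 203.0.113.5.40000 > 198.51.100.9.443: Flags [S], seq 1, win 64240, length 0
"""

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def classify_dst(dst: ipaddress.IPv4Address) -> str:
    """Delivery class of a destination: broadcast, multicast or unicast."""
    if dst == LIMITED_BROADCAST:
        return "broadcast"
    return "multicast" if dst.is_multicast else "unicast"


def find_leaks(text: str, vpn_net: str) -> list[tuple[str, str, int, str]]:
    """Return (src, dst, dport, class) for each packet whose source is inside vpn_net.

    Any packet from the VPN client captured in clear on the WAN interface is a leak,
    whatever its destination; the class shows whether it is a broadcast/multicast
    discovery protocol (NetBIOS 137, WS-Discovery 3702, SSDP 1900) or unicast data.
    """
    net = ipaddress.IPv4Network(vpn_net)
    leaks = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue  # ARP, IPv6 or truncated line: not an IPv4 packet we parse
        src, dst = ipaddress.IPv4Address(m[1]), ipaddress.IPv4Address(m[3])
        if src in net:
            leaks.append((str(src), str(dst), int(m[4]), classify_dst(dst)))
    return leaks


if __name__ == "__main__":
    for src, dst, dport, kind in find_leaks(SAMPLE, "10.1.0.0/24"):
        print(f"LEAK {kind:<9} {src} -> {dst}:{dport}")
```

Feed it `tcpdump -n -i <wan>` output; an empty result after the fix confirms that no plaintext packet from the client subnet reaches the WAN interface any more.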

0 Answers