I have a running strongSwan tunnel between 2 gateways like this example. moon can ping sun and vice versa. But alice cannot ping bob.
/etc/firewall.user:
/usr/sbin/iptables -I INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
/usr/sbin/iptables -I FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
/usr/sbin/iptables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
/usr/sbin/iptables -I OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
/usr/sbin/iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
I have no idea what to do.
Edit 1
I am not an iptables expert and the rules of LEDE/OpenWrt are confusing. There are many aliasing rules. The esp rules seem to be good, otherwise the tunnel could not be established, right?
      Client A                                                          Client B
///////////////////        Gateway A                 Gateway B       /////////////////
/                 /    *****************         ***************     /               /
/ 192.168.100.110 /    * 192.168.100.1 *  <=>    * 192.168.1.1 *     / 192.168.1.200 /
/                 /    *****************         ***************     /               /
///////////////////                                                  /////////////////
Client A
root@LEDE:~# ip route list table 220
192.168.1.0/24 dev ipsec0 proto static src 192.168.100.1
Client B
root@Lede:~# ip route list table 220
192.168.100.0/24 dev ipsec0 proto static src 192.168.1.1
Edit 2
I had a look at my rules. And the first hint, allow esp before processing (input/output), is done with
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere policy match dir in pol ipsec proto esp
and
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere policy match dir out pol ipsec proto esp
right? So INPUT and OUTPUT handle esp packets first and ACCEPT.
Now you say my FORWARD rules are always false because dir in/out are ACCEPTED?
I don't know if I need strongswan-mod-kernel-libipsec. As I have read, libipsec should not be used. But NOT loading this plugin causes the tunnel to fail during establishment.
Edit 3
root@LEDE:~# iptables-save -c
# Generated by iptables-save v1.4.21 on Sun Oct 29 07:02:41 2017
*nat
:PREROUTING ACCEPT [6248:527283]
:INPUT ACCEPT [3903:355245]
:OUTPUT ACCEPT [1157:92992]
:POSTROUTING ACCEPT [78:6018]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_vpn_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_vpn_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_vpn_postrouting - [0:0]
:zone_vpn_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[6248:527283] -A PREROUTING -m comment --comment "!fw3: user chain for prerouting" -j prerouting_rule
[5072:419263] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[1176:108020] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_vpn_prerouting
[0:0] -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
[3424:245233] -A POSTROUTING -m comment --comment "!fw3: user chain for postrouting" -j postrouting_rule
[2:674] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[3346:239215] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_vpn_postrouting
[2:674] -A zone_lan_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.100.0/24 -d 192.168.100.1/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: SSH (reflection)" -j SNAT --to-source 192.168.100.1
[0:0] -A zone_lan_postrouting -s 192.168.100.0/24 -d 192.168.100.110/32 -p tcp -m tcp --dport 4000 -m comment --comment "!fw3: Misc (reflection)" -j SNAT --to-source 192.168.100.1
[0:0] -A zone_lan_postrouting -s 192.168.100.0/24 -d 192.168.100.110/32 -p udp -m udp --dport 4000 -m comment --comment "!fw3: Misc (reflection)" -j SNAT --to-source 192.168.100.1
[5072:419263] -A zone_lan_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 192.168.100.0/24 -d 37.49.120.76/32 -p tcp -m tcp --dport 2200 -m comment --comment "!fw3: SSH (reflection)" -j DNAT --to-destination 192.168.100.1:22
[0:0] -A zone_lan_prerouting -s 192.168.100.0/24 -d 37.49.120.76/32 -p tcp -m tcp --dport 8000 -m comment --comment "!fw3: Misc (reflection)" -j DNAT --to-destination 192.168.100.110:4000
[0:0] -A zone_lan_prerouting -s 192.168.100.0/24 -d 37.49.120.76/32 -p udp -m udp --dport 8000 -m comment --comment "!fw3: Misc (reflection)" -j DNAT --to-destination 192.168.100.110:4000
[0:0] -A zone_vpn_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_vpn_rule
[0:0] -A zone_vpn_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_vpn_rule
[0:0] -A zone_vpn_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_vpn_rule
[0:0] -A zone_vpn_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_vpn_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_vpn_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_vpn_rule
[0:0] -A zone_vpn_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_vpn_rule
[0:0] -A zone_vpn_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_vpn_rule
[3346:239215] -A zone_wan_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_wan_rule
[3346:239215] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[1176:108020] -A zone_wan_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_wan_rule
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 2200 -m comment --comment "!fw3: SSH" -j DNAT --to-destination 192.168.100.1:22
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 8000 -m comment --comment "!fw3: Misc" -j DNAT --to-destination 192.168.100.110:4000
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 8000 -m comment --comment "!fw3: Misc" -j DNAT --to-destination 192.168.100.110:4000
COMMIT
# Completed on Sun Oct 29 07:02:41 2017
# Generated by iptables-save v1.4.21 on Sun Oct 29 07:02:41 2017
*mangle
:PREROUTING ACCEPT [83933:59010388]
:INPUT ACCEPT [12107:2416154]
:FORWARD ACCEPT [71817:56593482]
:OUTPUT ACCEPT [8645:669977]
:POSTROUTING ACCEPT [80462:57263459]
[936:56056] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sun Oct 29 07:02:41 2017
# Generated by iptables-save v1.4.21 on Sun Oct 29 07:02:41 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpn_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_vpn_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_vpn_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_vpn_dest_ACCEPT - [0:0]
:zone_vpn_dest_REJECT - [0:0]
:zone_vpn_forward - [0:0]
:zone_vpn_input - [0:0]
:zone_vpn_output - [0:0]
:zone_vpn_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[0:0] -A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
[304:24349] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[11807:2392013] -A INPUT -m comment --comment "!fw3: user chain for input" -j input_rule
[1671:638675] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[955:38932] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[7953:1389086] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[2183:364252] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpn_input
[0:0] -A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
[0:0] -A FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
[71817:56593482] -A FORWARD -m comment --comment "!fw3: user chain for forwarding" -j forwarding_rule
[69392:56423832] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[2425:169650] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpn_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
[304:24349] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[8345:646508] -A OUTPUT -m comment --comment "!fw3: user chain for output" -j output_rule
[7236:557447] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[3:1007] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[1106:88054] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_vpn_output
[1246:50770] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[109:21160] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[955:38932] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[3:1007] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[2425:169650] -A zone_lan_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_lan_rule
[2425:169650] -A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> wan" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> vpn" -j zone_vpn_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[7953:1389086] -A zone_lan_input -m comment --comment "!fw3: user chain for input" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[7953:1389086] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[3:1007] -A zone_lan_output -m comment --comment "!fw3: user chain for output" -j output_lan_rule
[3:1007] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[7953:1389086] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpn_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_vpn_rule
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_vpn_rule
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_vpn_rule
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: forwarding vpn -> wan" -j zone_wan_dest_ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: forwarding vpn -> lan" -j zone_lan_dest_ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: forwarding vpn -> wan" -j zone_wan_dest_ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: forwarding vpn -> lan" -j zone_lan_dest_ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: forwarding vpn -> lan" -j zone_lan_dest_ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: forwarding vpn -> wan" -j zone_wan_dest_ACCEPT
[0:0] -A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
[0:0] -A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
[0:0] -A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_REJECT
[0:0] -A zone_vpn_input -m comment --comment "!fw3: user chain for input" -j input_vpn_rule
[0:0] -A zone_vpn_input -m comment --comment "!fw3: user chain for input" -j input_vpn_rule
[0:0] -A zone_vpn_input -m comment --comment "!fw3: user chain for input" -j input_vpn_rule
[0:0] -A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_ACCEPT
[0:0] -A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_ACCEPT
[0:0] -A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_ACCEPT
[0:0] -A zone_vpn_output -m comment --comment "!fw3: user chain for output" -j output_vpn_rule
[0:0] -A zone_vpn_output -m comment --comment "!fw3: user chain for output" -j output_vpn_rule
[0:0] -A zone_vpn_output -m comment --comment "!fw3: user chain for output" -j output_vpn_rule
[0:0] -A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
[0:0] -A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
[0:0] -A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
[0:0] -A zone_vpn_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[3531:257704] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[2183:364252] -A zone_wan_input -m comment --comment "!fw3: user chain for input" -j input_wan_rule
[820:292000] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[7:230] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -p tcp -m tcp --dport 2200 -m comment --comment "!fw3: SSH" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN-Inbound" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN-Inbound" -j ACCEPT
[0:0] -A zone_wan_input -p tcp -m tcp --dport 8000 -m comment --comment "!fw3: Misc" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 8000 -m comment --comment "!fw3: Misc" -j ACCEPT
[0:0] -A zone_wan_input -p esp -m comment --comment "!fw3: @rule[11]" -j ACCEPT
[1:92] -A zone_wan_input -p udp -m udp --dport 500 -m comment --comment "!fw3: @rule[12]" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 4500 -m comment --comment "!fw3: @rule[13]" -j ACCEPT
[0:0] -A zone_wan_input -p ah -m comment --comment "!fw3: @rule[14]" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[1355:71930] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[1106:88054] -A zone_wan_output -m comment --comment "!fw3: user chain for output" -j output_wan_rule
[1106:88054] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[1355:71930] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sun Oct 29 07:02:41 2017
Edit 4
So all rules are OK so far.
The problem was the kernel-libipsec plugin, which was loaded. In this case the userland IPsec implementation is used (not the kernel's own) and the kernel routing table is not used.
Disabling this module and installing kmod-crypto-gcm for kernel crypto support solved everything.
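As an added diagnostic (not part of the original post), the following Python reads the same two pieces of evidence the question collected, the `iptables-save -c` counters on the `-m policy` rules and the table 220 routes, and reports whether strongSwan is running the userland libipsec path, which is why the policy-match rules never see a packet. The sample inputs are constructed to mirror Edit 1 and Edit 3; the verdict strings are my own naming.

```python
import re
from typing import Dict, List

# Constructed sample in iptables-save -c format, shaped like the Edit 3 dump:
# each rule line starts with [packets:bytes] counters.
SAMPLE_SAVE = """\
*filter
[0:0] -A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
[304:24349] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[0:0] -A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpn_input
[0:0] -A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
[0:0] -A FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
[0:0] -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
COMMIT
"""

# Constructed sample of `ip route list table 220`, as shown in Edit 1.
SAMPLE_TABLE_220 = "192.168.1.0/24 dev ipsec0 proto static src 192.168.100.1\n"

RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+(.*)$")


def policy_rule_counters(save_text: str) -> List[Dict]:
    """Packet counters of every rule that relies on the kernel xfrm policy match."""
    found = []
    for line in save_text.splitlines():
        m = RULE_RE.match(line)
        if m and "-m policy" in m.group(4):
            found.append({"chain": m.group(3), "packets": int(m.group(1)), "rule": m.group(4)})
    return found


def iface_referenced(save_text: str, iface: str) -> bool:
    """True if any rule matches the interface with -i/-o (i.e. fw3 put it in a zone)."""
    return re.search(r"\s-[io]\s+%s(\s|$)" % re.escape(iface), save_text) is not None


def uses_userland_ipsec(table_220: str) -> bool:
    """Kernel IPsec routes table 220 via the real uplink; libipsec routes via its ipsec0 TUN."""
    return any("dev ipsec0" in line for line in table_220.splitlines())


def diagnose(save_text: str, table_220: str) -> str:
    """Combine both observations into one verdict (names are this example's own)."""
    rules = policy_rule_counters(save_text)
    all_idle = bool(rules) and all(r["packets"] == 0 for r in rules)
    if uses_userland_ipsec(table_220):
        # ESP is decrypted in userspace and plaintext re-enters via ipsec0, so
        # `-m policy --pol ipsec` never fires; only interface rules on ipsec0 can allow it.
        return "userland-ipsec" if iface_referenced(save_text, "ipsec0") else "userland-ipsec-unzoned"
    if all_idle:
        return "kernel-ipsec-idle"  # policies present but no traffic has matched them yet
    return "kernel-ipsec-ok"
```

In the Edit 3 dump only br-lan, eth0.2 and tun0 are assigned to fw3 zones, so plaintext leaving libipsec's ipsec0 device falls through FORWARD to the reject chain; the "unzoned" verdict captures exactly that.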