Hello everybody,
I have a working policy-based VPN set up with strongSwan and I wanted to add multicast forwarding to it by means of the forecast plugin. The problem is that when I set mark=%unique in ipsec.conf, multicast traffic is correctly forwarded and I can access my LAN, but the WAN connection no longer works (e.g. I cannot ping 8.8.8.8 from the VPN client).
It's the same problem as in this thread: https://wiki.strongswan.org/issues/3392 (I hope there's no problem with posting the link).
As I understand it, the issue is that after traffic to the external network is SNATed (rather than masqueraded, because I have a static IP), the reply comes back with my public IP address as destination rather than the VPN address, and the iptables rules installed by the forecast plugin do not work.
I have tried to set these rules:
iptables -t mangle -I FORWARD ! -d 10.10.10.0/24 -m policy --dir in --pol ipsec --proto esp -j CONNMARK --save-mark
iptables -t mangle -I PREROUTING -i vlan_ptm0 -j CONNMARK --restore-mark
as suggested in the linked thread (adapted to my configuration), but they do not seem to help.
ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
#
# NOTE(review): strongSwan expects the parameters of a section to be
# indented below their "config"/"conn" line; the indentation appears to
# have been lost when this was pasted, so the layout here is not literal.
config setup
# Only one active IKE_SA per identity; a new session from the same
# identity replaces the old one.
uniqueids=yes
# Level-2 debugging for cfg/dmn/ike/net/knl: helpful while chasing the
# marking problem, but noisy -- drop back to the default once solved.
charondebug="cfg 2, dmn 2, ike 2, net 2, knl 2"
conn "*** VPN"
# Responder only: the connection is loaded but never initiated from here.
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=no
# The _updown script inserts its own iptables rules for each client's
# traffic selectors; these overlap with the manual rules in
# /etc/firewall.user -- presumably intended, but verify they do not conflict.
leftfirewall=yes
mobike=yes
# Dead-peer detection every 300s; a dead client's SA is closed, not
# re-established.
dpdaction=clear
dpddelay=300s
# This side never initiates rekeying; it relies on the client to do so.
rekey=no
left=%any
leftid=dns:Server.***.VPN
leftsendcert=always
leftauth=pubkey
# Full tunnel: every client packet (v4 and v6) is routed through this
# gateway, which is why the WAN SNAT in /etc/firewall.user is needed.
leftsubnet=0.0.0.0/0,::/0
right=%any
# Clients authenticate with certificates inside EAP; any EAP identity the
# client presents is accepted (the certificate still has to verify).
rightauth=eap-tls
eap_identity=%any
# Virtual IP pools handed to clients (the v6 prefix is redacted in the post).
rightsourceip=10.10.10.0/24,****:****:****:****::/64
# DNS pushed to clients -- presumably the router's own LAN addresses,
# reached through the tunnel; this is why INPUT has to accept VPN traffic
# in /etc/firewall.user.
rightdns=192.168.1.254,fd69:beef:cafe:ca5a::1
rightsendcert=yes
# '!' makes the proposals strict.  The ESP proposal carries no DH group,
# so CHILD_SA rekeys do not perform a fresh DH exchange (no PFS); append
# a group (e.g. -modp2048) if that is wanted.
ike=aes256-sha256-modp2048!
esp=aes256-sha256!
# One unique mark per CHILD_SA.  This is what the forecast plugin keys on,
# and it produces the "MARK set 0x1" rules visible in the mangle table.
mark=%unique
/etc/config/firewall
# /etc/config/firewall (OpenWrt fw3)
config defaults
option syn_flood '1'
# Default policy: nothing reaches the router and nothing is forwarded
# unless a zone or rule below allows it.
option input 'DROP'
option output 'ACCEPT'
option forward 'REJECT'
option drop_invalid '1'
# NOTE(review): the VPN pool (10.10.10.0/24) belongs to no zone in this
# file; VPN traffic is handled entirely by /etc/firewall.user, so the zone
# policies below do not apply to VPN clients.
config zone 'lan'
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option mtu_fix '1'
option wan '0'
config zone 'wan'
option name 'wan'
list network 'wan'
list network 'route48'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
# masq_src restricts masquerading to the listed sources ('lan' here; fw3
# normally expects subnets in this list -- confirm it is honoured).  If it
# is, traffic from the VPN pool is not masqueraded by fw3, which is
# presumably why /etc/firewall.user adds an explicit SNAT for it.
option masq '1'
list masq_src 'lan'
option mtu_fix '1'
option wan '1'
config forwarding 'lan_wan'
option src 'lan'
option dest 'wan'
config rule 'Allow_DHCP_Renew_wan'
option name 'Allow-DHCP-Renew-wan'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# 1000/sec is a generous ceiling for echo requests from the WAN; lower it
# if ICMP flood exposure matters.
config rule 'Allow_Ping_wan'
option name 'Allow-Ping-wan'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
option limit '1000/sec'
option family 'ipv4'
option target 'ACCEPT'
config rule 'Allow_ICMPv6_Input'
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule 'Allow_ICMPv6_Forward'
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# /etc/firewall.user is run at start and, with reload '1', on every
# firewall reload; its rules are inserted ahead of the fw3-generated ones.
config include
option path '/etc/firewall.user'
option reload '1'
# NOTE(review): 'defaultrule' is not a section type fw3 is known to
# handle; it is probably ignored (fw3 should warn about it at reload).
config defaultrule 'defaultoutgoing'
option name 'Default action for outgoing NAT'
option src 'lan'
option dest 'wan'
option proto 'all'
option target 'ACCEPT'
# Explicit DROP for SSH from the WAN.  Redundant with the wan zone's
# input 'DROP', but harmless and makes the intent visible.
config rule 'SSH_wan'
option src 'wan'
option name 'SSH_wan'
option target 'DROP'
option proto 'tcp'
option dest_port '22'
option family 'ipv4'
# IPsec from any WAN peer: ESP, IKE (500/udp) and NAT-T (4500/udp).
# No 'family' is set, so each rule applies to both IPv4 and IPv6.
config rule
option name 'IPSec-ESP'
option src 'wan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'IPSec-IKE'
option src 'wan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'IPSec-NAT-T'
option src 'wan'
option dest_port '4500'
option proto 'udp'
option target 'ACCEPT'
# AH is accepted too, but ipsec.conf only negotiates ESP (esp=...), so
# this rule adds exposed surface without a use; it can be removed.
config rule
option name 'IPSec-Auth-Header'
option src 'wan'
option proto 'ah'
option target 'ACCEPT'
/etc/firewall.user
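# Strongswan IPSec VPN
#
# Sourced by fw3 (config include in /etc/config/firewall, reload '1'), so
# it runs at every firewall start/reload.  All rules use `-I`, which
# inserts at the HEAD of a chain: they sit above the fw3-generated rules,
# and within this file a later line ends up above an earlier one.
#
# `-m policy --pol ipsec` matches packets that were decrypted from an
# IPsec SA (--dir in) or will be encrypted into one (--dir out).  Nothing
# further is matched, so every authenticated VPN client gets:
#   INPUT    every service on the router itself (needed for the DNS
#            pushed via rightdns, but it also exposes whatever else
#            listens on the router, e.g. SSH)
#   FORWARD  unrestricted forwarding to LAN and WAN (full tunnel:
#            leftsubnet=0.0.0.0/0,::/0 in ipsec.conf)
# Add -s/-d/--dport matches if VPN clients should be trusted less than
# LAN hosts.
iptables -I INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -I OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
# Same for IPv6.  No ip6tables NAT exists, so the v6 client prefix is
# expected to be routable as-is -- confirm.
ip6tables -I INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
ip6tables -I FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
ip6tables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
ip6tables -I OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT

# Internet access for VPN clients: static WAN address, hence SNAT rather
# than MASQUERADE.  Because of `-I` the resulting nat/POSTROUTING order is
#   1. ACCEPT  anything that is about to be encrypted into an SA
#   2. SNAT    10.10.10.0/24 -> WAN address on vlan_ptm0
# so traffic that goes back into the tunnel (replies to clients, client to
# client) is never rewritten.  The ACCEPT must be inserted LAST to end up
# first; keep these two lines in this order.
iptables -t nat -I POSTROUTING -s 10.10.10.0/24 -o vlan_ptm0 -j SNAT --to ***ROUTER_WAN_IP***
iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
# A narrower ACCEPT (-s 10.10.10.0/24 -o vlan_ptm0 -m policy --dir out
# --pol ipsec) used to be inserted before the two rules above.  It landed
# below the generic ACCEPT, which matches a superset of it, so it could
# never fire; it has been removed.

# Fix me for multicast over VPN -- see wiki.strongswan.org/issues/3392.
# Replies to SNATed client traffic come back from the WAN addressed to the
# router's public IP, so they never carry the per-SA mark (mark=%unique)
# set by the MARK rules seen in the mangle table (presumably installed by
# the forecast plugin).  The suggested workaround: save the mark on the
# way out, restore it on the way back in.
# iptables -t mangle -I FORWARD ! -d 10.10.10.0/24 -m policy --dir in --pol ipsec --proto esp -j CONNMARK --save-mark
# iptables -t mangle -I PREROUTING -i vlan_ptm0 -j CONNMARK --restore-mark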
iptables -t mangle --list (VPN client connected)
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
MARK all -- anywhere 10.10.10.1 MARK set 0x1
MARK udp -- ***CLIENT_WAN_IP*** ***ROUTER_WAN_IP*** udp spt:63591 dpt:4500 MARK set 0x1
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN /* !fw3: lan (mtu_fix) */ TCPMSS clamp to PMTU
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN /* !fw3: wan (mtu_fix) */ TCPMSS clamp to PMTU
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
MARK all -- anywhere 10.10.10.1 MARK set 0x1
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Does anybody have any idea?