Strongswan problem (used to work for client NAT to the Internet, no longer does)

Karl Denninger karl at denninger.net
Sun Mar 23 05:01:27 UTC 2014


On 3/22/2014 5:44 PM, Karl Denninger wrote:
> FreeBSD-STABLE 10 r263037M
>
> Configuration has outside IPSEC connections coming in to Strongswan 
> which should then be able to NAT back out to the Internet.  The 
> premise here is that "roaming" people may connect to this box and 
> obtain both access to "inside" resources and outside Internet access, 
> since the client points default at the IPSEC'd connection.
>
> This used to work on 9.1, but I am uncertain whether it has since.
>
> It does NOT under 10.0.
>
> [root at Gateway /disk/karl]# ipsec status
> Security Associations (1 up, 0 connecting):
>         XX[3]: ESTABLISHED 5 minutes ago, x.x.x.x[C=US, ST=xx, O=xxx, 
> CN=the.dom.ain, E=xxxxx]...172.56.20.235[xxxxx]
>         BB10{3}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c90f5d36_i 
> 4160832e_o
>         BB10{3}:   0.0.0.0/0 === 192.168.2.1/32
> [root at Gateway /disk/karl]#
>
> Ok, so theoretically there's a default route from the device, which is 
> fine.  And the device (on 192.168.2.1, which was dynamically assigned 
> from a pool) can see anything internal on this external box (x.x.x.x).  
> I can successfully mount a samba share, for example, on a server that 
> is inside the firewall and I can also see the DNS resolver on the 
> gateway.
>
> However, let's now try to go out to an external location via an IP 
> address.  We'll watch it using TCPDUMP on em1, the interface that the 
> packets are going to be emitted from toward the Internet:
>
> [root at NewFS /disk/karl]# tcpdump -i em1 host 173.245.6.228
>
>
> 17:07:06.524487 IP 192.168.2.1.14927 > 173.245.6.228.http: Flags [S], 
> seq 150879940, win 65535, options [mss 1188,nop,wscale 
> 6,sackOK,nop,nop,nop,nop,TS val 778723856 ecr 0], length 0
> 17:07:19.741732 IP 192.168.2.1.16697 > 173.245.6.228.http: Flags [S], 
> seq 2513053141, win 65535, options [mss 1188,nop,wscale 
> 6,sackOK,nop,nop,nop,nop,TS val 778723883 ecr 0], length 0
> 17:07:20.797330 IP 192.168.2.1.16697 > 173.245.6.228.http: Flags [S], 
> seq 2513053141, win 65535, options [mss 1188,nop,wscale 
> 6,sackOK,nop,nop,nop,nop,TS val 778723884 ecr 0], length 0
> 17:07:22.706839 IP 192.168.2.1.16697 > 173.245.6.228.http: Flags [S], 
> seq 2513053141, win 65535, options [mss 1188,nop,wscale 
> 6,sackOK,nop,nop,nop,nop,TS val 778723888 ecr 0], length 0
>
> Ehhh...... that's no good.  natd never gets the packets and never 
> translates them; it sure looks like we're trying to blow a private IP 
> number out the wire despite:
>
> 01700 divert 8668 ip4 from any to any via em1
> 01710 divert 8668 ip4 from 192.168.2.0/24 to any via em1
>
> and ahead of that (to prevent exactly this sort of thing)
>
> 01120 deny log ip from any to 192.168.0.0/16 via em1 not ipsec
>
> Which by the way does NOT log anything.
>
>
> net.inet.ip.fw.one_pass: 0
> net.inet.ip.fw.autoinc_step: 100
> net.inet.ip.fw.verbose: 1
> net.inet.ip.fw.verbose_limit: 0
> net.inet.ip.fw.default_rule: 65535
> net.inet.ip.fw.tables_max: 128
> net.inet.ip.fw.default_to_accept: 0
> net.inet.ip.fw.static_count: 108
> net.inet.ip.fw.enable: 1
> net.inet.ip.fw.dyn_buckets: 256
> net.inet.ip.fw.curr_dyn_buckets: 256
> net.inet.ip.fw.dyn_count: 3
> net.inet.ip.fw.dyn_max: 4096
> net.inet.ip.fw.dyn_ack_lifetime: 300
> net.inet.ip.fw.dyn_syn_lifetime: 20
> net.inet.ip.fw.dyn_fin_lifetime: 1
> net.inet.ip.fw.dyn_rst_lifetime: 1
> net.inet.ip.fw.dyn_udp_lifetime: 10
> net.inet.ip.fw.dyn_short_lifetime: 5
> net.inet.ip.fw.dyn_keepalive: 1
>
> one_pass is off.
>
> And there is nothing being blocked either; all the "deny" entries have 
> "log" on them and there's nothing showing up in the logfile (there's 
> plenty of random people trying to port scan me that ARE showing up, 
> however, so I know the log is working properly.)
>
> It *looks* like anything coming in through IPSEC and being decoded in 
> there never goes through the ipfw chain at all.....
>
This may be addressed by PR185876.... checking.

-- 
-- Karl
karl at denninger.net
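The symptom in the post is a private pool address (192.168.2.1) appearing as the source of SYNs on the external interface, i.e. traffic that should have been diverted to natd leaving the box untranslated. The following is an added example, not code from the post or from the FreeBSD/strongSwan projects: a small Python checker that reads tcpdump output of the shape shown above and flags any packet whose source is an RFC 1918 address, which is exactly what a capture on the outside interface should never contain. The sample capture is constructed from the post's lines plus one correctly translated packet for contrast; the 203.0.113.10 address is a documentation-range placeholder.

```python
import ipaddress
import re

# Constructed sample in the form tcpdump prints on FreeBSD:
# two untranslated SYNs from the VPN pool (as in the post) and one
# packet whose source has been rewritten to a public address.
SAMPLE_TCPDUMP = """\
17:07:06.524487 IP 192.168.2.1.14927 > 173.245.6.228.http: Flags [S], seq 150879940, win 65535, length 0
17:07:19.741732 IP 192.168.2.1.16697 > 173.245.6.228.http: Flags [S], seq 2513053141, win 65535, length 0
17:07:25.000000 IP 203.0.113.10.51000 > 173.245.6.228.http: Flags [S], seq 1, win 65535, length 0
"""

# The ranges the post's ipfw rule 01120 is guarding against, plus the
# other two RFC 1918 blocks for completeness.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# "<timestamp> IP <src.port> > <dst.port>: ..." (IP6 for IPv6 lines)
LINE_RE = re.compile(r"^(?P<ts>\S+) IP6? (?P<src>\S+) > (?P<dst>\S+):")


def split_host_port(token):
    """Split tcpdump's 'host.port' token; the port may be a service name."""
    host, _, port = token.rpartition(".")
    return host, port


def is_rfc1918(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def find_private_egress(capture_text):
    """Return (timestamp, src_host, src_port, dst) for every packet whose
    source is an RFC 1918 address. On the outside interface any hit means
    the packet bypassed NAT, the failure mode described in the post."""
    leaks = []
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines such as "options [...]" are skipped
        src_host, src_port = split_host_port(m.group("src"))
        if is_rfc1918(src_host):
            leaks.append((m.group("ts"), src_host, src_port, m.group("dst")))
    return leaks


if __name__ == "__main__":
    # Typical use: tcpdump -n -i em1 -l | python3 this_script.py
    # Here it runs on the constructed sample instead.
    for ts, src, port, dst in find_private_egress(SAMPLE_TCPDUMP):
        print(f"{ts} untranslated source {src}:{port} -> {dst}")
```

Running tcpdump with `-n` keeps the addresses numeric so the regex sees them as written; with name resolution on, the source token would be a hostname and the check would silently pass it. The check is deliberately on the source address only: an RFC 1918 destination on the outside interface is the other half of the same problem, but that is what the author's `deny log ... to 192.168.0.0/16 via em1 not ipsec` rule already covers.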

