Masquerading clients while trying to send traffic over ipsec tunnel

Greetings -

I have a Raspberry Pi running OpenIKED whose clients I'm both trying to
masquerade, as well as allow traffic to flow across the ipsec tunnel for
access to resources behind that tunnel. The raspi has two interfaces,
wlan0 (WAN interface with a dynamic address) and eth0 for its clients.

When iked is running without masquerading, I can establish TCP sessions with
remote devices on the far side of the tunnel, but clients behind the rpi
device obviously can't get anywhere else. When enabling masquerading with
`iptables -A POSTROUTING -o wlan0 -j MASQUERADE`, all traffic from LAN
clients works over wlan0, but the ipsec traffic drops (logs below).

Traffic originating from the far end of the tunnel (10.88.0.0/22) to
eth0 on the raspi (10.88.12.1) works both with, and without, masquerading 
enabled.

My question is: at what stage do I need an entry to send traffic from
both the raspi device, and its clients, over the tunnel?

Many thanks in advance for any assistance.


iptables output of existing policies
------------------------------------

raspi# iptables-save
# Generated by iptables-save v1.8.9 (nf_tables) on Tue Oct 24 17:56:29 2023
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.88.12.0/24 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.92/32 -i wlan0 -p esp -j ACCEPT
-A INPUT -s 203.0.113.92/32 -i wlan0 -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A INPUT -s 203.0.113.92/32 -i wlan0 -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT
-A INPUT -m state --state INVALID -j LOG --log-prefix "INVALID Input: "
-A INPUT -m state --state INVALID -j DROP
-A INPUT -j LOG --log-prefix "filtered on INPUT "
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j LOG --log-prefix "INVALID Forward: "
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -j LOG --log-prefix "filtered on FORWARD "
-A FORWARD -s 10.88.0.0/22 -i wlan0 -j ACCEPT
-A FORWARD -d 10.88.0.0/22 -o wlan0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 10.88.12.0/24 -o eth0 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 203.0.113.92/32 -o wlan0 -p esp -j ACCEPT
-A OUTPUT -d 203.0.113.92/32 -o wlan0 -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -d 203.0.113.92/32 -o wlan0 -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state INVALID -j LOG --log-prefix "INVALID Output: "
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -j LOG --log-prefix "filtered on OUTPUT "
COMMIT
# Completed on Tue Oct 24 17:56:29 2023
# Generated by iptables-save v1.8.9 (nf_tables) on Tue Oct 24 17:56:29 2023
*nat
:PREROUTING ACCEPT [190:39368]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [20:1514]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
# Completed on Tue Oct 24 17:56:29 2023


Network interfaces
------------------
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.88.12.1  netmask 255.255.255.128  broadcast 10.88.12.127
        ether b8:27:eb:AA:AA:AA  txqueuelen 1000  (Ethernet)

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.88.87.244  netmask 255.255.255.0  broadcast 10.88.87.255
        ether b8:27:eb:BB:BB:BB  txqueuelen 1000  (Ethernet)


sysctl entries
--------------
net.ipv4.ip_forward=1
net.ipv4.conf.all.log_martians = 1
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.eth0.route_localnet=1
net.ipv4.conf.wlan0.route_localnet=1


Logs generated when trying to ping from 10.88.12.33 to 10.88.2.1
----------------------------------------------------------------
Oct 24 17:53:17 raspi kernel: [ 2378.215277] filtered on FORWARD IN=eth0 OUT=wlan0 MAC=b8:27:eb:AA:AA:AA:00:e0:4c:XX:XX:XX:08:00:45:00:00:54:7c:14:00:00:3f:01:dc:c3 SRC=10.88.12.33 DST=10.88.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=31764 PROTO=ICMP TYPE=8 CODE=0 ID=39742 SEQ=53 
Oct 24 17:53:18 raspi kernel: [ 2379.215437] filtered on FORWARD IN=eth0 OUT=wlan0 MAC=b8:27:eb:AA:AA:AA:00:e0:4c:XX:XX:XX:08:00:45:00:00:54:0d:70:00:00:3f:01:4b:68 SRC=10.88.12.33 DST=10.88.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=3440 PROTO=ICMP TYPE=8 CODE=0 ID=39742 SEQ=54 
Oct 24 17:53:19 raspi kernel: [ 2380.216018] filtered on FORWARD IN=eth0 OUT=wlan0 MAC=b8:27:eb:AA:AA:AA:00:e0:4c:XX:XX:XX:08:00:45:00:00:54:12:01:00:00:3f:01:46:d7 SRC=10.88.12.33 DST=10.88.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4609 PROTO=ICMP TYPE=8 CODE=0 ID=39742 SEQ=55 
Oct 24 17:53:20 raspi kernel: [ 2381.221037] filtered on FORWARD IN=eth0 OUT=wlan0 MAC=b8:27:eb:AA:AA:AA:00:e0:4c:XX:XX:XX:08:00:45:00:00:54:20:f6:00:00:3f:01:37:e2 SRC=10.88.12.33 DST=10.88.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=8438 PROTO=ICMP TYPE=8 CODE=0 ID=39742 SEQ=56 
Oct 24 17:53:21 raspi kernel: [ 2382.224893] filtered on FORWARD IN=eth0 OUT=wlan0 MAC=b8:27:eb:AA:AA:AA:00:e0:4c:XX:XX:XX:08:00:45:00:00:54:69:3f:00:00:3f:01:ef:98 SRC=10.88.12.33 DST=10.88.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=26943 PROTO=ICMP TYPE=8 CODE=0 ID=39742 SEQ=57 
Oct 24 17:53:22 raspi kernel: [ 2383.229580] filtered on FORWARD IN=eth0 OUT=wlan0 MAC=b8:27:eb:AA:AA:AA:00:e0:4c:XX:XX:XX:08:00:45:00:00:54:93:4e:00:00:3f:01:c5:89 SRC=10.88.12.33 DST=10.88.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=37710 PROTO=ICMP TYPE=8 CODE=0 ID=39742 SEQ=58 
Oct 24 17:53:23 raspi kernel: [ 2384.206943] filtered on OUTPUT IN= OUT=wlan0 SRC=172.20.10.7 DST=193.187.181.6 LEN=76 TOS=0x18 PREC=0xA0 TTL=64 ID=58576 DF PROTO=UDP SPT=123 DPT=123 LEN=56 
Oct 24 17:53:23 raspi kernel: [ 2384.231952] filtered on FORWARD IN=eth0 OUT=wlan0 MAC=b8:27:eb:AA:AA:AA:00:e0:4c:XX:XX:XX:08:00:45:00:00:54:ed:bb:00:00:3f:01:6b:1c SRC=10.88.12.33 DST=10.88.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=60859 PROTO=ICMP TYPE=8 CODE=0 ID=39742 SEQ=59 
Oct 24 17:53:24 raspi kernel: [ 2385.236071] filtered on FORWARD IN=eth0 OUT=wlan0 MAC=b8:27:eb:AA:AA:AA:00:e0:4c:XX:XX:XX:08:00:45:00:00:54:f5:56:00:00:3f:01:63:81 SRC=10.88.12.33 DST=10.88.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=62806 PROTO=ICMP TYPE=8 CODE=0 ID=39742 SEQ=60 
Oct 24 17:53:25 raspi kernel: [ 2386.239202] filtered on FORWARD IN=eth0 OUT=wlan0 MAC=b8:27:eb:AA:AA:AA:00:e0:4c:XX:XX:XX:08:00:45:00:00:54:68:27:00:00:3f:01:f0:b0 SRC=10.88.12.33 DST=10.88.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=26663 PROTO=ICMP TYPE=8 CODE=0 ID=39742 SEQ=61 
^C


OpenIKED Security Associations
------------------------------
raspi# ikectl show sa
iked_sas: 0x521cd0 rspi 0xfc372dd59a6a7135 ispi 0xe807599ca44293b8 10.88.87.244:500->203.0.113.92:500<FQDN/openbsd-server.example.com>[] ESTABLISHED i nexti (nil) pol 0x522dc0
  sa_childsas: 0x544fa8 ESP 0x25dbb484 out 10.88.87.244:500 -> 203.0.113.92:500 (L) B=(nil) P=0x545d10 @0x521cd0
  sa_childsas: 0x545d10 ESP 0xa8c1ee0a in 203.0.113.92:500 -> 10.88.87.244:500 (LA) B=(nil) P=0x544fa8 @0x521cd0
  sa_flows: 0x54a0c8 ESP out 10.88.0.0/22 -> 10.88.12.0/25 [0]@-1 (L) @0x521cd0
  sa_flows: 0x549ce8 ESP out 10.88.12.0/25 -> 10.88.0.0/22 [0]@-1 (L) @0x521cd0
  sa_flows: 0x549ed8 ESP in 10.88.0.0/22 -> 10.88.12.0/25 [0]@-1 (L) @0x521cd0
  sa_flows: 0x54a698 ESP out 10.88.0.0/22 -> 10.88.12.128/25 [0]@-1 (L) @0x521cd0
  sa_flows: 0x54a2b8 ESP out 10.88.12.128/25 -> 10.88.0.0/22 [0]@-1 (L) @0x521cd0
  sa_flows: 0x54a4a8 ESP in 10.88.0.0/22 -> 10.88.12.128/25 [0]@-1 (L) @0x521cd0
  sa_flows: 0x54ad68 ESP out 203.0.113.92/32 -> 10.88.12.0/25 [0]@-1 (L) @0x521cd0
  sa_flows: 0x54a888 ESP out 10.88.12.0/25 -> 203.0.113.92/32 [0]@-1 (L) @0x521cd0
  sa_flows: 0x54aa78 ESP in 203.0.113.92/32 -> 10.88.12.0/25 [0]@-1 (L) @0x521cd0
  sa_flows: 0x54b338 ESP out 203.0.113.92/32 -> 10.88.12.128/25 [0]@-1 (L) @0x521cd0
  sa_flows: 0x54af58 ESP out 10.88.12.128/25 -> 203.0.113.92/32 [0]@-1 (L) @0x521cd0
  sa_flows: 0x54b148 ESP in 203.0.113.92/32 -> 10.88.12.128/25 [0]@-1 (L) @0x521cd0
iked_activesas: 0x544fa8 ESP 0x25dbb484 out 10.88.87.244:500 -> 203.0.113.92:500 (L) B=(nil) P=0x545d10 @0x521cd0
iked_activesas: 0x545d10 ESP 0xa8c1ee0a in 203.0.113.92:500 -> 10.88.87.244:500 (LA) B=(nil) P=0x544fa8 @0x521cd0
iked_flows: 0x549ed8 ESP in 10.88.0.0/22 -> 10.88.12.0/25 [0]@-1 (L) @0x521cd0
iked_flows: 0x54aa78 ESP in 203.0.113.92/32 -> 10.88.12.0/25 [0]@-1 (L) @0x521cd0
iked_flows: 0x54a4a8 ESP in 10.88.0.0/22 -> 10.88.12.128/25 [0]@-1 (L) @0x521cd0
iked_flows: 0x54b148 ESP in 203.0.113.92/32 -> 10.88.12.128/25 [0]@-1 (L) @0x521cd0
iked_flows: 0x549ce8 ESP out 10.88.12.0/25 -> 10.88.0.0/22 [0]@-1 (L) @0x521cd0
iked_flows: 0x54a2b8 ESP out 10.88.12.128/25 -> 10.88.0.0/22 [0]@-1 (L) @0x521cd0
iked_flows: 0x54a888 ESP out 10.88.12.0/25 -> 203.0.113.92/32 [0]@-1 (L) @0x521cd0
iked_flows: 0x54af58 ESP out 10.88.12.128/25 -> 203.0.113.92/32 [0]@-1 (L) @0x521cd0
iked_flows: 0x54a0c8 ESP out 10.88.0.0/22 -> 10.88.12.0/25 [0]@-1 (L) @0x521cd0
iked_flows: 0x54ad68 ESP out 203.0.113.92/32 -> 10.88.12.0/25 [0]@-1 (L) @0x521cd0
iked_flows: 0x54a698 ESP out 10.88.0.0/22 -> 10.88.12.128/25 [0]@-1 (L) @0x521cd0
iked_flows: 0x54b338 ESP out 203.0.113.92/32 -> 10.88.12.128/25 [0]@-1 (L) @0x521cd0
iked_dstid_sas: 0x521cd0 rspi 0xfc372dd59a6a7135 ispi 0xe807599ca44293b8 10.88.87.244:500->203.0.113.92:500<FQDN/openbsd-server.example.com>[] ESTABLISHED i nexti (nil) pol 0x522dc0
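One way to keep the tunnel selectors intact while still masquerading everything else, as an added example that is not part of the original post: the nat POSTROUTING rule set exempts packets the kernel has already matched to an IPsec output policy before the MASQUERADE rule is reached, and check_nat_order reads an iptables-save dump to flag a nat table that masquerades tunnel traffic. The wlan0 interface and the 10.88.12.0/25 -> 10.88.0.0/22 flow are taken from the post; the IPT dry-run variable, the function names and the sample dumps are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: WAN interface wlan0
# and the tunnel selectors come from the post; IPT defaults to a dry run that
# prints the commands, set IPT=iptables to apply them on the router.
IPT=${IPT:-echo iptables}
WAN=wlan0

# nat POSTROUTING in the order that keeps tunnel traffic unmasqueraded: the
# policy match fires for packets the kernel has already matched to an IPsec
# output policy (here the iked flow 10.88.12.0/25 -> 10.88.0.0/22), so they
# leave with their 10.88.12.x source and still match the SA; everything else
# bound for wlan0 is masqueraded as before.
nat_rules() {
    $IPT -t nat -F POSTROUTING
    $IPT -t nat -A POSTROUTING -o "$WAN" -m policy --dir out --pol ipsec -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Reads iptables-save text on stdin; returns 0 when nat POSTROUTING has an
# IPsec exemption before any MASQUERADE rule, 1 otherwise.
check_nat_order() {
    awk '
        /^\*nat/  { innat = 1 }
        /^COMMIT/ { innat = 0 }
        innat && /^-A POSTROUTING/ {
            if ($0 ~ /-j MASQUERADE/) masq = 1
            if ($0 ~ /--pol ipsec/ && $0 ~ /-j ACCEPT/ && !masq) ok = 1
        }
        END { exit (ok ? 0 : 1) }
    '
}

# Constructed samples: the nat table as posted, and the corrected order.
POSTED_NAT='*nat
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT'
FIXED_NAT='*nat
-A POSTROUTING -o wlan0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT'

if [ "${1:-}" = "check" ]; then
    printf '%s\n' "$POSTED_NAT" | check_nat_order && echo posted:ok || echo posted:masquerades-tunnel
    printf '%s\n' "$FIXED_NAT" | check_nat_order && echo fixed:ok || echo fixed:bad
else
    nat_rules
fi
```

Run it with no argument to print the rules (or apply them with IPT=iptables), and with `check` to evaluate the two sample dumps; pipe a live `iptables-save` into check_nat_order to test the router's own table.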