Hi All-

So I have a need to direct all web traffic through an IPSEC Tunnel to a Squid Proxy server on the other end of the tunnel. Sounds complicated, but the concept is really easy; however, I am having issues. So let me gather as much info as I can:

*Location 1 Subnet:* 192.168.1.0/24
*Location 1 Router 1:* Netgear WNR2000v3 running Firmware: DD-WRT v24-sp2 (02/09/12) std
*Location 1 Router 2:* TPLink TL-R600VPN - VPN Router Housing the IPSEC Tunnel
*Location 2 Subnet:* 192.168.100.0/24
*Location 2 Router 1:* Linksys WRT310Nv2 running Firmware: DD-WRT v24-sp2 (08/12/10) std-nokaid-small
*Location 2 Router 2:* TPLink TL-R600VPN - VPN Router Housing the IPSEC Tunnel

Location 1's proxy server is housed on VMware Workstation Version 10 with CentOS 6.4 Minimal with squid proxy installed.

*Description of Issue*

So when I enter the proxy server info in System proxy and open a webpage, the page sits there until it times out. It never displays anything. I can see that the proxy server is interpreting the request, but the client at Location 2 going to Location 1's proxy server is unable to browse the internet. Now the funny thing is, as a test I created the same proxy on Location 2's side, and Location 1 can browse the internet fine; I can tell from whatismyip.com as well as from logs that everything is fine. I checked all required firewalls (iptables) and squid configs. I even tried turning off iptables on the router as well as on the proxy server and included "http_access allow all" with no success. Why does it work in one direction and not the other? I have no idea. I validated every hop's config and they are all identical in their firewall settings and squid proxy settings. Any help would be greatly appreciated!
Showing configs below:

Here's the squid Config:

acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1 192.168.2.0/24 192.168.100.0/24 192.168.1.0/24
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 80
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

Here are some logs to show the request is hitting the squid server:

&user_id=150566193&nid=2&ts=1389816137 - NONE/- text/html
1389816227.699 58 192.168.100.73 TCP_MISS/200 360 GET http://notify4.dropbox.com/subscribe? - DIRECT/108.160.162.51 text/plain
1389816279.774 0 192.168.100.73 TCP_MEM_HIT/301 736 GET http://google.com/ - NONE/- text/html
1389816279.934 136 192.168.100.73 TCP_MISS/302 1186 GET http://www.google.com/ - DIRECT/74.125.239.17 text/html
1389816285.846 5857 192.168.100.73 TCP_MISS/200 3539 CONNECT www.google.com:443 - DIRECT/74.125.239.17 -
1389816288.123 0 192.168.100.73 TCP_MEM_HIT/301 736 GET http://google.com/ - NONE/- text/html
1389816288.207 42 192.168.100.73 TCP_MISS/302 1186 GET http://www.google.com/ - DIRECT/74.125.239.17 text/html
1389816294.935 6671 192.168.100.73 TCP_MISS/200 3539 CONNECT www.google.com:443 - DIRECT/74.125.239.17 -
1389816378.040 60130 192.168.100.73 TCP_MISS/200 3828 CONNECT client-lb.dropbox.com:443 - DIRECT/108.160.165.83 -
1389816387.059 60128 192.168.100.73 TCP_MISS/200 4242 CONNECT d.dropbox.com:443 - DIRECT/108.160.165.189 -
1389816408.033 180281 192.168.100.73 TCP_MISS/200 3828 CONNECT client-lb.dropbox.com:443 - DIRECT/108.160.166.9 -
1389816422.068 0 192.168.100.73 NONE/400 3874 GET /subscribe?host_int=819546594&ns_map=241516770_170677946892514,261374389_5265891279285,241514999_1122846426610167&user_id=150566193&nid=2&ts=1389816421 - NONE/- text/html

*IPTables on squid server:*

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.100.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A INPUT -s 192.168.100.0/24 -j ACCEPT
-A FORWARD -s 192.168.100.0/24 -i eth0 -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -i eth0 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Issue-with-Web-Traffic-through-IPSEC-Tunnel-to-a-Squid-Proxy-tp4664319.html
Sent from the Squid - Users mailing list archive at Nabble.com.
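The access.log excerpt in the post is in Squid's native log format (timestamp, elapsed milliseconds, client, result/status, bytes, method, URL, ident, hierarchy/peer, MIME type). As an added example that is not part of the original post or of Squid itself, here is a small Python parser for that format run over exactly the lines quoted above, embedded as constructed sample input; the 30-second "slow" threshold and the function names are my own assumptions. It pulls out what a troubleshooter would want from such a log when a browser "sits there until it times out": the three CONNECT tunnels that ended after roughly 60 s and 180 s, and the one GET whose URL is a bare path, which Squid answered with 400 without fetching anything (hierarchy NONE/-), i.e. a request that reached the proxy port in the form a client sends to a web server rather than to a proxy.

```python
"""Parse Squid native-format access.log lines and flag entries worth a look.

Added example, not code from the original post or from the Squid project.
The sample lines are the access.log excerpt quoted in the post; the slow
threshold below is an assumption chosen for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the access.log excerpt from the post, one entry per line.
SAMPLE_LOG = """\
1389816227.699 58 192.168.100.73 TCP_MISS/200 360 GET http://notify4.dropbox.com/subscribe? - DIRECT/108.160.162.51 text/plain
1389816279.774 0 192.168.100.73 TCP_MEM_HIT/301 736 GET http://google.com/ - NONE/- text/html
1389816279.934 136 192.168.100.73 TCP_MISS/302 1186 GET http://www.google.com/ - DIRECT/74.125.239.17 text/html
1389816285.846 5857 192.168.100.73 TCP_MISS/200 3539 CONNECT www.google.com:443 - DIRECT/74.125.239.17 -
1389816288.123 0 192.168.100.73 TCP_MEM_HIT/301 736 GET http://google.com/ - NONE/- text/html
1389816288.207 42 192.168.100.73 TCP_MISS/302 1186 GET http://www.google.com/ - DIRECT/74.125.239.17 text/html
1389816294.935 6671 192.168.100.73 TCP_MISS/200 3539 CONNECT www.google.com:443 - DIRECT/74.125.239.17 -
1389816378.040 60130 192.168.100.73 TCP_MISS/200 3828 CONNECT client-lb.dropbox.com:443 - DIRECT/108.160.165.83 -
1389816387.059 60128 192.168.100.73 TCP_MISS/200 4242 CONNECT d.dropbox.com:443 - DIRECT/108.160.165.189 -
1389816408.033 180281 192.168.100.73 TCP_MISS/200 3828 CONNECT client-lb.dropbox.com:443 - DIRECT/108.160.166.9 -
1389816422.068 0 192.168.100.73 NONE/400 3874 GET /subscribe?host_int=819546594&ns_map=241516770_170677946892514,261374389_5265891279285,241514999_1122846426610167&user_id=150566193&nid=2&ts=1389816421 - NONE/- text/html
"""


@dataclass
class Entry:
    timestamp: float   # seconds since the epoch, with milliseconds
    duration_ms: int   # time Squid spent on the transaction
    client: str        # client IP address
    result: str        # Squid result code, e.g. TCP_MISS
    status: int        # HTTP status returned to the client
    size: int          # bytes sent to the client
    method: str
    url: str
    hierarchy: str     # e.g. DIRECT/74.125.239.17, or NONE/- if nothing was fetched
    mime: str


def parse_line(line: str) -> Entry:
    """Split one native-format line into its ten whitespace-separated fields."""
    fields = line.split()
    if len(fields) != 10:
        raise ValueError(f"expected 10 fields, got {len(fields)}: {line!r}")
    ts, dur, client, result_status, size, method, url, _ident, hier, mime = fields
    result, status = result_status.split("/", 1)
    return Entry(float(ts), int(dur), client, result, int(status), int(size),
                 method, url, hier, mime)


def parse_log(text: str) -> List[Entry]:
    """Parse every non-blank line; a truncated line raises ValueError."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def slow_entries(entries: List[Entry], threshold_ms: int = 30000) -> List[Entry]:
    """Transactions that took at least threshold_ms (assumed threshold).

    A CONNECT that ends at almost exactly 60 s or 180 s is more likely a
    timeout than a normal tunnel close; correlate it with a packet capture."""
    return [e for e in entries if e.duration_ms >= threshold_ms]


def origin_form_requests(entries: List[Entry]) -> List[Entry]:
    """Requests whose URL is a bare path (no scheme, and not a CONNECT host:port).

    That is the request form a client sends to a web server, not to a proxy.
    On a forward-proxy port Squid has no origin to contact, so it answers
    with an error itself; the hierarchy field stays NONE/-."""
    return [e for e in entries if e.method != "CONNECT" and e.url.startswith("/")]


def summarize(entries: List[Entry]) -> Dict[str, object]:
    """Counts a troubleshooter checks first: who is talking, what Squid did."""
    return {
        "clients": Counter(e.client for e in entries),
        "results": Counter(e.result for e in entries),
        "direct_fetches": sum(1 for e in entries if e.hierarchy.startswith("DIRECT/")),
        "errors": sum(1 for e in entries if e.status >= 400),
    }


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(summarize(entries))
    for e in slow_entries(entries):
        print(f"slow: {e.duration_ms} ms {e.method} {e.url} via {e.hierarchy}")
    for e in origin_form_requests(entries):
        print(f"origin-form request answered {e.status}: {e.method} {e.url}")
```

To run it against a live proxy, replace `SAMPLE_LOG` with the contents of `/var/spool/squid`'s sibling log directory file (`access.log`) or pipe `tail -f` output through `parse_line`; the ten-field split only holds for the native format, so a custom `logformat` needs its own field list.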