Discussion:
[strongSwan] Routing
Christian Salway
2018-07-26 18:45:54 UTC
I'm having trouble getting routing to work.

I have the following setup

10.0.0.0/22 (clients) >> 35.178.182.221 (aws elastic ip) >> | 172.31.0.17 (eth0) > 172.31.92.251 (eth1) | >> 10.0.0.0/20 (remote network)


$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.31.0.1      0.0.0.0         UG    0      0        0 eth0
172.31.0.0      0.0.0.0         255.255.240.0   U     0      0        0 eth0
172.31.80.0     0.0.0.0         255.255.240.0   U     0      0        0 eth1


If I add the following route manually, it allows me to connect from the server, but I can't get clients to route through.

route add -net 10.0.0.0/20 gateway 172.31.80.1 eth1

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.31.0.1      0.0.0.0         UG    0      0        0 eth0
10.0.0.0        172.31.80.1     255.255.240.0   UG    0      0        0 eth1
172.31.0.0      0.0.0.0         255.255.240.0   U     0      0        0 eth0
172.31.80.0     0.0.0.0         255.255.240.0   U     0      0        0 eth1

What am I missing?
Jafar Al-Gharaibeh
2018-07-26 22:00:26 UTC
Chris,

   Your server is connected to two subnets; one of them has the default
gateway through eth0 (in the direction of your clients). When you add a
new route for 10.0.0.0/20 through eth1, then all 10.0.0.0/20 traffic is
going to go through that interface, including 10.0.0.0/22, since the
latter is a subset of the former. You still have a default gateway
through eth0, but the route you add is going to be selected for
10.0.0.0/22 since it is more specific (preferred by the kernel) than the
default route. You either narrow down the route you add or just add a
new route to force 10.0.0.0/22 to still go through eth0. Using iproute2
commands, here is what I'd do:


ip route add 10.0.0.0/22 dev eth0 via 172.31.0.1

ip route add 10.0.0.0/20 dev eth1 via 172.31.80.1


--Jafar
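Added example, not code from the thread: the longest-prefix-match selection Jafar describes, run over the routing tables from the first post. `lookup`, `egress_dev` and the route tuples are my construction; the addresses are the ones the poster listed.

```python
# Longest-prefix-match route selection, as the Linux kernel does it, over
# the routing tables shown in the first post. Illustrates why a 10.0.0.0/20
# route via eth1 also captures the 10.0.0.0/22 client range.
import ipaddress

def lookup(routes, dst):
    """Return the (prefix, dev, via) entry the kernel would pick for dst.
    The matching route with the longest prefix wins; the default route
    (0.0.0.0/0) only applies when nothing more specific matches."""
    dst = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for prefix, dev, via in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and net.prefixlen > best_len:
            best, best_len = (prefix, dev, via), net.prefixlen
    return best

def egress_dev(routes, dst):
    """Interface a packet to dst leaves on, or None if dst is unroutable."""
    hit = lookup(routes, dst)
    return hit[1] if hit else None

# Table from the first `route -n`, as (prefix, dev, via); None = on-link.
BASE = [
    ("0.0.0.0/0", "eth0", "172.31.0.1"),
    ("172.31.0.0/20", "eth0", None),
    ("172.31.80.0/20", "eth1", None),
]
# After the manual "route add -net 10.0.0.0/20 gateway 172.31.80.1 eth1".
WITH_REMOTE = BASE + [("10.0.0.0/20", "eth1", "172.31.80.1")]
# With the more specific /22 route for the clients pinned back to eth0.
FIXED = WITH_REMOTE + [("10.0.0.0/22", "eth0", "172.31.0.1")]

if __name__ == "__main__":
    for table, name in ((BASE, "base"), (WITH_REMOTE, "with /20"), (FIXED, "fixed")):
        print(name, "client 10.0.1.5 ->", egress_dev(table, "10.0.1.5"),
              "| remote 10.0.9.1 ->", egress_dev(table, "10.0.9.1"))
```

Running it shows the client address flipping from eth0 to eth1 once the /20 route exists, and back to eth0 once the /22 route is added, while 10.0.9.1 stays on eth1.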
Christian Salway
2018-07-27 06:18:32 UTC
Thanks, Jafar,

That didn't solve it though.

radius: #12, ESTABLISHED, IKEv2, 2f7f6a6d36925325_i 63ab06e78f39d832_r*
local '***********' @ *********[4500]
remote '192.168.0.31' @ *********[4500] EAP: 'christian.salway' [10.0.0.10]
AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
established 0s ago, rekeying in 13009s
passive: CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
child_sa_1: #12, reqid 5, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128
installed 0s ago, rekeying in 3491s, expires in 3960s
in c4b386cb, 0 bytes, 0 packets
out 066b00fc, 0 bytes, 0 packets
local 10.0.0.0/20
remote 10.0.0.10/32

# ip r
default via 172.31.16.1 dev eth0
10.0.0.0/22 via 172.31.16.1 dev eth0
10.0.0.0/20 via 172.31.48.1 dev eth1
172.31.16.0/20 dev eth0 proto kernel scope link src 172.31.21.144
172.31.48.0/20 dev eth1 proto kernel scope link src 172.31.51.247


On my OSX

$ netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.0.1        UGSc           83        0     en0
default            link#13            UCSI            0        0  ipsec0
10/20              10.0.0.1           UGSc            1        0  ipsec0
10.0.0.1           10.0.0.1           UH              2        0  ipsec0
Post by Jafar Al-Gharaibeh
ip route add 10.0.0.0/22 dev eth0 via 172.31.0.1
Christian Salway
2018-07-27 08:36:46 UTC
I have also tried setting the clients to use a 192.168.5.0/24 IP range and that doesn't work either :/

I suspect it's something I'm missing with strongSwan and setting a route back to the client IP.
Christian Salway
2018-07-27 09:54:15 UTC
GOT IT!

It was a combination, but the flaw was that net.ipv4.ip_forward = 1 didn't actually get set by cloud-init :(

The combination (for the record) was:
net.ipv4.ip_forward = 1
ip route add 10.0.0.0/20 via ${GATEWAY1} dev eth1
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Kind regards,

Christian Salway
IT Consultant - Naimuri

T: +44 7463 331432
E: ***@naimuri.com
A: Naimuri Ltd, Capstan House, Manchester M50 2UW
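Added example, not code from the thread: a checker for the three settings the final post lists, run over captured command output so it can be tested offline. `check_gateway`, its regexes and the sample outputs are my construction; the routes are the ones from the `ip r` listing above, and the `iptables -t nat -S` lines are constructed.

```python
# Verify the three prerequisites from the final post for a strongSwan
# gateway forwarding client traffic to 10.0.0.0/20 out of eth1:
# ip_forward on, a route for the remote network via eth1, and MASQUERADE
# on eth1. Works on captured text so it can be run against saved output
# from a host (e.g. one where cloud-init failed to apply the sysctl).
import re

def check_gateway(ip_forward, ip_route, iptables_nat,
                  remote_net="10.0.0.0/20", dev="eth1"):
    """Return a list of missing requirements (empty list = all present).
    ip_forward:   contents of /proc/sys/net/ipv4/ip_forward ("0" or "1")
    ip_route:     output of `ip route`
    iptables_nat: output of `iptables -t nat -S`"""
    missing = []
    if ip_forward.strip() != "1":
        missing.append("net.ipv4.ip_forward=1")
    route_re = re.compile(
        rf"^{re.escape(remote_net)}\s.*\bdev\s+{re.escape(dev)}\b", re.M)
    if not route_re.search(ip_route):
        missing.append(f"route {remote_net} dev {dev}")
    nat_re = re.compile(
        rf"^-A POSTROUTING\b.*\s-o\s+{re.escape(dev)}\b.*\s-j\s+MASQUERADE\b", re.M)
    if not nat_re.search(iptables_nat):
        missing.append(f"MASQUERADE on {dev}")
    return missing

# Routes as listed in the thread's `ip r` output.
ROUTES = """default via 172.31.16.1 dev eth0
10.0.0.0/22 via 172.31.16.1 dev eth0
10.0.0.0/20 via 172.31.48.1 dev eth1
172.31.16.0/20 dev eth0 proto kernel scope link src 172.31.21.144
172.31.48.0/20 dev eth1 proto kernel scope link src 172.31.51.247
"""
# Constructed `iptables -t nat -S` output before and after the NAT rule.
NAT_BEFORE = "-P POSTROUTING ACCEPT\n"
NAT_AFTER = "-P POSTROUTING ACCEPT\n-A POSTROUTING -o eth1 -j MASQUERADE\n"

if __name__ == "__main__":
    # State described mid-thread: routes present, forwarding off, no NAT.
    print("before:", check_gateway("0\n", ROUTES, NAT_BEFORE))
    # State after the fix in the final post.
    print("after: ", check_gateway("1\n", ROUTES, NAT_AFTER))
```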