
On the server, two connections are established (IPSec, and one from an OpenVPN client). From the server I can reach the subnet behind the IPSec tunnel, but from the OpenVPN client I cannot. firewalld is active on the server; here is the public zone:

    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: eth0 eth1
      sources:
      services: cockpit dhcpv6-client openvpn ssh
      ports: 500/udp 4500/udp
      protocols:
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:
        rule protocol value="esp" accept

and the dmz zone with the tun0 interface:

dmz (active)
  target: default
  icmp-block-inversion: no
  interfaces: tun0
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Here is the routing table:

default via publicIP dev eth0 proto static metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
10.19.0.0/16 dev eth0 proto kernel scope link src 10.19.0.5 metric 100
10.19.0.0/16 via 10.19.0.1 dev eth0 proto static metric 100
publicNET/20 dev eth0 proto kernel scope link src publicIP metric 100

Thank you for your advice!

UPDATE

ip xfrm policy:

src 10.19.0.0/16 dst 192.168.178.0/24
    dir out priority 379519 ptype main
    tmpl src SERVER1 dst SERVER2
        proto esp spi 0x4a7f1596 reqid 71 mode tunnel
src 192.168.178.0/24 dst 10.19.0.0/16
    dir fwd priority 379519 ptype main
    tmpl src SERVER2 dst SERVER1
        proto esp reqid 71 mode tunnel
src 192.168.178.0/24 dst 10.19.0.0/16
    dir in priority 379519 ptype main
    tmpl src SERVER2 dst SERVER1
        proto esp reqid 71 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src ::/0 dst ::/0
    socket in priority 0 ptype main
src ::/0 dst ::/0
    socket out priority 0 ptype main
src ::/0 dst ::/0
    socket in priority 0 ptype main
src ::/0 dst ::/0
    socket out priority 0 ptype main

Here is Strongswan config:

# Add connections here.
conn %default
        left=SERVER1
        leftsourceip=SERVER1
        leftid=SERVER1
        leftsubnet=10.19.0.0/16
        authby=secret
        auto=start

conn home
        ike=aes256-sha-modp1024
        esp=aes256-sha1-modp1024
        right=SERVER2
        rightid=@SERVER2
        rightsubnet=192.168.178.0/24
        ikelifetime=3600s
        keylife=3600s

UPDATE #2

ipsec.conf

conn %default
        left=SERVER1
        leftsourceip=SERVER1
        leftid=SERVER1
        leftsubnet=10.19.0.0/16,10.8.0.0/24
        authby=secret
        auto=start

xfrm policy:

src 10.8.0.0/24 dst 192.168.178.0/24
    dir out priority 375423 ptype main
    tmpl src SERVER1 dst SERVER2
        proto esp spi 0xc4247488 reqid 3 mode tunnel
src 192.168.178.0/24 dst 10.8.0.0/24
    dir fwd priority 375423 ptype main
    tmpl src SERVER2 dst SERVER1
        proto esp reqid 3 mode tunnel
src 192.168.178.0/24 dst 10.8.0.0/24
    dir in priority 375423 ptype main
    tmpl src SERVER2 dst SERVER1
        proto esp reqid 3 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src ::/0 dst ::/0
    socket in priority 0 ptype main
src ::/0 dst ::/0
    socket out priority 0 ptype main
src ::/0 dst ::/0
    socket in priority 0 ptype main
src ::/0 dst ::/0
    socket out priority 0 ptype main

as well as the direct rules for firewalld:

<direct>
  <rule ipv="ipv4" table="nat" chain="POSTROUTING" priority="0">-m policy --pol ipsec --dir out -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-s 192.168.178.0/24 -j DROP</rule>
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-d 192.168.178.0/24 -j DROP</rule>
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-s 192.168.178.0/24 -d 10.19.0.0/16 -m policy --dir in --pol ipsec -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-s 192.168.178.0/24 -d 10.8.0.0/24 -m policy --dir in --pol ipsec -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-s 10.19.0.0/16 -d 192.168.178.0/24 -m policy --dir out --pol ipsec -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-s 10.8.0.0/24 -d 192.168.178.0/24 -m policy --dir out --pol ipsec -j ACCEPT</rule>
</direct>

and the OpenVPN server config:

port 1194
proto udp
dev tun
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 176.103.130.130"
push "dhcp-option DNS 176.103.130.131"
#push "redirect-gateway def1 bypass-dhcp"
push "route 192.168.178.0 255.255.255.0"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key 0
crl-verify crl.pem
ca ca.crt
cert server_21QCUO0cRXlOaJFT.crt
key server_21QCUO0cRXlOaJFT.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
status /var/log/openvpn/status.log
verb 3
kbu
  • When working with IPSec, you also have to check the `xfrm` policies, which decide whether to encrypt or drop packets. Edit your question and add the output of `ip xfrm policy show src 10/8 dst 10/8`. – Piotr P. Karwasz Mar 06 '20 at 22:42
  • This command give nothing back – kbu Mar 09 '20 at 07:12
  • You can try without the filter condition: `ip xfrm policy` – Piotr P. Karwasz Mar 09 '20 at 07:46
  • above is the output – kbu Mar 09 '20 at 07:57
  • The policy only allows forwarding between `192.168.178.0/24` (local network on the other side of the tunnel, I presume) and `10.19.0.0/16`. You might want to extend it to `10.0.0.0/8` (`left|rightsubnetwork` if you use `ipsec.conf` or `local|remote_ts` if you use `swanctl.conf`). You may add the configuration file for IPSec to the question. – Piotr P. Karwasz Mar 09 '20 at 11:20
  • I've updated the question. Thank you! Could you please tell me how to extend the policy correctly? – kbu Mar 09 '20 at 14:35

2 Answers


The problem was solved with a static route in the OpenVPN config and an iptables rule:

iptables -t nat -A POSTROUTING -p all -s 10.8.0.0/24 -d 192.168.178.0/24 -j SNAT --to-source 10.19.0.5
kbu

In order to configure routing between IPSec clients and OpenVPN clients, you must add 10.8.0.0/24 to the leftsubnet option. Your %default section should look like:

conn %default
    # IKEv1 does not support multiple subnets.
    keyexchange=ikev2
    left=SERVER1
    leftsourceip=SERVER1
    leftid=SERVER1
    leftsubnet=10.19.0.0/16,10.8.0.0/24
    authby=secret
    auto=start

This will add, on each client:

  1. an additional route (in table 220, cf. ip route show table 220) of the form 10.8.0.0/24 via <real_gateway> dev <real_interface>.
  2. three additional xfrm policies, which state that traffic between 10.8.0.0/24 and 192.168.178.0/24 must be encrypted and sent to SERVER1.

To configure routing in the other direction add:

push "route 192.168.178.0 255.255.255.0"

to the OpenVPN server config.

After reloading both charon and the OpenVPN server, only the firewall may stand in the way of bidirectional communication. You might want to add the following rules:

# FORWARD-chain rules for the gateway between the IPSec tunnel (192.168.178.0/24)
# and the local networks (10.19.0.0/16 and the OpenVPN subnet 10.8.0.0/24).
# They only affect forwarded traffic; INPUT/OUTPUT (and the firewalld zones)
# are untouched, and they are not persisted across a reboot on their own.
# Insert instead of append, so the order is reversed
# 3. Drop the remaining (unencrypted) traffic from/to IPSec tunnel.
#    This will block private traffic from reaching the Internet,
#    when the tunnel is down.
#    Because the DROP rules end up last, only packets that matched the
#    `-m policy` ACCEPT rules above them get through; a plaintext packet
#    carrying a 192.168.178.0/24 address (spoofed or leaked) is dropped.
iptables -I FORWARD -s 192.168.178.0/24 -j DROP
iptables -I FORWARD -d 192.168.178.0/24 -j DROP
# 2. Allow encrypted traffic from IPSec tunnel
#    `--dir in --pol ipsec` matches only packets that were actually
#    decapsulated from an IPsec SA, so the source address is trusted.
iptables -I FORWARD -s 192.168.178.0/24 -d 10.19.0.0/16 \
    -m policy --dir in --pol ipsec -j ACCEPT
iptables -I FORWARD -s 192.168.178.0/24 -d 10.8.0.0/24 \
    -m policy --dir in --pol ipsec -j ACCEPT
# 1. Allow encrypted traffic to IPSec tunnel
#    `--dir out --pol ipsec` matches only packets that an xfrm policy
#    will encrypt, so nothing for 192.168.178.0/24 leaves in the clear.
iptables -I FORWARD -s 10.19.0.0/16 -d 192.168.178.0/24 \
    -m policy --dir out --pol ipsec -j ACCEPT
iptables -I FORWARD -s 10.8.0.0/24 -d 192.168.178.0/24 \
    -m policy --dir out --pol ipsec -j ACCEPT

or their firewalld equivalent.

Piotr P. Karwasz
  • Added update #2, but there is still no traffic between the subnets. However, if firewalld is stopped, I can access the subnet 192.168.178.0. – kbu Mar 09 '20 at 18:22
  • Check the firewall settings, especially the order of the rules. In the answer they are in reversed order, so the order will be correct when inserting (`-I`) at the top of the chain. If possible disable the firewall and put an `iptables -A FORWARD -j LOG` rule to log forwarded traffic (into the kernel's log ring, accessible, e.g. through `journalctl -k` or `dmesg`). – Piotr P. Karwasz Mar 09 '20 at 18:33
  • here is the subnets communication after ipsec reconnect: https://pastebin.com/JQULpnxR – kbu Mar 09 '20 at 18:44
  • I've reset everything. Now I have only the route push in the OpenVPN server and a direct rule in firewalld: -s 10.8.0.0/24 -d 192.168.178.0/24 -j SNAT --to-source 10.19.0.5 and everything works after a reboot. – kbu Mar 09 '20 at 20:11
  • The log shows a bidirectional communication between `10.8.0.2` and `192.168.178.1`, which was your goal. – Piotr P. Karwasz Mar 09 '20 at 20:15