Below I have extracted the relevant firewall rules. The below ruleset works, however I do not understand why I have to set "--mode transport" in the INPUT chain instead of "--mode tunnel". If I set "--mode tunnel" I cannot ping the gateway or the hosts behind that gateway. I have been looking for documentation explaining how netfilter and the IPsec stack work together, but the only docs I have found have been vague (including the wiki).

Setup:
Our setup is far from ideal but I had to work with what we had.

Subnet -> Openswan (NAT, 172.16.0.0/24) -> Cable Modem (NAT, 10.1.1.0/24) -> Internet <- Cable Modem (NAT, 10.1.10.0/24) <- Openswan (NAT, 172.16.2.0/24) <- Subnet
----------------------------------------------------------
# IPSec (IKE, ESP, NAT-T)
$IPTABLES -A INPUT -p udp --dport 500 -j ACCEPT
$IPTABLES -A INPUT -p esp -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 4500 -j ACCEPT

# Accept connections from various subnets
$IPTABLES -A INPUT -i $INT_INF -s 172.16.2.0/24 -m state --state NEW -j ACCEPT
#$IPTABLES -A INPUT -m policy --dir in --pol ipsec --mode tunnel --tunnel-src 172.16.0.0/24 -j ACCEPT
#$IPTABLES -A INPUT -m policy --dir in --pol ipsec --mode tunnel --tunnel-src 172.16.1.0/24 -j ACCEPT
#$IPTABLES -A INPUT -m policy --dir in --pol ipsec --mode tunnel -j ACCEPT
$IPTABLES -A INPUT -m policy --dir in --pol ipsec --mode transport -j ACCEPT    # <-- the rule that works

# Allow forwarding of connections for various subnetworks
$IPTABLES -A FORWARD -i $INT_INF -s 172.16.2.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -m policy --dir in --pol ipsec --mode tunnel -s 172.16.0.0/24 -j ACCEPT
$IPTABLES -A FORWARD -m policy --dir in --pol ipsec --mode tunnel -s 172.16.1.0/24 -j ACCEPT

-----------------------------------------------------------------------
ip xfrm policy:
src 172.16.1.0/24 dst 172.16.2.0/24
    dir in priority 2344
    tmpl src xx.xx.xx.xx dst 10.1.1.3
        proto comp reqid 16386 mode tunnel
        level use
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16385 mode transport
src 172.16.1.0/24 dst 172.16.2.0/24
    dir fwd priority 2344
    tmpl src xx.xx.xx.xx dst 10.1.1.3
        proto comp reqid 16386 mode tunnel
        level use
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16385 mode transport
src 172.16.2.0/24 dst 172.16.1.0/24
    dir out priority 2344
    tmpl src 10.1.1.3 dst 68.57.21.118
        proto comp reqid 16386 mode tunnel
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16385 mode transport
src 172.16.0.0/24 dst 172.16.2.0/24
    dir in priority 2344
    tmpl src xx.xx.xx.xx dst 10.1.1.3
        proto comp reqid 16390 mode tunnel
        level use
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16389 mode transport
src 172.16.0.0/24 dst 172.16.2.0/24
    dir fwd priority 2344
    tmpl src xx.xx.xx.xx dst 10.1.1.3
        proto comp reqid 16390 mode tunnel
        level use
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16389 mode transport
src 172.16.2.0/24 dst 172.16.0.0/24
    dir out priority 2344
    tmpl src 10.1.1.3 dst xx.xx.xx.xx
        proto comp reqid 16390 mode tunnel
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16389 mode transport
----------------------------------------------------------------
ipsec.conf:
version 2.0

config setup
    interfaces=%defaultroute
    protostack=netkey
    nat_traversal=yes
    # the exclusion uses the %v4: prefix like the other entries (the paste had "$v:")
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/24,%v4:!172.16.2.0/24
    nhelpers=0

conn conn1
    type=tunnel
    authby=secret
    pfs=yes
    ike=aes256-sha1-1536
    esp=aes256-sha1-1536
    keyexchange=ike
    compress=yes
    keyingtries=3
    rekey=yes
    dpddelay=30
    dpdtimeout=30
    dpdaction=restart
    left=10.1.1.3
    leftid=@ID
    leftsourceip=172.16.2.1
    leftsubnet=172.16.2.0/24
    right=xx.xx.xx.xx
    rightid=@ID
    rightsourceip=172.16.0.1
    rightsubnet=172.16.0.0/24
    auto=start

*connection 2 is identical to the 1st except for the ids & subnets
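Added example, not part of the original post. The `ip xfrm policy` dump above already contains the clue: because the conns use `compress=yes`, each policy carries an IPComp template in `mode tunnel` at `level use` (optional) plus an ESP template in `mode transport`. The `-m policy` match (without `--strict`) matches a packet if any SA the packet actually passed through fits the rule, and a packet too small to be compressed, such as a ping, passes through only the transport-mode ESP SA, which is why `--mode transport` matches and `--mode tunnel` does not. The script below is a small awk parser over a policy dump that prints, per selector, the template modes and the `--mode` value the ESP template implies. The sample input is constructed: the first two policies are copied from the post (peer masked as xx.xx.xx.xx), the third is a made-up policy for a conn with `compress=no`, added for contrast, and the `192.168.50.0/24` prefix in it is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): summarize an "ip xfrm policy"
# dump so you can see, per selector, which mode the ESP template is in and
# therefore which "--mode" value "iptables -m policy" will match.

# Reads a policy dump on stdin and prints one line per policy:
#   src A dst B dir D: esp=MODE [comp=MODE(level L)] => -m policy --mode MODE
xfrm_modes() {
  awk '
    function flush() {
      if (sel == "") return
      e = (esp == "") ? "none" : esp
      line = sel " dir " dir ": esp=" e
      if (comp != "") {
        line = line " comp=" comp
        if (clvl != "") line = line "(level " clvl ")"
      }
      # Without --strict, xt_policy matches on any SA in the packet sec_path.
      # IPComp at "level use" is optional, so an uncompressed packet (a small
      # ping) carries only the ESP SA: the ESP mode is the one to match on.
      m = (esp != "") ? esp : comp
      print line " => -m policy --mode " m
      sel = ""; dir = ""; esp = ""; comp = ""; clvl = ""; cur = ""
    }
    /^src /          { flush(); sel = $0 }          # "src A dst B" opens a policy
    /^[ \t]*dir /    { dir = $2 }                   # "dir in|out|fwd priority N"
    /^[ \t]*proto /  { cur = $2; if ($2 == "esp") esp = $6; else if ($2 == "comp") comp = $6 }
    /^[ \t]*level /  { if (cur == "comp") clvl = $2 }   # "level use" belongs to the comp tmpl
    END              { flush() }
  '
}

# Constructed sample input: two policies copied from the post, plus one
# made-up policy (192.168.50.0/24, an assumption) for a conn without compress=yes.
sample_policy() {
  cat <<'EOF'
src 172.16.1.0/24 dst 172.16.2.0/24
    dir in priority 2344
    tmpl src xx.xx.xx.xx dst 10.1.1.3
        proto comp reqid 16386 mode tunnel
        level use
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16385 mode transport
src 172.16.2.0/24 dst 172.16.1.0/24
    dir out priority 2344
    tmpl src 10.1.1.3 dst xx.xx.xx.xx
        proto comp reqid 16386 mode tunnel
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16385 mode transport
src 192.168.50.0/24 dst 172.16.2.0/24
    dir in priority 2344
    tmpl src xx.xx.xx.xx dst 10.1.1.3
        proto esp reqid 16400 mode tunnel
EOF
}

# On a live gateway:  ip xfrm policy | xfrm_modes
sample_policy | xfrm_modes
```

For the two policies taken from the post the script reports `esp=transport comp=tunnel(level use)` and suggests `--mode transport`; for the contrasting `compress=no` policy the ESP template itself is in tunnel mode, so `--mode tunnel` is the value that matches there. If you want `--mode tunnel` rules to work in the INPUT chain as written, dropping `compress=yes` from the conns is the configuration change this points at.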