I am trying to reproduce the schema like in strongswan test net2net-gw, but with "moon" and "sun" behind NAT (see https://www.strongswan.org/testing/testresults/swanctl/net2net-gw/). So far CA configured, certs issued, mikrotik's configured, i can establish tunnels and have SA set, but i can't ping one site from another.
Carol config :
connections {
gw-base {
local {
auth = pubkey
certs = carol.crt
id = carol
}
remote {
auth = pubkey
}
children {
net {
esp_proposals = aes128-sha1-modp2048,aes256-sha256-modp2048
}
}
version = 2
mobike = no
proposals = aes128-sha1-modp2048,aes256-sha256-modp2048
pools = pool-ipv4
}
gw-moon : connections.gw-base{
remote {
id = moon
}
children {
net {
local_ts = 192.168.3.0/24
remote_ts = 192.168.1.0/24
updown = /usr/libexec/strongswan/_updown iptables
}
}
}
gw-sun : connections.gw-base {
remote {
id = sun
}
children {
net {
local_ts = 192.168.1.0/24
remote_ts = 192.168.3.0/24
updown = /usr/libexec/strongswan/_updown iptables
}
}
}
}
pools {
pool-ipv4 {
addrs = 192.168.99.0/24
}
}
here is "moon" mikrotik config local subnet 192.168.1.0/24 :
/ip ipsec mode-config
add name=ike2 responder=no
/ip ipsec policy group
add name=ike2
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-128
add dh-group=modp2048 enc-algorithm=aes-128 name=ike2
/ip ipsec peer
add address=carol exchange-mode=ike2 name=ike2 profile=ike2
/ip ipsec proposal
add enc-algorithms=aes-128-cbc name=ike2 pfs-group=modp2048
/ip ipsec identity
add auth-method=digital-signature certificate=moon.p12_0 generate-policy=port-strict mode-config=ike2 notrack-chain=prerouting peer=ike2 policy-template-group=ike2
/ip ipsec policy
add dst-address=192.168.3.0/24 group=ike2 proposal=ike2 src-address=192.168.1.0/24 template=yes
/ip ipsec settings
set accounting=no
here is "sun" mikrotik config local subnet 192.168.3.0/24 :
/ip ipsec mode-config
add name=ike2 responder=no
/ip ipsec policy group
add name=ike2
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-128
add dh-group=modp2048 enc-algorithm=aes-128 name=ike2
/ip ipsec peer
add address=carol exchange-mode=ike2 name=ike2 profile=ike2
/ip ipsec proposal
add enc-algorithms=aes-128-cbc name=ike2 pfs-group=modp2048
/ip ipsec identity
add auth-method=digital-signature certificate=sun.p12_0 generate-policy=port-strict mode-config=ike2 notrack-chain=prerouting peer=ike2 policy-template-group=ike2
/ip ipsec policy
add dst-address=192.168.1.0/24 group=ike2 proposal=ike2 src-address=192.168.3.0/24 template=yes
/ip ipsec settings
set accounting=no
"carol" output for swanctl -l
gw-moon: #12, ESTABLISHED, IKEv2, 278ded8c94f60a25_i dc1ea6a863cbbc3f_r*
local 'carol' # PUBLICIP[4500]
remote 'moon' # NATIP[9860] [192.168.99.1]
AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
established 1938s ago, rekeying in 11168s
net: #11, reqid 8, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048
installed 498s ago, rekeying in 2840s, expires in 3462s
in cb0314bb, 0 bytes, 0 packets
out 0159b817, 0 bytes, 0 packets
local 192.168.3.0/24
remote 192.168.1.0/24
gw-sun: #11, ESTABLISHED, IKEv2, b972f69efe68b876_i 1c57914f302e627b_r*
local 'carol' # PUBLICIP[4500]
remote 'sun' # NATIP[4500] [192.168.99.2]
AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
established 1962s ago, rekeying in 11975s
net: #10, reqid 7, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048
installed 519s ago, rekeying in 2890s, expires in 3441s
in c3a515f5, 2856 bytes, 34 packets, 0s ago
out 0b5614c6, 0 bytes, 0 packets
local 192.168.1.0/24
remote 192.168.3.0/24
"carol" iptables have :
-A FORWARD -s 192.168.1.0/24 -d 192.168.3.0/24 -i eth0 -m policy --dir in --pol ipsec --reqid 8 --proto esp -j ACCEPT
-A FORWARD -s 192.168.3.0/24 -d 192.168.1.0/24 -o eth0 -m policy --dir out --pol ipsec --reqid 8 --proto esp -j ACCEPT
-A FORWARD -s 192.168.3.0/24 -d 192.168.1.0/24 -i eth0 -m policy --dir in --pol ipsec --reqid 7 --proto esp -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -d 192.168.3.0/24 -o eth0 -m policy --dir out --pol ipsec --reqid 7 --proto esp -j ACCEPT
"carol" has sysctl
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
"carol" tcpdump net 192.168.0.0/16 when i run ping from one of workstations 192.168.3.254 behind "sun" :
08:46:57.820968 IP 192.168.3.254 > 192.168.1.1: ICMP echo request, id 30901, seq 357, length 64
08:46:57.821075 IP PUBLICIP > 192.168.1.1: ICMP echo request, id 30901, seq 357, length 64
PUBLICIP = carols public internet ip
NATIP = sun & moon nat ip
whet i try to ping 192.168.1.1 from "sun" i see that packet counter for increases, but no reply,
the same as if i ping 192.168.3.1 from "moon". BUT if i disconnect "sun" and add virtual ip address 192.168.3.1 to carol ip addr add 192.168.3.1/24 dev eth0 ping from "moon" to 192.168.3.1 succeeds, but strange thing - i cant ping "moon" from carol...
Thank's for any advice in advance :)
I'm trying to do a simple UDP server using OCaml and the Async API but I'm stuck. I can't make this simple example work.
let wait_for_datagram () : unit Deferred.t =
let port = 9999 in
let addr = Socket.Address.Inet.create Unix.Inet_addr.localhost ~port in
let%bind socket = Udp.bind addr in
let socket = Socket.fd socket in
let stop = never () in
let config = Udp.Config.create ~stop () in
let callback buf _ : unit = failwith "got a datagram" in
Udp.recvfrom_loop ~config socket callback
I test it with:
echo -n "hello goodbye" > /dev/udp/localhost/9999
Nothing happens in my program. I tried to investigate with other tools.
I see a destination unreachable packet with Wireshark and lsof shows me this:
> lsof -i :9999
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
main.exe 77564 nemo 5u IPv4 0x25251bcc3485235f 0t0 UDP localhost:distinct
What am I doing wrong here?
The code looks ok to me. I think localhost is resolved to IPv6 address by default, and you just send it there.
Try to force using IPv4 protocol
echo -n "hello goodbye" | nc -4 -u -w0 localhost 9999
or specify explicit IPv4 address
echo -n "hello goodbye" > /dev/udp/127.0.0.1/9999
I have configured postfix to send received email to local LMTP agent using virtual_mailbox_domains parameter it works fine if the received email is received for FQDN of the machine running postfix but if it's for the IP address of the machine then it throws the following error "Recipient address rejected: User unknown in local recipient table". Tried different things but no luck. I would really appreciate any tips on this scenario.
Thanks for your help in advance!
Here is the topology:
IP FQDN
Machine A (sending machine) 10.2.20.40 machine-a.test.com
Machine B (Postfix + LMTP) 10.2.20.50 mta.test.com
Machine B is running postfix + custom LMTP.
Example 1 (succeeds)
Send email to user#mta.test.com from Machine A. This use case succeeds and Postfix successfully delivers email to customer LMTP agent listening on localhost's socket.
Success case /etc/postfix/main.cf:
virtual_mailbox_domains = mta.test.com
/etc/postfix/virtual_mailbox_map:
user#mta.test.com lmtp:inet:127.0.0.1:5678
Example 2 (Failed case)
Send email to user#10.2.20.50 from Machine A. This case fails and Postfix throws this error in mail.log "NOQUEUE: reject: RCPT from unknown[10.2.20.40]: 550 5.1.1 : Recipient address rejected: User unknown in local recipient table; from= to= proto=ESMTP helo=<[127.0.1.1]>"
Failure case /etc/postfix/main.cf:
virtual_mailbox_domains = 10.2.20.50
/etc/postfix/virtual_mailbox_map:
user#10.2.20.50 lmtp:inet:127.0.0.1:5678
POSTFIX main.cf (Common config part for both cases):
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
inet_interfaces = all
inet_protocols = all
mydestination = localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
recipient_delimiter = +
smtpd_client_restrictions = permit_mynetworks, permit
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks, permit, reject_unauth_destination
resolve_numeric_domain = yes
unknown_local_recipient_reject_code = 550
myhostname = mta-machine
virtual_mailbox_maps = hash:/etc/postfix/virtual_mailbox_map
virtual_transport = lmtp:inet:127.0.0.1:5678
user#10.2.20.50 is incorrect syntax.
user#[10.2.20.50] is what the RFC allows for.
But anyway: Since Postfix says "User unknown in local recipient table", the domain part is considered to be local. Not virtual.
You could try adding:
[10.2.20.50] is_a_virtual_domain
user#[10.2.20.50] someother#address
to virtual_alias_maps and check if it works, but I'm not sure about this at all.
#[10.2.20.50] syntax is rather byzantine.
server A(master): nginx 1.9.9 + keepalived 1.2.19, IP: 9.110.95.90
server B(backup): nginx 1.9.9 + keepalived 1.2.19, IP: 9.110.95.91
VIP(virtual IP): 9.110.95.95
nginx bind on all interfaces.
iptables configuration:
iptables -I INPUT -i eth1 -d 224.0.0.0/8 -p vrrp -j ACCEPT
iptables -I OUTPUT -o eth1 -d 224.0.0.0/8 -p vrrp -j ACCEPT
Keepalived configuration:
server A
global_defs {
router_id LVS_MASTER
}
vrrp_script chk_nginx {
script "killall -0 nginx"
interval 2
}
vrrp_instance VI_1 {
state MASTER
interface eth1
virtual_router_id 51
priority 150
advert_int 1
authentication {
auth_type PASS
auth_pass my_pass
}
virtual_ipaddress {
9.110.95.95
}
track_script {
chk_nginx
}
}
server B
global_defs {
router_id LVS_BACKUP
}
vrrp_script chk_nginx {
script "killall -0 nginx"
interval 2
}
vrrp_instance VI_1 {
state BACKUP
interface eth1
virtual_router_id 51
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass my_pass
}
virtual_ipaddress {
9.110.95.95
}
track_script {
chk_nginx
}
}
It works fine at beginning when accessing the VIP (9.110.95.95), and it also failover to backup node successfully, if stopped keepalived on master node.
Everything seems to be fine, BUT the client failed to access the VIP after some time later, probably several minutes. and if access the server A/B IP(9.110.95.90, 9.110.95.91) it works.
Not sure what's the issue, any ideas?
Thanks
i'm working on freebsd 9, and my pf.conf is below
#cat /etc/pf.conf
int_if = "em1"
emi = "127.0.0.1"
rdr on $int_if proto tcp from any to any port 12345 -> $emi port 1010
# pfctl -vvvvnf /etc/pf.conf
int_if = "em1"
emi = "127.0.0.1"
#0 rdr on em1 inet proto tcp from any to any port = 12345 -> 127.0.0.1 port 1010
#
and this rules works fine when i tested in other ip -> to local
but i want to apply this rules when local -> local
is this possible ?
Add the same rule for the lo0 interface