I am using DO to host my Production server. I am currently building a DR env and having issues with forwarding traffic. I used the same kind of configs as in the Production env, where it works fine (I even tried cloning the VM and changing the IPs, and had the same problem as with a fresh install).
The server receives packets on eth1, but does not send them out (as it is supposed to on eth0, over the IPsec policy).
The DR-VPN server info is below (please note that the data is sanitised):
user@vpn-DR:~# ip a
eth0: 20.99.90.5/20
eth1: 10.10.0.2/20
user@vpn-DR:~# ipsec status
Security Associations (1 up, 0 connecting):
vpn-to-DR[1]: ESTABLISHED 46 minutes ago, 20.99.90.5[20.99.90.5]...x1.xx3.x.xx4[x1.xx3.x.xx4]
vpn-to-env{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0ac5230_i 0b8674b3_o
vpn-to-env{1}: 10.10.0.3/32 === x1.xx3.x.x9/32
These are the iptables settings:
user@vpn-DR:~# iptables-save
*filter
:INPUT ACCEPT [3881983:1293276786]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3858285:672322166]
-A FORWARD -s 10.10.0.0/16 -d x1.xx3.x.x9/32 -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s x1.xx3.x.x9/32 -d 10.10.0.0/16 -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.10.0.0/16 -i eth1 -j ACCEPT
-A FORWARD -d 10.10.0.0/16 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [1266750:71807552]
:INPUT ACCEPT [1259384:71241122]
:OUTPUT ACCEPT [38114:4106963]
:POSTROUTING ACCEPT [38115:4107047]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.10.0.0/16 ! -d 10.10.0.0/16 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 10.10.0.0/16 ! -d 10.10.0.0/16 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 10.10.0.0/16 ! -d 10.10.0.0/16 -p tcp -j MASQUERADE
-A POSTROUTING -s 10.10.0.0/16 -o eth1 -j MASQUERADE
I have configured it to do forwarding:
sudo sysctl -a | grep net.ipv4.conf.*.forwarding
net.ipv4.conf.all.bc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.bc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.eth0.bc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth1.bc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.lo.bc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
Additional information from doing a trace on iptables:
########## production
[6814683.211912] TRACE: raw:PREROUTING:policy:2 IN=eth1 OUT= MAC=52:68:7d SRC=10.13.0.4 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=30853 DF PROTO=ICMP TYPE=8 CODE=0 ID=19134 SEQ=1
[6814683.211979] TRACE: nat:PREROUTING:policy:1 IN=eth1 OUT= MAC=52:68:7d SRC=10.13.0.4 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=30853 DF PROTO=ICMP TYPE=8 CODE=0 ID=19134 SEQ=1
[6814683.212037] TRACE: filter:FORWARD:rule:3 IN=eth1 OUT=eth0 MAC=52:68: SRC=10.13.0.4 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=30853 DF PROTO=ICMP TYPE=8 CODE=0 ID=19134 SEQ=1
[6814683.212053] TRACE: nat:POSTROUTING:rule:1 IN= OUT=eth0 SRC=10.132.0.4 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=30853 DF PROTO=ICMP TYPE=8 CODE=0 ID=19134 SEQ=1
root@VPN_PROD:~# iptables -L -t nat --line-numbers -n
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 policy match dir out pol ipsec
2 MASQUERADE tcp -- 10.13.0.0/16 !10.13.0.0/16 masq ports: 1024-65535
3 MASQUERADE udp -- 10.13.0.0/16 !10.13.0.0/16 masq ports: 1024-65535
4 MASQUERADE tcp -- 10.13.0.0/16 !10.13.0.0/16
5 MASQUERADE all -- 10.13.0.0/16 0.0.0.0/0
root@VPN_PROD:~# iptables -L -t filter --line-numbers -n
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 10.13.0.0/16 x1.xx3.0.0/16 policy match dir in pol ipsec proto 50
2 ACCEPT all -- x1.xx3.0.0/16 10.13.0.0/16 policy match dir out pol ipsec proto 50
3 ACCEPT all -- 10.13.0.0/16 0.0.0.0/0
4 ACCEPT all -- 0.0.0.0/0 10.13.0.0/16 state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
root@VPN_PROD:~#
and the trace from DR:
######## DR
[ 3152.620125] TRACE: raw:PREROUTING:policy:2 IN=eth1 OUT= MAC=c2:62:51: SRC=10.10.0.3 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=31401 DF PROTO=ICMP TYPE=8 CODE=0 ID=71 SEQ=1
[ 3152.620202] TRACE: nat:PREROUTING:policy:1 IN=eth1 OUT= MAC=c2:62:51: SRC=10.10.0.3 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=31401 DF PROTO=ICMP TYPE=8 CODE=0 ID=71 SEQ=1
[ 3152.620265] TRACE: filter:FORWARD:policy:1 IN=eth1 OUT=eth0 MAC=c2:6251: SRC=10.10.0.3 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=31401 DF PROTO=ICMP TYPE=8 CODE=0 ID=71 SEQ=1
[ 3152.620283] TRACE: nat:POSTROUTING:rule:1 IN= OUT=eth0 SRC=10.108.0.3 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=31401 DF PROTO=ICMP TYPE=8 CODE=0 ID=71 SEQ=1
root@vpn-DR:~# iptables -L -t nat --line-numbers -n
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 policy match dir out pol ipsec
2 MASQUERADE tcp -- 10.10.0.0/20 !10.10.0.0/20 masq ports: 1024-65535
3 MASQUERADE udp -- 10.10.0.0/20 !10.10.0.0/20 masq ports: 1024-65535
4 MASQUERADE all -- 10.10.0.0/20 0.0.0.0/0
root@vpn-DR:~# iptables -L -t filter --line-numbers -n
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 10.10.0.0/20 x1.xx3.0.0/16 policy match dir in pol ipsec proto 50
2 ACCEPT all -- x1.xx3.0.0/16 10.10.0.0/20 policy match dir out pol ipsec proto 50
3 ACCEPT all -- 10.10.0.0/20 0.0.0.0/0
4 ACCEPT all -- 0.0.0.0/0 10.10.0.0/20 state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
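As an added diagnostic example (not part of the question or of any answer), a small Python parser that groups xtables TRACE lines like the ones above by IP ID and reports the first table:chain step where the production and DR walks differ. The sample lines are constructed after the two traces in the question, with 192.0.2.9 standing in for the sanitised remote address.

```python
import re
from itertools import zip_longest
from typing import Dict, List, Optional

# xtables TRACE prefix: "TRACE: <table>:<chain>:<rule|policy|return>:<n> <fields>"
TRACE_RE = re.compile(
    r"TRACE:\s+(?P<table>\w+):(?P<chain>\w+):(?P<kind>rule|policy|return):(?P<num>\d+)\s+(?P<rest>.*)$"
)

def parse_trace_line(line: str) -> Optional[dict]:
    """Parse one TRACE line into its table/chain hop and packet fields; None if it is not a TRACE line."""
    m = TRACE_RE.search(line)
    if not m:
        return None
    fields: Dict[str, str] = {}
    for token in m.group("rest").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields.setdefault(key, value)  # ICMP lines carry ID= twice; keep the first (IP header ID)
    return {
        "hop": f"{m.group('table')}:{m.group('chain')}:{m.group('kind')}:{m.group('num')}",
        "ip_id": fields.get("ID"), "in": fields.get("IN", ""), "out": fields.get("OUT", ""),
        "src": fields.get("SRC"), "dst": fields.get("DST"),
    }

def packet_paths(lines: List[str]) -> Dict[str, List[dict]]:
    """Group TRACE lines by IP ID so each packet's walk through the tables becomes an ordered hop list."""
    paths: Dict[str, List[dict]] = {}
    for line in lines:
        hop = parse_trace_line(line)
        if hop and hop["ip_id"]:
            paths.setdefault(hop["ip_id"], []).append(hop)
    return paths

def first_divergence(path_a: List[dict], path_b: List[dict]) -> Optional[tuple]:
    """(index, hop_a, hop_b) of the first step where two walks differ, or None when they match."""
    for i, (a, b) in enumerate(zip_longest(path_a, path_b)):
        hop_a, hop_b = (a["hop"] if a else "<end>"), (b["hop"] if b else "<end>")
        if hop_a != hop_b:
            return (i, hop_a, hop_b)
    return None

# Constructed sample traces modelled on the question: prod hits FORWARD rule 3, DR falls to the chain policy.
PROD = [
    "[1.0] TRACE: raw:PREROUTING:policy:2 IN=eth1 OUT= MAC=52:68:7d SRC=10.13.0.4 DST=192.0.2.9 TTL=64 ID=30853 DF PROTO=ICMP TYPE=8 CODE=0 ID=19134 SEQ=1",
    "[1.1] TRACE: nat:PREROUTING:policy:1 IN=eth1 OUT= MAC=52:68:7d SRC=10.13.0.4 DST=192.0.2.9 TTL=64 ID=30853 DF PROTO=ICMP TYPE=8 CODE=0 ID=19134 SEQ=1",
    "[1.2] TRACE: filter:FORWARD:rule:3 IN=eth1 OUT=eth0 SRC=10.13.0.4 DST=192.0.2.9 TTL=63 ID=30853 DF PROTO=ICMP TYPE=8 CODE=0 ID=19134 SEQ=1",
    "[1.3] TRACE: nat:POSTROUTING:rule:1 IN= OUT=eth0 SRC=10.13.0.4 DST=192.0.2.9 TTL=63 ID=30853 DF PROTO=ICMP TYPE=8 CODE=0 ID=19134 SEQ=1",
]
DR = [
    "[2.0] TRACE: raw:PREROUTING:policy:2 IN=eth1 OUT= MAC=c2:62:51 SRC=10.10.0.3 DST=192.0.2.9 TTL=64 ID=31401 DF PROTO=ICMP TYPE=8 CODE=0 ID=71 SEQ=1",
    "[2.1] TRACE: nat:PREROUTING:policy:1 IN=eth1 OUT= MAC=c2:62:51 SRC=10.10.0.3 DST=192.0.2.9 TTL=64 ID=31401 DF PROTO=ICMP TYPE=8 CODE=0 ID=71 SEQ=1",
    "[2.2] TRACE: filter:FORWARD:policy:1 IN=eth1 OUT=eth0 SRC=10.10.0.3 DST=192.0.2.9 TTL=63 ID=31401 DF PROTO=ICMP TYPE=8 CODE=0 ID=71 SEQ=1",
    "[2.3] TRACE: nat:POSTROUTING:rule:1 IN= OUT=eth0 SRC=10.10.0.3 DST=192.0.2.9 TTL=63 ID=31401 DF PROTO=ICMP TYPE=8 CODE=0 ID=71 SEQ=1",
]
```

Feeding real `dmesg` output to `packet_paths` and comparing one packet from each host with `first_divergence` points straight at the chain whose rule set differs between the two environments.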