BTR Naidu's questions

I have a setup which I dont think is very difficult but cant get it to work.

Working setup: An ipsec server running in a docker connected directly to internet. The clients can connect.

Not working setup: An ipsec server running in a docker connected to internet behind a firewall. I have node1 in an esxi server which acts as internet gateway and node2 running in same esxi server which has ipsec server running in a docker.

I have opened ports 500 and 4500 in node1 (internet gateway) and forwarded to node2 (running ipsec server in a docker).
The issue I am facing is, the clients are not able to connect.

Below is the iptables firewall rule

-A FORWARD -d 192.168.2.37/32 -o ens34 -p udp -m udp --dport 500 -j ACCEPT
-A FORWARD -d 192.168.2.37/32 -o ens34 -p udp -m udp --dport 4500 -j ACCEPT
-A FORWARD -d 192.168.2.37/32 -o ens34 -p udp -m udp --dport 53 -j ACCEPT

Not able to spot what else is missing. Can someone advise if my setup is correct and why it is not working?

I am using charon-cmd to connect to strongswan vpn on a ubuntu host. When I use the command, it gives me some kind of permission error.

root@8add2362b05f:~# sudo charon-cmd --host example.com --p12 ipsec_vpn_vert/client.cert.p12  --identity [email protected] 
00[KNL] kernel-libipsec plugin requires CAP_NET_ADMIN capability
00[LIB] plugin 'kernel-libipsec': failed to load - kernel_libipsec_plugin_create returned NULL
00[KNL] kernel-netlink plugin might require CAP_NET_ADMIN capability
00[KNL] unable to bind XFRM event socket
00[NET] installing IKE bypass policy failed
00[NET] installing IKE bypass policy failed
00[NET] enabling UDP decapsulation for IPv6 on port 50817 failed
00[NET] installing IKE bypass policy failed
00[NET] installing IKE bypass policy failed
00[NET] enabling UDP decapsulation for IPv4 on port 50817 failed
00[LIB] feature CUSTOM:libcharon in critical plugin 'charon-cmd' has unmet dependency: CUSTOM:kernel-ipsec
00[KNL] received netlink error: Operation not permitted (1)
00[KNL] unable to create IPv4 routing table rule
00[KNL] received netlink error: Operation not permitted (1)
00[KNL] unable to create IPv6 routing table rule
00[LIB] failed to load 1 critical plugin feature
00[KNL] received netlink error: Operation not permitted (1)
00[KNL] received netlink error: Operation not permitted (1)
root@8add2362b05f:~#

I am doing this on a docker container.

I tried setcap but that made the situation even worse.

root@8add2362b05f:~# setcap cap_net_admin,cap_net_raw=eip /usr/sbin/charon-cmd 
root@8add2362b05f:~# getcap /usr/sbin/charon-cmd /usr/sbin/charon-cmd = cap_net_admin,cap_net_raw+eip
root@8add2362b05f:~# 
root@8add2362b05f:~# 
root@8add2362b05f:~# sudo charon-cmd --host example.com --p12 ipsec_vpn_vert/client.cert.p12  --identity [email protected] 
sudo: unable to execute /usr/sbin/charon-cmd: Operation not permitted
root@8add2362b05f:~#

Any clues on how to solve this?

I have below ppp0 config under peers directory

pty "pptp vpnserveraddress.com --nolaunchpppd"
name vpnusername
password vpnpassword
remotename PPTP
require-mppe-128
defaultroute
usepeerdns
debug

after connecting the route does not get added with error not replacing existing default route via eth0_default_gw_route_ip.

Also ping -I ppp0 google.comgives nothing.

What am I missing here in the config?

I am doing this on centos.

I am using centos and iptables complains about the Max prefix length which is 29 for --log-prefix option. How can I increase this limit?

I have a fail2ban configured like below:

• block the ip after 3 failed attempts
• release the IP after 300 sec timeout

This works perfectly and I want to keep it this way such that a valid user gets a chance to retry the login after the timeout. Now, I want to implement a rule where if same IP is been detected as attack and blocked, unblocked 5 times, permanently block the IP and never unblock again. Can this be achieved with fail2ban alone or I need to write my own script to do that?

I am doing this in centos.