[squid-users] Issue with Web Traffic through IPSEC Tunnel to a Squid Proxy

From: RKGD512 <rkosaka_at_gdnicely.com>
Date: Wed, 15 Jan 2014 15:22:58 -0800 (PST)

Hi All-
So I have a need to direct all web traffic through an IPSEC Tunnel to a
Squid Proxy server on the other end of the tunnel.

Sounds complicated, but the concept is really easy; however, I am having
issues.

So let me gather as much info as I can:

*Location 1 Subnet:* 192.168.1.0/24
*Location 1 Router 1:* Netgear WNR2000v3 running Firmware: DD-WRT v24-sp2 (02/09/12) std
*Location 1 Router 2:* TPLink TL-R600VPN - VPN Router Housing the IPSEC Tunnel

*Location 2 Subnet:* 192.168.100.0/24
*Location 2 Router 1:* Linksys WRT310Nv2 running Firmware: DD-WRT v24-sp2 (08/12/10) std-nokaid-small
*Location 2 Router 2:* TPLink TL-R600VPN - VPN Router Housing the IPSEC Tunnel

Location 1's proxy server is housed on VMware Workstation Version 10 with
CentOS 6.4 Minimal with Squid proxy installed.

*Description of Issue:* When I enter the proxy server info in System proxy
and open a webpage, the page sits there until it times out. It never
displays anything. I can see that the proxy server is interpreting the
request, but the client at Location 2 going through Location 1's proxy
server is unable to browse the internet.

Now the funny thing is, as a test I created the same proxy on Location 2's
side, and Location 1 can browse the internet fine; I can tell from
whatismyip.com as well as from the logs that everything is fine. I checked all
required firewalls (iptables) and squid configs. I even tried turning off
iptables on the router as well as on the proxy server and included
"http_access allow all", with no success.

Why it works in one direction but not the other, I have no idea. I validated
every hop's config and they are all identical in their firewall settings and
squid proxy settings.

Any help would be greatly appreciated!

Showing configs below:

Here's the squid Config:
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1 192.168.2.0/24 192.168.100.0/24 192.168.1.0/24
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localnet
http_access allow localhost

http_access deny all

http_port 80

hierarchy_stoplist cgi-bin ?

coredump_dir /var/spool/squid

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

Here are some logs to show the request is hitting the squid server:
&user_id=150566193&nid=2&ts=1389816137 - NONE/- text/html
1389816227.699 58 192.168.100.73 TCP_MISS/200 360 GET http://notify4.dropbox.com/subscribe? - DIRECT/108.160.162.51 text/plain
1389816279.774 0 192.168.100.73 TCP_MEM_HIT/301 736 GET http://google.com/ - NONE/- text/html
1389816279.934 136 192.168.100.73 TCP_MISS/302 1186 GET http://www.google.com/ - DIRECT/74.125.239.17 text/html
1389816285.846 5857 192.168.100.73 TCP_MISS/200 3539 CONNECT www.google.com:443 - DIRECT/74.125.239.17 -
1389816288.123 0 192.168.100.73 TCP_MEM_HIT/301 736 GET http://google.com/ - NONE/- text/html
1389816288.207 42 192.168.100.73 TCP_MISS/302 1186 GET http://www.google.com/ - DIRECT/74.125.239.17 text/html
1389816294.935 6671 192.168.100.73 TCP_MISS/200 3539 CONNECT www.google.com:443 - DIRECT/74.125.239.17 -
1389816378.040 60130 192.168.100.73 TCP_MISS/200 3828 CONNECT client-lb.dropbox.com:443 - DIRECT/108.160.165.83 -
1389816387.059 60128 192.168.100.73 TCP_MISS/200 4242 CONNECT d.dropbox.com:443 - DIRECT/108.160.165.189 -
1389816408.033 180281 192.168.100.73 TCP_MISS/200 3828 CONNECT client-lb.dropbox.com:443 - DIRECT/108.160.166.9 -
1389816422.068 0 192.168.100.73 NONE/400 3874 GET /subscribe?host_int=819546594&ns_map=241516770_170677946892514,261374389_5265891279285,241514999_1122846426610167&user_id=150566193&nid=2&ts=1389816421 - NONE/- text/html

*IPTables on squid server:*
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.100.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A INPUT -s 192.168.100.0/24 -j ACCEPT
-A FORWARD -s 192.168.100.0/24 -i eth0 -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -i eth0 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Issue-with-Web-Traffic-through-IPSEC-Tunnel-to-a-Squid-Proxy-tp4664319.html
Sent from the Squid - Users mailing list archive at Nabble.com.
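An added triage helper (not from the post or from the Squid project) for the native access.log format shown in the message: it parses the post's entries (retyped with the wrapped lines rejoined; the NONE/400 request is a shortened, constructed version) and flags the two patterns a reader would check first when Squid logs success while the client hangs: a CONNECT held open for tens of seconds with little traffic, and a request arriving on the forward-proxy port without proxy syntax. The 30-second threshold and the field names are assumptions.

```python
import re
from dataclasses import dataclass
# Squid native access.log format, as shown in the post:
#   time elapsed_ms client code/status bytes method URL ident hierarchy/peer content-type
LINE_RE = re.compile(
    r"^\d+\.\d+\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)/(?P<status>\d+)"
    r"\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+\S+\s+\S+$"
)
# Constructed sample: lines retyped from the post (wrapped lines rejoined), plus a shortened NONE/400 line.
SAMPLE_LOG = """\
1389816227.699 58 192.168.100.73 TCP_MISS/200 360 GET http://notify4.dropbox.com/subscribe? - DIRECT/108.160.162.51 text/plain
1389816279.774 0 192.168.100.73 TCP_MEM_HIT/301 736 GET http://google.com/ - NONE/- text/html
1389816285.846 5857 192.168.100.73 TCP_MISS/200 3539 CONNECT www.google.com:443 - DIRECT/74.125.239.17 -
1389816378.040 60130 192.168.100.73 TCP_MISS/200 3828 CONNECT client-lb.dropbox.com:443 - DIRECT/108.160.165.83 -
1389816422.068 0 192.168.100.73 NONE/400 3874 GET /subscribe?host_int=1&nid=2 - NONE/- text/html
"""

@dataclass
class Entry:
    elapsed_ms: int
    client: str
    code: str
    status: int
    nbytes: int
    method: str
    url: str

def parse_line(line):
    """Parse one native-format line; None for a non-matching line (e.g. a wrapped fragment)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Entry(int(g["elapsed"]), g["client"], g["code"], int(g["status"]),
                 int(g["bytes"]), g["method"], g["url"])

def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]

def triage(entries, slow_ms=30000):
    """Flag entries worth a second look when clients report hangs although Squid logs success."""
    findings = []
    for e in entries:
        if e.method == "CONNECT" and e.elapsed_ms >= slow_ms:
            findings.append((e, f"CONNECT held {e.elapsed_ms / 1000:.0f}s for {e.nbytes} bytes: "
                                "long-polling, or the reply path back to the client is stalling"))
        elif e.status == 400 and e.url.startswith("/"):
            findings.append((e, "origin-form request on a forward-proxy port: sent without proxy syntax"))
    return findings
```

Run it against a real access.log by feeding the file contents to parse_log and printing the findings; the fragment line at the top of the post's excerpt is skipped because it does not start with a timestamp.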
Received on Wed Jan 15 2014 - 23:23:45 MST

This archive was generated by hypermail 2.2.0 : Thu Jan 16 2014 - 12:00:05 MST