Здравствуйте! Помогите решить проблему. Есть VPN сервер под управлением CentOS 6. На нем уже подняты и работают службы squid, openvpn, pptp. Squid работает в режиме прозрачного прокси и пользователи подключившиеся к серверу ходят через него. Сейчас пытаюсь настроить ipsec (strongswan), но в процессе настройки возникла проблема. Если в iptables включен просто nat, без перенаправления 80 порта на squid, сайты по http и https открываются, а если я заворачиваю 80 порт то http не работает только https. Проблема как я предполагаю в squid, только найти ее самостоятельно у меня не получилось, поэтому прошу вашей помощи.
Linux vpn 2.6.32-504.8.1.el6.i686 #1 SMP Wed Jan 28 18:25:26 UTC 2015 i686 i686 i386 GNU/Linux
Squid Cache: Version 3.4.10
configure options: '--build=i686-redhat-linux-gnu' '--host=i686-redhat-linux-gnu' '--target=i686-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--libexecdir=/usr/lib/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos,wrapper' '--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,AD_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--with-large-files' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2' '--enable-esi' '--enable-ssl' '--enable-ssl-crtd' '--enable-icmp' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' '--with-included-ltdl' '--disable-arch-native' '--without-nettle' 'build_alias=i686-redhat-linux-gnu' 'host_alias=i686-redhat-linux-gnu' 'target_alias=i686-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=atom -fasynchronous-unwind-tables' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=atom -fasynchronous-unwind-tables -fPIC' 'PKG_CONFIG_PATH=/usr/lib/pkgconfig:/usr/share/pkgconfig' --enable-ltdl-convenience
iptables
-A PREROUTING -s 10.9.0.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3127
-A POSTROUTING -s 10.9.0.0/24 -o eth0 -j SNAT --to-source xxx.xxx.xxx.xxx
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m comment --comment "SSH" -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m comment --comment "HTTP" -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -m comment --comment "HTTPs" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -m comment --comment "OpenVPN" -j ACCEPT
-A INPUT -i ppp+ -p tcp -m tcp --dport 3128 -m comment --comment "Squid" -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 3128 -m comment --comment "Squid" -j ACCEPT
-A INPUT -i ipsec+ -p tcp -m tcp --dport 3128 -m comment --comment "Squid" -j ACCEPT
-A INPUT -i ppp+ -p tcp -m tcp --dport 3127 -m comment --comment "Squid-Transparent" -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 3127 -m comment --comment "Squid-Transparent" -j ACCEPT
-A INPUT -i ipsec+ -p tcp -m tcp --dport 3127 -m comment --comment "Squid-Transparent" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -m comment --comment "PPTP" -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -m comment --comment "OpenVPN" -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -m comment --comment "IPSec" -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -m comment --comment "IPSec" -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o ppp+ -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o ppp+ -j ACCEPT
-A FORWARD -i ppp+ -o tun0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p esp -j ACCEPT
-A OUTPUT -p ah -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 500 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1194 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 1194 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 4500 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 32768:61000 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 32768:61000 -j ACCEPT
squid.conf
#----------------------------------------------------------------
acl localnet src 10.9.0.0/24
acl office_hours time 00:00-24:00
#----------------------------------------------------------------
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
#----------------------------------------------------------------
acl Safe_ports port 21 # ftp
acl Safe_ports port 25 # smtp
acl Safe_ports port 70 # gopher
acl Safe_ports port 80 # http
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 443 # https
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 777 # multiling http
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl Safe_ports port 1025-65535 # unregistered ports
acl purge method PURGE
acl CONNECT method CONNECT
#----------------------------------------------------------------
http_port 10.9.0.1:3127 intercept
http_port 10.9.0.1:3128
#----------------------------------------------------------------
always_direct allow all
#----------------------------------------------------------------
acl adblock url_regex "/etc/squid/adblock.acl"
acl adblock-android dstdomain "/etc/squid/adblock-android.conf"
#acl goodsites dstdomain "/etc/squid/allowed-sites.conf"
#acl blockfiles urlpath_regex "/etc/squid/blocks.files.acl"
#----------------------------------------------------------------
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#http_access allow localnet Safe_ports
#----------------------------------------------------------------
#http_access deny pptp badsites
#http_access allow pptp goodsites
#http_access deny pptp
http_access allow localnet CONNECT
http_access deny localnet adblock
http_access deny localnet adblock-android
http_access allow localnet office_hours
#----------------------------------------------------------------
http_access deny all
icp_access allow localnet
icp_access deny all
#----------------------------------------------------------------
hierarchy_stoplist cgi-bin ?
#----------------------------------------------------------------
access_log stdio:/var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log stdio:/var/log/squid/store.log
pid_filename /var/run/squid.pid
debug_options ALL,1
#----------------------------------------------------------------
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
acl apache rep_header Server ^Apache
#----------------------------------------------------------------
hosts_file /etc/hosts
coredump_dir /var/spool/squid
error_directory /usr/share/squid/errors/ru-ru
cache_dir ufs /var/spool/squid 100 16 256
shutdown_lifetime 5 seconds
ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
# strictcrlpolicy=yes
# uniqueids = no
# Add connections here.
# Sample VPN connections
conn %default
dpdaction=clear
dpddelay=35s
dpdtimeout=200s
fragmentation=yes
# left - local (server) side
left=%any
leftauth=pubkey
leftcert=vpn.crt
leftsendcert=always
leftsubnet=0.0.0.0/0
# right - remote (client) side
right=%any
rightauth=pubkey
rightsourceip=10.9.0.128/25
rightdns=77.88.8.88,8.8.8.8
conn ikev2-pubkey
keyexchange=ikev2
auto=add
conn ikev1
keyexchange=ikev1
rightauth2=xauth
auto=add
conn ikev2-eap-tls
also="ikev2-pubkey"
rightauth=eap-tls
eap_identity=%identity