<div dir="ltr"><div>I have now managed to get it working (was just a silly mistake on the left subnet for csvnetkp (I used a /24 instead of a /16). </div><div> </div><div>I can now get successful pings between nodes which is awesome!</div>
<div> </div><div>However, it all looked great until I tried to actually communicate between spokes.. I seem to be able to do pings and make connections to ports but when I try to put some traffic across the VPN I get problems. i.e. I can successfully telnet to ports but actually doing any meaningful communication seems to fail.</div>
<div> </div><div>My two spokes are Windows machines and I've tried creating an RDP connection between them which accepts the connection, asks for credentials, starts connecting and then hangs for a while. Finally it fails. It seems like the initial connection can be made but very soon after the connection hangs.</div>
<div> </div><div>Doing DNS lookups between spokes on the VPN however works fine (I think because they are brief)</div><div> </div><div>I can connect to an FTP server and do a directory listing but as soon as I try and transfer a file it hangs and then fails.</div>
<div> </div><div>Any ideas what can cause this connection hanging? </div><div> </div><div>Many Thanks,</div><div> </div><div>Kevin</div><div> </div><div> </div></div><div class="gmail_extra"><br><br><div class="gmail_quote">
On Fri, Aug 30, 2013 at 11:56 AM, Noel Kuntze <span dir="ltr"><<a href="mailto:noel@familie-kuntze.de" target="_blank">noel@familie-kuntze.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA256<br>
<br>
Hello,<br>
<br>
I don't think using rightsubnet is correct in this case, as it only applies to networks that are physically attached to the remote host.<br>
You can however, customize the _updown script to set routes to the remote subnets that go through the VPN responder.<br>
The _updown script is in /lib/strongswan/. You should create a copy of it and adjust up-host, down-host, up-client and/or down-client.<br>
Read the comments on the cases in the switch case of the script to determine what needs to be adjusted.<br>
I don't know if it will work, as I don't know if strongSwan will reject the traffic to subnets that are not physically attached to it.<br>
<br>
Regards,<br>
Noel Kuntze<br>
<div class="im"><br>
On 30.08.2013 12:21, Kevin Palmer wrote:<br>
> Hi Andy,<br>
><br>
> The routing on the 10.4.0.0 spoke is configured that any communication to the following subnets<br>
</div>> <a href="http://10.30.0.0/16,10.7.0.0/16,10.6.0.0/16,10.3.0.0/16,172.16.0.0/16" target="_blank">10.30.0.0/16,10.7.0.0/16,10.6.0.0/16,10.3.0.0/16,172.16.0.0/16</a> <<a href="http://10.30.0.0/16,10.7.0.0/16,10.6.0.0/16,10.3.0.0/16,172.16.0.0/16" target="_blank">http://10.30.0.0/16,10.7.0.0/16,10.6.0.0/16,10.3.0.0/16,172.16.0.0/16</a>> will be routed to the Strongswan VPN gateway public IP (I've yet to setup the tunnels for 10.30.0.0, 10.7.0.0 and 10.3.0.0)<br>
><br>
> When I try to connect to an address in the <a href="http://10.6.0.0/16" target="_blank">10.6.0.0/16</a> <<a href="http://10.6.0.0/16" target="_blank">http://10.6.0.0/16</a>> subnet it should be routed through to the hub and then back out to the other spoke but currently it fails.<br>
<div class="im">> Connections to 172.16.0.1 are made successfully.<br>
><br>
> The routing on the 10.6.0.0 spoke is configured that any communication to the following subnets<br>
</div>> <a href="http://10.30.0.0/16,10.4.0.0/16,10.7.0.0/16,10.3.0.0/16,172.16.0.0/16" target="_blank">10.30.0.0/16,10.4.0.0/16,10.7.0.0/16,10.3.0.0/16,172.16.0.0/16</a> <<a href="http://10.30.0.0/16,10.4.0.0/16,10.7.0.0/16,10.3.0.0/16,172.16.0.0/16" target="_blank">http://10.30.0.0/16,10.4.0.0/16,10.7.0.0/16,10.3.0.0/16,172.16.0.0/16</a>> will be routed to the Strongswan VPN gateway public IP (I've yet to setup the tunnels for 10.30.0.0, 10.7.0.0 and 10.3.0.0)<br>
><br>
> When I try to connect to an address in the <a href="http://10.4.0.0/16" target="_blank">10.4.0.0/16</a> <<a href="http://10.4.0.0/16" target="_blank">http://10.4.0.0/16</a>> subnet it should be routed through to the hub and then back out to the other spoke but currently it fails.<br>
<div class="im">> Connections to 172.16.0.1 are made successfully.<br>
><br>
> Many Thanks,<br>
><br>
> Kevin<br>
><br>
><br>
</div><div class="im">> On Fri, Aug 30, 2013 at 10:59 AM, Paton, Andy <<a href="mailto:andy.paton@hp.com">andy.paton@hp.com</a> <mailto:<a href="mailto:andy.paton@hp.com">andy.paton@hp.com</a>>> wrote:<br>
><br>
> What is your routing setup on the spokes?<br>
><br>
><br>
><br>
> Regards,<br>
><br>
><br>
><br>
</div>> *Andy Paton - *Bsc. (Hons), MBCS*<br>
> *Innovation Engineer<br>
><br>
> <a href="mailto:andy.paton@hp.com">andy.paton@hp.com</a> <mailto:<a href="mailto:andy.paton@hp.com">andy.paton@hp.com</a>><br>
><br>
><br>
> HP <<a href="http://www.hp.com/" target="_blank">http://www.hp.com/</a>><br>
><br>
><br>
><br>
> *From:*users-bounces+andy.paton=<a href="mailto:hp.com@lists.strongswan.org">hp.com@lists.strongswan.org</a> <mailto:<a href="mailto:hp.com@lists.strongswan.org">hp.com@lists.strongswan.org</a>> [mailto:<a href="mailto:users-bounces%2Bandy.paton">users-bounces+andy.paton</a> <mailto:<a href="mailto:users-bounces%252Bandy.paton">users-bounces%2Bandy.paton</a>>=<a href="mailto:hp.com@lists.strongswan.org">hp.com@lists.strongswan.org</a> <mailto:<a href="mailto:hp.com@lists.strongswan.org">hp.com@lists.strongswan.org</a>>] *On Behalf Of *Kevin Palmer<br>
> *Sent:* 30 August 2013 10:32<br>
> *To:* <a href="mailto:users@lists.strongswan.org">users@lists.strongswan.org</a> <mailto:<a href="mailto:users@lists.strongswan.org">users@lists.strongswan.org</a>><br>
> *Subject:* [strongSwan] Strongswan as a VPN Hub with a single network adapter<br>
<div class="im">><br>
><br>
><br>
> Hi,<br>
><br>
><br>
><br>
> I have just been using Strongswan for the first time and firstly I’d like to say how impressed I was in how easy it was to setup the VPN tunnels. I got my two tunnels working within about 20 minutes of installing Strongswan.<br>
><br>
><br>
><br>
> I have got a hub and two spokes and once the two tunnels were established I can successfully communicate between the spokes and the hub.<br>
><br>
><br>
><br>
> The problem I’ve got however is that each ‘Spoke’ of the VPN cannot contact other spokes in the VPN.<br>
><br>
><br>
><br>
> My first thought that this was that IPv4 Forwarding needs to be enabled however enabling IPv4 Forwarding did not solve the problem.<br>
><br>
><br>
><br>
</div>> I’ve also tried adding each spoke subnet as ‘Left’ subnets in the other connections in ipsec.conf but Strongswan reports “no local address found in traffic selector <a href="http://10.6.0.0/24" target="_blank">10.6.0.0/24</a> <<a href="http://10.6.0.0/24" target="_blank">http://10.6.0.0/24</a>>” as that subnet is not allocated to my adapter.<br>
<div class="im">><br>
><br>
><br>
> The other points to note is that my machine has only one network adapter which is connected to the internet so to get a local subnet I added a second IP address to the adapter (eth0:0)<br>
><br>
><br>
><br>
> Does anyone have any suggestions on what I should try text?<br>
><br>
><br>
><br>
> Configuration below…<br>
><br>
><br>
><br>
> Thanks,<br>
><br>
><br>
><br>
> Kevin<br>
><br>
><br>
><br>
</div>> *Interfaces*<br>
><br>
> /auto eth0/<br>
><br>
> /iface eth0 inet static/<br>
><br>
> / address xxx.xxx.xxx.xxx/<br>
><br>
> / gateway zzz.zzz.zzz.zzz/<br>
><br>
> / netmask <a href="http://255.255.252.0/" target="_blank">255.255.252.0/</a><br>
><br>
> / /<br>
><br>
> /auto lo/<br>
><br>
> /iface lo inet loopback/<br>
><br>
> / /<br>
><br>
> /auto eth0:0/<br>
><br>
> /iface eth0:0 inet static/<br>
><br>
> / address <a href="http://172.16.0.1/" target="_blank">172.16.0.1/</a><br>
><br>
> / netmask <a href="http://255.255.0.0/" target="_blank">255.255.0.0/</a><br>
><br>
><br>
><br>
> *ipsec.conf*<br>
><br>
><br>
><br>
> /# ipsec.conf - strongSwan IPsec configuration file/<br>
><br>
> / /<br>
><br>
> /# basic configuration/<br>
><br>
> / /<br>
><br>
> /config setup/<br>
><br>
> / # plutodebug=all/<br>
><br>
> / # crlcheckinterval=600/<br>
><br>
> / # strictcrlpolicy=yes/<br>
><br>
> / # cachecrls=yes/<br>
><br>
> / nat_traversal=yes/<br>
><br>
> / charonstart=yes/<br>
><br>
> / plutostart=yes/<br>
><br>
> / /<br>
><br>
> /# Add connections here./<br>
><br>
> / /<br>
><br>
> /conn %default/<br>
><br>
> / ikelifetime=60m/<br>
><br>
> / keylife=20m/<br>
><br>
> / rekeymargin=3m/<br>
><br>
> / keyingtries=1/<br>
><br>
> / keyexchange=ikev2/<br>
><br>
> / authby=secret/<br>
><br>
> / mobike=yes/<br>
><br>
> / /<br>
><br>
> /# CSVNETKP Connection/<br>
><br>
> / /<br>
><br>
> /conn csvnetkp/<br>
><br>
> / left=%any/<br>
><br>
> / leftsubnet=<a href="http://172.16.0.0/24,10.6.0.0/24" target="_blank">172.16.0.0/24,10.6.0.0/24</a> <<a href="http://172.16.0.0/24,10.6.0.0/24" target="_blank">http://172.16.0.0/24,10.6.0.0/24</a>>/<br>
><br>
> / leftid=@csvpn.local <mailto:<a href="mailto:leftid">leftid</a>=@csvpn.local>/<br>
><br>
> / right=aaa.aaa.aaa.aaa/<br>
><br>
> / rightsubnet=<a href="http://10.4.0.0/16" target="_blank">10.4.0.0/16</a> <<a href="http://10.4.0.0/16" target="_blank">http://10.4.0.0/16</a>>/<br>
><br>
> / auto=route/<br>
><br>
> / esp=aes256/<br>
><br>
> / /<br>
><br>
> / /<br>
><br>
> /conn csvnetmsdn2/<br>
><br>
> / left=%any/<br>
><br>
> / leftsubnet=<a href="http://172.16.0.0/24,10.4.0.0/16" target="_blank">172.16.0.0/24,10.4.0.0/16</a> <<a href="http://172.16.0.0/24,10.4.0.0/16" target="_blank">http://172.16.0.0/24,10.4.0.0/16</a>>/<br>
><br>
> / leftid=@csvpn.cirrasoft.local <mailto:<a href="mailto:leftid">leftid</a>=@csvpn.cirrasoft.local>/<br>
><br>
> / right=bbb.bbb.bbb.bbb/<br>
><br>
> / rightsubnet=<a href="http://10.6.0.0/16" target="_blank">10.6.0.0/16</a> <<a href="http://10.6.0.0/16" target="_blank">http://10.6.0.0/16</a>>/<br>
><br>
> / auto=route/<br>
><br>
> / esp=aes256/<br>
><br>
> / /<br>
<div class="im">><br>
><br>
><br>
><br>
><br>
> Where<br>
><br>
> xxx.xxx.xxx.xxx is my Public facing address<br>
><br>
> zzz.zzz.zzz.zzz is my ISP gateway<br>
><br>
</div>> aaa.aaa.aaa.aaa is the Gateway of ‘spoke’ Subnet <a href="http://10.4.0.0/16" target="_blank">10.4.0.0/16</a> <<a href="http://10.4.0.0/16" target="_blank">http://10.4.0.0/16</a>><br>
><br>
> bbb.bbb.bbb.bbb is the Gateway of ‘spoke’ Subnet <a href="http://10.6.0.0/16" target="_blank">10.6.0.0/16</a> <<a href="http://10.6.0.0/16" target="_blank">http://10.6.0.0/16</a>><br>
<div class="im">><br>
><br>
><br>
> And I have my PSK’s in the secrets file mapped to the two gateways.<br>
><br>
><br>
><br>
> If anyone can help this would be much appreciated..<br>
><br>
><br>
><br>
> I'm sure I am almost there but... not quite!<br>
><br>
><br>
><br>
> Many Thanks,<br>
><br>
><br>
><br>
> Kevin<br>
><br>
><br>
><br>
><br>
</div>> _______________________________________________<br>
> Users mailing list<br>
> <a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br>
> <a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br>
<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v2.0.21 (GNU/Linux)<br>
Comment: Using GnuPG with Thunderbird - <a href="http://www.enigmail.net/" target="_blank">http://www.enigmail.net/</a><br>
<br>
iQIcBAEBCAAGBQJSIHpdAAoJEDg5KY9j7GZYmIwP/jDjxgfUQLC7rzqsXwBuBg2Y<br>
NNxGl4KQovc5QtYKOhl/mEo1jkYphllMJ+Dz7JotK24c06dXY5LIcx9aCWic/PoC<br>
JcOz1W5Nek+kXdhu5UhS3O3NctBNnykU5gu2VcvnGZr+ZVZsOnkxi0VbMwvO2tz1<br>
oU08hN0Gvk++w3h+/KxUFJhViruOE72BxfJJosnshO00V7aycuvCKkko8BAPGjGK<br>
fA75xc84a3bmdAK6C7N+YMArNvTTcO4nNRzAu8V1lxof65VE+6FYxLK/BnUCA2N9<br>
u16kpjec3UszL6qQnUcdLb4gyFrFxBXQS5suxq73sRUPVxx4AxIX6BEtDPyCfzWx<br>
Lm9MgK8gvHAv1PqzdwpESxQc6WYgyzFc/XXSY4WlnYjMe39mb3RkiARfFrKys7wX<br>
a2KWxiM7E8eWkI2hSbT72Jrfiou35TjwlKxfqTRIqVcbkRtj+2dJ5O39NJr7m0iq<br>
eU7kzLgKG4QU+WFIfBhxMZf8+LMzn6i+uxCPTZDkX+ZEnrhW6LSkBEut+uN7uRaw<br>
90E7QzjAtegMmHoDXwpDC4Z0OBdxQFUt9gDw2Eg3ifcg67HqBYzy2t1I7IG2MfQ6<br>
UYh2oulFzYykw7YuqTcyW7IPK9o1YRzpk8uUzLgt/frH9RpO2NH37ehfhbbmF2Oo<br>
abay+2MZYzmclRq95KOP<br>
=SOKu<br>
-----END PGP SIGNATURE-----<br>
<br>
</blockquote></div><br></div>