<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Robert,<div class=""><br class=""></div><div class="">Make sure you have ip_forward turned on</div><div class=""><pre style="background-color: rgb(255, 255, 255); font-family: Menlo; font-size: 9pt;" class=""><span style="background-color:#e7ffb3;" class="">net.ipv4.ip_forward = 1<br class=""></span></pre><div class=""><br class=""></div><div class="">and masquerade the IP address</div></div><div class=""><pre style="background-color: rgb(255, 255, 255); font-family: Menlo; font-size: 9pt;" class=""><span style="background-color:#e7ffb3;" class="">/sbin/iptables -t nat -A POSTROUTING -o </span><span style="font-size: 9pt;" class="">enp3s0</span><span style="background-color: rgb(231, 255, 179); font-size: 9pt;" class=""> -j MASQUERADE</span></pre><div class="">then you need to make sure that anything that goes down the internal interface comes back that way.</div></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">See if you can make sense of the following, which is my config.  
eth0 is public-facing, eth1 is internal-facing</div><div class=""><br class=""></div><div class=""><pre style="background-color: rgb(255, 255, 255); font-family: Menlo; font-size: 9pt;" class="">cat <span style="color:#5a5a5a;font-style:italic;" class=""><<</span><span style="color:#000080;font-weight:bold;" class="">EOF </span><span style="color:#5a5a5a;font-style:italic;" class="">>> /etc/network/interfaces.d/50-cloud-init.cfg<br class=""></span><span style="background-color:#e7ffb3;" class="">auto eth0<br class=""></span><span style="background-color:#e7ffb3;" class="">iface eth0 inet dhcp<br class=""></span><span style="background-color:#e7ffb3;" class="">    <br class=""></span><span style="background-color:#e7ffb3;" class="">auto eth1<br class=""></span><span style="background-color:#e7ffb3;" class="">iface eth1 inet dhcp<br class=""></span><span style="background-color:#e7ffb3;" class="">    metric 100<br class=""></span><span style="color:#000080;font-weight:bold;" class="">EOF<br class=""></span>ifup eth1</pre><pre style="background-color: rgb(255, 255, 255); font-family: Menlo; font-size: 9pt;" class=""><br class="">SN1=<span style="color:#008000;font-weight:bold;" class="">"$(ip r | awk '/eth1/ { print $1 }' | tail -n 1)"  </span><span style="color:#808080;font-style:italic;" class=""># internal subnet<br class=""></span>IP1=<span style="color:#008000;font-weight:bold;" class="">"$(ip r | awk '/eth1/ { print $NF }' | tail -n 1)"  </span><span style="color:#808080;font-style:italic;" class=""># internal ip<br class=""></span>GW1=<span style="color:#008000;font-weight:bold;" class="">"$(echo ${SN1} | cut -d'/' -f1 | cut -d'.' -f1-3).1"  </span><span style="color:#808080;font-style:italic;" class=""># internal gateway<br class=""></span><span style="color:#808080;font-style:italic;" class=""><br class=""></span><span style="color:#0b0c95;" class="">echo </span><span style="color:#0000ff;" class="">200 </span>eth1 <span style="color:#5a5a5a;font-style:italic;" class="">>> /etc/iproute2/rt_tables<br class=""></span><span style="color:#5a5a5a;font-style:italic;" class=""><br class=""></span>cat <span style="color:#5a5a5a;font-style:italic;" class=""><<</span><span style="color:#000080;font-weight:bold;" class="">EOF </span><span style="color:#5a5a5a;font-style:italic;" class="">>> /etc/network/interfaces.d/50-cloud-init.cfg<br class=""></span><span style="background-color:#e7ffb3;" class="">    post-up /sbin/ip rule add from </span><span style="color:#000080;font-weight:bold;" class="">$</span>{IP1}<span style="background-color:#e7ffb3;" class=""> table eth1<br class=""></span><span style="background-color:#e7ffb3;" class="">    pre-down /sbin/ip rule delete from </span><span style="color:#000080;font-weight:bold;" class="">$</span>{IP1}<span style="background-color:#e7ffb3;" class=""> table eth1<br class=""></span><span style="background-color:#e7ffb3;" class="">    post-up /sbin/ip route add default via </span><span style="color:#000080;font-weight:bold;" class="">$</span>{GW1}<span style="background-color:#e7ffb3;" class=""> table eth1<br class=""></span><span style="background-color:#e7ffb3;" class="">    pre-down /sbin/ip route delete default via </span><span style="color:#000080;font-weight:bold;" class="">$</span>{GW1}<span style="background-color:#e7ffb3;" class=""> table eth1<br class=""></span><span style="background-color:#e7ffb3;" class="">    post-up /sbin/ip route add </span><span style="color:#000080;font-weight:bold;" class="">$</span>{REMOTECIDR}<span style="background-color:#e7ffb3;" class=""> via </span><span style="color:#000080;font-weight:bold;" 
class="">$</span>{GW1}<span style="background-color:#e7ffb3;" class=""><br class=""></span><span style="background-color:#e7ffb3;" class="">    pre-down /sbin/ip route delete </span><span style="color:#000080;font-weight:bold;" class="">$</span>{REMOTECIDR}<span style="background-color:#e7ffb3;" class=""> via </span><span style="color:#000080;font-weight:bold;" class="">$</span>{GW1}<span style="background-color:#e7ffb3;" class=""><br class=""></span><span style="background-color:#e7ffb3;" class="">    post-up /sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE<br class=""></span><span style="background-color:#e7ffb3;" class="">    pre-down /sbin/iptables -t nat -D POSTROUTING -o eth1 -j MASQUERADE<br class=""></span><span style="color:#000080;font-weight:bold;" class="">EOF<br class=""></span>ifdown eth1; ifup eth1<br class=""><br class="">cat <span style="color:#5a5a5a;font-style:italic;" class=""><<</span><span style="color:#000080;font-weight:bold;" class="">EOF </span><span style="color:#5a5a5a;font-style:italic;" class="">> /etc/sysctl.d/60-strongswan.conf<br class=""></span><span style="background-color:#e7ffb3;" class="">net.ipv4.ip_forward = 1<br class=""></span><span style="color:#000080;font-weight:bold;" class="">EOF<br class=""></span>sysctl -p /etc/sysctl.d/60-strongswan.conf<br class=""></pre><div class=""><br class=""></div></div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""><div class="">
<div dir="auto" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="caret-color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="caret-color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="caret-color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="caret-color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; 
-webkit-text-stroke-width: 0px; text-decoration: none;">Kind regards,<br class=""><br class=""><b style="color: rgb(0, 0, 0);" class="">Christian Salway</b><br class="">IT Consultant - <b class=""><font color="#f05a28" class="">Naimuri</font></b><br class=""><br class=""><font color="#919191" class="">T: +44 7463 331432<br class="">E: <a href="mailto:christian.salway@naimuri.com" class="">christian.salway@naimuri.com</a><br class="">A: Naimuri Ltd, Chandlers Point, Manchester M50 2UW</font></div></div></div></div></div></div></div>
</div>
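<div class="">An added example, written for this thread and not Christian's script nor anything shipped with strongSwan: the config above derives the internal gateway with a <code>cut -d'.' -f1-3).1</code> trick, which only gives an address inside the subnet for prefixes of /24 or shorter, and takes the interface address from <code>$NF</code>, which is the metric rather than the address once a route ends in <code>metric 100</code>. The script below computes the first host of the connected subnet from the prefix length instead, picks the address from the <code>src</code> field, and emits the policy-routing and masquerade commands rather than running them (they need root and a live interface). The <code>ip route</code> lines, the table name <code>internal</code> and the pool <code>192.168.18.0/24</code> (covering Robert's rightsourceip range) are constructed for the example; the function names are mine.</div>

```shell
#!/bin/sh
# Added example (not Christian's script, not strongSwan code): derive the internal
# subnet, address and gateway for a policy-routing table from `ip route` output
# without assuming a /24. Constructed sample output resembling Robert's box,
# where enp3s0 sits on a /23 and the route ends in "metric 100":
SAMPLE_ROUTES='default via 12.12.12.1 dev enp0s25 proto static
12.12.12.0/24 dev enp0s25 proto kernel scope link src 12.12.12.5
192.168.0.0/23 dev enp3s0 proto kernel scope link src 192.168.1.198 metric 100'

# dotted quad -> 32-bit integer
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# 32-bit integer -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# First usable host of the network containing addr/prefix
# (192.168.1.198/23 -> 192.168.0.1). Same assumption as the original script:
# the gateway is the first host of the subnet, which has to be checked on site.
first_host() {
    addr=${1%/*}
    plen=${1#*/}
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    net=$(( $(ip_to_int "$addr") & mask ))
    int_to_ip $(( net + 1 ))
}

# Connected subnet of an interface: the destination of its "dev <iface>" route
# that carries a prefix length (the default route has none).
subnet_for() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        { for (i = 1; i < NF; i++)
              if ($i == "dev" && $(i + 1) == dev && $1 ~ /\//) print $1 }' | tail -n 1
}

# Address of an interface: the field after "src", not $NF, so a trailing
# "metric 100" cannot be mistaken for the address.
addr_for() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        { ok = 0; src = ""
          for (i = 1; i < NF; i++) {
              if ($i == "dev" && $(i + 1) == dev) ok = 1
              if ($i == "src") src = $(i + 1) }
          if (ok && src != "") print src }' | tail -n 1
}

# The original derivation, kept for comparison: fine for /24 and shorter,
# but yields an address outside the subnet for anything longer than /24.
naive_gw() {
    echo "$(echo "$1" | cut -d'/' -f1 | cut -d'.' -f1-3).1"
}

# Commands the post-up hooks would run: ip1 gw1 table pool iface.
# The MASQUERADE rule is narrowed to the VPN pool with -s, so only
# road-warrior traffic is rewritten rather than everything leaving iface.
policy_route_cmds() {
    printf '%s\n' \
        "ip rule add from $1 table $3" \
        "ip route add default via $2 table $3" \
        "iptables -t nat -A POSTROUTING -s $4 -o $5 -j MASQUERADE"
}

main() {
    sn1=$(subnet_for "$SAMPLE_ROUTES" enp3s0)
    ip1=$(addr_for "$SAMPLE_ROUTES" enp3s0)
    gw1=$(first_host "$sn1")
    echo "subnet=${sn1} ip=${ip1} gw=${gw1}"
    policy_route_cmds "$ip1" "$gw1" internal 192.168.18.0/24 enp3s0
    echo "192.168.1.128/25: naive $(naive_gw 192.168.1.128/25), computed $(first_host 192.168.1.128/25)"
}

main
```

<div class="">On the sample routes this yields subnet 192.168.0.0/23, address 192.168.1.198 and gateway 192.168.0.1, matching the primary gateway Robert lists; for a /25 the naive form returns 192.168.1.1 while the computed first host is 192.168.1.129. Replace <code>SAMPLE_ROUTES</code> with <code>$(ip r)</code> and the interface name to use it on a real box, and add a table entry to /etc/iproute2/rt_tables as the original config does before the <code>ip rule</code> line will resolve the name.</div>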
<div><br class=""><blockquote type="cite" class=""><div class="">On 20 Aug 2018, at 22:23, Robert Green <<a href="mailto:robert.green@wegolook.com" class="">robert.green@wegolook.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">Hello All,<div class=""><br class=""></div><div class="">I may be doing something that isn't going to work easily.  I am trying to setup strongswan on a separate system than is on my firewall/router.  This separate system is also directly connected to the public internet. This is to support a road warrior setup.</div><div class=""><br class=""></div><div class="">I currently have the windows 10 client connecting via certificates.  However when I connect the client I can not get traffic beyond the VPN box.  I can ping the internal interface but I can not ping into the network or external clients.</div><div class=""><br class=""></div><div class="">I see the routes in the table 220 but they don't look right to me. I do have the firewall rules turned on the config and those look to be populating correctly.</div><div class=""><br class=""></div><div class="">/etc/ipsec.conf</div><div class=""> config setup<div class="">        # strictcrlpolicy=yes</div><div class="">        # uniqueids = no</div><div class="">        charondebug="cfg 2, dmn 2, ike 2, net 2"</div><div class=""><br class=""></div><div class=""><div class="">conn remote-users</div><div class="">        fragmentation=yes</div><div class="">        ike=aes256-sha1-modp1024,3des-<wbr class="">sha1-modp1024!<br class=""></div><div class="">        esp=aes256-sha1,3des-sha1!</div><div class="">        left=%any</div><div class="">        #leftsubnet=<a href="http://0.0.0.0/0" target="_blank" class="">0.0.0.0/0</a></div><div class="">        leftsubnet=<a href="http://192.168.0.0/16" target="_blank" class="">192.168.0.0/16</a></div><div class="">        leftcert=server_cert.pem</div><div class="">        leftfirewall=yes</div><div 
class="">        right=%any</div><div class="">        rightdns=1.1.1.1, 8.8.8.8</div><div class="">        rightsourceip=192.168.18.2-<wbr class="">192.168.18.254</div><div class="">        keyexchange=ikev2</div><div class="">        #auto=add</div><div class="">        auto=route</div></div><div class=""><br class=""></div><div class="">ip route show table 220</div><div class=""><br class=""></div><div class="">192.168.18.2 via 12.12.12.1 dev enp0s25 proto static src 192.168.1.198<br class=""></div><div class=""><br class=""></div><div class="">My interfaces are:</div><div class="">enp0s25 -> 12.12.12.1  (public interface)</div><div class="">enp3s0  -> 192.168.1.198 (internal interface)</div><div class=""><br class=""></div><div class="">Primary gateway 192.168.0.1  (netmask /23)</div><div class=""><br class=""></div><div class="">This all has been sanitized. I have been beating my head against the wall on this one.  I know this is a routing issue but not sure how to properly fix it.</div><div class=""><br class=""></div><div class="">Thank you,</div>-- <br class=""><div class="m_6660074428583724181gmail-m_3376518069608788131gmail_signature"><div dir="ltr" class="">Robert Green<div class=""><br class=""></div></div></div>
</div></div>
</div></blockquote></div><br class=""></div></body></html>