<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi,</p>
<p>Maybe it makes sense to consider different interfaces? One for
public access, another one for LAN access. <br>
</p>
<p>Take a look at
<a class="moz-txt-link-freetext" href="https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN">https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN</a></p>
<p>You can use a VTI configuration for LAN purposes, while having a
separate interface (with masquerading) for public access.</p>
<p>Hope this'll help.<br>
</p>
<div class="moz-cite-prefix">On 15.06.2020 12:00, lejeczek wrote:<br>
</div>
<blockquote type="cite"
cite="mid:21204e3e-6c01-b693-7b5f-160a9cdc40b9@yahoo.co.uk">
<pre class="moz-quote-pre" wrap="">
On 15/06/2020 08:53, lejeczek wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">
On 15/06/2020 07:16, Volodymyr Litovka wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">Hi L.,
if you can ping server from client, then, in general, you
can ping everything from everywhere.
It is a question of routing and firewalls, e.g.
- NodeA@LAN should know, that ClientA@VPN resides behind
VPNSrv@LAN
- ClientA@VPN should allow access to his services from VPN
connection
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">Could it be that my strongswan does not handle my case well?
My case is such that:
a) my server runs a client to a "public" VPN of which end I
know almost nothing - this part works well.
b) my server is also the server for my own VPN clients - and
here is where I cannot access those roadwarriors (but they
can ping server's LAN)
Here is when a roadwarrior connects okay and the server shows
this for table 220:
10.3.9.1 dev ipsec0 table 220 proto static src 10.3.1.101 (a
client connected to my server, pool for clients is
10.3.9.0/24 while server's LAN is 10.3.1.0/24)
172.16.0.0/12 dev ipsec0 table 220 proto static src
172.16.32.73 (server is client to a public VPN)
If I'm not asking too much then I wonder - is it the
strongswan not doing something or doing something wrong but
can be helped somehow? (config/plugin/hooks etc.)
Or it's exclusively OS firewall/routing which needs fixing
outside and independently of strongswan? (but then it would
sort of defeat the purpose of strongswan in my opinion)
ps. If I give clients the pool of "dhcp" so roadwarriors
land on the same server's LAN then 'ping' to roadwarriors
works, but erratically.
many thanks, L
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">Okay, I think I know what is going on, but to resolve it in a
way that "all" works will be a sticky wicket for me.
I put masquerading on ipsec0 interface for this one reason -
so some nodes on server's LAN have access to "public" VPN
network when Strongswan is "client" to a public VPN - this
mangles "something" in such a way that Strongswan's own LAN
cannot ping/get to Strongswan's own roadwarriors.
I'll keep fiddling with firewall as I hope there is a
resolution to my case but in the meanwhile if anybody has
any ideas and suggestions - I'll be grateful.
many thanks, L.
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">On 14.06.2020 23:02, lejeczek wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">Hi guys,
I have a strongswan serving clients and all seem to flow
nicely from roadwarriors to server's LAN.
I wonder now, before I'd go into configs and settings, how
to make roadwarriors accessible from server's LAN.
Is this a server-client issue or something completely
independent that falls into the OS's realm of networking, would
you know?
many thanks, L.
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison
</pre>
</blockquote>
</blockquote>
</blockquote>
<pre class="moz-signature" cols="72">--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison</pre>
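<p>Added example (not from this thread or from the strongSwan project) of the two-interface split suggested above: the public VPN gets its own VTI device and is the only path that is masqueraded, while the roadwarrior pool is never NATed. The addresses are the ones quoted in the thread; the device name vti-pub, mark 42, LAN interface eth1 and the 192.0.2.10 / 198.51.100.1 endpoints are assumptions and placeholders.</p>

```shell
#!/bin/sh
# Added example, not from the thread or the strongSwan project: the public VPN
# (server acting as client) runs route-based over its own VTI and is the only
# thing masqueraded; the roadwarrior path (pool 10.3.9.0/24) is left untouched.
set -eu
LAN_NET=10.3.1.0/24                  # server's LAN (from the thread)
RW_POOL=10.3.9.0/24                  # roadwarrior pool (from the thread)
PUB_NET=172.16.0.0/12                # networks behind the public VPN (from the thread)
PUB_LOCAL=172.16.32.73               # address the public VPN gave the server (from the thread)
VTI_DEV=${VTI_DEV:-vti-pub}          # assumption: VTI device name for the public VPN
VTI_MARK=${VTI_MARK:-42}             # assumption: VTI key, must equal the mark set on that CHILD_SA
PUB_PEER=${PUB_PEER:-198.51.100.1}   # placeholder: public VPN gateway
LOCAL_IP=${LOCAL_IP:-192.0.2.10}     # placeholder: server's outside address
LAN_DEV=${LAN_DEV:-eth1}             # assumption: server's LAN interface

# run: execute the command, or print it when DRY_RUN=1 so the plan can be reviewed first
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Dedicated device for the public VPN, following the RouteBasedVPN wiki page:
# the CHILD_SA carries mark (mark_in/mark_out in swanctl.conf) = VTI_MARK and the
# device gets disable_policy=1 so decrypted packets on it skip the XFRM policy check.
setup_public_vti() {
    run ip tunnel add "$VTI_DEV" local "$LOCAL_IP" remote "$PUB_PEER" mode vti key "$VTI_MARK"
    run sysctl -w "net.ipv4.conf.$VTI_DEV.disable_policy=1"
    run ip addr add "$PUB_LOCAL/32" dev "$VTI_DEV"
    run ip link set "$VTI_DEV" up
    run ip route add "$PUB_NET" dev "$VTI_DEV"
}

# Masquerade only LAN -> public VPN traffic leaving via the VTI. A bare
# "-o ipsec0 -j MASQUERADE" on a shared device also rewrites LAN -> roadwarrior
# packets, which is the breakage described in the thread; -s/-d/-o scoping avoids it.
setup_nat() {
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -d "$PUB_NET" -o "$VTI_DEV" -j MASQUERADE
    run iptables -A FORWARD -i "$LAN_DEV" -o "$VTI_DEV" -s "$LAN_NET" -d "$PUB_NET" -j ACCEPT
    run iptables -A FORWARD -s "$LAN_NET" -d "$RW_POOL" -j ACCEPT   # LAN reaching roadwarriors
    run iptables -A FORWARD -s "$RW_POOL" -d "$LAN_NET" -j ACCEPT   # roadwarriors reaching LAN
}

# show_plan: dry-run listing of every command the two steps would execute
show_plan() {
    ( DRY_RUN=1; setup_public_vti; setup_nat )
}

case "${1:-}" in
    plan)  show_plan ;;
    apply) setup_public_vti; setup_nat ;;
esac
```

<p>Run with <code>plan</code> first to review the generated commands, then <code>apply</code> as root once the public VPN CHILD_SA has been given the matching mark.</p>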
</body>
</html>