[strongSwan] Can't reach StrongSwan fronted subnet from client
Brandon Gavino
bgavino at asu.edu
Thu Nov 1 16:44:22 CET 2012
Boy, do I feel silly. I forgot to enable net.ipv4.ip_forward. I'm still
seeing packets sent over eth0, but at least I'm also seeing ICMP
requests/replies over eth1.
Anyone know how I can stop the packets being sent over eth0? If not, no big
deal, I guess.
Thanks all.
----------------------
Brandon Gavino
(623) 297 - 4097
On Wed, Oct 31, 2012 at 3:29 PM, Brandon Gavino <bgavino at asu.edu> wrote:
> Hi,
>
> I've been trying for the past few days to figure out this issue; it is
> driving me mad!
>
> I'm able to ping the StrongSwan internal IP address just fine from the
> client, however, pings go unanswered to the clients on the subnet fronted
> by the VPN server.
>
> Interestingly, the pings are visible on the WAN interface (eth0) via
> Wireshark, but are not passed through the internal interface (eth1). Config
> is below; let me know if you need more information. What am I doing wrong??
>
> Thank you in advance,
> Brandon
>
> Here's my config:
>
> ipsec.conf
> --
> config setup
>     #for ikev2
>     #plutostart=no
>     #plutodebug="all"
>     charondebug="dmn 4, mgr 4, ike 2, chd 4, job 4, cfg 3, knl 4, net 2, enc 1, lib 4"
>     #charonstart=no
>     #nat_traversal=yes
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>
> conn ikev1_psk
>     left=192.168.10.196
>     leftsubnet=192.168.20.0/24
>     leftsourceip=192.168.20.246
>     right=%any
>     rightsourceip=192.168.20.50/24
>     leftfirewall=yes
>     lefthostaccess=yes
>     rightauth=psk
>     leftauth=psk
>     rightauth2=xauth
>     auto=add
>
> strongswan.conf
> --
> # strongswan.conf - strongSwan configuration file
>
> charon {
>
>     # number of worker threads in charon
>     threads = 16
>
>     # send strongswan vendor ID?
>     # send_vendor_id = yes
>
>     # Allow IKEv1 PSK aggressive mode
>     i_dont_care_about_security_and_use_aggressive_mode_psk = yes
>
>     plugins {
>
>         #sql {
>         #    # loglevel to log into sql database
>         #    loglevel = -1
>
>         #    # URI to the database
>         #    database = sqlite:///path/to/file.db
>         #    database = mysql://user:password@localhost/database
>         #}
>     }
>
>     # ...
> }
>
> pluto {
>
> }
>
> libstrongswan {
>
>     # set to no, the DH exponent size is optimized
>     # dh_exponent_ansi_x9_42 = no
> }
>
> iptables -L -v
> --
> Chain INPUT (policy ACCEPT 425 packets, 29037 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  eth0   any     192.168.20.51        192.168.20.0/24      policy match dir in pol ipsec reqid 1 proto esp
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  eth0   any     192.168.20.51        192.168.20.0/24      policy match dir in pol ipsec reqid 1 proto esp
>     0     0 ACCEPT     all  --  any    eth0    192.168.20.0/24      192.168.20.51        policy match dir out pol ipsec reqid 1 proto esp
>
> Chain OUTPUT (policy ACCEPT 600 packets, 426K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  any    eth0    192.168.20.0/24      192.168.20.51        policy match dir out pol ipsec reqid 1 proto esp
>
> iptables -t nat -L -v
> --
> Chain PREROUTING (policy ACCEPT 1804 packets, 178K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain INPUT (policy ACCEPT 257 packets, 52969 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 46 packets, 4187 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain POSTROUTING (policy ACCEPT 39 packets, 3701 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   121 11302 MASQUERADE all  --  any    eth1    192.168.20.0/24      anywhere
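A small triage helper for exactly the symptom in this thread (pings visible on eth0 but never on eth1), added here as an example; it is not code from the original post or from the strongSwan project. It reads the output of `sysctl net.ipv4.ip_forward` and an `iptables -L -v` listing (the sample below is reconstructed from the chains quoted above) and reports the two findings that explain the behaviour: forwarding disabled, and the `policy match ... pol ipsec` rules that `leftfirewall=yes` installs in FORWARD sitting at zero hits.

```python
import re

# Sample input reconstructed from the iptables -L -v listing quoted in this
# thread (constructed for the example; only the chains that matter are kept).
SAMPLE_IPTABLES = """\
Chain INPUT (policy ACCEPT 425 packets, 29037 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0   any     192.168.20.51        192.168.20.0/24      policy match dir in pol ipsec reqid 1 proto esp

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0   any     192.168.20.51        192.168.20.0/24      policy match dir in pol ipsec reqid 1 proto esp
    0     0 ACCEPT     all  --  any    eth0    192.168.20.0/24      192.168.20.51        policy match dir out pol ipsec reqid 1 proto esp
"""

def ip_forward_enabled(sysctl_output):
    """True if `sysctl net.ipv4.ip_forward` output reports the value 1."""
    m = re.search(r"net\.ipv4\.ip_forward\s*=\s*(\d)", sysctl_output)
    return bool(m) and m.group(1) == "1"

def parse_filter_table(listing):
    """Parse `iptables -L -v` text into {chain: [(pkts, target, rule), ...]}.
    Rule lines start with two counters; the byte counter may carry a K/M/G suffix."""
    chains, current = {}, None
    for line in listing.splitlines():
        line = line.strip()
        m = re.match(r"Chain (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        m = re.match(r"(\d+)\s+\d+[KMG]?\s+(\S+)\s+(.*)", line)
        if m and current is not None:
            chains[current].append((int(m.group(1)), m.group(2), m.group(3)))
    return chains

def idle_ipsec_rules(chains, chain="FORWARD"):
    """IPsec policy-match rules in `chain` that have not counted a single packet."""
    return [rule for pkts, _target, rule in chains.get(chain, [])
            if pkts == 0 and "pol ipsec" in rule]

def diagnose(sysctl_output, listing):
    """Return the findings that explain 'pings seen on eth0 but never on eth1'."""
    findings = []
    if not ip_forward_enabled(sysctl_output):
        findings.append("net.ipv4.ip_forward is not 1: decrypted packets are never forwarded to eth1")
    idle = idle_ipsec_rules(parse_filter_table(listing))
    if idle:
        findings.append("%d IPsec policy rule(s) in FORWARD have 0 hits: no tunnel traffic is being forwarded" % len(idle))
    return findings

if __name__ == "__main__":
    for finding in diagnose("net.ipv4.ip_forward = 0", SAMPLE_IPTABLES):
        print(finding)
```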