[strongSwan] Can't reach StrongSwan fronted subnet from client

Brandon Gavino bgavino at asu.edu
Thu Nov 1 16:44:22 CET 2012


Boy, do I feel silly. I forgot to enable net.ipv4.ip_forward . I'm still
seeing packets sent over eth0, however, but at least I'm also seeing ICMP
request/replies over eth1.

Anyone know how I can stop the packets being sent over eth0? If not, no big
deal I guess.

Thanks all.

----------------------
Brandon Gavino
(623) 297 - 4097


On Wed, Oct 31, 2012 at 3:29 PM, Brandon Gavino <bgavino at asu.edu> wrote:

> Hi,
>
> I've been trying for the past few days to figure out this issue; it is
> driving me mad!
>
> I'm able to ping the StrongSwan internal IP address just fine from the
> client, however, pings go unanswered to the clients on the subnet fronted
> by the VPN server.
>
> Interestingly, the pings are visible on the WAN interface (eth0) via
> Wireshark, but are not passed through the internal interface (eth1). Config
> is below; let me know if you need more information. What am I doing wrong??
>
> Thank you in advance,
> Brandon
>
>  Here's my config:
>
> ipsec.conf
> --
> config setup
>      #for ikev2
>      #plutostart=no
>      #plutodebug="all"
>      charondebug="dmn 4, mgr 4, ike 2, chd 4, job 4, cfg 3, knl 4, net 2, enc 1, lib 4"
>      #charonstart=no
>      #nat_traversal=yes
>
> conn %default
>      ikelifetime=60m
>      keylife=20m
>      rekeymargin=3m
>      keyingtries=1
>
> conn ikev1_psk
>      left=192.168.10.196
>      leftsubnet=192.168.20.0/24
>      leftsourceip=192.168.20.246
>      right=%any
>      rightsourceip=192.168.20.50/24
>      leftfirewall=yes
>      lefthostaccess=yes
>      rightauth=psk
>      leftauth=psk
>      rightauth2=xauth
>      auto=add
>
> strongswan.conf
> --
> # strongswan.conf - strongSwan configuration file
>
> charon {
>
>     # number of worker threads in charon
>     threads = 16
>
>     # send strongswan vendor ID?
>     # send_vendor_id = yes
>
>     #Allow ikeV1 PSK aggressive
>     i_dont_care_about_security_and_use_aggressive_mode_psk = yes
>
>     plugins {
>
>         #sql {
>             # loglevel to log into sql database
>             #loglevel = -1
>
>             # URI to the database
>             # database = sqlite:///path/to/file.db
>             # database = mysql://user:password@localhost/database
>         #}
>     }
>
>     # ...
> }
>
> pluto {
>
> }
>
> libstrongswan {
>
>     #  set to no, the DH exponent size is optimized
>     #  dh_exponent_ansi_x9_42 = no
> }
>
> iptables -L -v
> --
> Chain INPUT (policy ACCEPT 425 packets, 29037 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  eth0   any     192.168.20.51        192.168.20.0/24     policy match dir in pol ipsec reqid 1 proto esp
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  eth0   any     192.168.20.51        192.168.20.0/24     policy match dir in pol ipsec reqid 1 proto esp
>     0     0 ACCEPT     all  --  any    eth0    192.168.20.0/24      192.168.20.51       policy match dir out pol ipsec reqid 1 proto esp
>
> Chain OUTPUT (policy ACCEPT 600 packets, 426K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  any    eth0    192.168.20.0/24      192.168.20.51       policy match dir out pol ipsec reqid 1 proto esp
>
> iptables -t nat -L -v
> --
> Chain PREROUTING (policy ACCEPT 1804 packets, 178K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain INPUT (policy ACCEPT 257 packets, 52969 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 46 packets, 4187 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain POSTROUTING (policy ACCEPT 39 packets, 3701 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   121 11302 MASQUERADE  all  --  any    eth1    192.168.20.0/24      anywhere
>
>
>
>
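A small audit script for the three things this thread turned out to hinge on: forwarding enabled in the kernel, FORWARD accepting traffic that arrived through an IPsec SA (the rules leftfirewall=yes installs per client), and the MASQUERADE rule leaving via the internal interface rather than the WAN one. This is an added example, not code from the thread or from the strongSwan project; it works on text so the constructed iptables-save dump below, modelled on the rules quoted above, can stand in for a live gateway.

```shell
#!/bin/sh
# Audit of the forwarding prerequisites for a strongSwan gateway that should
# pass roadwarrior traffic into the subnet behind its internal interface.
# Live use:
#   audit_gateway "$(sysctl -n net.ipv4.ip_forward)" "$(iptables-save)" eth1 192.168.20.0/24

# 1. net.ipv4.ip_forward must be 1, or decrypted packets are never routed on.
check_ip_forward() {            # $1 = sysctl value
    [ "$1" = "1" ]
}

# Escape dots so a CIDR can be embedded in an extended regex.
_re() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# 2. FORWARD must ACCEPT packets that came in through an IPsec policy and are
#    destined for the protected subnet (iptables-save form of "policy match dir in").
check_forward_rule() {          # $1 = iptables-save text, $2 = protected subnet
    printf '%s\n' "$1" | grep -Eq \
        "^-A FORWARD .*-d $(_re "$2") .*-m policy --dir in --pol ipsec.* -j ACCEPT"
}

# 3. If the client pool is NATed into the LAN, MASQUERADE has to go out the
#    internal interface; a rule on the WAN side would never see that traffic.
check_masquerade() {            # $1 = iptables-save text, $2 = internal iface, $3 = pool
    printf '%s\n' "$1" | grep -Eq "^-A POSTROUTING -s $(_re "$3") -o $2 -j MASQUERADE"
}

audit_gateway() {               # $1 ip_forward, $2 iptables-save text, $3 iface, $4 subnet
    rc=0
    check_ip_forward "$1"            || { echo "FAIL: net.ipv4.ip_forward is '$1', expected 1"; rc=1; }
    check_forward_rule "$2" "$4"     || { echo "FAIL: no FORWARD accept for IPsec traffic to $4"; rc=1; }
    check_masquerade "$2" "$3" "$4"  || { echo "FAIL: no MASQUERADE for $4 out $3"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: forwarding prerequisites present"
    return "$rc"
}

# Constructed iptables-save dump modelled on the rules quoted in the thread.
SAMPLE_DUMP='*filter
:FORWARD ACCEPT [0:0]
-A INPUT -s 192.168.20.51/32 -d 192.168.20.0/24 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.20.51/32 -d 192.168.20.0/24 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.20.0/24 -d 192.168.20.51/32 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
COMMIT
*nat
-A POSTROUTING -s 192.168.20.0/24 -o eth1 -j MASQUERADE
COMMIT'

# The situation from the thread (rules fine, ip_forward off), then the fixed one.
audit_gateway 0 "$SAMPLE_DUMP" eth1 192.168.20.0/24 || true
audit_gateway 1 "$SAMPLE_DUMP" eth1 192.168.20.0/24
```

Seeing the plaintext pings on eth0 in Wireshark is expected even after the fix: the kernel hands each decrypted packet back to the interface the ESP packet arrived on, so the same ping shows up there twice before it is forwarded out eth1.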