[strongSwan] Can't reach StrongSwan fronted subnet from client

Brandon Gavino bgavino at asu.edu
Wed Oct 31 23:29:04 CET 2012


Hi,

I've been trying for the past few days to figure out this issue; it is
driving me mad!

I'm able to ping the StrongSwan internal IP address just fine from the
client; however, pings to the hosts on the subnet fronted by the VPN server
go unanswered.

Interestingly, the pings are visible on the WAN interface (eth0) in
Wireshark, but they are never forwarded out the internal interface (eth1).
Config is below; let me know if you need more information. What am I doing wrong??

Thank you in advance,
Brandon

 Here's my config:

ipsec.conf
--
config setup
     # The three commented lines below are pluto-era (IKEv1 daemon) options;
     # they have no effect while commented out.
     #for ikev2
     #plutostart=no
     #plutodebug="all"
     # Verbose charon logging. "knl 4" traces the IPsec policies and routes
     # charon installs in the kernel (useful to confirm what the kernel is told
     # to do with 192.168.20.0/24 traffic); "cfg 3" shows config matching.
     # NOTE(review): the value is wrapped onto the next line in this paste; in
     # the real file it must be a single line or charon will reject the setting.
     charondebug="dmn 4, mgr 4, ike 2, chd 4, job 4, cfg 3, knl 4, net 2,
enc 1, lib 4"
     #charonstart=no
     # nat_traversal only applies to pluto; charon handles NAT-T without it.
     #nat_traversal=yes

conn %default
     # Defaults inherited by every conn below.
     # IKE_SA lifetime; the CHILD_SA (keylife) is rekeyed rekeymargin before
     # it expires.
     ikelifetime=60m
     keylife=20m
     rekeymargin=3m
     # Give up after a single negotiation attempt instead of retrying.
     keyingtries=1

conn ikev1_psk
     # Road-warrior conn: gateway authenticates clients with a PSK + XAuth.
     # NOTE(review): no keyexchange= is given, so the build's default applies;
     # the conn name suggests IKEv1 is intended -- pin keyexchange=ikev1 if so.
     # Gateway's outer (WAN, eth0) address.
     left=192.168.10.196
     # LAN behind the gateway that clients should reach through the tunnel.
     leftsubnet=192.168.20.0/24
     # NOTE(review): a fixed local virtual IP inside leftsubnet; not obviously
     # needed on the gateway side -- confirm it is intended.
     leftsourceip=192.168.20.246
     # Accept a client from any address.
     right=%any
     # NOTE(review): the virtual-IP pool overlaps leftsubnet. A LAN host
     # replying to the client's address (192.168.20.51 in the iptables output
     # below) will ARP for it on the LAN segment, and nothing answers unless the
     # gateway does proxy ARP (farp plugin); a likely reason replies never
     # arrive. A pool from a separate range, with a route on the LAN pointing
     # at the gateway, avoids this. The FORWARD counters in the paste are 0, so
     # also confirm net.ipv4.ip_forward=1 on the gateway.
     rightsourceip=192.168.20.50/24
     # Has the updown script install the "policy match ... reqid 1" ACCEPT
     # rules visible in the iptables output below.
     leftfirewall=yes
     lefthostaccess=yes
     # One group PSK shared by every %any client, with XAuth as the second
     # round. NOTE(review): together with the aggressive-mode setting in
     # strongswan.conf this exposes the PSK to offline dictionary attacks
     # (see the comment there); main mode or certificates/EAP are preferable.
     rightauth=psk
     leftauth=psk
     rightauth2=xauth
     # Load the conn but only respond; the client initiates.
     auto=add

strongswan.conf
--
# strongswan.conf - strongSwan configuration file

charon {

    # number of worker threads in charon
    threads = 16

    # send strongswan vendor ID?
    # send_vendor_id = yes

    # Allow IKEv1 aggressive mode with PSK. The option name is deliberate:
    # in aggressive mode the PSK-derived hash is sent before the exchange is
    # encrypted, so anyone who captures a handshake can guess the shared
    # secret offline. With right=%any in ipsec.conf that is one group secret
    # for every client. Prefer main mode (the default) or certificate/EAP
    # authentication, and leave this at "no" unless a client truly needs it.
    i_dont_care_about_security_and_use_aggressive_mode_psk = yes

    plugins {

        # sql plugin left disabled; nothing in this sub-block is active.
        #sql {
            # loglevel to log into sql database
            #loglevel = -1

            # URI to the database
            # database = sqlite:///path/to/file.db
            # database = mysql://user:password@localhost/database
        #}
    }

    # ...
}

# pluto (IKEv1 daemon) section; no settings given, defaults apply.
pluto {

}

# Library-wide settings shared by charon and pluto; nothing overridden here.
libstrongswan {

    #  set to no, the DH exponent size is optimized
    #  dh_exponent_ansi_x9_42 = no
}

iptables -L -v
--
Chain INPUT (policy ACCEPT 425 packets, 29037 bytes)
 pkts bytes target     prot opt in     out     source
destination
    0     0 ACCEPT     all  --  eth0   any     192.168.20.51
192.168.20.0/24     policy match dir in pol ipsec reqid 1 proto esp

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
destination
    0     0 ACCEPT     all  --  eth0   any     192.168.20.51
192.168.20.0/24     policy match dir in pol ipsec reqid 1 proto esp
    0     0 ACCEPT     all  --  any    eth0    192.168.20.0/24
192.168.20.51       policy match dir out pol ipsec reqid 1 proto esp

Chain OUTPUT (policy ACCEPT 600 packets, 426K bytes)
 pkts bytes target     prot opt in     out     source
destination
    0     0 ACCEPT     all  --  any    eth0    192.168.20.0/24
192.168.20.51       policy match dir out pol ipsec reqid 1 proto esp

iptables -t nat -L -v
--
Chain PREROUTING (policy ACCEPT 1804 packets, 178K bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain INPUT (policy ACCEPT 257 packets, 52969 bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain OUTPUT (policy ACCEPT 46 packets, 4187 bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain POSTROUTING (policy ACCEPT 39 packets, 3701 bytes)
 pkts bytes target     prot opt in     out     source
destination
  121 11302 MASQUERADE  all  --  any    eth1    192.168.20.0/24
anywhere
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20121031/1f36739a/attachment.html>

