[strongSwan] Unable to send traffic inside once connected

Corey Garst cgarst at tresys.com
Thu Apr 4 19:29:03 CEST 2013


Hello,

I am configuring strongSwan on Ubuntu 12.04.1 and am at the point where I can authenticate, but cannot send traffic through the VPN gateway. Interestingly, when my client device connects (Android phone with the strongSwan app), I lose all communication between the VPN gateway's inside interface and nodes inside the network (until I end the connection from the phone). Any ideas?

Thank you,
-Corey

These are my ipsec.conf, strongswan.conf, and iptables rules:

######################################################################
# ipsec.conf - strongSwan IPsec configuration file
#
# Gateway side of a single IKEv2 road-warrior connection ("crada").
# Review notes are marked NOTE(review); they are observations to confirm,
# not verified facts about this deployment.

config setup
        # NOTE(review): these three are daemon start-up switches; only charon
        # is started, which is the daemon that handles keyexchange=ikev2 below.
        nat_traversal=yes
        charonstart=yes
         plutostart=no

# Contents not shown in this post; anything defined there also applies.
include /var/lib/strongswan/ipsec.conf.inc

conn crada
        keyexchange=ikev2
        # left = this gateway; its address is taken from the default route.
        left=%defaultroute
        # Network behind the gateway that the client is allowed to reach.
        leftsubnet=10.1.0.0/20
        leftcert=serverCert.pem
        # Corresponds to the FORWARD rules in the iptables listing
        # ("policy match ... reqid 3" for 10.1.0.0/20 <-> 192.168.66.0/24).
        # NOTE(review): the FORWARD chain's default policy is ACCEPT, so those
        # rules add no restriction; forwarding is open with or without them.
        leftfirewall=yes
        # right = any peer address (road warrior).
        right=%any
        # NOTE(review): rightsubnet and rightsourceip overlap. The gateway's
        # IPsec policy covers all of 192.168.66.0/24, so while a client is
        # connected any traffic from 10.1.0.0/20 to that /24 is steered into
        # the tunnel. If the gateway's inside interface or LAN hosts use
        # 192.168.66.0/24, that would explain the loss of inside connectivity
        # only while the phone is connected -- confirm the inside addressing.
        # With a virtual IP, rightsubnet is normally left unset so the policy
        # covers only the assigned address.
        rightsubnet=192.168.66.0/24
        # Virtual IP handed to the client (a single address, not a pool).
        rightsourceip=192.168.66.10
        # NOTE(review): rightcert pins the peer to one client certificate;
        # with right=%any, any peer holding that certificate and its key can
        # connect. Fine for a single device; confirm it is the intended scope.
        rightcert=clientCert.pem
        # Load the conn at start-up and wait for the peer to initiate.
        auto=add
######################################################################
# strongswan.conf - strongSwan configuration file
#
# Mostly distribution defaults; review notes are marked NOTE(review).

charon {

        # number of worker threads in charon
        threads = 16

        # send strongswan vendor ID?
        # send_vendor_id = yes

        plugins {

                sql {
                        # loglevel to log into sql database
                        # The database URI below is commented out, so this
                        # plugin currently has nothing to log to.
                        loglevel = -1

                        # URI to the database
                        # database = sqlite:///path/to/file.db
                        # database = mysql://user:password@localhost/database
                        # NOTE(review): if a URI carrying a password is ever
                        # enabled, keep this file readable by root only.
                }
        }

        # ...
}

# Empty; pluto is not started (plutostart=no in ipsec.conf).
pluto {

}

libstrongswan {

        #  set to no, the DH exponent size is optimized
        #  dh_exponent_ansi_x9_42 = no
}

######################################################################
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:isakmp
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:4500
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:4500

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  192.168.66.0/24      10.1.0.0/20          policy match dir in pol ipsec reqid 3 proto esp
ACCEPT     all  --  10.1.0.0/20          192.168.66.0/24      policy match dir out pol ipsec reqid 3 proto esp

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

######################################################################



