[strongSwan] Connection works, but no access to network

Gregg Hughes ghughes at iscinternational.com
Tue Jul 30 18:50:47 CEST 2013


Good morning, all!

I'm working on some bits of configuration for a production VPN.  I have a
successful EAP-MSCHAPV2 connection from a test virtual server to my
strongSwan VPN server.  However, I cannot access the network behind the VPN
server.  I have enabled IP forwarding on the server.  My test client still
shows traceroute ending at the VPN server.

Here is the traceroute:

C:\Users\Gregg Hughes>tracert 192.168.1.101

Tracing route to 192.168.1.101 over a maximum of 30 hops

  1   156 ms   200 ms    34 ms  192.168.1.102
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *     ^C

This VPN server has one virtual interface, 192.168.1.102.  It will be opened
up via static NAT to the outside world.  The internal networks are on the
same IP segment as the VPN server or accessible from that network.  The host
firewall is disabled for testing.

/etc/network/interfaces:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.1.102
netmask 255.255.255.0
gateway 192.168.1.1
network 192.168.1.0
broadcast 192.168.1.255
dns-search XXXX.com
dns-nameservers XXX.XXX.XXX.XXX

and ipsec.conf:

config setup
                # plutodebug=all
                crlcheckinterval=180
                strictcrlpolicy=no
                # cachecrls=yes
                # nat_traversal=yes
                charonstart=yes
                plutostart=no

# Add connections here.

conn %default
                ikelifetime=60m
                keylife=20m
                rekeymargin=3m
                keyingtries=1
                keyexchange=ikev2

conn net-net
                left=192.168.1.102
                leftsubnet=192.168.0.0/16
                leftid=@vpn1
                leftfirewall=yes
                right=67.53.158.25
                rightsubnet=192.168.0.0/16
                rightid=@vpn2
                auto=add

conn rw-eap-bluemound
                left=192.168.1.102
                # leftsourceip=%config
                leftsubnet=192.168.0.0/16
                leftid=@vpn1
                leftcert=vpn1cert.pem
                leftauth=pubkey
                leftfirewall=yes
                lefthostaccess = yes
                right=%any
                rightauth=eap-mschapv2
                rightsendcert=never
                rightsourceip=192.168.200.161/28
                eap_identity=%any
                auto=add

The lefthostaccess parameter was added today, with no change in behavior, as
were changes in the leftsourceip directive.  The rightsourceip range is
good, with no address conflicts.  The test client has no problem with the
assigned address.

I added another interface to see if there was any issue there, again, with
no change in behavior.  I also researched ip route on the server, and
haven't found the answer there.

I'm pretty sure there's something easy here, but I must be overlooking it.

Many thanks for looking at this and any hints as to where to look to correct
the problem.

Gregg

Gregg Hughes
IT Administrator
www.iscinternational.com
414.721.0301 phone
262.313.3106 fax
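An added example, not part of Gregg's post or of the strongSwan project: a POSIX shell script for the VPN server that assumes the usual cause of this exact symptom (hop 1 answers, nothing behind it does), namely that hosts on 192.168.1.0/24 send their replies for the 192.168.200.160/28 virtual IP pool to the LAN gateway, which has no route back through 192.168.1.102. It gives pool traffic a return path by masquerading it behind eth0; the alternative is a static route for the pool via 192.168.1.102 on the LAN gateway. The pool, LAN prefix and interface are taken from the posted configs; the helper names and rule set are assumptions of mine.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: LAN hosts on 192.168.1.0/24
# reply to the VPN client's 192.168.200.x address via their default gateway,
# which has no route for the pool, so replies never reach the VPN server.
# Masquerading pool traffic behind eth0 avoids touching the LAN gateway.
POOL_CIDR="192.168.200.161/28"   # rightsourceip from the posted ipsec.conf
LAN_CIDR="192.168.1.0/24"        # eth0 network from /etc/network/interfaces
LAN_IF="eth0"

# Dotted quad -> 32-bit integer.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Normalise host/prefix to network/prefix: rightsourceip may carry host bits
# (192.168.200.161/28 lives in 192.168.200.160/28), route and NAT rules do not.
cidr_network() {
    ip=${1%/*}; prefix=${1#*/}
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    echo "$(int_to_ip $(( $(ip_to_int "$ip") & mask )))/$prefix"
}

# Emit the commands that give pool traffic a working return path.
render_rules() {
    net=$(cidr_network "$POOL_CIDR")
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -s $net -d $LAN_CIDR -j ACCEPT
iptables -A FORWARD -s $LAN_CIDR -d $net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $net -o $LAN_IF -j MASQUERADE
EOF
}

# "check" shows what to verify first; "apply" runs the rules (needs root);
# no argument just prints them for review.
case "${1:-}" in
    check) sysctl net.ipv4.ip_forward; ip xfrm policy; iptables -t nat -S POSTROUTING ;;
    apply) render_rules | sh -e ;;
    *)     render_rules ;;
esac
```

Run it with no argument first and compare the printed POSTROUTING rule against `iptables -t nat -S POSTROUTING` on the server; with leftfirewall=yes strongSwan's updown script already inserts FORWARD rules per client, so the MASQUERADE line is the one that is usually missing.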