[strongSwan] Peer to peer apps among clients

Mark Lewis mark at parentsware.com
Mon Apr 28 07:06:26 CEST 2014


I have a fairly typical client/server IPSec/XAuth VPN configured.  It works
great normally, but now I have some clients who want to use peer-to-peer
apps with each other (iMessage).  It's not working, and I tracked it down
to the fact that my VPN clients can see the internal network when they
connect, but they cannot reach each other.

So for example, if one client connects on 10.10.128.1 and another connects
to the same VPN server on 10.10.128.2, then they cannot ping each other.  I
dumped packets and I see the encrypted ICMP echo request come into the
server, and then I see the server send out an ARP request for the other IP
on its primary interface.

So this looks like a routing problem, but I'm not strong enough with my
routing-kung-fu to know how (or if) I can fix this.

Any suggestions?

My ipsec.conf on the server is as follows:

  conn ios
        keyexchange=ikev1
        authby=xauthrsasig
        xauth=server
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        # server certificate followed by the intermediate CA certificates
        leftcert=pw-hq.com.crt.x509.pem,pw-hq.com.crt-intermediate2.x509.pem,pw-hq.com.crt-intermediate1.x509.pem
        right=%any
        rightauth=pubkey
        rightauth2=xauth-pam
        # internal network reachable by clients; the virtual IP pool below lies inside it
        rightsubnet=10.10.0.0/16
        rightsourceip=10.10.128.0/17
        rightca="C=US, ST=California, L=San Diego, O=My Company, OU=CA, CN=my-company.com/emailAddress=netops at my-company.com"
        auto=start

Thanks,
Mark