[strongSwan] Problems with internal routing on vpn server

Marc Eckel dermarc at gmx.at
Sun Feb 15 14:03:43 CET 2015


Hello,

I have set up an vpn environment

[Internet]----[publicip] vpn server [192.167.147.1]  ----- [192.167.147.2]
Android1

 
|-----[192.168.147.3] Android2

 
|---- [192.167.145.0/24] [fritzboxm] 

 

So far each connection is established and Android1 and Android2 can access
the internet via vpn and can ping the vpn server. Unfortunately I cannot
ping between the vpn clients and from and to fritzboxm. Has anybody any idea
what might be wrong with my configuration?

 

Kind regards

Marc

 

 

 

 

Strongswan config:

# strongswan.conf - strongSwan configuration file

 

charon {

 

# number of worker threads in charon

threads = 16

 

# send strongswan vendor ID?

# send_vendor_id = yes

dns1 = 8.8.4.4

dns2 = 8.8.8.8

nbns1 = 192.167.145.50

nbns1 = 192.167.144.1

 

plugins {

 

sql {

# loglevel to log into sql database

loglevel = -1

 

# URI to the database

# database = sqlite:///path/to/file.db

# database = mysql://user:password@localhost/database

}

}

 

# ...

}

 

pluto {

 

}

 

libstrongswan {

#  set to no, the DH exponent size is optimized

#  dh_exponent_ansi_x9_42 = no

}

 

 

Ipsec.conf

 

# ipsec.conf - strongSwan IPsec configuration file

 

# basic configuration

 

config setup

# plutodebug=all

# crlcheckinterval=600

# strictcrlpolicy=yes

# cachecrls=yes

# nat_traversal=yes

# uniqueids=no

charondebug="cfg 2, dmn 2, ike 2, net 2"

 

conn %default

keyexchange=ike

ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-
sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp
4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes2
56-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-m
odp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,a
es256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!

esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384
-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,a
es256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha
1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp204
8,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-
sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-mo
dp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha
1,aes256-sha384,aes256-sha256,aes256-sha1!

dpdaction=clear

dpddelay=300s

rekey=no

reauth=yes

leftfirewall=yes

rightfirewall=yes

lefthostaccess=yes

righthostaccess=yes

type=passthrough

 

conn Android1

left=[public_ip]

leftsourceip=192.167.147.1

leftid="C=DE, O=[domainname], CN=[domainname].de"

leftsubnet=0.0.0.0/0

leftauth=pubkey

leftcert=vpnHostCert.pem

right=%any

rightid="C=DE, O=[domainname], CN=Android1@[domainname].de
<mailto:CN=Android1@[domainname].de> "

rightsourceip=192.167.147.2

rightauth=pubkey

rightauth2=eap-mschapv2

eap_identity=%any

auto=add

 

conn Android2

left=[public_ip]

leftid="C=DE, O=[domainname], CN=[domainname].de"

leftsubnet=0.0.0.0/0

leftauth=pubkey

leftcert=vpnHostCert.pem

right=%any

rightid="C=DE, O=[domainname], CN=Android2@[domainname].de
<mailto:CN=Android2@[domainname].de> "

rightsourceip=192.167.147.3

rightauth=pubkey

rightauth2=eap-mschapv2

#rightsendcert=never   # see note

eap_identity=%any

auto=add

 

 

conn fritzboxm

leftsourceip=192.167.147.1

ikelifetime=3600s

leftauth=psk

rightauth=psk

left=[public_ip]

leftsubnet=192.167.144.0/24,192.167.147.0/24

right=%[dynip]

rightallowany = yes

rightid="@ dynip "

rightsubnet=192.167.145.0/24

auto=add

 

Firewall Rules

 

# Set default policies for all three default chains

iptables -P INPUT ACCEPT

iptables -P FORWARD ACCEPT

iptables -P OUTPUT ACCEPT

 

# VPN NAT

# Ensure that all packets destined for local addresses start at our local
address

# iptables -t nat -A POSTROUTING --src 192.167.144.0/22  --dst
192.167.144.0/22 -j SNAT --to-source 192.167.147.1

# iptables -t nat -A POSTROUTING ! --src 192.167.144.0/22  --dst
192.167.144.0/22 -j SNAT --to-source 192.167.147.1

 

# Ensure that all packets destined for the Internet start at our public
address

iptables -t nat -A POSTROUTING --src 192.167.144.0/22 ! --src
192.167.144.0/22 ! -p esp -j SNAT --to-source [public_ip]

 

# iptables -t nat -A POSTROUTING -s 192.167.144.0/22 -o eth0 -j MASQUERADE

iptables -t nat -A POSTROUTING -s 192.167.144.0/22 -o eth0 -m policy --dir
out --pol ipsec -j ACCEPT

# iptables -t nat -A POSTROUTING -o eth0 ! -p esp -j SNAT --to-source
[public_ip]

 

# Enable free use of loopback interfaces

iptables -A INPUT -i lo -j ACCEPT

iptables -A OUTPUT -o lo -j ACCEPT

 

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

 

# Accept limited inbound ICMP messages

iptables -I INPUT -p icmp --icmp-type echo-request -m recent --set

iptables -I INPUT -p icmp --icmp-type echo-request -m recent --update
--seconds 5 --hitcount 10 -j DROP

iptables -A INPUT -p icmp -j ACCEPT

 

Routing (interface)

 

# This file describes the network interfaces available on your system

# and how to activate them. For more information, see interfaces(5).

 

# The loopback network interface

auto lo

iface lo inet loopback

 

# The primary network interface

auto eth0

iface eth0 inet static

address [public_ip]

netmask 255.255.255.128

network 185.11.136.0

broadcast 185.11.136.127

gateway 185.11.136.1

# dns-* options are implemented by the resolvconf package, if installed

dns-nameservers 95.129.51.50 8.8.8.8 95.129.53.235

dns-search customer.xenway.de

auto eth0:1

iface eth0:1 inet static

address 192.167.147.1

gateway 192.167.147.1

netmask 255.255.255.0

up ip route add 192.167.144.0/22 via 192.167.147.1 || true

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150215/7f3d7aaa/attachment.html>


More information about the Users mailing list