[strongSwan] Problems with internal routing on vpn server
Marc Eckel
marc.eckel at web.de
Sun Feb 15 10:58:18 CET 2015
Hello,
I have set up an vpn environment
[Internet]----[publicip] vpn server [192.167.147.1] ----- [192.167.147.2]
Android1
|-----[192.168.147.3] Android2
|---- [192.167.145.0/24] [fritzboxm]
So far each connection is established and Android1 and Android2 can access
the internet via vpn and can ping the vpn server. Unfortunately I cannot
ping between the vpn clients and from and to fritzboxm. Has anybody any idea
what might be wrong with my configuration?
Kind regards
Marc
Strongswan config:
# strongswan.conf - strongSwan configuration file
charon {
# number of worker threads in charon
threads = 16
# send strongswan vendor ID?
# send_vendor_id = yes
dns1 = 8.8.4.4
dns2 = 8.8.8.8
nbns1 = 192.167.145.50
nbns1 = 192.167.144.1
plugins {
sql {
# loglevel to log into sql database
loglevel = -1
# URI to the database
# database = sqlite:///path/to/file.db
# database = mysql://user:password@localhost/database
}
}
# ...
}
pluto {
}
libstrongswan {
# set to no, the DH exponent size is optimized
# dh_exponent_ansi_x9_42 = no
}
Ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
# plutodebug=all
# crlcheckinterval=600
# strictcrlpolicy=yes
# cachecrls=yes
# nat_traversal=yes
# uniqueids=no
charondebug="cfg 2, dmn 2, ike 2, net 2"
conn %default
keyexchange=ike
ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-
sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp
4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes2
56-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-m
odp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,a
es256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384
-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,a
es256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha
1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp204
8,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-
sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-mo
dp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha
1,aes256-sha384,aes256-sha256,aes256-sha1!
dpdaction=clear
dpddelay=300s
rekey=no
reauth=yes
leftfirewall=yes
rightfirewall=yes
lefthostaccess=yes
righthostaccess=yes
type=passthrough
conn Android1
left=[public_ip]
leftsourceip=192.167.147.1
leftid="C=DE, O=[domainname], CN=[domainname].de"
leftsubnet=0.0.0.0/0
leftauth=pubkey
leftcert=vpnHostCert.pem
right=%any
rightid="C=DE, O=[domainname], CN=Android1@[domainname].de"
rightsourceip=192.167.147.2
rightauth=pubkey
rightauth2=eap-mschapv2
eap_identity=%any
auto=add
conn Android2
left=[public_ip]
leftid="C=DE, O=[domainname], CN=[domainname].de"
leftsubnet=0.0.0.0/0
leftauth=pubkey
leftcert=vpnHostCert.pem
right=%any
rightid="C=DE, O=[domainname], CN=Android2@[domainname].de"
rightsourceip=192.167.147.3
rightauth=pubkey
rightauth2=eap-mschapv2
#rightsendcert=never # see note
eap_identity=%any
auto=add
conn fritzboxm
leftsourceip=192.167.147.1
ikelifetime=3600s
leftauth=psk
rightauth=psk
left=[public_ip]
leftsubnet=192.167.144.0/24,192.167.147.0/24
right=%[dynip]
rightallowany = yes
rightid="@ dynip "
rightsubnet=192.167.145.0/24
auto=add
Firewall Rules
# Set default policies for all three default chains
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# VPN NAT
# Ensure that all packets destined for local addresses start at our local
address
# iptables -t nat -A POSTROUTING --src 192.167.144.0/22 --dst
192.167.144.0/22 -j SNAT --to-source 192.167.147.1
# iptables -t nat -A POSTROUTING ! --src 192.167.144.0/22 --dst
192.167.144.0/22 -j SNAT --to-source 192.167.147.1
# Ensure that all packets destined for the Internet start at our public
address
iptables -t nat -A POSTROUTING --src 192.167.144.0/22 ! --src
192.167.144.0/22 ! -p esp -j SNAT --to-source [public_ip]
# iptables -t nat -A POSTROUTING -s 192.167.144.0/22 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.167.144.0/22 -o eth0 -m policy --dir
out --pol ipsec -j ACCEPT
# iptables -t nat -A POSTROUTING -o eth0 ! -p esp -j SNAT --to-source
[public_ip]
# Enable free use of loopback interfaces
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Accept limited inbound ICMP messages
iptables -I INPUT -p icmp --icmp-type echo-request -m recent --set
iptables -I INPUT -p icmp --icmp-type echo-request -m recent --update
--seconds 5 --hitcount 10 -j DROP
iptables -A INPUT -p icmp -j ACCEPT
Routing (interface)
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
address [public_ip]
netmask 255.255.255.128
network 185.11.136.0
broadcast 185.11.136.127
gateway 185.11.136.1
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 95.129.51.50 8.8.8.8 95.129.53.235
dns-search customer.xenway.de
auto eth0:1
iface eth0:1 inet static
address 192.167.147.1
gateway 192.167.147.1
netmask 255.255.255.0
up ip route add 192.167.144.0/22 via 192.167.147.1 || true
-------------- next part --------------
A non-text attachment was scrubbed...
Name: winmail.dat
Type: application/ms-tnef
Size: 14206 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150215/4bbaad09/attachment-0001.bin>
More information about the Users
mailing list