[strongSwan] unable to ping local gateway in roadwarrior configuration

Mihai Ordean social at mihaiordean.com
Tue Jan 20 14:00:25 CET 2015


Hello

I have been struggling to set up a Strongswan gateway for two weeks now with no success and I'm now at my wits' end.

I run a Ubuntu server with two network interfaces. One interface (eth0) is connected to a Sky router with DMZ enabled to the server and the other manages a local LAN (br-lan).
I want to set up a roadwarrior configuration in which the remote devices (Windows 7, Windows 8 and Android) can connect via strongswan and act as if they were local peers in the LAN.

The network setup looks like this:

RoadWarrior(x.x.x.a) <==> RemoteROUTER<x.x.x.b>/<y.y.y.y> <==INTERNET==> SkyRouter (DDNS and DMZ) <z.z.z.z>/<192.168.47.1/30> <==> Server <192.168.47.2>/<192.168.7.1> <==> LAN

I am using the dhcp and farp plugins and I have forwarding enabled in sysctl.conf (I need it for NAT anyway). My current firewall rules are all set to ACCEPT to allow testing.
I have restricted strongswan to bind only to the LAN interface of the server <192.168.7.1>. There are also 4 port forwarding rules for the IPsec ports:

iptables -A PREROUTING -p udp -d $EXTIP --dport 500 -j DNAT --to-destination 192.168.7.1:500
iptables -A PREROUTING -p udp -d $EXTIP --dport 4500 -j DNAT --to-destination 192.168.7.1:4500
iptables -A PREROUTING -p 50 -d $EXTIP -j DNAT --to-destination 192.168.7.1
iptables -A PREROUTING -p 51 -d $EXTIP -j DNAT --to-destination 192.168.7.1

My routing table is as follows:

default         192.168.47.1    0.0.0.0           UG    0      0        0 eth0
192.168.7.0     *               255.255.255.0     U     0      0        0 br-lan
192.168.47.0    *               255.255.255.252   U     0      0        0 eth0

ipsec.conf is:

config setup
   charondebug = "dmn 0,mgr 1,ike 1,chd 1,job 1,cfg 1,knl 1,net 1,tls 1,lib 0,enc 0,tnc 0"
   cachecrls=yes
   uniqueids=yes

conn roadwarrior-eap
   keyexchange=ikev2
   leftauth=pubkey
   leftcert=vpn-Cert.pem
   leftid=dnsname.com
   left=%any
   leftsubnet=0.0.0.0/0
   leftfirewall=yes
   lefthostaccess=yes
   right=%any
   rightsourceip=%dhcp
   rightauth=eap-mschapv2
   rightsendcert=never
   forceencaps=yes
   eap_identity=%any
   auto=add
   esp=aes-aes256-sha-modp1024,aes256-sha512-modp4096
   ike=aes-aes256-sha-modp1024,aes256-sha512-modp4096

and ipsec statusall is:

Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.10.17-g86ce428, armv7l):
  uptime: aaaaaaaaaa
  malloc: sbrk 1081344, mmap 0, used 193992, free 887352
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-mschapv2 xauth-generic dhcp addrblock
Listening IP addresses:
  192.168.7.1
Connections:
roadwarrior-eap:  %any...%any  IKEv2
roadwarrior-eap:   local:  [mihaiordean.com] uses public key authentication
roadwarrior-eap:    cert:  "C=UK, O=dnsname.com, CN=dnsname.com"
roadwarrior-eap:   remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
roadwarrior-eap:   child:  0.0.0.0/0 === dynamic TUNNEL
Security Associations (0 up, 0 connecting):
none


The problem that I have is that I am able to ping the network computers (i.e. 192.168.7.5) but I am unable to ping the gateway itself (192.168.7.1). The strongswan DHCP plugin works fine and I am getting an IP from the LAN (192.168.7.x). I have no idea why this is happening, as it seems that the traffic does get routed properly for peers in the LAN, just not for the gateway.

Thanks
meehien
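Added example (not part of the post, and not strongSwan's own code): the distinction that matters for this question is that a ping from the roadwarrior to a LAN host is decided on the gateway by the kernel's `fwd` XFRM policy (and the FORWARD chain, which `leftfirewall=yes` opens), whereas a ping to the gateway's own address 192.168.7.1 is decided by the `in` policy (and the INPUT/OUTPUT chains, which `lefthostaccess=yes` opens); both replies leave through the `out` policy. The script below parses a constructed sample of `ip xfrm policy` output, the first thing to dump when one of those two paths fails, and reports which policies each flow would have to match. The lease 192.168.7.130 and the public address 203.0.113.10 (standing in for x.x.x.a) are assumptions; the sample is not the poster's actual kernel state.

```python
import ipaddress
import re

# Constructed sample of `ip xfrm policy` output; it is NOT the poster's kernel
# state. It assumes one roadwarrior was leased 192.168.7.130 by the dhcp plugin
# and that 203.0.113.10 stands in for its public address (x.x.x.a above).
# Real `ip xfrm` output indents with tabs and may append "ptype main";
# the regexes below accept both.
SAMPLE_XFRM_POLICY = """\
src 0.0.0.0/0 dst 192.168.7.130/32
        dir out priority 383615
        tmpl src 192.168.7.1 dst 203.0.113.10
                proto esp reqid 1 mode tunnel
src 192.168.7.130/32 dst 0.0.0.0/0
        dir fwd priority 383615
        tmpl src 203.0.113.10 dst 192.168.7.1
                proto esp reqid 1 mode tunnel
src 192.168.7.130/32 dst 0.0.0.0/0
        dir in priority 383615
        tmpl src 203.0.113.10 dst 192.168.7.1
                proto esp reqid 1 mode tunnel
"""

SELECTOR_RE = re.compile(r"^src (\S+) dst (\S+)\s*$")
DIR_RE = re.compile(r"^\s+dir (in|out|fwd) priority (\d+)")


def parse_xfrm_policies(text):
    """Parse `ip xfrm policy` output into dicts: src/dst networks, dir, priority."""
    policies = []
    current = None
    for line in text.splitlines():
        m = SELECTOR_RE.match(line)
        if m:
            current = {
                "src": ipaddress.ip_network(m.group(1)),
                "dst": ipaddress.ip_network(m.group(2)),
                "dir": None,
                "priority": None,
            }
            policies.append(current)
            continue
        m = DIR_RE.match(line)
        if m and current is not None:
            current["dir"] = m.group(1)
            current["priority"] = int(m.group(2))
    # Drop selector lines whose direction never showed up (truncated output).
    return [p for p in policies if p["dir"] is not None]


def matching_policy(policies, src, dst, direction):
    """Best policy (lowest priority number wins) covering src->dst for that direction, else None."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    hits = [p for p in policies
            if p["dir"] == direction and src in p["src"] and dst in p["dst"]]
    return min(hits, key=lambda p: p["priority"]) if hits else None


def ping_path(policies, client, target, gateway):
    """Which policy directions an echo request from client to target, and its
    reply, must match on the gateway. Traffic addressed to the gateway itself
    is governed by the 'in' policy (plus INPUT firewall rules); traffic to a
    LAN host behind it by the 'fwd' policy (plus FORWARD rules). Either reply
    leaves the gateway through an 'out' policy."""
    inbound_dir = "in" if target == gateway else "fwd"
    request = matching_policy(policies, client, target, inbound_dir)
    reply = matching_policy(policies, target, client, "out")
    return {
        "request": inbound_dir if request is not None else None,
        "reply": "out" if reply is not None else None,
    }


if __name__ == "__main__":
    pols = parse_xfrm_policies(SAMPLE_XFRM_POLICY)
    for target in ("192.168.7.1", "192.168.7.5"):
        print(target, ping_path(pols, "192.168.7.130", target, "192.168.7.1"))
```

Run it against a real dump by replacing the sample with the output of `ip xfrm policy` (and compare with `ip xfrm state`, which must hold a matching ESP SA for each template). If the gateway flow matches `in` and `out` but the LAN flow works and the gateway flow does not, the policies are not the culprit and the next place to look is the INPUT/OUTPUT rules or a capture on br-lan showing whether the echo reply is generated and whether it is encapsulated.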

