[strongSwan] How to forward Bonjour announcements in small family network
Marcus Döring
newsgroups.2016 at doerings.net
Sat Feb 27 10:49:51 CET 2016
We are struggling to get the AirPlay/Bonjour announcements forwarded to the roadwarriors and would kindly ask for advice on what is missing and preventing us from using AirPlay devices.
The roadwarrior kids' iOS devices are managed and supervised by OS X Server.
A profile with an always-on VPN setting to our StrongSwan server is pushed to all their devices.
So even within the local LAN, the kids' devices use the VPN connection.
All HTTP traffic from the roadwarrior kids through the VPN tunnel is forwarded to different ports on the local machine, on which the local Squid is listening.
This is to enable logging of the kids' Internet traffic.
This works well.
Avahi is running on the StrongSwan machine to forward Bonjour announcements.
AirPlay devices are unfortunately *not* announced to the roadwarriors' iOS devices on the VPN tunnel.
Please help. Thank you very much.
Setup:

  192.168.178.1    DSL modem/router with firewall enabled;
                   ports forwarded accordingly to the StrongSwan and MacMini machines
  192.168.178.10   Raspberry Pi with vanilla Raspbian Jessie Lite running StrongSwan
                   - only one interface (eth0) involved
                   - avahi-daemon running with the reflector setting enabled
                   - squid running as proxy without caching
  192.168.178.3    MacMini running OS X Server with Open Directory, DNS, DHCP and Profile Manager enabled;
                   myserver.mydomain.net is resolved by the MacMini to its own address 192.168.178.3,
                   so devices on the LAN don't have to go through the DSL modem/router
  192.168.178.220  VPN IP address of roadwarrior-kid1
avahi-daemon.conf includes:

  domain-name=alocal
  enable-reflector=yes
ipsec.conf reads:

  config setup
      uniqueids = no

  conn %default
      keyexchange=ikev2
      ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes1$
      esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,ae$
      dpdaction=clear
      dpddelay=300s
      authby=pubkey
      left=%any
      leftsubnet=0.0.0.0/0
      leftcert=strongSwan-Cert.der
      leftsendcert=always
      leftid=myserver.mydomain.net
      leftfirewall=yes
      right=%any
      keyexchange=ikev2
      auto=add

  conn roadwarrior-kid1
      rightid=kid@mydomain.net
      rightsourceip=192.168.178.220
      rightdns=208.67.222.123,208.67.220.123

  conn roadwarrior-kid2
      ...

  conn roadwarrior-kid3
      ...
iptables -t nat -L

  Chain PREROUTING (policy ACCEPT)
  target     prot opt source           destination
  REDIRECT   tcp  --  192.168.178.220  anywhere      tcp dpt:http redir ports 55220

  Chain INPUT (policy ACCEPT)
  target     prot opt source           destination

  Chain OUTPUT (policy ACCEPT)
  target     prot opt source           destination

  Chain POSTROUTING (policy ACCEPT)
  target     prot opt source           destination
  ACCEPT     all  --  192.168.178.220  anywhere      policy match dir out pol ipsec
  MASQUERADE all  --  192.168.178.220  anywhere

iptables -L

  Chain INPUT (policy ACCEPT)
  target     prot opt source           destination

  Chain FORWARD (policy ACCEPT)
  target     prot opt source           destination
  ACCEPT     all  --  192.168.178.220  anywhere         policy match dir in pol ipsec reqid 189 proto esp
  ACCEPT     all  --  anywhere         192.168.178.220  policy match dir out pol ipsec reqid 189 proto esp

  Chain OUTPUT (policy ACCEPT)
  target     prot opt source           destination