[strongSwan] Routing issues / Only the host of strongswan can be reached

coruscant 06 coruscant06 at gmail.com
Tue Jun 21 11:11:26 CEST 2016


Hi,
I'm trying to configure strongswan on my host and I have some issues with
routing client requests.
Indeed, currently, the client can only reach the web server installed on
the host where strongswan is installed.
Even the hosts which are part of the subnet cannot be reached...

Details of my configuration:

/etc/ipsec.conf
conn IOS
        keyexchange=ikev2
        leftid="hostname"
        leftcert=vpnHostCert.pem
        leftsendcert=always
        leftsubnet=0.0.0.0/0
        right=%any
        rightauth=eap-tls
        rightid=user at domain
        rightsourceip=192.168.0.230
        rightdns=192.168.0.1
        eap_identity=%any
        auto=add

/etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

I also ran the following commands:

# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o bond0 -m policy --dir out --pol ipsec -j ACCEPT

# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o bond0 -j MASQUERADE

# ipsec statusall
 Status of IKE charon daemon (strongSwan 5.4.0, Linux 3.13.0-88-generic, x86_64):
  uptime: 2 minutes, since Jun 21 10:28:24 2016
  malloc: sbrk 2568192, mmap 0, used 461408, free 2106784
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon aes gmp des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc cmac hmac attr kernel-libipsec kernel-netlink resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap tnc-tnccs dhcp certexpire radattr addrblock unity
Virtual IP pools (size/online/offline):
  192.168.0.230: 1/1/0
Listening IP addresses:
  192.168.0.50
Connections:
         IOS:  %any...%any  IKEv2
         IOS:   local:  [hostname] uses public key authentication
         IOS:    cert:  "C=FR, O=Name, CN=hostname"
         IOS:   remote: [user at domain] uses EAP_TLS authentication with EAP identity '%any'
         IOS:   child:  0.0.0.0/0 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
         IOS[1]: ESTABLISHED 113 seconds ago, 192.168.0.50[host]...88.128.80.184[user at domain]
         IOS[1]: IKEv2 SPIs: 62edfac3b44de97f_i b04bb790a7864b3a_r*, public key reauthentication in 2 hours
         IOS[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
         IOS{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 5b44f56f_i 0f6ed269_o
         IOS{1}:  AES_CBC_256/HMAC_SHA2_256_128, 8101 bytes_i (89 pkts, 17s ago), 136106 bytes_o (155 pkts, 4s ago), rekeying in 45 minutes
         IOS{1}:   0.0.0.0/0 === 192.168.0.230/32

Thanks for your help
BR
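Added example, not part of the original post or of strongSwan itself: a small POSIX shell checklist for the two things a reader of the configuration above would verify first. It checks that a sysctl.conf-style text actually carries net.ipv4.ip_forward=1, and whether the virtual IP pool given as rightsourceip falls inside the LAN range the NAT rules cover. strongSwan's own documentation notes that virtual IPs taken from the gateway's local LAN need the farp plugin (proxy ARP) so LAN hosts can find the client behind the gateway, and that a pool from a separate range avoids the question. The LAN range 192.168.0.0/24 is taken from the -s argument of the iptables rules in the post; the function names and the sample sysctl lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for a strongSwan
# road-warrior gateway whose rightsourceip pool comes from the LAN.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if address $1 lies inside CIDR $2 (e.g. 192.168.0.230 192.168.0.0/24).
ip_in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    prefix=${2#*/}
    if [ "$prefix" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    fi
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Report whether the virtual IP pool ($1, a single address or CIDR) overlaps
# the LAN behind the gateway ($2). Returns 0 when it overlaps, 1 otherwise.
# Overlap means LAN hosts will ARP for the client's address; strongSwan's
# farp plugin answers those ARPs, or the pool can be moved to its own range.
pool_overlaps_lan() {
    pool=${1%/*}
    if ip_in_cidr "$pool" "$2"; then
        echo "pool $1 lies inside LAN $2: enable the farp plugin or use a separate pool"
        return 0
    fi
    echo "pool $1 is outside LAN $2: plain forwarding plus the NAT rule is enough"
    return 1
}

# Read sysctl.conf-style text on stdin and succeed only if IPv4 forwarding
# is set to 1. A setting in the file takes effect only after 'sysctl -p' or a
# reboot, so the live value in /proc/sys/net/ipv4/ip_forward is the final word.
forwarding_enabled() {
    grep -qE '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$'
}

# Values from the post: rightsourceip=192.168.0.230 and the NAT rules' -s 192.168.0.0/24.
pool_overlaps_lan 192.168.0.230 192.168.0.0/24
# Constructed sample of the sysctl.conf lines shown in the post.
printf 'net.ipv4.ip_forward=1\nnet.ipv6.conf.all.forwarding=1\n' | forwarding_enabled \
    && echo "ip_forward=1 present in sysctl text; confirm with: sysctl net.ipv4.ip_forward"
```

On the gateway in the post, the pool address sits inside the same /24 that the NAT rules cover, so the script reports the overlap; the MASQUERADE rule hides the client behind 192.168.0.50 for traffic it originates, but any LAN host that needs to reach 192.168.0.230 directly still depends on the gateway answering ARP for it.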