[strongSwan] Net-to-Net wrong source IP of VPN server.
Lukas Hejmal
lukas at hejmal.eu
Mon May 2 10:00:03 CEST 2016
Hello,
I'm trying to set up a net-to-net VPN connection between my 2 locations (A
and B). Network schema:
SUBNET_A (LAN: 192.168.2.0/24)
  --------> (LAN IP: 192.168.2.1) VPN_A (WAN IP: 1.2.3.4)
  --------> (WAN IP: 4.3.2.1) NAT_B (LAN IP: 192.168.1.1)
  --------> SUBNET_B (LAN: 192.168.1.0/24)
  --------> VPN_B (LAN IP: 192.168.1.54).
I am able to successfully establish the VPN connection between both sites.
When I go to the VPN_B system and ping any IP address in SUBNET_A, it
works. But when I log in to VPN_A (which also acts as the NAT), I am not able to
reach any system within SUBNET_B. After a bit of digging around, I found
out that the reason for this is that the VPN_A server is trying to send the traffic
with source IP address 1.2.3.4 instead of 192.168.2.1. Is there any
way (a setting in the ipsec.conf file or an iptables rule) that I can force the VPN_A
box to use source IP 192.168.2.1 each time it is sending traffic to
SUBNET_B (192.168.1.0/24)?
My config files:
====================================================
VPN_A:
====================================================
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    mobike=no

conn tva-to-vino
    left=%any
    leftcert=AAA.crt
    leftid=@AAA
    leftsubnet=192.168.2.0/24
    leftfirewall=yes
    rightsubnet=192.168.1.0/24
    right=%any
    auto=add
====================================================
VPN_B:
====================================================
conn tva-to-vino
    left=%any
    leftcert=BBB.crt
    leftid=@BBB
    leftsubnet=192.168.1.0/24
    right=1.2.3.4
    rightsubnet=192.168.2.0/24
    rightid=AAA
    keyexchange=ikev2
    mobike=no
    auto=start
    leftupdown="sudo -E ipsec _updown iptables"
====================================================
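Added diagnostic, not part of the original post or of strongSwan: the failure described above happens when a packet generated on the gateway itself gets a source address outside leftsubnet, so it never matches the tunnel's IPsec policy. This check parses the kernel's route decision for a remote host and reports whether the chosen source/destination pair falls inside the conn's traffic selectors; the `ip route get` output and the function names are constructed for the example.

```python
import ipaddress
import re

# Traffic selectors from the posted VPN_A config (conn tva-to-vino).
LEFTSUBNET = ipaddress.ip_network("192.168.2.0/24")
RIGHTSUBNET = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample of `ip route get 192.168.1.54` as run on VPN_A,
# mirroring the case in the post: the kernel selects the WAN address.
SAMPLE_ROUTE_GET = "192.168.1.54 via 1.2.3.1 dev eth0 src 1.2.3.4 uid 0\n    cache\n"


def parse_route_get(output):
    """Return (destination, selected source) from `ip route get` output."""
    first = output.strip().splitlines()[0]
    dst = ipaddress.ip_address(first.split()[0])
    match = re.search(r"\bsrc (\S+)", first)
    if not match:
        raise ValueError("no 'src' field in route lookup output")
    return dst, ipaddress.ip_address(match.group(1))


def check_policy_match(output, local_ts=LEFTSUBNET, remote_ts=RIGHTSUBNET):
    """Return (matches, reason).

    A locally generated packet is only caught by this conn's IPsec policy
    when its source lies in leftsubnet and its destination in rightsubnet.
    Anything else follows the plain routing table out of the WAN interface.
    """
    dst, src = parse_route_get(output)
    if dst not in remote_ts:
        return False, f"destination {dst} is not in rightsubnet {remote_ts}"
    if src not in local_ts:
        return (False,
                f"source {src} is not in leftsubnet {local_ts}: the packet "
                f"bypasses the tunnel; send from an address inside {local_ts}")
    return True, f"{src} -> {dst} matches the tunnel policy"


if __name__ == "__main__":
    ok, reason = check_policy_match(SAMPLE_ROUTE_GET)
    print("OK" if ok else "MISMATCH", "-", reason)
```

Run the real `ip route get <remote host>` on the gateway and feed its output to `check_policy_match` to confirm which source address the kernel picks before looking at the IPsec side.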