[strongSwan] Simple VPN server as default gw setup

Geert Geurts geert at verweggistan.eu
Tue May 31 14:29:13 CEST 2016


Hello all!

I'm trying to set up a simple VPN to function as default gateway.
Below is my setup in (poor) ASCII art and the ipsec.conf of both SERVER and CLIENT.
SERVER has a public static IP and is listening for connections.
CLIENT is a roadwarrior and its IP is dynamic.

The connection setup works, so after a "strongswan up SERVER" on the
CLIENT machine I can ping/ssh/anything to and from over the
10.1.0.0/24 network.
The problem is that when trying to ping google.nl from CLIENT, I get a
"Destination Host Prohibited" response from 1.2.3.4.
sysctl net.ipv4.ip_forward=1 and iptables rules are set according to
https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
How can I set up forwarding on the SERVER? What am I doing wrong here?

Furthermore, on SERVER the iptables rules seem to only grow... So
rules seem to be added but never removed. When should these rules
be removed from SERVER? Does this only happen on "strongswan down
SERVER" at CLIENT, or should they also get removed after a DPD timeout?
How can I debug this?

My setup:
 _________________                           _________________
| SERVER          |                          | CLIENT          |
| IP : 1.2.3.4    |______ 10.1.0.0/24 _______| IP : Dynamic    |
| VIP: 10.1.0.254 |                          | VIP: 10.1.0.1   |
| GW : 2.2.2.2    |                          | GW : 10.1.0.254 |
|_________________|                          |_________________|

==================
CLIENT ipsec.conf
==================
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn SERVER
    left=%any
    leftcert=CLIENTCert.pem
    leftsourceip=%any
    leftfirewall=yes
    right=1.2.3.4
    rightid="C=NL, O=strongSwan, CN=SERVER"
    rightsubnet=0.0.0.0/0
    auto=add
__________________________________________

==================
SERVER ipsec.conf
==================

config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=%forever
    keyexchange=ikev2
    left=1.2.3.4
    leftsubnet=0.0.0.0/0
    rightdns=10.1.0.254
    leftcert=SERVERCert.pem
    leftfirewall=yes
    right=%any
    mobike=yes
    fragmentation = yes
    lefthostaccess = yes
    dpdaction = clear
    closeaction = clear

conn CLIENT
    rightid="C=NL, O=strongSwan, CN=CLIENT"
    rightcert=CLIENTCert.pem
    rightsourceip=10.1.0.1
    rightsubnet=10.1.0.0/24
    auto=add
____________________________________________


Thanks a lot for any help!!

Best regards,
Geert
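Added example (not part of Geert's post or of strongSwan itself): a small POSIX shell script that audits an iptables-save dump of the SERVER for the two symptoms described above (a "Destination Host Prohibited" reject in the FORWARD chain, and ACCEPT rules from leftfirewall=yes that pile up across CHILD_SAs), and prints the forwarding and NAT rules from the strongSwan ForwardingAndSplitTunneling wiki page for a full-tunnel gateway. The pool 10.1.0.0/24 comes from the post; the interface name eth0 and the sample iptables-save excerpt are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the post above. Audits an iptables-save dump of the
# strongSwan SERVER and prints the wiki's forwarding/NAT rules for a
# full-tunnel (leftsubnet=0.0.0.0/0) gateway.
# POOL comes from the post; WAN and SAMPLE are assumptions.

POOL=10.1.0.0/24   # roadwarrior virtual IP pool (rightsourceip/rightsubnet in the post)
WAN=eth0           # assumed public interface of SERVER (1.2.3.4)

# Constructed iptables-save excerpt, NOT real output from the poster's server:
# the ACCEPT pairs that leftfirewall=yes inserts per CHILD_SA (two reqids for
# one client, so one pair is stale) and a distribution-style REJECT rule.
SAMPLE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 10.1.0.1/32 -m policy --dir in --pol ipsec --reqid 2 --proto esp -j ACCEPT
-A FORWARD -d 10.1.0.1/32 -m policy --dir out --pol ipsec --reqid 2 --proto esp -j ACCEPT
-A FORWARD -s 10.1.0.1/32 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -d 10.1.0.1/32 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Number of FORWARD ACCEPT rules keyed on the IPsec policy match, i.e. the
# rules strongSwan's _updown script manages for leftfirewall=yes.
# Reads a dump on stdin, prints a count.
ipsec_forward_rules() {
    awk '/^-A FORWARD / && /-m policy/ && /-j ACCEPT$/ { n++ } END { print n + 0 }'
}

# Distinct reqids among those rules. Every live CHILD_SA has exactly one
# reqid, so compare this number with "ipsec statusall" on the server:
# more reqids in iptables than live SAs means rules that were never removed.
ipsec_forward_reqids() {
    awk '/^-A FORWARD / && /-m policy/ {
             for (i = 1; i <= NF; i++) { if ($i == "--reqid") seen[$(i + 1)] = 1 }
         }
         END { n = 0; for (r in seen) n++; print n }'
}

# Is there a REJECT with icmp-host-prohibited in FORWARD? That is the rule
# whose ICMP reply a client sees as "Destination Host Prohibited" from the
# gateway address. Prints yes or no.
forward_host_prohibited() {
    awk 'BEGIN { r = "no" }
         /^-A FORWARD / && /-j REJECT/ && /icmp-host-prohibited/ { r = "yes" }
         END { print r }'
}

# The rules the wiki page gives for a full-tunnel gateway: forward the pool
# both ways on the IPsec policy match (these two are what leftfirewall=yes
# adds per SA, so add them statically only when not using leftfirewall),
# then MASQUERADE pool traffic leaving WAN unless it goes back into a tunnel.
# The rules are printed, not applied.
gateway_rules() {
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'iptables -A FORWARD -m policy --dir in --pol ipsec --proto esp -s %s -j ACCEPT\n' "$POOL"
    printf 'iptables -A FORWARD -m policy --dir out --pol ipsec --proto esp -d %s -j ACCEPT\n' "$POOL"
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -m policy --dir out --pol ipsec -j ACCEPT\n' "$POOL" "$WAN"
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$POOL" "$WAN"
}

# Run the three checks over a dump passed as a string (default: SAMPLE).
# On the real server: audit_dump "$(iptables-save)"
audit_dump() {
    dump=${1:-$SAMPLE}
    printf 'ipsec FORWARD ACCEPT rules     : %s\n' "$(printf '%s\n' "$dump" | ipsec_forward_rules)"
    printf 'distinct reqids in those rules : %s (compare with "ipsec statusall")\n' "$(printf '%s\n' "$dump" | ipsec_forward_reqids)"
    printf 'host-prohibited REJECT present : %s\n' "$(printf '%s\n' "$dump" | forward_host_prohibited)"
}

audit_dump "$SAMPLE"
printf '\nrules from the wiki page for POOL=%s WAN=%s:\n' "$POOL" "$WAN"
gateway_rules
```

On the constructed dump the script reports four policy ACCEPT rules spanning two reqids for a single client, and a host-prohibited REJECT in FORWARD; on a real server the reqid count should match the number of CHILD_SAs shown by "ipsec statusall", and the printed rules should be reviewed against the existing firewall before being applied.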

