[strongSwan] Tunnels with dynamic IP and another route issue

Dusan Ilic dusan at comhem.se
Sun Apr 30 23:25:24 CEST 2017

I have added following on local router

iptables -t nat -I POSTROUTING -s -o vlan847 -m policy --dir 
out --pol ipsec --proto esp -j ACCEPT
(before it was iptables -t nat -I POSTROUTING -s -d -o vlan847 -m policy --dir out --pol ipsec --proto esp -j 

And on remote router

iptables -I FORWARD -s -j ACCEPT
iptables -t nat -I POSTROUTING -s -j MASQUERADE

And now when the tunnel is up, internet doesnt work at all (all pings 
time out), however I can still reach the remote subnet What 
is the best way to troubleshoot, if the error is on the local gateway or 
on the remote?

Den 2017-04-30 kl. 20:39, skrev 
noel.kuntze+strongswan-users-ml at thermi.consulting:
> Fix your NAT rules.
> Am 30. April 2017 12:28:48 MESZ schrieb Dusan Ilic <dusan at comhem.se>:
>     Okey, so I found info about adding a "passthrough" connection for my
>     local LAN. I have done this now and when i start the connection the
>     network connection isn't cut off, however, it seems like my internet
>     traffic i still using my local gateway (browsed to a check my ip-page).
>     I can however still ping the remote network.
>     Here is my tabel 220
>     # ip route show table 220
> <>  dev br0  proto static  src10.1.1.1 <>  # LAN passthrough?
>     default via 85.24.x.x dev vlan847  proto static  src10.1.1.1 <>
>     So instead of a route to192.168.1.0/24 <>  a default route is added, but it
>     looks like it doesn't go through the tunnel... traffic to192.168.1.0/24 <>  
>     do get tunneled still though.
>     Den 2017-04-30 kl. 11:59, skrev Dusan Ilic:
>         Hello again, It worked with the hack! Thank you! Last question
>         (hopefully! :P)), if I would like to use the remote endpoint
>         to route *all* traffic over the vpn, is below the correct way?
>         I have changed rightsubnet locally to and leftsubnet
>         remotely to, I have also added NAT on the remote
>         router for the local subnet on the local endpoint, and finally
>         I have added the local subnet to table 220 on the local
>         router. I have also replaced the Iptable forward rule on local
>         endpoint with instead of only the remote subnet.
>         However, when I up the connection on the local router in a
>         couple of seconds my SSH connection stops responding, and I
>         cannot reach the local gateway or internet any longer. I have
>         to reboot the local router to get access again. Is this
>         familiar to you? What could be happening here? Den 2017-04-29
>         kl. 18:44, skrev Noel Kuntze:
>             Hello Dusan, On 29.04.2017 18:34, Dusan Ilic wrote:
>                 It works! I found a hidden setting under Phase 1 in
>                 Fortigate where i could add the local ID. Added it's
>                 dynamic dns hostname and now it connects. 
>             Great!
>                 However, I still have issues with another endpoint I'm
>                 testing. My local endpoint have Strongswan 5.5.1 and
>                 the remote endpoint have 4.5.2. Would that present any
>                 issues or incompatibilites? Unfortunately it's not
>                 possible to upgrade the remote endpoint (Strongswan). 
>             Pluto resolves IDs that are FQDNs. I think there was a
>             hack, where you add the at-character in front of the FQDN
>             in the ID settings and that stops it from doing that.
>             Might apply to charon, too in such a low version number.
>             Try the hack.
>                 I tried below, per your suggestion left=%local.example
>                 leftid=local.example right=%remote.example
>                 rightid=remote.example remote.example : PSK
>                 "PSKGOESHERE" Log when local sides initiates
>                 connection: parsed IKE_AUTH response 1 [
>                 N(AUTH_FAILED) ] received AUTHENTICATION_FAILED notify
>                 error 
>             You need to read the remote logs when the remote side
>             sends you an error message.
>                 Log when remote side initiates connection: Apr 29
>                 16:32:20 R6250 daemon.info <http://daemon.info>
>                 charon: 10[CFG] looking for peer configs matching
>                 85.24.x.x[85.24.x.x]...94.254.x.x[94.254.x.x] Apr 29
>                 16:32:20 R6250 daemon.info <http://daemon.info>
>                 charon: 10[CFG] no matching peer config found It looks
>                 like the same issue, the remote endpoint doesnt send
>                 the configured ID? 
>             Yes.
>                 And another question, when using dynamic hostnames
>                 instead of IP's as "right", how often does Strongswan
>                 make a new DNS-lookup? How does Strongswan handle the
>                 situation where let's say the remote endpoint suddenly
>                 receives a new IP? Or if the local side receives a new
>                 IP during established connection? 
>             strongSwan does a DNS lookup whenever it tries to select a
>             configuration. Well, depends on if mobike is used or no
>             and if the peer who's IP changed can't send any traffic
>             anymore. Mobike and connectivity: IKE_SA and CHILD_SAs are
>             migrated No mobike and connectivity: Don't know. Maybe a
>             new IKE_SA is negotiated, because the one peer knows the
>             local address has vanished (and the CHILD_SAs migrated?).
>             No mobike and no connectivity: Timeout, if DPD is used.
>             Otherwise the IKE_SA and CHILD_SAs remain until the remote
>             peer connects again. Mobike and no connectivity: Timeout,
>             if DPD is used. Otherwise the IKE_SA and CHILD_SAs remain
>             until the remote peer connects again. Kind regards, Noel
>         ------------------------------------------------------------------------
>         Users mailing list Users at lists.strongswan.org
>         https://lists.strongswan.org/mailman/listinfo/users 
> Sent from mobile 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170430/57eec248/attachment-0001.html>

More information about the Users mailing list