[strongSwan] access to multiple subnets

Yudi V yudi.tux at gmail.com
Tue Jan 17 06:13:23 CET 2017

On Tue, Jan 17, 2017 at 1:12 AM, Mirko Parthey <mirko.parthey at web.de> wrote:

> On Mon, Jan 16, 2017 at 01:51:00AM +1100, Yudi V wrote:
> > Got strongswan VPN on an openwrt gateway acting as the server. Openwrt router
> > has two VLANS (say,, I used rightsourceip=%dhcp
> > and let the remote peer get IP from
> >
> > This works fine and I can access resources (mostly network shares) in
> > but I would also like to access resources in I
> > cannot seem to figure out how to do this.
> >
> > Normally when I am connected to the openwrt gateway directly I can access the
> > resources in both VLANs (has appropriate rules in the firewall).
> >
> > I did not add any specific firewall rules relating to strongswan setup except
> > for esp, ah, port 500 and 4500 on wan side. Not sure what settings need to be
> > changed to get access to the other subnets.
> > I would appreciate any suggestions.
>
> Hello Yudi,
>
> I would suggest to find out where the traffic to is dropped,
> on which machine and by which firewall rule / IPsec policy.
> For example, send an ICMP echo request (ping) from a remote machine,
> also try a larger size such as 1500.
> Does it arrive at the target machine?
> Is the request dropped, or the reply?
>
> Linux IPsec has byte and packet counters, which can be shown with the
> strongSwan command "ipsec statusall". It also shows other useful information,
> so please post the output of this command after the connection has been
> established.
>
> Also enable logging in the OpenWrt firewall and look at the log (logread)
> and the netfilter rule counters (iptables -vL).
> This diagram shows the processing order of the netfilter hooks:
> http://inai.de/images/nf-packet-flow.png
> Please note that decapsulated IPsec traffic is processed by the network
> layer hooks a second time. This should be covered by the rules
> automatically inserted with leftfirewall=yes, but is worth checking.
>
> Are your routes set up correctly - on the client, the OpenWrt gateway,
> and the target machine in
> Remember that you will need valid routes for both directions.
> Do machines in send all traffic to via
> the OpenWrt gateway, or is there another router?
>
> You could also try to use an address range for the remote clients
> which is disjoint from the internal subnets. You will see if it breaks
> access to as well, and this can be a base for
> further investigations.
>
> Regards,
> Mirko

Thank you for the reply.

The problem was not strongswan or openwrt, but windows 10. When the
connection is created, it uses split-tunneling by default, so anything not
destined to was being routed to the internet and obviously
was failing. Once I disabled split-tunneling, everything was being sent to
the remote gateway. All ok.

Another thing I noticed with openwrt is I have to use the DNS domain suffix
(.lan) for hostnames to resolve properly over the VPN.

Kind regards,
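
Added example, not part of the original message: one way to check and change the Windows 10 split-tunneling setting described above from PowerShell, then confirm which interface Windows selects for a host in each VLAN. The connection name, subnets and probe addresses are constructed placeholders, and the check assumes the VPN interface alias matches the connection name.

```powershell
# Placeholders (constructed, not values from the thread).
$VpnName    = 'HomeVPN'                               # hypothetical connection name
$Subnets    = '192.168.10.0/24', '192.168.20.0/24'    # stand-ins for the two VLANs
$Probes     = '192.168.10.10', '192.168.20.10'        # one host address per VLAN
$FullTunnel = $true    # $false keeps split tunneling and adds per-subnet routes instead

# Show the current state of the built-in VPN connection.
$vpn = Get-VpnConnection -Name $VpnName
'{0}: SplitTunneling={1}, Status={2}' -f $vpn.Name, $vpn.SplitTunneling, $vpn.ConnectionStatus

if ($vpn.SplitTunneling) {
    if ($FullTunnel) {
        # Full tunnel: the default route goes through the VPN, so every
        # remote subnet is reachable without listing it explicitly.
        Set-VpnConnection -Name $VpnName -SplitTunneling $false
    }
    else {
        # Keep split tunneling, but route each internal subnet through
        # the VPN so only that traffic is sent to the gateway.
        foreach ($prefix in $Subnets) {
            Add-VpnConnectionRoute -ConnectionName $VpnName -DestinationPrefix $prefix
        }
    }
    'Setting changed: disconnect and reconnect the VPN before testing.'
}

# With the VPN connected, ask the routing table which interface
# would carry traffic to a host in each VLAN.
foreach ($ip in $Probes) {
    $route = Find-NetRoute -RemoteIPAddress $ip | Select-Object -First 1
    $via   = if ($route.InterfaceAlias -eq $VpnName) { 'VPN' } else { 'NOT via VPN' }
    '{0,-16} -> {1} ({2})' -f $ip, $route.InterfaceAlias, $via
}
```

A probe address reported as "NOT via VPN" leaves through the local default gateway, which matches the symptom reported in this thread.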