[strongSwan] access to multiple subnets
Yudi V
yudi.tux at gmail.com
Tue Jan 17 06:13:23 CET 2017
On Tue, Jan 17, 2017 at 1:12 AM, Mirko Parthey <mirko.parthey at web.de> wrote:
> On Mon, Jan 16, 2017 at 01:51:00AM +1100, Yudi V wrote:
> > Got strongswan VPN on an openwrt gateway acting as the server. Openwrt
> router
> > has two VLANS (say 192.168.1.0/24, 192.168.2.0/24), I used
> rightsourceip=%dhcp
> > and let the remote peer get IP from 192.168.1.0/24.
> >
> > This works fine and I can access resources (mostly network shares) in
> > 192.168.1.0/24 but I would also like to access resources in
> 192.168.2.0/24. I
> > cannot seem to figure out how to do this.
> >
> > Normally when I am connected to the openwrt gateway directly I can
> access the
> > resources in both VLANs (has appropriate rules in the firewall).
> >
> > I did not add any specific firewall rules relating to strongswan setup
> except
> > for esp, ah, port 500 and 4500 on wan side. Not sure what settings need
> to be
> > changed to get access to the other subnets.
> > I would appreciate any suggestions.
>
> Hello Yudi,
>
> I would suggest to find out where the traffic to 192.168.2.0/24 is
> dropped,
> on which machine and by which firewall rule / IPsec policy.
> For example, send an ICMP echo request (ping) from a remote machine,
> also try a larger size such as 1500.
>
> Does it arrive at the target machine?
> Is the request dropped, or the reply?
>
> Linux IPsec has byte and packet counters, which can be shown with the
> strongSwan command "ipsec statusall". It also shows other useful
> information,
> so please post the output of this command after the connection has been
> established.
> Also enable logging in the OpenWrt firewall and look at the log (logread)
> and the netfilter rule counters (iptables -vL).
>
> This diagram shows the processing order of the netfilter hooks:
> http://inai.de/images/nf-packet-flow.png
> Please note that decapsulated IPsec traffic is processed by the network
> layer hooks a second time. This should be covered by the rules
> automatically inserted with leftfirewall=yes, but is worth checking.
>
> Are your routes set up correctly - on the client, the OpenWrt gateway,
> and the target machine in 192.168.2.0/24?
> Remember that you will need valid routes for both directions.
> Do machines in 192.168.2.0/24 send all traffic to 192.168.1.0/24 via
> the OpenWrt gateway, or is there another router?
>
> You could also try to use an address range for the remote clients
> which is disjoint from the internal subnets. You will see if it breaks
> access to 192.168.1.0/24 as well, and this can be a base for
> further investigations.
>
> Regards,
> Mirko
>
Thank you for the reply.
The problem was not strongswan or openwrt, but windows 10. When the
connection is created, it uses split-tunneling by default, so anything not
destined to 192.168.1.0/64 was being router to the internet and obviously
was failing. Once I disabled split-tunneling, everything was being sent to
the remote gateway. All ok.
Another thing I noticed with openwrt is I have to use the DNS domain suffix
(.lan) for hostnames to resolve properly over the VPN.
--
Kind regards,
Yudi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170117/d1a5cdc8/attachment.html>
More information about the Users
mailing list