[strongSwan] Roadwarriors not able to access remote LAN
Felipe Arturo Polanco
felipeapolanco at gmail.com
Sun May 14 02:21:43 CEST 2017
Hi,
I have set up strongSwan 5 to connect iPhone devices to a remote VPN server
with a LAN behind it; all traffic is encrypted.
Sadly, I haven't been able to make the VPN clients access the internal LAN
without putting a masquerade rule on the LAN interface of the server. Since
I need to log the IP of each client on the internal DNS, this has been a
roadblock.
I'm kind of new to strongSwan, so maybe I missed something.
If I put a public DNS server like 8.8.8.8 in rightdns, clients can access
it; if I put my local DNS, it won't work unless I masquerade the outgoing
interface.
Tcpdump shows a packet with the VPN subnet as source and the DNS
server as destination, but the packet never arrives at the DNS.
I already added a static route for the VPN subnet to the DNS server's routing table.
Here is my ipsec.conf on the VPN server:
config setup
    cachecrls=yes
    uniqueids=yes
    charondebug="cfg 2, chd 2, esp 2, ike 2, knl 2, mgr 2, net 2"

conn ios
    keyexchange=ikev1
    authby=xauthpsk
    xauth=server
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    lefthostaccess=yes
    right=%any
    rightsubnet=192.168.47.0/24
    rightsourceip=192.168.47.1/24
    rightdns=172.16.10.2
    righthostaccess=yes
    auto=add
strongswan.conf:

charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}
include strongswan.d/*.conf
iptables-save:
root at SSvpn01:~# iptables-save
# Generated by iptables-save v1.6.0 on Sun May 14 00:18:25 2017
*filter
:INPUT ACCEPT [5741:1711308]
:FORWARD ACCEPT [10:1033]
:OUTPUT ACCEPT [5709:1646619]
COMMIT
# Completed on Sun May 14 00:18:25 2017
# Generated by iptables-save v1.6.0 on Sun May 14 00:18:25 2017
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE
# <- this makes all clients' IPs appear as if they came from the server
COMMIT
# Completed on Sun May 14 00:18:25 2017
Any help would be appreciated.
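Added example, not part of the original post and not strongSwan's own code: a POSIX shell script that reads an iptables-save dump and reports every nat/POSTROUTING rule that would rewrite the source address of packets from the 192.168.47.0/24 pool leaving eth1 (the table posted above triggers it), then prints a nat table that masquerades only eth0-bound traffic so LAN hosts, the internal DNS included, see the client's pool address. The interface names and the pool prefix are taken from the post; the explicit RETURN exemption rule and the function names are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): detect POSTROUTING rules that
# masquerade VPN clients toward the LAN, and print a nat table without them.
# Interface names and the pool prefix follow the post; the RETURN exemption
# rule below is an assumption of this example, not something the post uses.

VPN_POOL="192.168.47.0/24"   # rightsourceip pool from ipsec.conf
LAN_IF="eth1"                # interface toward the internal LAN / DNS
WAN_IF="eth0"                # Internet-facing interface

# The nat table as posted (the inline annotation removed).
POSTED_NAT='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT'

# lan_masq_rules LAN_IF POOL
# Reads iptables-save output on stdin and prints each nat/POSTROUTING rule
# that would masquerade POOL packets leaving LAN_IF. A RETURN or ACCEPT rule
# for POOL that precedes the MASQUERADE exempts the pool. Exit status 0 if
# at least one offending rule exists, 1 if none.
lan_masq_rules() {
    awk -v ifc="$1" -v pool="$2" '
        /^\*/ { table = substr($0, 2); next }
        table == "nat" && /^-A POSTROUTING/ {
            out = ""; src = ""; tgt = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-o") out = $(i + 1)
                if ($i == "-s") src = $(i + 1)
                if ($i == "-j") tgt = $(i + 1)
            }
            # rules bound to another interface never see LAN-bound packets
            if (out != "" && out != ifc) next
            if (src == pool && (tgt == "RETURN" || tgt == "ACCEPT")) { exempt = 1; next }
            if (tgt == "MASQUERADE" && !exempt && (src == "" || src == pool)) {
                print; found = 1
            }
        }
        END { exit found ? 0 : 1 }
    '
}

# Print a nat table that masquerades only Internet-bound traffic. VPN clients
# then reach LAN hosts with their pool address, so the DNS log shows the real
# client; every LAN host must have a route for VPN_POOL back via the server.
fixed_nat_rules() {
    printf '%s\n' \
        '*nat' \
        ':PREROUTING ACCEPT [0:0]' \
        ':INPUT ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        ':POSTROUTING ACCEPT [0:0]' \
        "-A POSTROUTING -s $VPN_POOL -o $LAN_IF -j RETURN" \
        "-A POSTROUTING -o $WAN_IF -j MASQUERADE" \
        'COMMIT'
}

# Stand-alone run: check the posted table and show the replacement.
if printf '%s\n' "$POSTED_NAT" | lan_masq_rules "$LAN_IF" "$VPN_POOL"; then
    echo "the rule(s) above hide VPN client addresses from the LAN; replacement nat table:"
    fixed_nat_rules
fi
```

Run it against the live ruleset with `iptables-save | sh -c '. ./script.sh; lan_masq_rules eth1 192.168.47.0/24'` (adjust the path) and load the printed table with iptables-restore once the other tables are appended. With the eth1 masquerade gone, the packets that tcpdump showed leaving the server keep their 192.168.47.x source, so a capture on the DNS host's own interface (`tcpdump -ni <if> net 192.168.47.0/24`) tells whether they arrive there at all, which separates a NAT problem on the server from a routing or filtering problem on the LAN side.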