[strongSwan] Roadwarriors not able to access remote LAN

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Sun May 14 03:39:59 CEST 2017


Hi,

On 14.05.2017 02:21, Felipe Arturo Polanco wrote:
>
> Sadly I haven't been able to make the VPN clients access the internal LAN without putting a masquerade rule on the LAN interface of the server; since I need to log the IP of each client on the internal DNS, this has been a roadblock.
You need to set a route to the subnet you use for the roadwarriors on your LAN.
>
> I'm kind of new to Strongswan so maybe I missed something.
It has nothing to do with strongSwan. There's no opaque black magic involved. If you read the introduction and understand it, you get how it works.

>
> If I put a public DNS server like 8.8.8.8 in rightdns, clients can access it; if I put my local DNS, it won't work unless I masquerade the out interface.
>
> Tcpdump shows a packet from the VPN subnet as source going to the DNS server as destination but the packet never arrives at the DNS.
Virtualised environment? Firewall rules that drop packets from other subnets? Tcpdump at all locations and figure out where they're dropped. Might be the reverse path filter (missing routes) on some hosts.
>
> I already added a static route into the DNS routing table for the VPN subnet.
Default router, too?
>
> Here is my ipsec.conf in the VPN server.
>
> config setup
>     cachecrls=yes
>     uniqueids=yes
>     charondebug="cfg 2, chd 2, esp 2, ike 2, knl 2, mgr 2, net 2"
>
> conn ios
>     keyexchange=ikev1
>     authby=xauthpsk
Deprecated. Use rightauth and leftauth.
>     xauth=server
>     left=%defaultroute
Unnecessary.
>     leftsubnet=0.0.0.0/0
>     leftfirewall=yes
>     lefthostaccess=yes
>     right=%any

>     rightsubnet=192.168.47.0/24
>     rightsourceip=192.168.47.1/24
Invalid. Only set rightsourceip. rightsubnet gets narrowed to the assigned "virtual" IP for each roadwarrior that connects. With this configuration, only one roadwarrior can connect.
>     rightdns=172.16.10.2
>     righthostaccess=yes
Doesn't do anything, because this host is not "right".
>     auto=add

Kind regards,
Noel
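
The corrections from the reply above, collected into one runnable check. This is an added example, not Noel's, Felipe's, or strongSwan's own code. The pool 192.168.47.1/24 and the DNS 172.16.10.2 come from the posted ipsec.conf; the VPN server's LAN address (172.16.10.1) and the interface name (eth0) are assumptions, since the thread does not state them. The `ip route show` lines are constructed samples, not captures from the poster's hosts.

```shell
#!/bin/sh
# Added example for the strongSwan roadwarrior thread (not code from the thread).
# Assumed (not in the thread): VPN server LAN address 172.16.10.1, interface eth0.
RW_POOL="192.168.47.0/24"      # network of the rightsourceip pool in the posted config
VPN_GW_LAN="172.16.10.1"       # assumption: VPN server's address on the LAN

# The poster's conn block with the reply's corrections applied:
#  - rightsubnet removed: with only rightsourceip set, each client's traffic
#    selector is narrowed to its assigned virtual IP, so more than one
#    roadwarrior can connect;
#  - authby=xauthpsk replaced by its leftauth/rightauth equivalent
#    (strongSwan documents xauthpsk as leftauth=psk, rightauth=psk, rightauth2=xauth);
#  - left=%defaultroute and righthostaccess dropped (no effect here).
corrected_conn() {
    cat <<'EOF'
conn ios
    keyexchange=ikev1
    leftauth=psk
    rightauth=psk
    rightauth2=xauth
    xauth=server
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    lefthostaccess=yes
    right=%any
    rightsourceip=192.168.47.1/24
    rightdns=172.16.10.2
    auto=add
EOF
}

# Return-path check for a LAN host (the DNS server, and the default router if
# the DNS sends off-LAN traffic through it). Given the text of `ip route show`,
# succeed only if the roadwarrior pool is routed back to the VPN server's LAN
# address. Without that route the host sends replies to its default gateway,
# and with strict reverse path filtering it drops the request before it ever
# reaches the resolver, even though tcpdump on the same host shows it arriving.
has_return_route() {
    printf '%s\n' "$1" | grep -q "^${RW_POOL} via ${VPN_GW_LAN} "
}

# The command to run on every LAN host that must answer roadwarriors directly,
# or on the LAN's default router if the hosts route everything through it.
return_route_cmd() {
    printf 'ip route add %s via %s\n' "$RW_POOL" "$VPN_GW_LAN"
}

# Reverse path filter check. Given one line of
# `sysctl net.ipv4.conf.eth0.rp_filter` output, succeed if strict mode (1) is
# on; strict mode is what turns a missing return route into silent drops.
rp_filter_strict() {
    case "$1" in
        *"= 1") return 0 ;;
        *)      return 1 ;;
    esac
}

# Constructed sample `ip route show` output for the DNS host, before and after
# adding the return route (not captured from the poster's network).
ROUTES_BEFORE="default via 172.16.10.254 dev eth0
172.16.10.0/24 dev eth0 proto kernel scope link src 172.16.10.2"
ROUTES_AFTER="${ROUTES_BEFORE}
192.168.47.0/24 via 172.16.10.1 dev eth0"

# Stand-alone run: show what is missing and what to do about it.
if has_return_route "$ROUTES_BEFORE"; then
    echo "DNS host already routes $RW_POOL back to the VPN server"
else
    echo "DNS host has no return route for $RW_POOL; run on it:"
    return_route_cmd
fi
```

Apply the route on the DNS server and on the LAN's default router (the reply's "Default router, too?"), then repeat the tcpdump at the DNS host: the request should now be answered from the host's own address rather than requiring masquerading on the VPN server's LAN interface.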


