[strongSwan] Issues in Strongswan and Google Cloud Communication

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Apr 11 19:49:12 CEST 2018


Hello Wesley,

Your iptables rules probably SNAT or MASQUERADE new connections out of your public interface, which causes it to not match the negotiated policies anymore.
The article about Forwarding and split tunneling[1] elaborates on that and shows you a rule to fix that.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#General-NAT-problems

On 11.04.2018 16:39, Wesley Rabelo de Oliveira wrote:
> Good morning, 
>
> First of all, I apologize for my English. I'm using google translator.
>
> I'm eating now with strongSwan and I'm encountering a problem I cannot solve. I'm closing an IPsec VPN between strongSwan and Google Cloud... At first the connection is established on both sides, but I'm encountering problems in the communication between the connections: I can ping and access everything when I'm on the Google Cloud instance side, but when I'm on the strongSwan side I cannot do anything, and when I run the command ipsec statusall I verify that the tunnel is OK.
> My question is: is there any specific route that I should create, or are the routes created automatically when the tunnel is established?
>
> My narration follows for analysis.
>
> Google Cloud
> public IP: 35.196.XX.XXX
> Network: 192.168.3.0/24
>
> Firewall Debian (strongSwan)
> public IP: 187.32.XX.XXX
> Network: 192.168.0.0/24
> internal interface: 192.168.0.254
>
>
> # my ipsec.conf
>
> conn myconn
>         fragmentation=yes
>         keyexchange=ikev1
>         reauth=yes
>         forceencaps=no
>         rekey=yes
>         installpolicy=yes
>         type=tunnel
>         dpdaction=restart
>         dpddelay=10s
>         dpdtimeout=60s
>         auto=route
>         authby=secret
>         left=%any
>         right=35.196.XX.XXX
>         leftid=187.32.XX.XXX
>         ikelifetime=28800s
>         lifetime=3600s
>         ike=aes128-sha1-modp1024,3des-sha1-modp1024!
>         esp=aes128-sha1-modp1024,3des-sha1-modp1024!
>         leftauth=psk
>         rightauth=psk
>         rightid=35.196.XX.XXX
>         aggressive=no
>         rightsubnet=192.168.3.0/24
>         leftsubnet=192.168.0.0/24
>
>
> Thanks...
>
>
> -- 
> Wesley R. de Oliveira
>
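One way to check for, and repair, the rule-ordering problem Noel describes, as an added example that is not part of the original thread: a POSIX shell script that reads an `iptables-save -t nat` dump, reports whether a SNAT/MASQUERADE rule in POSTROUTING precedes the policy-match exemption the linked article describes, and rewrites the dump with that exemption inserted ahead of the NAT rule. The dumps below are constructed (the interface name eth0 and the subnets are assumptions based on Wesley's post).

```shell
#!/bin/sh
# Constructed sample of an `iptables-save -t nat` dump (not from the original post).
# The MASQUERADE rule comes first, so packets for 192.168.3.0/24 are rewritten
# before they can match the IPsec policy and therefore never enter the tunnel.
SAMPLE_NAT_BROKEN='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
COMMIT'

# The same dump with the policy exemption ahead of the NAT rule.
SAMPLE_NAT_FIXED='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
COMMIT'

# check_nat_order: read a nat-table dump on stdin and print "broken" if a
# SNAT/MASQUERADE rule in POSTROUTING appears before any
# "-m policy --dir out --pol ipsec -j ACCEPT" exemption, otherwise "ok".
check_nat_order() {
    awk '
        /^-A POSTROUTING/ && /-m policy/ && /--pol ipsec/ && /--dir out/ && /-j ACCEPT/ && !nat_first { exempt = 1 }
        /^-A POSTROUTING/ && (/-j MASQUERADE/ || /-j SNAT/) && !exempt { nat_first = 1 }
        END { print (nat_first ? "broken" : "ok") }
    '
}

# fix_nat_order: rewrite the dump so the exemption sits directly above the first
# SNAT/MASQUERADE rule; any later copy of the exemption is dropped. The result
# can be fed back to iptables-restore.
fix_nat_order() {
    awk '
        /^-A POSTROUTING/ && /-m policy/ && /--pol ipsec/ && /--dir out/ && /-j ACCEPT/ {
            if (done) next
            done = 1
        }
        /^-A POSTROUTING/ && (/-j MASQUERADE/ || /-j SNAT/) && !done {
            print "-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT"
            done = 1
        }
        { print }
    '
}
# On a live gateway: iptables-save -t nat | check_nat_order
printf '%s\n' "$SAMPLE_NAT_BROKEN" | check_nat_order                    # broken
printf '%s\n' "$SAMPLE_NAT_BROKEN" | fix_nat_order | check_nat_order     # ok
```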
