[strongSwan] Separate firewall/router and VPN systems
Christian Salway
christian.salway at naimuri.com
Fri Aug 24 10:13:47 CEST 2018
Robert,
Make sure you have ip_forward turned on
net.ipv4.ip_forward = 1
and masquerade the IP address
/sbin/iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE
then you need to make sure that anything that goes down the internal interface comes back that way.
See if you can make sense of the following, which is my config. eth0 is public facing, eth1 is internal facing
cat <<EOF >> /etc/network/interfaces.d/50-cloud-init.cfg
auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1 inet dhcp
metric 100
EOF
ifup eth1
SN1="$(ip r | awk '/eth1/ { print $1 }' | tail -n 1)" # internal subnet
IP1="$(ip r | awk '/eth1/ { print $NF }' | tail -n 1)" # internal ip
GW1="$(echo ${SN1} | cut -d'/' -f1 | cut -d'.' -f1-3).1" # internal gateway (assumes a /24 with the gateway at .1)
echo 200 eth1 >> /etc/iproute2/rt_tables # dedicated routing table for traffic sourced from the internal address
cat <<EOF >> /etc/network/interfaces.d/50-cloud-init.cfg
# replies from the internal address are looked up in table eth1, whose default route is the internal gateway
post-up /sbin/ip rule add from ${IP1} table eth1
pre-down /sbin/ip rule delete from ${IP1} table eth1
post-up /sbin/ip route add default via ${GW1} table eth1
pre-down /sbin/ip route delete default via ${GW1} table eth1
# REMOTECIDR must be set before this step; the remote subnet is reached via the internal gateway
post-up /sbin/ip route add ${REMOTECIDR} via ${GW1}
pre-down /sbin/ip route delete ${REMOTECIDR} via ${GW1}
# forwarded traffic leaving eth1 is masqueraded behind the internal address
post-up /sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
pre-down /sbin/iptables -t nat -D POSTROUTING -o eth1 -j MASQUERADE
EOF
ifdown eth1; ifup eth1
cat <<EOF > /etc/sysctl.d/60-strongswan.conf
net.ipv4.ip_forward = 1
EOF
sysctl -p /etc/sysctl.d/60-strongswan.conf
Kind regards,
Christian Salway
IT Consultant - Naimuri
T: +44 7463 331432
E: christian.salway at naimuri.com
A: Naimuri Ltd, Chandlers Point, Manchester M50 2UW
> On 20 Aug 2018, at 22:23, Robert Green <robert.green at wegolook.com> wrote:
>
> Hello All,
>
> I may be doing something that isn't going to work easily. I am trying to set up strongSwan on a separate system from my firewall/router. This separate system is also directly connected to the public internet. This is to support a road warrior setup.
>
> I currently have the Windows 10 client connecting via certificates. However, when I connect the client I cannot get traffic beyond the VPN box. I can ping the internal interface but I cannot ping into the network or external clients.
>
> I see the routes in table 220 but they don't look right to me. I do have the firewall rules turned on in the config and those look to be populating correctly.
>
> /etc/ipsec.conf
> config setup
> # strictcrlpolicy=yes
> # uniqueids = no
> charondebug="cfg 2, dmn 2, ike 2, net 2"
>
> conn remote-users
> fragmentation=yes
> ike=aes256-sha1-modp1024,3des-sha1-modp1024!
> esp=aes256-sha1,3des-sha1!
> left=%any
> #leftsubnet=0.0.0.0/0
> leftsubnet=192.168.0.0/16
> leftcert=server_cert.pem
> leftfirewall=yes
> right=%any
> rightdns=1.1.1.1, 8.8.8.8
> rightsourceip=192.168.18.2-192.168.18.254
> keyexchange=ikev2
> #auto=add
> auto=route
>
> ip route show table 220
>
> 192.168.18.2 via 12.12.12.1 dev enp0s25 proto static src 192.168.1.198
>
> My interfaces are:
> enp0s25 -> 12.12.12.1 (public interface)
> enp3s0 -> 192.168.1.198 (internal interface)
>
> Primary gateway 192.168.0.1 (netmask /23)
>
> This all has been sanitized. I have been beating my head against the wall on this one. I know this is a routing issue but not sure how to properly fix it.
>
> Thank you,
> --
> Robert Green
>
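Both Christian's post-up hooks and Robert's routing problem come down to three values for the internal interface: its subnet, its address and its gateway. The script below is an added example, not code from either mail; it derives those values from `ip route` output by keyword rather than by field position (so trailing fields such as `metric 100` do not shift the result), falls back to the .1 convention only when the interface has no default route, and prints the resulting commands. The route lines and the remote subnet 10.9.0.0/24 are constructed.

```shell
#!/bin/sh
# Added example: derive the internal subnet, address and gateway for an
# interface from `ip route` output by keyword, then print the policy-routing
# commands. Constructed sample (not from the mail): DHCP on both interfaces,
# eth1's default route de-preferred with metric 100.
SAMPLE_ROUTES='default via 12.12.12.1 dev eth0 proto dhcp src 12.12.12.5
default via 192.168.1.1 dev eth1 proto dhcp src 192.168.1.198 metric 100
12.12.12.0/24 dev eth0 proto kernel scope link src 12.12.12.5
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.198 metric 100'

# Connected subnet of <iface>: the "<prefix> dev <iface> ..." route.
internal_subnet() {
    printf '%s\n' "$1" | awk -v ifc="$2" \
        '$1 != "default" && $2 == "dev" && $3 == ifc { print $1; exit }'
}

# Address on <iface>: the token after "src" on that connected route, so a
# trailing "metric N" is never mistaken for the address.
internal_ip() {
    printf '%s\n' "$1" | awk -v ifc="$2" '$1 != "default" && $2 == "dev" && $3 == ifc {
        for (i = 4; i <= NF; i++) if ($i == "src") { print $(i + 1); exit } }'
}

# Gateway for <iface>: the "via" of its default route; if the interface has
# no default route, fall back to the .1 convention from the original mail
# (an assumption that only holds for a /24).
internal_gateway() {
    gw="$(printf '%s\n' "$1" | awk -v ifc="$2" '$1 == "default" {
        for (i = 2; i <= NF; i++) if ($i == "dev" && $(i + 1) == ifc) {
            for (j = 2; j <= NF; j++) if ($j == "via") { print $(j + 1); exit } } }')"
    [ -n "$gw" ] || gw="$(internal_subnet "$1" "$2" | cut -d/ -f1 | cut -d. -f1-3).1"
    printf '%s\n' "$gw"
}

# Print the commands from the post-up hooks for <iface> and <remote_cidr>:
# replies sourced from the internal address are looked up in a table whose
# default route is the internal gateway, the remote subnet goes that way too,
# and forwarded traffic leaving <iface> is masqueraded.
policy_routing_commands() {
    ip1="$(internal_ip "$1" "$2")"
    gw1="$(internal_gateway "$1" "$2")"
    printf 'ip rule add from %s table %s\n' "$ip1" "$2"
    printf 'ip route add default via %s table %s\n' "$gw1" "$2"
    printf 'ip route add %s via %s\n' "$3" "$gw1"
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$2"
}

policy_routing_commands "$SAMPLE_ROUTES" eth1 10.9.0.0/24
```

On a real host, replace the sample with `ROUTES="$(ip r)"` and compare the printed commands with `ip rule show` and `ip route show table eth1` to confirm the hooks actually took effect.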