[strongSwan] Accessing VPN client from private network

Marco Spinola Durante mspinoladurante at gmail.com
Wed Feb 14 23:49:09 CET 2018


Hi Tobias,

thanks. FARP is configured on both client and gateway, and I can reach all of the internal network from the VPN client (Ubuntu Linux). The DHCP server is not on the gateway.
Still, pinging the VPN client from the internal network does not work. Is there any other config to do?

VPN CLIENT:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
	# strictcrlpolicy=yes
	# uniqueids = no

conn vpn
    right=%me.domain.com
    rightid=server
    rightsubnet=192.168.1.0/24
    rightauth=psk
    left=%any
    leftid=client
    leftauth=eap-mschapv2
    leftsourceip=%config
    auto=add

Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.13.0-32-generic, x86_64):
  uptime: 27 minutes, since Feb 14 23:19:19 2018
  malloc: sbrk 3276800, mmap 532480, used 1419840, free 1856960
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon test-vectors unbound ldap pkcs11 aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity
Listening IP addresses:
  X.X.X.X
Connections:
    vpn:  %any...me.domain.com,0.0.0.0/0,::/0  IKEv1/2
    vpn:   local:  [client] uses EAP_MSCHAPV2 authentication
    vpn:   remote: [server] uses pre-shared key authentication
    vpn:   child:  dynamic === 192.168.1.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
    vpn[1]: ESTABLISHED 27 minutes ago, X.X.X.X[server]...Y.Y.Y.Y[server]
    vpn[1]: IKEv2 SPIs: 66945fc928466229_i* 825b15d6f370bd5e_r, EAP reauthentication in 2 hours
    vpn[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
    vpn{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c7fc94f7_i cb625e29_o
    vpn{1}:  AES_CBC_128/HMAC_SHA1_96, 1512 bytes_i (18 pkts, 750s ago), 2940 bytes_o (35 pkts, 750s ago), rekeying in 14 minutes
    vpn{1}:   192.168.1.20/32 === 192.168.1.0/24

VPN SERVER/GATEWAY:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
	strictcrlpolicy=no
	uniqueids = no

conn server-IKEV2
	auto=add
	dpdaction=clear
	keyexchange=ikev2

	#left
	#left=%any
	left=%defaultroute
	leftsubnet=192.168.1.0/24
	leftfirewall=yes
	leftauth=psk
	leftid=server

	#right
	right=%any
	rightsourceip=192.168.1.20
	# tried also rightsourceip=%dhcp but no change
	rightauth=eap-mschapv2
	rightid=client

Status of IKE charon daemon (strongSwan 5.2.1, Linux 4.9.35-v7+, armv7l):
  uptime: 23 minutes, since Feb 14 23:17:54 2018
  malloc: sbrk 1216512, mmap 0, used 224680, free 991832
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 9
  loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity
Virtual IP pools (size/online/offline):
  192.168.1.20: 1/1/0
Listening IP addresses:
  192.168.1.10
Connections:
   iOS-IKEV2:  %any...%any  IKEv2, dpddelay=30s
   iOS-IKEV2:   local:  [server] uses pre-shared key authentication
   iOS-IKEV2:   remote: [client] uses EAP_MSCHAPV2 authentication
   iOS-IKEV2:   child:  192.168.1.0/24 === dynamic TUNNEL, dpdaction=clear
server-IKEV2:  %any...%any  IKEv2, dpddelay=30s
server-IKEV2:   local:  [server] uses pre-shared key authentication
server-IKEV2:   remote: [client] uses EAP_MSCHAPV2 authentication
server-IKEV2:   child:  192.168.1.0/24 === dynamic TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
server-IKEV2[4]: ESTABLISHED 21 minutes ago, 192.168.1.10[server]...XXX.XXX.XXX.XXX[client]
server-IKEV2[4]: IKEv2 SPIs: 29624628c95f9466_i 5ebd70f3d6155b82_r*, pre-shared key reauthentication in 2 hours
server-IKEV2[4]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
server-IKEV2{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: cb625e29_i c7fc94f7_o
server-IKEV2{1}:  AES_CBC_128/HMAC_SHA1_96, 2940 bytes_i (35 pkts, 402s ago), 1512 bytes_o (18 pkts, 402s ago), rekeying in 21 minutes
server-IKEV2{1}:   192.168.1.0/24 === 192.168.1.20/32 


> Il giorno 14 feb 2018, alle ore 08:22, Tobias Brunner <tobias at strongswan.org> ha scritto:
> 
> Hi Marco,
> 
>> VPN Client -> Gateway -> internal network with some servers
>> The VPN gets an IP from DHCP Server (i.e 192.168.1.100)
>> Gateway has IP 192.168.1.10, can ping the VPN client 192.168.1.100
>> Pinging the VPN client from a server in the network (e.g. 192.168.1.20) does not work.
>> 
>> What am I missing?
> 
> See [1].
> 
> Regards,
> Tobias
> 
> [1]
> https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#Hosts-on-the-LAN

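A check script for the situation in this thread, added here as an example; it is not from the mail, from the strongSwan wiki, or from the strongSwan project. It applies the rule on the wiki page Tobias linked: a virtual IP taken from the LAN subnet (here the 192.168.1.20 pool inside leftsubnet=192.168.1.0/24) is reachable from LAN hosts only if the farp plugin on the gateway answers ARP for it, while a virtual IP outside the LAN subnet needs a route on the LAN hosts (or on their default gateway) pointing at the VPN gateway instead. The function names, the --live flag and the SAMPLE_STATUS text (copied from the gateway's ipsec statusall output above) are my own; the script parses statusall output, so it runs offline on the sample and, with --live, on the gateway itself.

```shell
#!/bin/sh
# check_lan_to_client.sh: added example, not code from the thread or from strongSwan.
# Decides, from `ipsec statusall` output on the gateway, which mechanism a LAN host
# needs to reach a roadwarrior's virtual IP (VIP), per the strongSwan wiki page
# ForwardingAndSplitTunneling#Hosts-on-the-LAN:
#   VIP inside the LAN subnet  -> the farp plugin on the gateway must answer ARP for it
#   VIP outside the LAN subnet -> LAN hosts need a route to the VIP via the gateway
# Usage: sh check_lan_to_client.sh          (evaluates SAMPLE_STATUS below)
#        sh check_lan_to_client.sh --live   (runs ipsec statusall on this gateway)

# SAMPLE_STATUS: the relevant lines of the gateway output in the mail above
SAMPLE_STATUS=$(cat <<'EOF'
Status of IKE charon daemon (strongSwan 5.2.1, Linux 4.9.35-v7+, armv7l):
  loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity
Virtual IP pools (size/online/offline):
  192.168.1.20: 1/1/0
Security Associations (1 up, 0 connecting):
server-IKEV2[4]: ESTABLISHED 21 minutes ago, 192.168.1.10[server]...XXX.XXX.XXX.XXX[client]
server-IKEV2{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: cb625e29_i c7fc94f7_o
server-IKEV2{1}:   192.168.1.0/24 === 192.168.1.20/32
EOF
)

# ip2int A.B.C.D: print the address as a 32-bit integer
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP NET/BITS: exit 0 if IP lies inside NET/BITS
in_subnet() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# farp_loaded STATUS: exit 0 if the "loaded plugins:" line lists farp
farp_loaded() {
    printf '%s\n' "$1" | grep -Eq 'loaded plugins:.*[[:space:]]farp([[:space:]]|$)'
}

# child_ts STATUS: for each installed CHILD_SA whose remote selector is a
# single /32 (a roadwarrior VIP) print "<local selector> <VIP>"
child_ts() {
    printf '%s\n' "$1" |
        sed -n 's#^.*[ ]\([0-9.]*/[0-9]*\) === \([0-9.]*\)/32[ ]*$#\1 \2#p'
}

# verdict LAN/BITS VIP yes|no: print the rule that applies given whether farp
# is loaded; exit 0 only when the VIP is in the LAN and farp will proxy-ARP it
verdict() {
    if in_subnet "$2" "$1"; then
        if [ "$3" = yes ]; then
            echo "OK: $2 is inside $1 and farp is loaded, so the gateway answers ARP for $2"
            return 0
        fi
        echo "NEED_FARP: $2 is inside $1 but farp is not loaded, so LAN hosts cannot resolve $2"
        return 1
    fi
    echo "NEED_ROUTE: $2 is outside $1, farp does not apply; LAN hosts need a route to $2 via the gateway"
    return 1
}

# check STATUS: one verdict per roadwarrior CHILD_SA; exit 0 only if all are OK
check() {
    if farp_loaded "$1"; then farp=yes; else farp=no; fi
    child_ts "$1" | (
        n=0; rc=0
        while read -r lan vip; do
            n=$((n + 1))
            verdict "$lan" "$vip" "$farp" || rc=1
        done
        [ "$n" -gt 0 ] || { echo "NO_CHILD_SA: no installed CHILD_SA with a /32 remote selector (run on the gateway)"; rc=1; }
        exit "$rc"
    )
}

case "${1:-}" in
--live)
    check "$(ipsec statusall)"
    fwd=$(cat /proc/sys/net/ipv4/ip_forward)
    [ "$fwd" = 1 ] && echo "OK: net.ipv4.ip_forward=1" || echo "NEED_FORWARD: net.ipv4.ip_forward=$fwd"
    echo "Next: run 'tcpdump -ni <lan-if> arp' here while a LAN host pings the VIP;"
    echo "the who-has for the VIP should be answered with this gateway's MAC."
    ;;
*)
    check "$SAMPLE_STATUS"
    ;;
esac
```

Run without arguments it reports OK for the output in this mail: farp is loaded on the gateway and 192.168.1.20/32 sits inside 192.168.1.0/24, so if LAN hosts still cannot ping the client the next things to look at are the ARP exchange itself (tcpdump on the LAN interface while a LAN host pings the VIP), net.ipv4.ip_forward, and the FORWARD rules that leftfirewall=yes installs. The farp plugin matters on the gateway only; having it on the client changes nothing for this path. The script also does not check that the pool address is free on the LAN: the quoted question uses 192.168.1.20 as the address of a LAN server, and a pool must not overlap addresses already in use or the DHCP server's range.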