[strongSwan] Simple road warrior setup no longer routing after upgrade

James Lay jlay at slave-tothe-box.net
Thu Jul 26 02:33:15 CEST 2018


On Wed, 2018-07-25 at 06:53 -0600, James Lay wrote:
> On 2018-07-24 06:51, Tobias Brunner wrote:
> Hi James,
>
> So I moved to Strongswan 5.6.2 during a distribution upgrade.
>
> What distribution?  What was the previous version?  Do you still
> have the same plugins installed and enabled?
>
> My simple setup no longer routes back to the client (I can see the
> incoming pings on the server, but nothing goes back). I establish a
> tunnel fine...my setup looks like this:
>
> external_IP_nic2 <-> 192.168.1.1_nic2 192.168.1.0/24 subnet
> all I need is to have a connected device able to
> access 192.168.1.1...and it's only a single user.
>
> Please read [1].  From the involved IPs I guess you used the farp
> plugin before, so make sure you still have that installed and loaded.
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
>
> Thanks Tobias...I have access to the old server so I'll see what's
> there...I don't recall installing any other plugins, but we shall
> see.  I'll report my findings soon..thanks again.
> James

So now I'm super confused.  I changed to the below:

conn rw
    leftsubnet=192.168.1.0/24
    leftcert=StrongSwanHostCert.pem
    right=%any
    rightsourceip=172.16.0.1
    auto=add



and added the below top 2 postrouting nat rules:
 pkts bytes target     prot opt in     out        source               destination
    0     0 ACCEPT     all  --  *      *          0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec
    0     0 MASQUERADE all  --  *      enp0s31f6  172.16.0.1           0.0.0.0/0
24519 1646K MASQUERADE all  --  *      ppp0       192.168.1.0/24       0.0.0.0/0


However when I attempt to ping, I see the ping on the ppp0 interface,
and the source isn't 172.16.0.1:
2018-07-25 18:26:37.085194521      8.0.0.1 → 192.168.1.1 ICMP 100 Echo (ping) request  id=0x0004, seq=1/256, ttl=64


Not exactly sure where to go next.  I did install the extra plugins
that include farp as well.  Thank you.

James