[strongSwan] Simple road warrior setup no longer routing after upgrade
jlay at slave-tothe-box.net
Sun Jul 29 15:53:12 CEST 2018
On Wed, 2018-07-25 at 18:33 -0600, James Lay wrote:
> On Wed, 2018-07-25 at 06:53 -0600, James Lay wrote:
> > On 2018-07-24 06:51, Tobias Brunner wrote:Hi James,
> > So I moved to Strongswan 5.6.2 during a distribution upgrade.
> > What distribution? What was the previous version? Do you still
> > havethe same plugins installed and enabled?
> > My simplesetup no longer routes back to the client (I can see the
> > incoming pingson the server, but nothing goes back). I establish a
> > tunnel fine...mysetup looks like this:
> > external_IP_nic2 <-> 192.168.1.1_nic2 192.168.1.0/24 subnet
> > all I need is to have a connected device able to
> > access192.168.1.1...and it's only a single user.
> > Please read . From the involved IPs I guess you used the farp
> > pluginbefore, so make sure you still have that installed and
> > loaded.
> > Regards,Tobias
> > https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingA
> > ndSplitTunneling
> > Thanks Tobias...I have access to the old server so I'll see what's
> > there...I don't recall installing any other plugins, but we shall
> > see. I'll report my findings soon..thanks again.
> > James
> So now I'm super confused. I changed to the below:
> conn rw
> and added the below top 2 postrouting nat rules:
> pkts bytes target prot opt
> in out source destination
> 0 0 ACCEPT all
> -- * * 0.0.0.0/0 0.0.0.0/0 policy
> match dir out pol ipsec
> 0 0 MASQUERADE all
> -- * enp0s31f6 172.16.0.1 0.0.0.0/0
> 24519 1646K MASQUERADE all
> -- * ppp0 192.168.1.0/24 0.0.0.0/0
> However when I attempt to ping, I see the ping on the ppp0 interface,
> and the source isn't 172.16.0.1:
> 2018-07-25 18:26:37.085194521 184.108.40.206 → 192.168.1.1 ICMP 100
> Echo (ping) request id=0x0004, seq=1/256, ttl=64
> Not exactly sure where to go next. I did install the extra plugins
> that include farp as well. Thank you.
Anything on this? in testing I made this change:
Pinging from the client connected device gets me this:
1 2018-07-29 07:50:27.606525877 220.127.116.11 → 192.168.1.1 ICMP 100
Echo (ping) request id=0x000f, seq=1/256, ttl=64
Something seems very broken. Thank you.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Users