[strongSwan] Simple road warrior setup no longer routing after upgrade
James Lay
jlay at slave-tothe-box.net
Sun Jul 29 15:53:12 CEST 2018
On Wed, 2018-07-25 at 18:33 -0600, James Lay wrote:
> On Wed, 2018-07-25 at 06:53 -0600, James Lay wrote:
> > On 2018-07-24 06:51, Tobias Brunner wrote:
> > > Hi James,
> > >
> > > > So I moved to Strongswan 5.6.2 during a distribution upgrade.
> > >
> > > What distribution? What was the previous version? Do you still
> > > have the same plugins installed and enabled?
> > >
> > > > My simple setup no longer routes back to the client (I can see the
> > > > incoming pings on the server, but nothing goes back). I establish a
> > > > tunnel fine... my setup looks like this:
> > > >
> > > > external_IP_nic2 <-> 192.168.1.1_nic2 192.168.1.0/24 subnet
> > > >
> > > > all I need is to have a connected device able to
> > > > access 192.168.1.1... and it's only a single user.
> > >
> > > Please read [1]. From the involved IPs I guess you used the farp
> > > plugin before, so make sure you still have that installed and
> > > loaded.
> > >
> > > Regards,
> > > Tobias
> > >
> > > [1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
> >
> > Thanks Tobias... I have access to the old server so I'll see what's
> > there... I don't recall installing any other plugins, but we shall
> > see. I'll report my findings soon... thanks again.
> >
> > James
>
> So now I'm super confused. I changed to the below:
>
> conn rw
> leftsubnet=192.168.1.0/24
> leftcert=StrongSwanHostCert.pem
> right=%any
> rightsourceip=172.16.0.1
> auto=add
>
> and added the below top 2 postrouting nat rules:
>
>  pkts bytes target     prot opt in  out        source          destination
>     0     0 ACCEPT     all  --  *   *          0.0.0.0/0       0.0.0.0/0       policy match dir out pol ipsec
>     0     0 MASQUERADE all  --  *   enp0s31f6  172.16.0.1      0.0.0.0/0
> 24519 1646K MASQUERADE all  --  *   ppp0       192.168.1.0/24  0.0.0.0/0
>
> However when I attempt to ping, I see the ping on the ppp0 interface,
> and the source isn't 172.16.0.1:
>
> 2018-07-25 18:26:37.085194521 8.0.0.1 → 192.168.1.1 ICMP 100 Echo (ping) request id=0x0004, seq=1/256, ttl=64
>
> Not exactly sure where to go next. I did install the extra plugins
> that include farp as well. Thank you.
>
> James
Anything on this? In testing I made this change:

rightsourceip=10.10.10.0/24

Pinging from the client connected device gets me this:

1 2018-07-29 07:50:27.606525877 8.0.10.1 → 192.168.1.1 ICMP 100 Echo (ping) request id=0x000f, seq=1/256, ttl=64

Something seems very broken. Thank you.

James
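The ordering of the POSTROUTING rules quoted above is the one thing in this thread a practitioner can verify mechanically: the wiki page Tobias links explains that packets which will be encrypted (policy match, dir out, pol ipsec) must be ACCEPTed in nat/POSTROUTING before any MASQUERADE rule can rewrite their source, otherwise replies from leftsubnet toward the client get a new source address, no longer match the IPsec policy, and never come back through the tunnel. The script below is an added example, not code from the thread or from strongSwan. It parses the rule syntax printed by `iptables -t nat -S POSTROUTING` (the same syntax iptables-save uses) and reports any MASQUERADE/SNAT/NETMAP rule that would hit a given source subnet before such an exemption. It goes slightly beyond the thread in that it also handles negated `! -s` matches and NAT rules that carry their own `--pol none`. The two rule sets inside it are constructed for the example; the subnets and the interface names enp0s31f6 and ppp0 are taken from the thread.

```python
"""Check nat/POSTROUTING rule order in front of a strongSwan tunnel.

Added example for the thread above (not strongSwan's or the poster's code).
Pass the subnet the IPsec policy selects on, i.e. the leftsubnet
192.168.1.0/24 from the thread: if its replies toward the road-warrior
client are masqueraded out the WAN interface before the policy exemption
matches, they are no longer encrypted.
"""
import ipaddress
import shlex

# Constructed sample: the order the poster showed, exemption first.
SAMPLE_OK = """\
-P POSTROUTING ACCEPT
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 172.16.0.1/32 -o enp0s31f6 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
"""

# Constructed sample: same rules with the exemption appended last, so LAN
# replies to the client are masqueraded out ppp0 before the policy match runs.
SAMPLE_BAD = """\
-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
"""

NAT_TARGETS = ("MASQUERADE", "SNAT", "NETMAP")


def parse_rule(line):
    """Return the fields this check needs from one `-A` line, else None."""
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "-A":
        return None  # `-P` policy lines, `-N`, and blanks are not rules
    rule = {"chain": tokens[1], "src": None, "negated_src": False,
            "target": None, "pol": None, "dir": None}
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "!" and nxt in ("-s", "--source"):
            rule["negated_src"] = True  # "! -s X": everything except X
            i += 1
        elif tok in ("-s", "--source") and nxt:
            rule["src"] = ipaddress.ip_network(nxt, strict=False)
            i += 2
        elif tok == "-j" and nxt:
            rule["target"] = nxt
            i += 2
        elif tok == "--pol" and nxt:
            rule["pol"] = nxt
            i += 2
        elif tok == "--dir" and nxt:
            rule["dir"] = nxt
            i += 2
        else:
            i += 1  # -o, -m, -p, ... do not change the ordering question
    return rule


def covers_source(rule, subnet):
    """True if the rule's source match would select packets from subnet."""
    if rule["negated_src"]:
        return False  # conservative: a negated source is treated as a miss
    if rule["src"] is None:
        return True  # no -s at all matches every source
    return rule["src"].overlaps(subnet)  # partial overlap still counts


def check_postrouting(rules_text, subnet):
    """Return findings for NAT rules that hit subnet before the IPsec exemption."""
    subnet = ipaddress.ip_network(subnet, strict=False)
    findings, exempted = [], False
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None or rule["chain"] != "POSTROUTING":
            continue
        is_exemption = (rule["target"] == "ACCEPT" and rule["pol"] == "ipsec"
                        and rule["dir"] == "out")
        if is_exemption and covers_source(rule, subnet):
            exempted = True
        elif rule["target"] in NAT_TARGETS and rule["pol"] != "none":
            # A NAT rule that itself requires `--pol none` can never touch
            # IPsec-bound packets, so it is safe in any position.
            if covers_source(rule, subnet) and not exempted:
                findings.append(
                    f"line {lineno}: {rule['target']} on {subnet} comes before "
                    "any '-m policy --dir out --pol ipsec -j ACCEPT'")
    return findings


def exemption_first(subnet, wan_if):
    """Rules in the safe order: exempt IPsec-bound traffic, then masquerade."""
    return (f"-A POSTROUTING -s {subnet} -o {wan_if} -m policy --dir out --pol ipsec -j ACCEPT\n"
            f"-A POSTROUTING -s {subnet} -o {wan_if} -j MASQUERADE\n")


if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, check_postrouting(text, "192.168.1.0/24") or "no findings")
    print(exemption_first("192.168.1.0/24", "ppp0"))
```

On a real gateway, feed it `iptables -t nat -S POSTROUTING` output and the leftsubnet from the conn; an empty result only says the NAT ordering is not the problem, it says nothing about farp, ip_forward or the FORWARD chain, which the linked wiki page covers separately.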