[strongSwan] Routing everything through VPN using 2 separate ethernet interfaces.

Marc Sauvé powermarcx at gmail.com
Mon Nov 12 17:29:17 CET 2018


Hi. I'm trying to do a full tunnel setup between my remote host and central location (both private and public internet traffic). Got my VPN setup working on the first ethernet interface (eth0); however, as soon as I'm trying to get another device plugged in the second ethernet port of the VPN gateway (eth1), it will not work (reports that the IP address is taken). So I cannot use any devices on the second ethernet interface. But from the central network, I can ping the remote IP address (ping to 172.24.1.1 is successful).

However, if I remove the "rightsubnet=172.24.1.0/24" statement from the server config, I can now use devices connected to the second ethernet interface of the remote host, but routing is completely dead.

Remote host is a simple OrangePi R1 with 2 ethernet interfaces. Primary interface is on a DHCP address (and has to be deployed that way) while the second ethernet interface (that will be used for other users) is using the 172.24.1.0/24 subnet. A DHCP server can be activated on this host, but right now it's not ON.

There is no real need to access the remote network from the main network, so I would be OK doing some NAT on the remote box. But either would work perfectly. (Also tried to do NAT on the remote box, but I'm unable to NAT traffic to the VPN connection at all.)

Any ideas to get this setup working reliably?



(Domain names and Public IP addresses were modified.)

Configs:

Server Host:

    strictcrlpolicy=yes
    uniqueids=no
    cachecrls=yes

conn %default
    keyexchange=ikev2
    keyingtries=4
    forceencaps=yes
    ikelifetime=2h
    lifetime=1h

conn IPSec-IKEv2-OR1
#
    ike=aes128gcm16-prfsha512-prfsha256-x25519-curve25519-ecp521!
    esp=chacha20poly1305-curve25519-x25519!
#
    auto=add
    fragmentation=yes
    dpdaction=clear
    dpddelay=300s
    reauth=no
    rekey=no
    authby=secret
#
    left=%any
    leftid=@neo.domain.com
    leftsubnet=0.0.0.0/0

    fragmentation=yes
    right=%any
    rightid=@or1.domain.com
    rightsubnet=172.24.1.0/24
    rightsourceip=172.24.11.0/30

ipsec statusall:


IPSec-IKEv2-OR1:  %any...%any  IKEv2, dpddelay=300s
IPSec-IKEv2-OR1:   local:  [neo.domain.com] uses pre-shared key authentication
IPSec-IKEv2-OR1:   remote: [or1.domain.com] uses pre-shared key authentication
IPSec-IKEv2-OR1:   child:  0.0.0.0/0 === 172.24.1.0/24 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
IPSec-IKEv2-OR1[27]: ESTABLISHED 15 hours ago, 172.22.43.25[neo.domain.com]...65.30.10.30[or1.domain.com]
IPSec-IKEv2-OR1[27]: IKEv2 SPIs: 11ab39c596594827_i b99ac8c02c1a67cb_r*, rekeying disabled
IPSec-IKEv2-OR1[27]: IKE proposal: AES_GCM_16_128/PRF_HMAC_SHA2_512/ECP_521
IPSec-IKEv2-OR1{9}:  INSTALLED, TUNNEL, reqid 9, ESP in UDP SPIs: cbeb450d_i c0060d1c_o
IPSec-IKEv2-OR1{9}:  CHACHA20_POLY1305, 5278 bytes_i (52 pkts, 474s ago), 15195 bytes_o (49 pkts, 474s ago), rekeying disabled
IPSec-IKEv2-OR1{9}:   0.0.0.0/0 === 172.24.1.0/24


Remote Host:

    strictcrlpolicy=yes
    uniqueids=no
    cachecrls=yes

conn %default
    keyexchange=ikev2
    keyingtries=4
    forceencaps=yes
    ikelifetime=2h
    lifetime=1h


conn IPSec-IKEv2-OR1
#
#
    ike=aes128gcm16-prfsha512-prfsha256-x25519-curve25519-ecp521!
    esp=chacha20poly1305-curve25519-x25519!

#
    auto=start
    fragmentation=yes
    dpdaction=clear
    dpddelay=300s
    reauth=no
    rekey=no
    authby=secret
#
    left=%any
    leftid=@or1.domain.com
    leftsubnet=172.24.1.0/24,172.24.11.0/30
    leftsourceip=%config
    leftupdown=/etc/nat_updown
#
    fragmentation=yes
    right=some_dynamicDNS.duckdns.org
    rightid=@neo.domain.com
    rightsubnet=0.0.0.0/0


ipsec statusall:

IPSec-IKEv2-OR1:  %any...some_dynamicDNS.duckdns.org  IKEv2, dpddelay=300s
IPSec-IKEv2-OR1:   local:  [or1.domain.com] uses pre-shared key authentication
IPSec-IKEv2-OR1:   remote: [neo.domain.com] uses pre-shared key authentication
IPSec-IKEv2-OR1:   child:  172.24.1.0/24 172.24.11.0/30 === 0.0.0.0/0 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
IPSec-IKEv2-OR1[1]: ESTABLISHED 14 hours ago, 172.22.43.80[or1.domain.com]...65.10.20.40[neo.domain.com]
IPSec-IKEv2-OR1[1]: IKEv2 SPIs: 11ab39c596594827_i* b99ac8c02c1a67cb_r, rekeying disabled
IPSec-IKEv2-OR1[1]: IKE proposal: AES_GCM_16_128/PRF_HMAC_SHA2_512/ECP_521
IPSec-IKEv2-OR1{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c0060d1c_i cbeb450d_o
IPSec-IKEv2-OR1{1}:  CHACHA20_POLY1305, 10881 bytes_i (46 pkts, 363s ago), 5278 bytes_o (52 pkts, 363s ago), rekeying disabled
IPSec-IKEv2-OR1{1}:   172.24.1.0/24 === 0.0.0.0/0
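A check worth running on a full-tunnel setup like the one above, before touching NAT or routing: the remote host's rightsubnet=0.0.0.0/0 traffic selector encloses its own leftsubnet (172.24.1.0/24 and 172.24.11.0/30), so strongSwan's installed policy also matches traffic between hosts on the eth1 LAN unless a separate type=passthrough conn excludes it. The script below is an added example, not code from the post or from strongSwan; it parses ipsec.conf-style conn sections and reports every local subnet that a remote selector fully contains. The sample configuration embedded in it is constructed from the remote host config quoted above.

```python
"""Flag ipsec.conf conn sections whose remote traffic selector encloses the
local subnet (e.g. rightsubnet=0.0.0.0/0 with leftsubnet=172.24.1.0/24).
Such a policy also matches LAN-local traffic on the gateway unless a
passthrough shunt excludes it. Added example, not strongSwan's own code."""
import ipaddress
import re

# Constructed sample modelled on the remote host config quoted in the post.
SAMPLE_CONF = """
conn %default
        keyexchange=ikev2

conn IPSec-IKEv2-OR1
    auto=start
    leftsubnet=172.24.1.0/24,172.24.11.0/30
    leftsourceip=%config
    rightsubnet=0.0.0.0/0    # full tunnel: everything goes to the hub
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for each 'conn' section."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            conns[current][key.strip()] = value.strip()
    return conns


def subnets(value):
    """Split a comma-separated subnet list; skip non-CIDR tokens like %dynamic."""
    nets = []
    for tok in value.split(","):
        tok = tok.strip()
        try:
            nets.append(ipaddress.ip_network(tok, strict=False))
        except ValueError:
            continue
    return nets


def enclosed_local_subnets(conn):
    """Local (left) subnets fully contained in some remote (right) subnet."""
    local = subnets(conn.get("leftsubnet", ""))
    remote = subnets(conn.get("rightsubnet", ""))
    return [str(l) for l in local
            for r in remote if l.version == r.version and l.subnet_of(r)]


def check_config(text):
    """Map each non-default conn to the local subnets its remote selector
    encloses; an empty list means no passthrough shunt is needed."""
    return {name: enclosed_local_subnets(conn)
            for name, conn in parse_conns(text).items()
            if name != "%default"}


if __name__ == "__main__":
    for name, hits in check_config(SAMPLE_CONF).items():
        if hits:
            print(f"{name}: remote selector encloses local subnet(s) {hits}; "
                  "add a type=passthrough conn for them so LAN-local traffic "
                  "is not pulled into the tunnel")
        else:
            print(f"{name}: OK")
```

Run it against the real /etc/ipsec.conf of the gateway (read the file into check_config) and, for every subnet it lists, verify with `ip xfrm policy` that a matching passthrough policy exists; if it does not, LAN-local packets on eth1 are subject to the 0.0.0.0/0 tunnel policy even though nothing on the hub side routes them back.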