[strongSwan] Site-to-site where LAN subnet of each side is WireGuard

Nguyễn Hồng Quân ng.hong.quan at gmail.com
Tue Feb 11 11:15:34 CET 2020 

Hi, I'm trying to learn StrongSwan

I have two VPS, quan.hoabinh.vn (103.92.28.225) and parking.nanochip.io
(104.248.153.183) where I want to establish a site-to-site tunnel like this
diagram:

192.168.12.0/24 -- | 103.92.28.225 | === | 104.248.153.183 | --
192.168.18.0/24
  moon-net               moon                    sun               sun-net

Under each server is a LAN network built by WireGuard (192.168.12.0/24 and
192.168.18.0/24).

This is the config on Moon server:

# File: /etc/swanctl/conf.d/moon.conf
connections {
        net-net {
                remote_addrs = 104.248.153.183
                local {
                        auth = pubkey
                        certs = fullchain.pem
                }
                remote {
                        auth = pubkey
                }
                children {
                        net-net {
                                local_ts = 192.168.12.0/24
                                remote_ts = 192.168.18.0/24
                                updown = /usr/lib/ipsec/_updown iptables
                                start_action = trap
                        }
                }
        }
}

And config on Sun server:

# File: /etc/swanctl/conf.d/sun.conf
connections {
        net-net {
                remote_addrs = 103.92.28.225
                local {
                        auth = pubkey
                        certs = fullchain.pem
                }
                remote {
                        auth = pubkey
                }
                children {
                        net-net {
                                local_ts = 192.168.18.0/24
                                remote_ts = 192.168.12.0/24
                                updown = /usr/lib/ipsec/_updown iptables
                                start_action = trap
                        }
                }
        }
}
The certificates are supplied by Let's Encrypt SSL.

The tunnel seems to be established successfully, but from Moon server, I
cannot ping 192.168.18.1, which is Sun's IP address in WireGuard VPN (no
response).

This is the log, observed on Sun server (target of ping):

https://paste.ubuntu.com/p/j7HBMh2r8Y/

iptables rules on Moon server:

$ sudo iptables -S -t nat
[sudo] password for quan:
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -o ens18 -j MASQUERADE

$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -s 192.168.18.0/24 -d 192.168.12.0/24 -i ens18 -m policy --dir
in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.12.0/24 -d 192.168.18.0/24 -o ens18 -m policy --dir
out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
Please help to make ping work.


-- 
Quân

Nguyễn Hồng Quân
☎ 093 9030 338
Facebook: ng.hong.quan
🌏 quan.hoabinh.vn  agriconnect.vn
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20200211/c22ae8ea/attachment.html>

More information about the Users mailing list