[strongSwan] Site-to-site where LAN subnet of each side is WireGuard
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Tue Feb 11 11:24:35 CET 2020
Hello Quân,
Please provide the outputs of all commands as shown on the HelpRequests[1] page.
Kind regards
Noel
[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
On 11.02.20 at 11:15, Nguyễn Hồng Quân wrote:
> Hi, I'm trying to learn strongSwan.
>
> I have two VPS, quan.hoabinh.vn (103.92.28.225) and parking.nanochip.io (104.248.153.183), where I want to establish a site-to-site tunnel like this diagram:
>
> 192.168.12.0/24 -- | 103.92.28.225 | === | 104.248.153.183 | -- 192.168.18.0/24
>     moon-net             moon                  sun               sun-net
>
> Under each server is a LAN network built by WireGuard (192.168.12.0/24 and 192.168.18.0/24).
>
> This is the config on Moon server:
>
> # File: /etc/swanctl/conf.d/moon.conf
> connections {
>     net-net {
>         remote_addrs = 104.248.153.183
>         local {
>             auth = pubkey
>             certs = fullchain.pem
>         }
>         remote {
>             auth = pubkey
>         }
>         children {
>             net-net {
>                 local_ts = 192.168.12.0/24
>                 remote_ts = 192.168.18.0/24
>                 updown = /usr/lib/ipsec/_updown iptables
>                 start_action = trap
>             }
>         }
>     }
> }
>
> And config on Sun server:
>
> # File: /etc/swanctl/conf.d/sun.conf
> connections {
>     net-net {
>         remote_addrs = 103.92.28.225
>         local {
>             auth = pubkey
>             certs = fullchain.pem
>         }
>         remote {
>             auth = pubkey
>         }
>         children {
>             net-net {
>                 local_ts = 192.168.18.0/24
>                 remote_ts = 192.168.12.0/24
>                 updown = /usr/lib/ipsec/_updown iptables
>                 start_action = trap
>             }
>         }
>     }
> }
>
> The certificates are supplied by Let's Encrypt SSL.
>
> The tunnel seems to be established successfully, but from Moon server, I cannot ping 192.168.18.1, which is Sun's IP address in WireGuard VPN (no response).
>
> This is the log, observed on Sun server (target of ping):
>
> https://paste.ubuntu.com/p/j7HBMh2r8Y/
>
> iptables rules on Moon server:
>
> $ sudo iptables -S -t nat
> [sudo] password for quan:
> -P PREROUTING ACCEPT
> -P INPUT ACCEPT
> -P OUTPUT ACCEPT
> -P POSTROUTING ACCEPT
> -A POSTROUTING -o ens18 -j MASQUERADE
>
> $ sudo iptables -S
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
> -A FORWARD -s 192.168.18.0/24 -d 192.168.12.0/24 -i ens18 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> -A FORWARD -s 192.168.12.0/24 -d 192.168.18.0/24 -o ens18 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> -A FORWARD -i wg0 -j ACCEPT
>
> Please help to make ping work.
>
>
> --
> Quân
>
> Nguyễn Hồng Quân
> ☎ 093 9030 338
> Facebook: ng.hong.quan
> 🌏 quan.hoabinh.vn agriconnect.vn
>
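Two checks worth running on moon with the rule listings quoted above, written here as an added example that is not part of the thread: whether the POSTROUTING MASQUERADE on ens18 rewrites the source of tunnel-bound packets before any IPsec exemption, so they no longer match the child SA's traffic selectors, and whether the ping's source address even falls inside local_ts (a ping issued on the gateway itself without -I takes the ens18 address when the default route goes via ens18, which is outside 192.168.12.0/24). The rule listings are copied from the post as constructed sample input; the exemption rule in the second listing, the function names and the default-route assumption are mine.

```shell
#!/bin/sh
# Sample input constructed from the NAT listing quoted in the post.
NAT_AS_POSTED='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -o ens18 -j MASQUERADE'

# Same listing with an IPsec exemption placed ahead of the MASQUERADE rule
# (assumed fix for comparison, not from the post).
NAT_WITH_EXEMPT='-P POSTROUTING ACCEPT
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o ens18 -j MASQUERADE'

# Exit 0 (true) when a POSTROUTING MASQUERADE rule is reached before any
# "-m policy --dir out --pol ipsec" exemption: packets headed into the tunnel
# then leave with the public source address and fail the peer's policy check.
ipsec_traffic_is_masqueraded() {
    printf '%s\n' "$1" | awk '
        /^-A POSTROUTING/ && /--dir out/ && /--pol ipsec/ { exempt = 1 }
        /^-A POSTROUTING/ && /-j MASQUERADE/ && !exempt   { bad = 1 }
        END { exit (bad ? 0 : 1) }'
}

# Dotted-quad IPv4 address to a 32-bit integer (printf avoids %g rounding in awk).
ip_to_int() {
    printf '%s' "$1" | awk -F. '{ printf "%.0f\n", $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 }'
}

# Exit 0 when address $1 lies inside CIDR $2, e.g. in_cidr 192.168.12.1 192.168.12.0/24
in_cidr() {
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Stand-alone run: evaluate the posted ruleset and a ping sent without -I.
if ipsec_traffic_is_masqueraded "$NAT_AS_POSTED"; then
    echo "MASQUERADE on ens18 rewrites tunnel traffic; insert the --pol ipsec exemption before it"
fi
if ! in_cidr 103.92.28.225 192.168.12.0/24; then
    echo "ping sourced from 103.92.28.225 is outside local_ts; test with ping -I 192.168.12.1 instead"
fi
```

The same two functions can be fed the live output of `iptables -S -t nat` and the address `ip route get` reports for the destination, so the check is not tied to the pasted listing.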