[strongSwan] Site-to-site where LAN subnet of each side is WireGuard

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Tue Feb 11 19:51:04 CET 2020

Hello Quân,

Configs look good.
Make sure wireguard is configured correctly (and so are the clients of each server) to route the packets to the other server's subnet over the WG server.
Also, later you might need to use some TCPMSS fixing and/or MTU/MSS setting of the routes by using charon.plugins.kernel_netlink.mss/mtu to make TCP work.
Dump traffic on wg0 of the other server while you ping one of its wg clients from this server. That should give you an idea regarding how far the packets make it.
You can also configure logging of martians via sysctl and use an iptables TRACE rule to see the processing of the packets in your iptables rule set.

Kind regards


On 11.02.20 at 17:59, Nguyễn Hồng Quân wrote:
> Update:
> After I added this to each server:
> iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
> I can ping Sun's WireGuard IP ( from Moon and vice versa.
> But I cannot ping other IPs in the WireGuard LAN yet (cannot ping from Moon, even though the machine is up).
> On Tue, Feb 11, 2020 at 11:48 PM Nguyễn Hồng Quân <ng.hong.quan at gmail.com> wrote:
>     Hi Noel
>     Here are all the log and swanctl config (except the certificates).
>     I create the connection config in /etc/swanctl/conf.d/, without modifying the default /etc/swanctl/swanctl.conf (keep it as original as packaged by Ubuntu 19.10).
>     https://bitbucket.org/snippets/hongquan/ynzxjg
> -- 
> Quân
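The POSTROUTING rule Quân added only helps if it is evaluated before the MASQUERADE/SNAT rule that normally NATs WireGuard clients out of the WAN interface; otherwise packets for the remote subnet leave with the WAN address and never match the IPsec policy. The script below is an added example, not code from the thread or from strongSwan: it checks that ordering on a constructed `iptables -t nat -S POSTROUTING` listing and prints the diagnostics Noel suggests (the interface name `wg0`, `eth0` and the subnets are assumptions).

```shell
#!/bin/sh
# Added example (not from the list post). Interface and subnet names are
# assumptions; the two rule listings are constructed, not real captures.

# Wrong order: MASQUERADE runs first, so traffic for the remote WireGuard
# subnet is SNATed to the WAN address before the IPsec policy can match.
RULES_BAD='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.10.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT'

# Correct order: what `iptables -t nat -I POSTROUTING ...` produces, the
# exemption sits at position 1 ahead of the NAT rule.
RULES_GOOD='-P POSTROUTING ACCEPT
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.10.0.0/24 -o eth0 -j MASQUERADE'

# ipsec_exempt_ok LISTING
# Exit 0 when an "-m policy --pol ipsec --dir out -j ACCEPT" rule exists and
# precedes the first MASQUERADE/SNAT rule; exit 1 when missing or too late.
ipsec_exempt_ok() {
    printf '%s\n' "$1" | awk '
        /-j (MASQUERADE|SNAT)/ && !nat                      { nat = NR }
        /--pol ipsec/ && /--dir out/ && /-j ACCEPT/ && !pol { pol = NR }
        END { if (!pol) exit 1; if (nat && nat < pol) exit 1; exit 0 }'
}

# diag_cmds WG_IF REMOTE_SUBNET
# Print (do not run) the checks from the reply: capture ICMP on the
# WireGuard interface, log martians, and TRACE packets for the remote subnet.
diag_cmds() {
    wg_if=$1; remote=$2
    cat <<EOF
tcpdump -ni $wg_if icmp
sysctl -w net.ipv4.conf.all.log_martians=1
iptables -t raw -I PREROUTING -s $remote -j TRACE
iptables -t raw -I OUTPUT -d $remote -j TRACE
EOF
}

if ipsec_exempt_ok "$RULES_BAD"; then
    echo "bad listing unexpectedly passed"
else
    echo "bad listing: NAT rule precedes the IPsec exemption, tunnel traffic gets SNATed"
fi
ipsec_exempt_ok "$RULES_GOOD" && echo "good listing: exemption ordered before NAT"
diag_cmds wg0 10.20.0.0/24
```

Feed it the real output of `iptables -t nat -S POSTROUTING` from each server to confirm the exemption is ordered correctly before chasing the routing side.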
