[strongSwan] access roadwarriors from server's LAN - how?

lejeczek peljasz at yahoo.co.uk
Mon Jun 15 09:53:55 CEST 2020



On 15/06/2020 07:16, Volodymyr Litovka wrote:
>
> Hi L.,
>
> if you can ping server from client, then, in general, you
> can ping everything from everywhere.
>
> It is a question of routing and firewalls, e.g.
>
> - NodeA at LAN should know, that ClientA at VPN resides behind
> VPNSrv at LAN
>
> - ClientA at VPN should allow access to his services from VPN
> connection
>
>
Could it be that my strongswan does not handle my case well?
My case is such that:
a) my server runs a client to a "public" VPN of which end I
know almost nothing - this part works well.
b) my server is also the server for my own VPN clients - and
here is where I cannot access those roadwarriors (but they
can ping server's LAN)

Here is when a roadwarrior connects okey and server show
this for table 220:

10.3.9.1 dev ipsec0 table 220 proto static src 10.3.1.101 (a
client connected to my server, pool for clients is
10.3.9.0/24 while server's LAN is 10.3.1.0/24)
172.16.0.0/12 dev ipsec0 table 220 proto static src
172.16.32.73 (server is client to a public VPN)

If I'm not asking too much then I wonder - is it the
strongswan not doing something or doing something wrong but
can be helped somehow? (config/plugin/hooks etc.)
Or it's exclusively OS firewall/routing which needs fixing
outside and independently of strongswan? (but then it would
sort of defeat the purpose of strongswan in my opinion)

ps. If I give clients the pool of "dhcp" so roadwarriors
land on the same server's LAN then 'ping' to roadwarriors
works, but erratically.

many thanks, L


> On 14.06.2020 23:02, lejeczek wrote:
>> Hi guys,
>>
>> I have a strongswan serving clients and all seem to flow
>> nicely from roadwarriors to server's LAN.
>> I wonder now, before I'd go into configs and settings, how
>> to make roadworriors accessible from server's LAN.
>> Is this sever-client issues or something completely
>> independent and falls into OS's realm of networking, would
>> you know?
>>
>> many thanks, L.
>>
> --
> Volodymyr Litovka
>   "Vision without Execution is Hallucination." -- Thomas Edison




More information about the Users mailing list