[strongSwan] access roadwarriors from server's LAN - how?

lejeczek peljasz at yahoo.co.uk
Mon Jun 15 09:53:55 CEST 2020

On 15/06/2020 07:16, Volodymyr Litovka wrote:
> Hi L.,
> if you can ping server from client, then, in general, you
> can ping everything from everywhere.
> It is a question of routing and firewalls, e.g.
> - NodeA at LAN should know, that ClientA at VPN resides behind
> VPNSrv at LAN
> - ClientA at VPN should allow access to his services from VPN
> connection
Could it be that my strongswan does not handle my case well?
My case is such that:
a) my server runs a client to a "public" VPN of which end I
know almost nothing - this part works well.
b) my server is also the server for my own VPN clients - and
here is where I cannot access those roadwarriors (but they
can ping server's LAN)

Here is when a roadwarrior connects okay and the server shows
this for table 220: dev ipsec0 table 220 proto static src (a
client connected to my server, pool for clients is while server's LAN is dev ipsec0 table 220 proto static src (server is client to a public VPN)

If I'm not asking too much then I wonder - is it the
strongswan not doing something or doing something wrong but
can be helped somehow? (config/plugin/hooks etc.)
Or it's exclusively OS firewall/routing which needs fixing
outside and independently of strongswan? (but then it would
sort of defeat the purpose of strongswan in my opinion)

ps. If I give clients the pool of "dhcp" so roadwarriors
land on the same server's LAN then 'ping' to roadwarriors
works, but erratically.

many thanks, L

> On 14.06.2020 23:02, lejeczek wrote:
>> Hi guys,
>> I have a strongswan serving clients and all seem to flow
>> nicely from roadwarriors to server's LAN.
>> I wonder now, before I'd go into configs and settings, how
>> to make roadwarriors accessible from server's LAN.
>> Is this a server-client issue or something completely
>> independent that falls into the OS's realm of networking, would
>> you know?
>> many thanks, L.
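An added example, not code from the thread or from strongSwan: a small script that turns the server's table-220 dump into the two pieces Volodymyr lists, return routes for the LAN nodes and FORWARD rules for the server. It assumes the roadwarrior routes in table 220 leave via ipsec0 with `src` set to the server's LAN address (hypothetical, since the real addresses were stripped from the archived message); the default route is treated as the server's own tunnel to the public VPN and skipped.

```shell
#!/bin/sh
# Added example (not from the thread): derive LAN-side return routes and
# server-side FORWARD rules from `ip route show table 220` output.
# All addresses below are constructed placeholders.

# Constructed stand-in for the poster's table-220 dump: one roadwarrior
# virtual IP (case b) and the server's own tunnel to a public VPN (case a).
TABLE220_SAMPLE='10.99.0.5 dev ipsec0 table 220 proto static src 192.168.1.10
default dev ipsec0 table 220 proto static src 100.64.7.23'

SERVER_LAN_IP=192.168.1.10      # placeholder: VPNSrv address on the LAN
LAN_PREFIX=192.168.1.0/24       # placeholder: the server's LAN

# Print the roadwarrior prefixes: table-220 entries routed out ipsec0 whose
# src is the server's LAN address (assumption). The default route is the
# server's uplink tunnel, not a client, so it is skipped.
roadwarrior_prefixes() {
  printf '%s\n' "$1" | awk -v srv="$2" '
    $1 == "default" || $1 ~ /^0\.0\.0\.0/ { next }
    {
      dev = ""; src = ""
      for (i = 1; i < NF; i++) {
        if ($i == "dev") dev = $(i + 1)
        if ($i == "src") src = $(i + 1)
      }
    }
    dev == "ipsec0" && src == srv { print $1 }'
}

# For each LAN node: send traffic for the pool to VPNSrv (first point above).
lan_return_routes() {
  for p in $(roadwarrior_prefixes "$1" "$2"); do
    printf 'ip route add %s via %s\n' "$p" "$2"
  done
}

# For the VPN server: allow LAN traffic to be forwarded into the tunnel
# (requires net.ipv4.ip_forward=1 as well).
server_forward_rules() {
  for p in $(roadwarrior_prefixes "$1" "$2"); do
    printf 'iptables -A FORWARD -s %s -d %s -j ACCEPT\n' "$3" "$p"
  done
}

lan_return_routes "$TABLE220_SAMPLE" "$SERVER_LAN_IP"
server_forward_rules "$TABLE220_SAMPLE" "$SERVER_LAN_IP" "$LAN_PREFIX"
```

Feed it the real `ip route show table 220` output and the server's actual LAN address; the emitted commands are what the LAN nodes and the server are missing if the roadwarriors can reach the LAN but not the reverse.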
