[strongSwan] access roadwarriors from server's LAN - how?

lejeczek peljasz at yahoo.co.uk
Mon Jun 15 11:00:16 CEST 2020 


On 15/06/2020 08:53, lejeczek wrote:
>
> On 15/06/2020 07:16, Volodymyr Litovka wrote:
>> Hi L.,
>>
>> if you can ping server from client, then, in general, you
>> can ping everything from everywhere.
>>
>> It is a question of routing and firewalls, e.g.
>>
>> - NodeA at LAN should know, that ClientA at VPN resides behind
>> VPNSrv at LAN
>>
>> - ClientA at VPN should allow access to his services from VPN
>> connection
>>
>>
> Could it be that my strongswan does not handle my case well?
> My case is such that:
> a) my server runs a client to a "public" VPN of which end I
> know almost nothing - this part works well.
> b) my server is also the server for my own VPN clients - and
> here is where I cannot access those roadwarriors (but they
> can ping server's LAN)
>
> Here is when a roadwarrior connects okey and server show
> this for table 220:
>
> 10.3.9.1 dev ipsec0 table 220 proto static src 10.3.1.101 (a
> client connected to my server, pool for clients is
> 10.3.9.0/24 while server's LAN is 10.3.1.0/24)
> 172.16.0.0/12 dev ipsec0 table 220 proto static src
> 172.16.32.73 (server is client to a public VPN)
>
> If I'm not asking too much then I wonder - is it the
> strongswan not doing something or doing something wrong but
> can be helped somehow? (config/plugin/hooks etc.)
> Or it's exclusively OS firewall/routing which needs fixing
> outside and independently of strongswan? (but then it would
> sort of defeat the purpose of strongswan in my opinion)
>
> ps. If I give clients the pool of "dhcp" so roadwarriors
> land on the same server's LAN then 'ping' to roadwarriors
> works, but erratically.
>
> many thanks, L
>
Okey, I think I know what is going on, but to resolve in a
way that "all" works will be a sticky wicket for me.

I put masquerading on ipsec0 interface for this one reason -
so some nodes on server's LAN have access to "public" VPN
network when Strongswan is "client" to a public VPN - this
mangles "something" in such a way that Strongswan's own LAN
cannot ping/get to Strongswan's own roadwarriors.

I'll keep fiddling with firewall as I hope there is a
resolution to my case but in the meanwhile if anybody has
any ideas and suggestions - I'll be grateful.

many thanks, L.

>> On 14.06.2020 23:02, lejeczek wrote:
>>> Hi guys,
>>>
>>> I have a strongswan serving clients and all seem to flow
>>> nicely from roadwarriors to server's LAN.
>>> I wonder now, before I'd go into configs and settings, how
>>> to make roadworriors accessible from server's LAN.
>>> Is this sever-client issues or something completely
>>> independent and falls into OS's realm of networking, would
>>> you know?
>>>
>>> many thanks, L.
>>>
>> --
>> Volodymyr Litovka
>>   "Vision without Execution is Hallucination." -- Thomas Edison
>

More information about the Users mailing list