[strongSwan] Roadwarrior unable to access LAN with local_ts = 0.0.0.0/0 specified on the server
Glen Huang
heyhgl at gmail.com
Tue Jan 5 04:52:25 CET 2021
I have working LAN on 192.168.1.x, and a IKEv2 server on 192.168.1.1. A roadwarrior is able to connect to it, and is correctly assigned a LAN IP 192.168.1.50, and the strongswan server log says the TS pair is 0.0.0.0/0 === 192.168.1.50/32
However, what the roadwarrior can do is extremely limited:
1. It can successfully ping 192.168.1.1, but connecting to 192.168.1.1 is immediately rejected, e.g., ssh to port 22 or dns request to port 53.
2. It can’t access other machines on the LAN.
3. It can’t access the internet.
LAN machines can access 192.168.1.1 and the internet without issues.
I thought a local_ts = 0.0.0.0/0 was going to put roadwarriors as equal citizens as the machines on the LAN. I wonder what did I miss?
192.168.1.1 is both the gateway and IKEv2 server, not sure if that matters.
Here is my swanctl.conf:
connections {
main {
version = 2
pools = main
proposals = aes128gcm16-prfsha256-ecp256,aes128gcm16-prfsha256-x25519,aes256gcm16-prfsha384-ecp384,aes256gcm16-prfsha384-x25519,chacha20poly1305-prfsha384-x25519
send_certreq = no
childless = never
local {
auth = pubkey
}
remote {
auth = pubkey
}
children {
child {
local_ts = 0.0.0.0/0
esp_proposals = aes128gcm16-ecp256,aes128gcm16-x25519,aes256gcm16-ecp384,aes256gcm16-x25519,chacha20poly1305-x25519
hw_offload = auto
}
}
}
}
pools {
main {
addrs = 192.168.1.50 - 192.168.1.99
dns = 192.168.1.1
}
}
More information about the Users
mailing list