[strongSwan] Roadwarrior unable to access LAN with local_ts = 0.0.0.0/0 specified on the server
Glen Huang
heyhgl at gmail.com
Wed Jan 6 01:36:46 CET 2021
Installing farp fixed it.
> On Jan 5, 2021, at 11:52 AM, Glen Huang <heyhgl at gmail.com> wrote:
>
> I have a working LAN on 192.168.1.x, and an IKEv2 server on 192.168.1.1. A roadwarrior is able to connect to it, and is correctly assigned a LAN IP 192.168.1.50, and the strongswan server log says the TS pair is 0.0.0.0/0 === 192.168.1.50/32
>
> However, what the roadwarrior can do is extremely limited:
> 1. It can successfully ping 192.168.1.1, but connecting to 192.168.1.1 is immediately rejected, e.g., ssh to port 22 or dns request to port 53.
> 2. It can’t access other machines on the LAN.
> 3. It can’t access the internet.
>
> LAN machines can access 192.168.1.1 and the internet without issues.
>
> I thought a local_ts = 0.0.0.0/0 was going to put roadwarriors as equal citizens with the machines on the LAN. I wonder what I missed?
>
> 192.168.1.1 is both the gateway and IKEv2 server, not sure if that matters.
>
> Here is my swanctl.conf:
>
> connections {
>     main {
>         version = 2
>         pools = main
>         proposals = aes128gcm16-prfsha256-ecp256,aes128gcm16-prfsha256-x25519,aes256gcm16-prfsha384-ecp384,aes256gcm16-prfsha384-x25519,chacha20poly1305-prfsha384-x25519
>         send_certreq = no
>         childless = never
>         local {
>             auth = pubkey
>         }
>         remote {
>             auth = pubkey
>         }
>         children {
>             child {
>                 local_ts = 0.0.0.0/0
>                 esp_proposals = aes128gcm16-ecp256,aes128gcm16-x25519,aes256gcm16-ecp384,aes256gcm16-x25519,chacha20poly1305-x25519
>                 hw_offload = auto
>             }
>         }
>     }
> }
>
> pools {
>     main {
>         addrs = 192.168.1.50 - 192.168.1.99
>         dns = 192.168.1.1
>     }
> }
>
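An added checker (not from this thread or from strongSwan) that encodes why farp resolved the problem: when the virtual-IP pool lies inside the gateway's own LAN subnet, LAN hosts ARP for the roadwarrior's address and the gateway has to answer on its behalf, which is what the farp plugin does. The pool and LAN values are constructed to match the thread, and the `loaded plugins:` line is assumed to be what `swanctl --stats` prints.

```python
import ipaddress
import re

# Constructed inputs modelled on the thread (not the poster's actual files).
POOL_ADDRS = "192.168.1.50 - 192.168.1.99"   # swanctl pools { main { addrs } }
LAN = "192.168.1.0/24"                       # gateway's LAN, 192.168.1.1 in it
# Assumed shape of the `swanctl --stats` "loaded plugins:" line (constructed).
STATS_WITH_FARP = "loaded plugins: charon aes sha2 random nonce x509 farp vici\n"
STATS_WITHOUT_FARP = "loaded plugins: charon aes sha2 random nonce x509 vici\n"


def parse_pool(addrs):
    """Networks covered by a swanctl `addrs` value: a CIDR or an "a - b" range."""
    addrs = addrs.strip()
    if "-" in addrs:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in addrs.split("-", 1))
        if hi < lo:
            raise ValueError("pool range end precedes start: %s" % addrs)
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(addrs, strict=False)]


def pool_overlaps_lan(addrs, lan_cidr):
    """True when any virtual IP handed out by the pool sits inside the LAN."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    return any(net.overlaps(lan) for net in parse_pool(addrs))


def farp_loaded(stats_output):
    """True when 'farp' appears in the loaded-plugins line of `swanctl --stats`."""
    m = re.search(r"^loaded plugins:\s*(.*)$", stats_output, re.MULTILINE)
    return bool(m) and "farp" in m.group(1).split()


def diagnose(addrs, lan_cidr, stats_output):
    """Classify the setup: 'needs-farp', 'farp-ok', or 'routed-pool'.

    A pool inside the LAN makes the gateway responsible for answering ARP
    for the roadwarrior's address; farp is the plugin that does that.
    A pool outside the LAN is reached via routing/NAT instead, so farp is moot.
    """
    if not pool_overlaps_lan(addrs, lan_cidr):
        return "routed-pool"
    return "farp-ok" if farp_loaded(stats_output) else "needs-farp"


if __name__ == "__main__":
    print(diagnose(POOL_ADDRS, LAN, STATS_WITHOUT_FARP))  # needs-farp
    print(diagnose(POOL_ADDRS, LAN, STATS_WITH_FARP))     # farp-ok
```

On a live gateway, feed the real `swanctl --stats` output and the `addrs` line from swanctl.conf into `diagnose` to see whether the virtual-IP pool depends on proxy ARP.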