[strongSwan] Help with setup

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Tue Feb 1 22:17:44 CET 2022


Hi

If your setup is as below:


(192.168.127.2)PC1----(127.254)[Home]====ipsec tunnel====[workrouter](126.254)-----PC2(192.168.126.2)

1. Then, with the tunnel established (or send traffic from PC1 to PC2 or
vice versa to bring up the tunnel), try traffic (ping, etc.) between PC1
and PC2.

2. I see in the logs that the ping is between 192.168.127.254 and
192.168.126.254, meaning you are pinging from the home router to the
internal LAN interface IP address of the work router.
For this specific traffic scenario (where you are accessing the
internal interface of the IPsec peer gateway) to work, you will also
need to use the option below in the children section of swanctl.conf on
both gateways:

hostaccess = yes

Note: This corresponds to the similar option used in "ipsec.conf"
files, "lefthostaccess=yes".

This will result in 2 permit rules being added by the updown script to the
INPUT and OUTPUT chains, and only then will you be able to
ping (or send other supported traffic) to the internal LAN interface of the remote
IPsec peer gateway (from the local IPsec peer gateway or from the LAN hosts behind it).


thanks & regards





On Wed, Feb 2, 2022 at 1:57 AM Michael Deignan <michael.p.deignan at gmail.com>
wrote:

> Hello Rajiv, thanks for the suggestions.
>
> I added your suggested rules at the start of each chain. I also opted to
> add another rule at the bottom of the chain, so I could see whether in fact
> anything was being rejected.
>
> -A INPUT -j LOG --log-prefix "IPv4-In-Drop: "
> -A INPUT -j DROP
>
> Once I added the log statement, I can see packets being dropped in my
> syslog:
>
> Feb  1 15:13:23 WorkRouter kernel: IPv4-In-Drop: IN=Internet OUT=
> MAC=bc:30:5b:e3:9f:28:20:b3:99:cc:c2:24:08:00 SRC=192.168.127.254
> DST=192.168.126.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=37930 DF PROTO=ICMP
> TYPE=8 CODE=0 ID=23320 SEQ=25
>
> At this point I added similar logging rules to both the OUTPUT and FORWARD
> chains so I could see any forward or output drops.
>
> I also added
>
> -A INPUT -s 192.168.127.0/24 -d 192.168.126.0/24 -j ACCEPT
>
> to the input chain. I also added similar rules on the home router for
> logging and the reverse traffic flow.
>
> Sadly, this had the effect of making the input reject logging messages
> disappear on the ping, but there were no further logging messages about rejected
> packets, despite the fact that I still could not ping, ssh, etc. from
> one subnet to the other.
>
> I think I am getting closer, but obviously I am still missing something,
> somewhere to tie it all together.
>