Hey Chris,
Thanks for your reply. I checked the presence of a gateway route with "ip
route get 192.168.10.0/24" and got the output
"192.168.10.1 dev eth0 src 10.137.0.10 uid 0", so I guess a route is set.
I also tried calling qubes-setup-dnat-to-ns and checked the connection
again, but it seems like nothing happened. Do I have to run it on the
proxyVM (as resolv.conf is only altered in this VM)?
I had another idea regarding network devices. If I list all devices with
ifconfig, only eth0 and lo are shown. Keeping in mind that every AppVM
has its own NAT device, I looked up all net devices with "cat
/proc/net/dev", and then another device "vif17.0" showed up. Does this
interfere with routing? Do I have to set up rules regarding this device?
Regards,
Supraleiter
On 05.11.2019 22:29, Chris Laprise wrote:
On 11/5/19 8:41 AM, Supraleiter wrote:
Hello Guys,
I have a problem concerning IPsec routing in Qubes.
After setting up a network-providing AppVM (formerly “ProxyVM”) with a
strongSwan client, I try to connect to a publicly available IKEv2 VPN
server over WAN. The client tells me that a connection is established
and everything seems to work fine, but when trying to ping any host in
the private subnet, nothing happens.
I already tried to add the following suggested iptables rules in the proxyVM
(despite the fact that I believe they are not necessary for the client
but for a gateway):
iptables -t nat -A POSTROUTING -s 10.137.0.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.137.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
I also tried to use the “sys-net” VM as network provider as an alternative to
“sys-firewall” to circumvent any firewall-related problem, but it does
not work either.
Are there any other (maybe Qubes-specific) settings I have to set up
to make the proxyVM send traffic over the IPsec tunnel (strongSwan does
not install a virtual network device)?
Several config files and shell outputs are given below.
Thank you very much.
Hi,
I'm not familiar with IPsec routing policies, but have you checked the
routing table after connecting? Other VPN clients declare tunnel IPs
as gateways by default, and I'm wondering if a gateway route is what's
missing here.
Also make sure your initial ping attempts use the subnet's IP address
and not host names.
And after resolv.conf is modified, you should run
'/usr/lib/qubes/qubes-setup-dnat-to-ns' to set up NAT for downstream VM
DNS.
Finally, once you get the link working, you may want to set up an
anti-leak barrier in forwarding, such as what is shown in the Qubes
Network Manager VPN doc (i.e. block all forwarding to eth0).
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/44653856099d7209e7b43c21d7de3633%40posteo.de.
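The anti-leak forwarding barrier Chris suggests needs one adjustment for policy-based IPsec, where strongSwan installs no tunnel device: the forwarded plaintext packet leaves through eth0 and is only encrypted afterwards, so the "-m policy --pol ipsec" match from the rules quoted above is what separates tunnelled forwarding from clear-text leaks. The script below is an added example, not code from the thread or from the Qubes docs; it assumes eth0 is the upstream interface as in the thread, prints the barrier rules as a dry run, and audits an "iptables -S FORWARD" listing (a constructed sample is embedded) for the two ways the barrier can go wrong: a clear-text ACCEPT to eth0, or a catch-all DROP placed ahead of the IPsec ACCEPT.

```shell
#!/bin/sh
# Added example, not from the thread: anti-leak FORWARD barrier for a
# Qubes ProxyVM running policy-based IPsec (strongSwan, no tunnel device).
# With policy-based IPsec the forwarded plaintext packet traverses FORWARD
# with outgoing device eth0 before ESP encapsulation, so a bare
# "-o eth0 -j DROP" would also kill tunnel traffic; the -m policy match
# separates IPsec-protected forwarding from clear-text leaks.
# Assumption: upstream interface is eth0, as in the thread.

# Print the rules (dry run). Each -I prepends, so the final order is
# IPsec ACCEPT before the catch-all DROP, in both directions.
leak_barrier_rules() {
    cat <<'EOF'
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
iptables -I FORWARD -i eth0 -j DROP
iptables -I FORWARD -i eth0 -m policy --dir in --pol ipsec -j ACCEPT
EOF
}

# Audit the egress side of a ruleset read from stdin (output of
# "iptables -S FORWARD"). Exit codes:
#   0 barrier present and ordered correctly
#   1 clear-text egress to eth0 possible (no DROP, or ACCEPT without policy)
#   2 catch-all DROP shadows or replaces the IPsec ACCEPT: tunnel blocked
check_forward_barrier() {
    awk '
    /-o eth0/ && /-j ACCEPT/ && !/--pol ipsec/ { leak = 1 }
    /-o eth0/ && /-j ACCEPT/ &&  /--pol ipsec/ { if (!accept) accept = NR }
    /-o eth0/ && /-j DROP/   && !/--pol/       { if (!drop)   drop   = NR }
    END {
        if (leak || !drop)            exit 1
        if (!accept || drop < accept) exit 2
        exit 0
    }'
}

# Constructed sample of a correctly ordered FORWARD chain for a quick run.
SAMPLE_FORWARD='-P FORWARD DROP
-A FORWARD -i eth0 -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -i eth0 -j DROP
-A FORWARD -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -o eth0 -j DROP'

leak_barrier_rules
printf '%s\n' "$SAMPLE_FORWARD" | check_forward_barrier && echo "barrier OK"
```

On a live ProxyVM, pipe the rule listing in with "iptables -S FORWARD | check_forward_barrier" after applying the rules from the dry run.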