Re: [strongSwan] Accessing VPN client from private network

2018-02-15 Thread Tobias Brunner
Hi Marco,

> FARP is configured on both client and gateway, and I can reach
> all the internal network from the vpn client (ubuntu linux).
> ...
> Still pinging the vpn client from the internal network does not work.

You mean you are able to e.g. ping hosts in the remote network from the
client (i.e. you get a response from an IP other than 192.168.1.10,
which belongs to the server)?  But if you try to ping the client's IP
(192.168.1.20) from a host in that network you don't get a reply?  Try
debugging this with tcpdump/Wireshark on the hosts in that network,
check if the ARP packets are correctly sent/received and where the ICMPs
requests go etc.  Also check your firewall/NAT rules.

Regards,
Tobias
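As an added illustration of the tcpdump check suggested above (this script is not part of the thread and not strongSwan's own tooling), the following Python pairs up ARP and ICMP echo lines from a capture taken on a LAN host with `tcpdump -n arp or icmp` and reports at which stage traffic towards the client's virtual IP stops. The line formats are tcpdump's default text output; the sample lines, the LAN host 192.168.1.30 and the MAC address are constructed for the example, only the virtual IP 192.168.1.20 comes from the thread.

```python
"""Check from a LAN host's capture whether a strongSwan virtual IP is answered.

With the farp plugin, the gateway should answer ARP requests for the virtual
IP with its own MAC, so a missing ARP reply and a missing ICMP echo reply point
at different problems.  Input lines are in tcpdump's default text format
(assumption: `tcpdump -n arp or icmp`, no -e); samples below are constructed.
"""
import re

ARP_REQ = re.compile(r"ARP, Request who-has ([\d.]+) tell ([\d.]+)")
ARP_REPLY = re.compile(r"ARP, Reply ([\d.]+) is-at ([0-9a-f:]{17})")
ICMP = re.compile(r"IP ([\d.]+) > ([\d.]+): ICMP echo (request|reply)")

def analyze(lines, target_ip):
    """Count ARP and ICMP echo traffic concerning target_ip."""
    result = {
        "arp_requests": 0,
        "arp_replies": [],   # MACs that claimed target_ip (should be the gateway's NIC)
        "echo_requests": 0,
        "echo_replies": 0,
    }
    for line in lines:
        m = ARP_REQ.search(line)
        if m and m.group(1) == target_ip:
            result["arp_requests"] += 1
            continue
        m = ARP_REPLY.search(line)
        if m and m.group(1) == target_ip:
            result["arp_replies"].append(m.group(2))
            continue
        m = ICMP.search(line)
        if m:
            src, dst, kind = m.groups()
            if kind == "request" and dst == target_ip:
                result["echo_requests"] += 1
            elif kind == "reply" and src == target_ip:
                result["echo_replies"] += 1
    return result

def diagnose(result):
    """Map the counters to the stage where the traffic stops."""
    if result["arp_requests"] and not result["arp_replies"]:
        return "no ARP reply: nothing (farp on the gateway) is answering for the virtual IP"
    if len(set(result["arp_replies"])) > 1:
        return "conflicting ARP replies: the virtual IP is claimed by more than one MAC"
    if result["echo_requests"] and not result["echo_replies"]:
        return "ARP resolved but no echo reply: check forwarding, the tunnel and firewall rules on gateway and client"
    if result["echo_replies"]:
        return "reachable"
    return "no traffic for the target IP in the capture"

# Constructed sample captures: one where only ARP requests are seen, one that
# shows the complete ARP and ICMP exchange.
SAMPLE_NO_ARP_REPLY = [
    "23:19:40.000001 ARP, Request who-has 192.168.1.20 tell 192.168.1.30, length 28",
    "23:19:41.000001 ARP, Request who-has 192.168.1.20 tell 192.168.1.30, length 28",
]
SAMPLE_OK = [
    "23:19:40.000001 ARP, Request who-has 192.168.1.20 tell 192.168.1.30, length 28",
    "23:19:40.000200 ARP, Reply 192.168.1.20 is-at 02:00:00:00:00:01, length 28",
    "23:19:40.000300 IP 192.168.1.30 > 192.168.1.20: ICMP echo request, id 1, seq 1, length 64",
    "23:19:40.030000 IP 192.168.1.20 > 192.168.1.30: ICMP echo reply, id 1, seq 1, length 64",
]

if __name__ == "__main__":
    for name, sample in (("no ARP reply", SAMPLE_NO_ARP_REPLY), ("ok", SAMPLE_OK)):
        print(name, "->", diagnose(analyze(sample, "192.168.1.20")))
```

Feed it a real capture with `tcpdump -n -l arp or icmp | python3 check_vip.py` style piping, or save the capture to a file first; the MAC listed under `arp_replies` should be the gateway's LAN interface, which is what farp answers with.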

Re: [strongSwan] Accessing VPN client from private network

2018-02-14 Thread Marco Spinola Durante
Hi Tobias,

thanks. FARP is configured on both client and gateway, and I can reach all the 
internal network from the vpn client (ubuntu linux). The DHCP server is not on 
the gateway.
Still pinging the vpn client from the internal network does not work. Is there 
any other config to do? 

VPN CLIENT:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

conn vpn
        right=%me.domain.com
        rightid=server
        rightsubnet=192.168.1.0/24
        rightauth=psk
        left=%any
        leftid=client
        leftauth=eap-mschapv2
        leftsourceip=%config
        auto=add

Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.13.0-32-generic, x86_64):
  uptime: 27 minutes, since Feb 14 23:19:19 2018
  malloc: sbrk 3276800, mmap 532480, used 1419840, free 1856960
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, 
scheduled: 3
  loaded plugins: charon test-vectors unbound ldap pkcs11 aesni aes rc2 sha2 
sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey 
pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt 
af-alg fips-prf gmp agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl 
soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp 
stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 
eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic 
eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam 
xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip 
error-notify certexpire led radattr addrblock unity
Listening IP addresses:
  X.X.X.X
Connections:
vpn:  %any...me.domain.com,0.0.0.0/0,::/0  IKEv1/2
vpn:   local:  [client] uses EAP_MSCHAPV2 authentication
vpn:   remote: [server] uses pre-shared key authentication
vpn:   child:  dynamic === 192.168.1.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
vpn[1]: ESTABLISHED 27 minutes ago, X.X.X.X[server]...Y.Y.Y.Y[server]
vpn[1]: IKEv2 SPIs: 66945fc928466229_i* 825b15d6f370bd5e_r, EAP 
reauthentication in 2 hours
vpn[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
vpn{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c7fc94f7_i cb625e29_o
vpn{1}:  AES_CBC_128/HMAC_SHA1_96, 1512 bytes_i (18 pkts, 750s ago), 2940 
bytes_o (35 pkts, 750s ago), rekeying in 14 minutes
vpn{1}:   192.168.1.20/32 === 192.168.1.0/24

VPN SERVER/GATEWAY:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        strictcrlpolicy=no
        uniqueids = no

conn server-IKEV2
        auto=add
        dpdaction=clear
        keyexchange=ikev2

        #left
        #left=%any
        left=%defaultroute
        leftsubnet=192.168.1.0/24
        leftfirewall=yes
        leftauth=psk
        leftid=server

        #right
        right=%any
        # tried also %dhcp but no change
        rightsourceip=192.168.1.20
        rightauth=eap-mschapv2
        rightid=client

Status of IKE charon daemon (strongSwan 5.2.1, Linux 4.9.35-v7+, armv7l):
  uptime: 23 minutes, since Feb 14 23:17:54 2018
  malloc: sbrk 1216512, mmap 0, used 224680, free 991832
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, 
scheduled: 9
  loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation 
constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl 
fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default 
farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius 
eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp 
lookip error-notify certexpire led addrblock unity
Virtual IP pools (size/online/offline):
  192.168.1.20: 1/1/0
Listening IP addresses:
  192.168.1.10
Connections:
   iOS-IKEV2:  %any...%any  IKEv2, dpddelay=30s
   iOS-IKEV2:   local:  [server] uses pre-shared key authentication
   iOS-IKEV2:   remote: [client] uses EAP_MSCHAPV2 authentication
   iOS-IKEV2:   child:  192.168.1.0/24 === dynamic TUNNEL, dpdaction=clear
server-IKEV2:  %any...%any  IKEv2, dpddelay=30s
server-IKEV2:   local:  [server] uses pre-shared key authentication
server-IKEV2:   remote: [client] uses EAP_MSCHAPV2 authentication
server-IKEV2:   child:  192.168.1.0/24 === dynamic TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
server-IKEV2[4]: ESTABLISHED 21 minutes ago, 
192.168.1.10[server]...XXX.XXX.XXX.XXX[client]
server-IKEV2[4]: IKEv2 SPIs: 29624628c95f9466_i 5ebd70f3d6155b82_r*, pre-shared 
key reauthentication in 2 hours
server-IKEV2[4]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
server-IKEV2{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: cb625e29_i c7fc94f7_o
server-IKEV2{1}:  AES_CBC_128/HMAC_SHA1_96, 2940 bytes_i (35 pkts, 402s ago), 
1512 bytes_o (18 pkts, 402s ago), rekeying in 21 minutes
server-IKEV2{1}:   192.168.1.0/24 === 192.168.1.20/32 


Re: [strongSwan] Accessing VPN client from private network

2018-02-13 Thread Tobias Brunner
Hi Marco,

> VPN Client -> Gateway -> internal network with some servers
> The VPN gets an IP from DHCP Server (i.e 192.168.1.100)
> Gateway has IP 192.168.1.10, can ping the VPN client 192.168.1.100
> Pinging the VPN client from a server in the network (e.g. 192.168.1.20) does 
> not work.
> 
> What am I missing?

See [1].

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#Hosts-on-the-LAN