Hi. I'm trying to do a full tunnel setup between my remote host and central location (both private and public internet traffic). I got my VPN setup working on the first ethernet interface (eth0); however, as soon as I try to get another device plugged into the second ethernet port of the VPN gateway (eth1), it will not work (reports that the IP address is taken). So I cannot use any devices on the second ethernet interface. But from the central network, I can ping the remote IP address (ping to 172.24.1.1 is successful).
However, if I remove the "rightsubnet=172.24.1.0/24" statement from the server config, I can now use devices connected to the second ethernet interface of the remote host, but routing is completely dead. The remote host is a simple OrangePi R1 with two ethernet interfaces. The primary interface is on a DHCP address (and has to be deployed that way), while the second ethernet interface (that will be used for other users) is using the 172.24.1.0/24 subnet. A DHCP server can be activated on this host, but right now it's not on. There is no real need to access the remote network from the main network, so I would be OK doing some NAT on the remote box, but either would work perfectly. (I also tried to do NAT on the remote box, but I'm unable to NAT traffic to the VPN connection at all.) Any ideas to get this setup working reliably? (Domain names and public IP addresses were modified.)

Configs:

Server Host:

strictcrlpolicy=yes
uniqueids=no
cachecrls=yes

conn %default
    keyexchange=ikev2
    keyingtries=4
    forceencaps=yes
    ikelifetime=2h
    lifetime=1h

conn IPSec-IKEv2-OR1
    #
    ike=aes128gcm16-prfsha512-prfsha256-x25519-curve25519-ecp521!
    esp=chacha20poly1305-curve25519-x25519!
    #
    auto=add
    fragmentation=yes
    dpdaction=clear
    dpddelay=300s
    reauth=no
    rekey=no
    authby=secret
    #
    left=%any
    leftid=@neo.domain.com
    leftsubnet=0.0.0.0/0
    fragmentation=yes
    right=%any
    rightid=@or1.domain.com
    rightsubnet=172.24.1.0/24
    rightsourceip=172.24.11.0/30

ipsec statusall:

IPSec-IKEv2-OR1:  %any...%any  IKEv2, dpddelay=300s
IPSec-IKEv2-OR1:   local:  [neo.domain.com] uses pre-shared key authentication
IPSec-IKEv2-OR1:   remote: [or1.domain.com] uses pre-shared key authentication
IPSec-IKEv2-OR1:   child:  0.0.0.0/0 === 172.24.1.0/24 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
IPSec-IKEv2-OR1[27]: ESTABLISHED 15 hours ago, 172.22.43.25[neo.domain.com]...65.30.10.30[or1.domain.com]
IPSec-IKEv2-OR1[27]: IKEv2 SPIs: 11ab39c596594827_i b99ac8c02c1a67cb_r*, rekeying disabled
IPSec-IKEv2-OR1[27]: IKE proposal: AES_GCM_16_128/PRF_HMAC_SHA2_512/ECP_521
IPSec-IKEv2-OR1{9}:  INSTALLED, TUNNEL, reqid 9, ESP in UDP SPIs: cbeb450d_i c0060d1c_o
IPSec-IKEv2-OR1{9}:  CHACHA20_POLY1305, 5278 bytes_i (52 pkts, 474s ago), 15195 bytes_o (49 pkts, 474s ago), rekeying disabled
IPSec-IKEv2-OR1{9}:   0.0.0.0/0 === 172.24.1.0/24

Remote Host:

strictcrlpolicy=yes
uniqueids=no
cachecrls=yes

conn %default
    keyexchange=ikev2
    keyingtries=4
    forceencaps=yes
    ikelifetime=2h
    lifetime=1h

conn IPSec-IKEv2-OR1
    #
    #
    ike=aes128gcm16-prfsha512-prfsha256-x25519-curve25519-ecp521!
    esp=chacha20poly1305-curve25519-x25519!
    #
    auto=start
    fragmentation=yes
    dpdaction=clear
    dpddelay=300s
    reauth=no
    rekey=no
    authby=secret
    #
    left=%any
    leftid=@or1.domain.com
    leftsubnet=172.24.1.0/24,172.24.11.0/30
    leftsourceip=%config
    leftupdown=/etc/nat_updown
    #
    fragmentation=yes
    right=some_dynamicDNS.duckdns.org
    rightid=@neo.domain.com
    rightsubnet=0.0.0.0/0

ipsec statusall:

IPSec-IKEv2-OR1:  %any...some_dynamicDNS.duckdns.org  IKEv2, dpddelay=300s
IPSec-IKEv2-OR1:   local:  [or1.domain.com] uses pre-shared key authentication
IPSec-IKEv2-OR1:   remote: [neo.domain.com] uses pre-shared key authentication
IPSec-IKEv2-OR1:   child:  172.24.1.0/24 172.24.11.0/30 === 0.0.0.0/0 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
IPSec-IKEv2-OR1[1]: ESTABLISHED 14 hours ago, 172.22.43.80[or1.domain.com]...65.10.20.40[neo.domain.com]
IPSec-IKEv2-OR1[1]: IKEv2 SPIs: 11ab39c596594827_i* b99ac8c02c1a67cb_r, rekeying disabled
IPSec-IKEv2-OR1[1]: IKE proposal: AES_GCM_16_128/PRF_HMAC_SHA2_512/ECP_521
IPSec-IKEv2-OR1{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c0060d1c_i cbeb450d_o
IPSec-IKEv2-OR1{1}:  CHACHA20_POLY1305, 10881 bytes_i (46 pkts, 363s ago), 5278 bytes_o (52 pkts, 363s ago), rekeying disabled
IPSec-IKEv2-OR1{1}:   172.24.1.0/24 === 0.0.0.0/0
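The post mentions a leftupdown=/etc/nat_updown script for the NAT variant but does not show it. The following is an added example of such a strongSwan updown script for the remote gateway, written here and not taken from the post: it rewrites the eth1 LAN's source addresses to the virtual IP the server hands out, and it installs the NAT and forwarding rules only while the CHILD_SA exists, so the LAN is never forwarded out of eth0 in the clear when the tunnel is down. Assumptions not stated in the post: the LAN interface is eth1, the uplink is eth0, the LAN is 172.24.1.0/24, the FORWARD chain's default policy is DROP, and the peer actually assigns a virtual IP (strongSwan's updown plugin then exports it as PLUTO_MY_SOURCEIP; PLUTO_VERB is also set by that plugin). DRYRUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# /etc/nat_updown (added example, not the poster's script): strongSwan
# updown hook for the remote gateway. Invoked by charon with PLUTO_VERB set
# to up-client / down-client when the CHILD_SA for the LAN is installed or
# removed. Assumed values (not from the post): eth1 = LAN, eth0 = uplink,
# LAN 172.24.1.0/24, FORWARD policy DROP. DRYRUN=1 prints instead of running.
set -eu

LAN_NET="${LAN_NET:-172.24.1.0/24}"
LAN_IF="${LAN_IF:-eth1}"
UPLINK="${UPLINK:-eth0}"

# Print the nat-table rule that rewrites LAN sources to the assigned virtual
# IP. $1 is -A (install) or -D (remove). Fails when no virtual IP was
# assigned, so up_client refuses to open the LAN with an unNATed source.
snat_rule() {
    vip="${PLUTO_MY_SOURCEIP:-}"
    [ -n "$vip" ] || { echo "nat_updown: no virtual IP assigned, not installing NAT" >&2; return 1; }
    printf 'iptables -t nat %s POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
        "$1" "$LAN_NET" "$UPLINK" "$vip"
}

# Print the two FORWARD rules for the LAN (outbound, and replies back in).
# They exist only while the tunnel is up; with FORWARD policy DROP the LAN
# cannot reach the uplink at all once the CHILD_SA is gone.
forward_rules() {
    printf 'iptables %s FORWARD -i %s -o %s -s %s -j ACCEPT\n' \
        "$1" "$LAN_IF" "$UPLINK" "$LAN_NET"
    printf 'iptables %s FORWARD -i %s -o %s -d %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        "$1" "$UPLINK" "$LAN_IF" "$LAN_NET"
}

# Execute one command line, or just print it under DRYRUN=1.
apply() {
    if [ "${DRYRUN:-0}" = 1 ]; then printf '%s\n' "$1"; else sh -c "$1"; fi
}

up_client() {
    rule="$(snat_rule -A)" || return 1      # no virtual IP: keep the LAN isolated
    apply "sysctl -q -w net.ipv4.ip_forward=1"
    apply "$rule"
    forward_rules -A | while IFS= read -r cmd; do apply "$cmd"; done
}

down_client() {
    rule="$(snat_rule -D)" || return 0      # nothing was installed on the way up
    forward_rules -D | while IFS= read -r cmd; do apply "$cmd"; done
    apply "$rule"
}

# charon also calls the script for up-host/down-host and the IPv6 verbs;
# this hook has nothing to do for those.
case "${PLUTO_VERB:-}" in
    up-client)   up_client ;;
    down-client) down_client ;;
    *) : ;;
esac
```

Routing is deliberately left alone: charon installs the tunnel routes itself (routing table 220), so the hook only has to own the NAT and forwarding rules. The SNAT target has to be the virtual IP rather than the eth0 DHCP address because the peer's policy (rightsourceip=172.24.11.0/30 on the server) only protects traffic from that address; if the server never assigns one, the script logs it and installs nothing, which is a safer failure than forwarding the LAN unencrypted.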