Hello, I have been struggling to set up a strongSwan gateway for two weeks now with no success and I'm now at my wits' end.

I run an Ubuntu server with two network interfaces. One interface (eth0) is connected to a Sky router with DMZ enabled to the server, and the other manages a local LAN (br-lan). I want to set up a roadwarrior configuration in which the remote devices (Windows 7, Windows 8 and Android) can connect via strongSwan and act as local peers in the LAN. The network setup looks like this:

    RoadWarrior(x.x.x.a) <==> RemoteROUTER<x.x.x.b>/<y.y.y.y> <==INTERNET==> SkyRouter (DDNS and DMZ) <z.z.z.z>/<192.168.47.1/30> <==> Server <192.168.47.2>/<192.168.7.1> <==> LAN

I am using the dhcp and farp plugins and I have forwarding enabled in sysctl.conf (need it for NAT anyway). My current firewall rules are all set to ACCEPT to allow testing. I have restricted strongSwan to bind only to the LAN interface of the server <192.168.7.1>. There are also 4 port forwarding rules for the IPsec ports:

    iptables -A PREROUTING -p udp -d $EXTIP --dport 500 -j DNAT --to-destination 192.168.7.1:500
    iptables -A PREROUTING -p udp -d $EXTIP --dport 4500 -j DNAT --to-destination 192.168.7.1:4500
    iptables -A PREROUTING -p 50 -d $EXTIP -j DNAT --to-destination 192.168.7.1
    iptables -A PREROUTING -p 51 -d $EXTIP -j DNAT --to-destination 192.168.7.1

My routing table is as follows:

    default         192.168.47.1    0.0.0.0           UG    0 0 0 eth0
    192.168.7.0     *               255.255.255.0     U     0 0 0 br-lan
    192.168.47.0    *               255.255.255.252   U     0 0 0 eth0

ipsec.conf is:

    config setup
        charondebug = "dmn 0,mgr 1,ike 1,chd 1,job 1,cfg 1,knl 1,net 1,tls 1,lib 0,enc 0,tnc 0"
        cachecrls=yes
        uniqueids=yes

    conn roadwarrior-eap
        keyexchange=ikev2
        leftauth=pubkey
        leftcert=vpn-Cert.pem
        leftid=dnsname.com
        left=%any
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        lefthostaccess=yes
        right=%any
        rightsourceip=%dhcp
        rightauth=eap-mschapv2
        rightsendcert=never
        forceencaps=yes
        eap_identity=%any
        auto=add
        esp=aes-aes256-sha-modp1024,aes256-sha512-modp4096
        ike=aes-aes256-sha-modp1024,aes256-sha512-modp4096

and ipsec statusall is:

    Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.10.17-g86ce428, armv7l):
      uptime: aaaaaaaaaa
      malloc: sbrk 1081344, mmap 0, used 193992, free 887352
      worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
      loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-mschapv2 xauth-generic dhcp addrblock
    Listening IP addresses:
      192.168.7.1
    Connections:
    roadwarrior-eap:  %any...%any  IKEv2
    roadwarrior-eap:   local:  [mihaiordean.com] uses public key authentication
    roadwarrior-eap:    cert:  "C=UK, O=dnsname.com, CN=dnsname.com"
    roadwarrior-eap:   remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
    roadwarrior-eap:   child:  0.0.0.0/0 === dynamic TUNNEL
    Security Associations (0 up, 0 connecting):
      none

The problem that I have is that I am able to ping the network computers (i.e. 192.168.7.5) but I am unable to ping the gateway itself (192.168.7.1). The strongSwan DHCP plugin works fine and I am getting an IP from the LAN (192.168.7.x). I have no idea why this is happening, as it seems that the traffic does get routed properly for peers in the LAN, just not for the gateway.

Thanks,
meehien

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
