Hello all! I'm trying to set up a simple VPN to function as default gateway. Below is my setup in (poor) ASCII art and the ipsec.conf of both SERVER and CLIENT. SERVER has a public static IP and is listening for connections. CLIENT is a roadwarrior and its IP is dynamic.
The connection setup works, so after a "strongswan up SERVER" at the CLIENT machine I can ping/ssh/anything to and from over the 10.1.0.0/24 network. The problem is that when trying to ping google.nl from CLIENT, I get a response from 1.2.3.4 "Destination Host Prohibited". sysctl net.ipv4.ip_forward=1 and iptables rules are set according to https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling. How can I set up forwarding on the SERVER? What am I doing wrong here?

Furthermore, at SERVER the iptables rules seem to only grow... So rules seem to be added, but never removed... When should these rules be removed from SERVER? Does this only happen on "strongswan down SERVER" at CLIENT, or should they also get removed after a DPD timeout? How can I debug this?

My setup:

     ______________                          _________________
    | SERVER       |________________________| CLIENT          |
    | IP: 1.2.3.4   _______10.1.0.0/24______  IP: Dynamic     |
    | VIP: 10.1.0.254                        | VIP: 10.1.0.1   |
    | GW : 2.2.2.2 |                        | GW: 10.1.0.254  |
    |______________|                        |_________________|

================== CLIENT ipsec.conf ==================

config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2

conn SERVER
        # roadwarrior: local address and virtual IP are assigned dynamically
        left=%any
        leftcert=CLIENTCert.pem
        leftsourceip=%any
        leftfirewall=yes
        right=1.2.3.4
        rightid="C=NL, O=strongSwan, CN=SERVER"
        # send all traffic through the tunnel (SERVER as default gateway)
        rightsubnet=0.0.0.0/0
        auto=add
__________________________________________

================== SERVER ipsec.conf ==================

config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=%forever
        keyexchange=ikev2
        left=1.2.3.4
        leftsubnet=0.0.0.0/0
        rightdns=10.1.0.254
        leftcert=SERVERCert.pem
        leftfirewall=yes
        right=%any
        mobike=yes
        fragmentation=yes
        lefthostaccess=yes
        dpdaction=clear
        closeaction=clear

conn CLIENT
        rightid="C=NL, O=strongSwan, CN=CLIENT"
        rightcert=CLIENTCert.pem
        # virtual IP handed out to this client from the 10.1.0.0/24 pool
        rightsourceip=10.1.0.1
        rightsubnet=10.1.0.0/24
        auto=add
____________________________________________

Thanks a lot for any help!!
Best regards,
Geert

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
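As an added example, not part of Geert's post and not code from the strongSwan project, here is a small POSIX shell helper for the two questions raised above. It prints (rather than applies) the forwarding and NAT rules for the 10.1.0.0/24 pool in the shape described on the ForwardingAndSplitTunneling wiki page linked in the post, and it scans an iptables-save dump for FORWARD rules that occur more than once, which is the quickest way to see whether rules are being added without being removed. Assumptions: eth0 is SERVER's public interface (change WAN_IF), the FORWARD chain ends in a REJECT rule, and the iptables-save text embedded below is constructed for the demonstration, not a capture from Geert's machine.

```shell
#!/bin/sh
# Added example (not from the original post or from strongSwan).
# Helpers for a strongSwan server that hands out 10.1.0.0/24 to roadwarriors
# and is meant to forward their traffic to the internet.
# Assumptions: public interface is eth0; FORWARD ends in a REJECT rule.

VPN_POOL="${VPN_POOL:-10.1.0.0/24}"
WAN_IF="${WAN_IF:-eth0}"   # assumed name of SERVER's public interface

# Print the rules instead of applying them, so they can be reviewed first and
# then run with:  gen_forwarding_rules | sh
# The FORWARD rules use -I so they land in front of any REJECT rule; the NAT
# ACCEPT with a policy match keeps VPN-to-VPN traffic (which will be ESP
# encapsulated) from being masqueraded, and must precede the MASQUERADE rule.
gen_forwarding_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -I POSTROUTING -s $VPN_POOL -o $WAN_IF -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -s $VPN_POOL -o $WAN_IF -j MASQUERADE
iptables -I FORWARD -m policy --dir in --pol ipsec -s $VPN_POOL -j ACCEPT
iptables -I FORWARD -m policy --dir out --pol ipsec -d $VPN_POOL -j ACCEPT
EOF
}

# Read `iptables-save` output on stdin and print every FORWARD rule that
# appears more than once, prefixed with its count. Identical repeated rules
# mean the rule was added again without the earlier copy being removed.
count_duplicate_rules() {
    grep '^-A FORWARD ' | sort | uniq -c \
        | awk '$1 > 1 { printf "%d %s\n", $1, substr($0, index($0, $2)) }'
}

# Constructed sample of `iptables-save` output (not a real capture): one
# client rule is present twice, followed by the REJECT that answers pings
# with "Destination Host Prohibited".
SAMPLE_IPTABLES_SAVE='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -s 10.1.0.1/32 -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -d 10.1.0.1/32 -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -s 10.1.0.1/32 -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Run the duplicate check against the constructed sample.
demo_duplicates() {
    printf '%s\n' "$SAMPLE_IPTABLES_SAVE" | count_duplicate_rules
}

# Live use on SERVER:
#   gen_forwarding_rules            # review, then pipe into sh
#   iptables-save | count_duplicate_rules
```

Two practical notes. A "Destination Host Prohibited" reply from 1.2.3.4 is what an iptables REJECT rule with --reject-with icmp-host-prohibited returns, and an ACCEPT that was appended with -A after such a rule never matches, which is why the example inserts with -I. For the growing rule set, run `iptables-save | count_duplicate_rules` once after a clean "strongswan up"/"strongswan down" cycle and once after letting a client disappear until DPD fires (dpdaction=clear in the config above): the updown script that leftfirewall=yes enables should take away on down-client what it added on up-client, and the counts show in which of the two cases that is not happening.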
