Hi Tobias,

Thanks. FARP is configured on both client and gateway, and I can reach the whole 
internal network from the VPN client (Ubuntu Linux). The DHCP server is not on 
the gateway.
Still, pinging the VPN client from the internal network does not work. Is there 
any other config to do? 

VPN CLIENT:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

conn vpn
    right=%me.domain.com
    rightid=server
    rightsubnet=192.168.1.0/24
    rightauth=psk
    left=%any
    leftid=client
    leftauth=eap-mschapv2
    leftsourceip=%config
    auto=add

Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.13.0-32-generic, x86_64):
  uptime: 27 minutes, since Feb 14 23:19:19 2018
  malloc: sbrk 3276800, mmap 532480, used 1419840, free 1856960
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon test-vectors unbound ldap pkcs11 aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity
Listening IP addresses:
  X.X.X.X
Connections:
    vpn:  %any...me.domain.com,0.0.0.0/0,::/0  IKEv1/2
    vpn:   local:  [client] uses EAP_MSCHAPV2 authentication
    vpn:   remote: [server] uses pre-shared key authentication
    vpn:   child:  dynamic === 192.168.1.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
    vpn[1]: ESTABLISHED 27 minutes ago, X.X.X.X[server]...Y.Y.Y.Y[server]
    vpn[1]: IKEv2 SPIs: 66945fc928466229_i* 825b15d6f370bd5e_r, EAP reauthentication in 2 hours
    vpn[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
    vpn{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c7fc94f7_i cb625e29_o
    vpn{1}:  AES_CBC_128/HMAC_SHA1_96, 1512 bytes_i (18 pkts, 750s ago), 2940 bytes_o (35 pkts, 750s ago), rekeying in 14 minutes
    vpn{1}:   192.168.1.20/32 === 192.168.1.0/24

VPN SERVER/GATEWAY:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        strictcrlpolicy=no
        uniqueids = no

conn server-IKEV2
        auto=add
        dpdaction=clear
        keyexchange=ikev2

        #left
        #left=%any
        left=%defaultroute
        leftsubnet=192.168.1.0/24
        leftfirewall=yes
        leftauth=psk
        leftid=server

        #right
        right=%any
        # tried also %dhcp but no change
        rightsourceip=192.168.1.20
        rightauth=eap-mschapv2
        rightid=client

Status of IKE charon daemon (strongSwan 5.2.1, Linux 4.9.35-v7+, armv7l):
  uptime: 23 minutes, since Feb 14 23:17:54 2018
  malloc: sbrk 1216512, mmap 0, used 224680, free 991832
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 9
  loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity
Virtual IP pools (size/online/offline):
  192.168.1.20: 1/1/0
Listening IP addresses:
  192.168.1.10
Connections:
   iOS-IKEV2:  %any...%any  IKEv2, dpddelay=30s
   iOS-IKEV2:   local:  [server] uses pre-shared key authentication
   iOS-IKEV2:   remote: [client] uses EAP_MSCHAPV2 authentication
   iOS-IKEV2:   child:  192.168.1.0/24 === dynamic TUNNEL, dpdaction=clear
server-IKEV2:  %any...%any  IKEv2, dpddelay=30s
server-IKEV2:   local:  [server] uses pre-shared key authentication
server-IKEV2:   remote: [client] uses EAP_MSCHAPV2 authentication
server-IKEV2:   child:  192.168.1.0/24 === dynamic TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
server-IKEV2[4]: ESTABLISHED 21 minutes ago, 192.168.1.10[server]...XXX.XXX.XXX.XXX[client]
server-IKEV2[4]: IKEv2 SPIs: 29624628c95f9466_i 5ebd70f3d6155b82_r*, pre-shared key reauthentication in 2 hours
server-IKEV2[4]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
server-IKEV2{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: cb625e29_i c7fc94f7_o
server-IKEV2{1}:  AES_CBC_128/HMAC_SHA1_96, 2940 bytes_i (35 pkts, 402s ago), 1512 bytes_o (18 pkts, 402s ago), rekeying in 21 minutes
server-IKEV2{1}:   192.168.1.0/24 === 192.168.1.20/32


> On 14 Feb 2018, at 08:22, Tobias Brunner <tob...@strongswan.org> wrote:
> 
> Hi Marco,
> 
>> VPN Client -> Gateway -> internal network with some servers
>> The VPN gets an IP from DHCP Server (i.e. 192.168.1.100)
>> Gateway has IP 192.168.1.10, can ping the VPN client 192.168.1.100
>> Pinging the VPN client from a server in the network (e.g. 192.168.1.20) does 
>> not work.
>> 
>> What am I missing?
> 
> See [1].
> 
> Regards,
> Tobias
> 
> [1]
> https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#Hosts-on-the-LAN
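A checker, added here as an example and not part of either message or of strongSwan, that reads the gateway's `ipsec statusall` output in the form pasted above and reports which "Hosts on the LAN" prerequisites from Tobias's link [1] can be confirmed from it: the pool 192.168.1.20 lies inside leftsubnet 192.168.1.0/24, so LAN hosts ARP for it directly and the farp plugin must answer on a gateway address in that subnet, while ip_forward and the FORWARD rules are not visible in statusall and are reported as the next thing to verify. STATUS is a constructed excerpt built from the values in the thread.

```python
import ipaddress
import re

# Constructed excerpt of the gateway's "ipsec statusall" output, reusing the values
# shown in the thread (LAN 192.168.1.0/24, pool 192.168.1.20, farp plugin loaded).
STATUS = """\
Status of IKE charon daemon (strongSwan 5.2.1, Linux 4.9.35-v7+, armv7l):
  loaded plugins: charon aes sha1 sha2 random nonce x509 pem openssl kernel-netlink socket-default farp stroke updown eap-mschapv2 dhcp
Virtual IP pools (size/online/offline):
  192.168.1.20: 1/1/0
Listening IP addresses:
  192.168.1.10
Security Associations (1 up, 0 connecting):
server-IKEV2{1}:   192.168.1.0/24 === 192.168.1.20/32
"""

def parse_status(text):
    """Pull the statusall fields that decide whether LAN hosts can reach a client."""
    plugins = re.search(r"loaded plugins:\s*(.*)", text)
    listen = re.search(r"Listening IP addresses:\n((?:[ \t]+\S+\n)*)", text)
    return {
        "plugins": set(plugins.group(1).split()) if plugins else set(),
        "pools": [ipaddress.ip_network(p, strict=False)
                  for p in re.findall(r"^[ \t]+(\S+): \d+/\d+/\d+$", text, re.M)],
        "listen": [ipaddress.ip_address(a) for a in listen.group(1).split()] if listen else [],
        # (local TS, remote TS) of each installed CHILD_SA, e.g. 192.168.1.0/24 === 192.168.1.20/32
        "child_ts": re.findall(r"\{\d+\}:\s+(\S+) === (\S+)\s*$", text, re.M),
    }

def lan_reachability_findings(status):
    """Return (level, message) pairs; 'error' means LAN->client traffic cannot work yet."""
    findings = []
    lans = [ipaddress.ip_network(local) for local, _ in status["child_ts"]]
    for pool in status["pools"]:
        inside = [lan for lan in lans if lan.version == pool.version and pool.subnet_of(lan)]
        if not inside:
            findings.append(("info", f"{pool} is outside the LAN: LAN hosts need a route to it via the gateway"))
        elif "farp" not in status["plugins"]:
            # Hosts ARP directly for an address in their own subnet; without proxy ARP their packets never reach the gateway.
            findings.append(("error", f"{pool} is inside {inside[0]} but the farp plugin is not loaded"))
        elif not any(a in inside[0] for a in status["listen"]):
            findings.append(("error", f"gateway has no address in {inside[0]}, so farp cannot answer ARP there"))
        else:
            findings.append(("info", f"farp covers {pool}; next check ip_forward=1 and the FORWARD rules on the gateway"))
    for _, remote in status["child_ts"]:
        r = ipaddress.ip_network(remote)  # a remote selector outside every pool means the client kept its own IP
        if not any(p.version == r.version and r.subnet_of(p) for p in status["pools"]):
            findings.append(("error", f"CHILD_SA remote selector {remote} is not a virtual IP from the pool"))
    return findings
```

Run it against the real `ipsec statusall` output on the gateway; when everything it can see is in order, what remains is `sysctl net.ipv4.ip_forward` and the FORWARD chain that leftfirewall=yes is expected to populate.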
