Hello Bluesky787,

Please pastebin the output of `iptables-save`.

P.S.: Pinging your own IP is quite useless because it only tells you if your communication over loopback works. ;)

Kind regards
Noel

On 05.11.19 at 16:03 [email protected] wrote:
> Hello Guys,
>
> This is the second time I need your help. I already asked you about public key authentication (see https://lists.strongswan.org/pipermail/users/2019-September/013839.html); this problem refers directly to this old thread, because I couldn't figure out how to make the connection work. As I stated at the end of this thread, the connection gets established now, but no traffic at all is going to be sent over the tunnel.
> I instantly thought it is a routing problem and followed the tutorials for routing with NAT (https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling) and route based VPN (https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN), but both didn't work out. As I understand it, route based VPN is not necessary if it's ok with me that everything will get sent over the IPsec tunnel, which is perfectly ok.
>
> Is there anything else I have to do to send network traffic over the IPsec tunnel? Does strongSwan not configure routes automatically? Is it a simple misconfiguration?
>
> I have the following setup:
> VPN-Router (proprietary, IKEv2, 217.xxx.xxx.xxx) <----- WAN -----> Linux (debian on qubes OS) client with strongswan 5.8.1-1 (10.137.0.10)
>
> Strongswan config file:
> conn vpn-ikev2
>     auto=route
>     ike=aes256-sha256-sha512-modp4096!
>     esp=aes256-sha256-sha512-modp4096!
>     right=217.xxx.xxx.xxx
>     rightid="O=Foo Company,CN=217.86.xxx.xxx"
>     rightsubnet=0.0.0.0/0
>     rightauth=pubkey
>     rightca=217.xxx.xxx.xxx
>     rightcert=/etc/ipsec.d/certs/Foo_CA_IME.crt
>     leftid="O=Foo Company,CN=Foo VPN USER"
>     leftsourceip=%config
>     leftauth=pubkey
>     leftca="O=Foo Company,CN=Foo CA IME"
>     leftcert=/etc/ipsec.d/certs/Foo_VPN_User.crt
>
> Output from vpn connection initialisation:
> [..]
> IKE_SA vpn-ikev2[1] established between 10.137.0.10[O=Foo Company, CN=Foo USER]...217.xxx.xxx.xxx[O=Foo Company, CN=217.xxx.xxx.xxx]
> scheduling reauthentication in 9961s
> maximum IKE_SA lifetime 10501s
> installing DNS server 192.168.10.1 to /etc/resolv.conf
> installing DNS server 192.168.10.52 to /etc/resolv.conf
> installing new virtual IP 192.168.10.205
> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ
> CHILD_SA vpn-ikev2{2} established with SPIs cc3c6e40_i 0b663ca1_o and TS 192.168.10.205/32 === 0.0.0.0/0
> connection 'vpn-ikev2' established successfully
>
> The following iptables rules are set up (are these really necessary? In my opinion this is just the case for a gateway):
> iptables -t nat -A POSTROUTING -s 10.137.0.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
> iptables -t nat -A POSTROUTING -s 10.137.0.0/24 -o eth0 -j MASQUERADE
> iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
>
> Ping:
> ping 192.168.10.205 (my virtual ip in private network)
> PING 192.168.10.205 (192.168.10.205) 56(84) bytes of data.
> 64 bytes from 192.168.10.205: icmp_seq=1 ttl=64 time=0.041 ms
> 64 bytes from 192.168.10.205: icmp_seq=2 ttl=64 time=0.041 ms
> 64 bytes from 192.168.10.205: icmp_seq=3 ttl=64 time=0.041 ms
> 64 bytes from 192.168.10.205: icmp_seq=4 ttl=64 time=0.044 ms
> ^C
> --- 192.168.10.205 ping statistics ---
> 4 packets transmitted, 4 received, 0% packet loss, time 58ms
> rtt min/avg/max/mdev = 0.041/0.041/0.044/0.008 ms
>
> ping 192.168.10.1 (one of two dns servers in private network)
> PING 192.168.10.1 (192.168.10.1) 56(84) bytes of data.
> ^C
> --- 192.168.10.1 ping statistics ---
> 7 packets transmitted, 0 received, 100% packet loss, time 188ms
>
> ping 8.8.8.8 (something in WAN)
> PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
> 64 bytes from 8.8.8.8: icmp_seq=1 ttl=51 time=72.4 ms
> 64 bytes from 8.8.8.8: icmp_seq=2 ttl=51 time=38.4 ms
> 64 bytes from 8.8.8.8: icmp_seq=3 ttl=51 time=41.7 ms
> 64 bytes from 8.8.8.8: icmp_seq=4 ttl=51 time=39.6 ms
> ^C
> --- 8.8.8.8 ping statistics ---
> 4 packets transmitted, 4 received, 0% packet loss, time 8ms
> rtt min/avg/max/mdev = 38.420/48.019/72.374/14.111 ms
>
> What did I do wrong? Could it be a problem that I installed strongswan inside a virtual machine?
> I am thankful for every kind of help.
>
> Regards,
> Bluesky787
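One thing a reader of the `iptables-save` output Noel asks for would check is the order of the nat/POSTROUTING rules: the ForwardingAndSplitTunneling wiki page linked in the mail places the `-m policy --dir out --pol ipsec -j ACCEPT` exception before the MASQUERADE rule, because once MASQUERADE has rewritten the source address the packet no longer matches the negotiated traffic selector (here 192.168.10.205/32) and is not handed to the tunnel. The script below is an added example, not code from this thread or from the strongSwan project; it parses `iptables-save` text and reports whether a MASQUERADE/SNAT rule would be hit before that exception. The two rulesets embedded in it are constructed: the first mirrors how the three commands in the mail would appear after the `-I`, the second is the reversed order.

```shell
#!/bin/sh
# Added example (not from the thread or from strongSwan): check the order of
# nat/POSTROUTING rules in iptables-save output. Assumption, taken from the
# ForwardingAndSplitTunneling wiki page: the ACCEPT for packets matching an
# outbound IPsec policy must precede any MASQUERADE/SNAT rule.

# check_nat_postrouting: reads iptables-save text on stdin. Returns 0 when
# every MASQUERADE/SNAT rule in nat/POSTROUTING is preceded by a
# "-m policy --dir out --pol ipsec -j ACCEPT" rule (or there is no
# MASQUERADE/SNAT rule at all); returns 1 when such a rule is reached first.
check_nat_postrouting() {
    awk '
        /^\*/     { table = substr($0, 2) }   # "*nat" -> "nat"
        /^COMMIT/ { table = "" }
        table == "nat" && /^-A POSTROUTING/ {
            if ($0 ~ /-m policy/ && $0 ~ /--dir out/ && $0 ~ /--pol ipsec/ && $0 ~ /-j ACCEPT/)
                accept_seen = 1
            if ($0 ~ /-j (MASQUERADE|SNAT)/ && !accept_seen)
                bad = 1
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample: the three commands from the mail as iptables-save would
# list them (the -I rule ends up first), so the exception precedes MASQUERADE.
GOOD_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.137.0.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.137.0.0/24 -o eth0 -j MASQUERADE
COMMIT'

# Constructed sample: MASQUERADE listed first, e.g. a rule that was already
# present before the IPsec exception was added; IPsec-bound packets are
# rewritten before XFRM sees them.
BAD_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.137.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
COMMIT'

# report: print a verdict for one ruleset. $1 = label, $2 = iptables-save text.
report() {
    if printf '%s\n' "$2" | check_nat_postrouting; then
        echo "$1: ok, IPsec policy exception precedes MASQUERADE/SNAT"
    else
        echo "$1: WRONG ORDER, MASQUERADE/SNAT rewrites IPsec-bound packets first"
    fi
}

report "good ruleset" "$GOOD_RULES"
report "bad ruleset"  "$BAD_RULES"

# On the real host (as root): iptables-save | check_nat_postrouting && echo ok
```

The check only looks at rule order inside nat/POSTROUTING, which is the part the mail's three commands touch; it says nothing about rules in other tables (the Qubes OS firewall adds its own) and is meant as a first pass over the pasted output, not a replacement for reading it. For the routing side of the question, strongSwan installs the route for the virtual IP itself, by default in routing table 220, so `ip route show table 220` is the place to confirm that no manual route is needed.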
