Hi there,
I've managed to set up an IPsec VPN server these days. After I connected to the VPN server, some IP addresses cannot be accessed.
Below are the IP allocations on the server side:
root@RouterX:~# ipsec leases
Leases in pool '192.168.100.100-192.168.100.109', usage: 2/10, 2 online
192.168.100.101 online 'node-1'
192.168.100.100 online 'node-2'
Leases in pool '192.168.100.110-192.168.100.119', usage: 1/10, 1 online
192.168.100.110 online 'node-3'
root@RouterX:~# ping -c 3 192.168.100.101
PING 192.168.100.101 (192.168.100.101): 56 data bytes
^C
--- 192.168.100.101 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
root@RouterX:~# ping -c 3 192.168.100.100
PING 192.168.100.100 (192.168.100.100): 56 data bytes
64 bytes from 192.168.100.100: seq=0 ttl=64 time=20.018 ms
64 bytes from 192.168.100.100: seq=1 ttl=64 time=20.432 ms
64 bytes from 192.168.100.100: seq=2 ttl=64 time=23.161 ms
--- 192.168.100.100 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 20.018/21.203/23.161 ms
root@RouterX:~# ping -c 3 192.168.100.110
PING 192.168.100.110 (192.168.100.110): 56 data bytes
64 bytes from 192.168.100.110: seq=0 ttl=64 time=481.042 ms
64 bytes from 192.168.100.110: seq=1 ttl=64 time=50.404 ms
64 bytes from 192.168.100.110: seq=2 ttl=64 time=98.258 ms
--- 192.168.100.110 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 50.404/209.901/481.042 ms
As you can see, node-2 (192.168.100.100) and node-3 (192.168.100.110) are accessible, but node-1 is not.
Node-1 and Node-2 are in the same network; Node-3 is in another network.
Node-1 is connected to the VPN server by swanctl, Node-2 is connected to the VPN server by the networkmanager-strongswan plugin, and Node-3 is an Android device connected to the VPN server by its built-in VPN capability.
Below is node-1's swanctl configuration:
# cat /etc/swanctl/conf.d/csj.conf
connections {
    vpn {
        encap = yes
        mobike = yes
        version = 2
        keyingtries = 0
        dpd_delay = 30
        dpd_timeout = 90
        # This is the preferred address, but it is taken by Node-2, so this node got the 192.168.100.101 address.
        vips = 192.168.100.100
        remote_addrs = 1.2.3.4
        local {
            auth = eap-mschapv2
            id = node-1
            eap_id = node-1
        }
        remote {
            certs = vpn-ca.pem
            id = @xxx.com
        }
        children {
            vpn-children {
                # This parameter was added for testing; it does not affect accessibility between nodes whether it exists or not.
                mode = beet
                local_ts = 192.168.100.0/24
                remote_ts = 192.168.100.0/24,192.168.2.0/24
                start_action = start
                dpd_action = restart
                close_action = restart
            }
        }
    }
}
My question is: how can I access Node-1 (192.168.100.101)?
And one interesting thing: after node-2 disconnected from the server, I can reach node-1:
root@RouterX:~# ipsec leases
Leases in pool '192.168.100.100-192.168.100.109', usage: 2/10, 1 online
192.168.100.101 online 'node-1'
192.168.100.100 offline 'node-2'
Leases in pool '192.168.100.110-192.168.100.119', usage: 1/10, 1 online
192.168.100.110 online 'node-3'
root@RouterX:~# ping 192.168.100.101
PING 192.168.100.101 (192.168.100.101): 56 data bytes
64 bytes from 192.168.100.101: seq=0 ttl=64 time=18.353 ms
64 bytes from 192.168.100.101: seq=1 ttl=64 time=18.556 ms
64 bytes from 192.168.100.101: seq=2 ttl=64 time=18.559 ms
^C
--- 192.168.100.101 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 18.353/18.489/18.559 ms
-----------------------Added 2024/02/16 11:10 +UTC0------------------------------------
After sniffing packets on the server side while running a ping command, I found the ICMP packets are forwarded to node-2, but I'm pinging node-1.
Why does IPsec route like this?
Last edited by Hacksign (2024-02-16 11:12:47)
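Two things worth ruling out before blaming the VPN itself are overlapping traffic selectors on the server (node-1's local_ts above proposes the whole 192.168.100.0/24 rather than just its virtual IP) and two peers behind the same NAT reaching the server from the same public IP:port. The following is an added example, not code from the original post or from strongSwan: it models the peers from the `ipsec leases` output above and reports, for each leased virtual IP, which peer's selector would win the kernel's most-specific-match policy lookup, and which peers share a NAT-T endpoint. Node-1's selector is its configured local_ts; node-2's selector and all public endpoints are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed from the post's `ipsec leases` output; selectors for node-2/node-3
# and all public endpoints are assumed values for the sake of the example.
PEERS = {
    # name: (virtual IP, remote traffic selectors seen by server, "public_ip:port")
    "node-1": ("192.168.100.101", ["192.168.100.0/24"], "203.0.113.10:4500"),
    "node-2": ("192.168.100.100", ["192.168.100.0/24"], "203.0.113.10:4500"),
    "node-3": ("192.168.100.110", ["192.168.100.110/32"], "198.51.100.7:39201"),
}

def best_matches(dst, peers):
    """Peers whose selector covers dst, restricted to the most specific prefix."""
    addr = ip_address(dst)
    best, names = -1, []
    for name, (_vip, selectors, _ep) in peers.items():
        for sel in selectors:
            net = ip_network(sel)
            if addr not in net:
                continue
            if net.prefixlen > best:
                best, names = net.prefixlen, [name]
            elif net.prefixlen == best:
                names.append(name)
    return names

def policy_report(peers):
    """Verdict per leased virtual IP: 'ok', 'ambiguous:<peers>' (a tie on the
    most specific selector) or 'captured-by:<peers>' (another peer's more
    specific selector wins and traffic would enter the wrong tunnel)."""
    out = {}
    for owner, (vip, _sel, _ep) in peers.items():
        names = best_matches(vip, peers)
        if names == [owner]:
            out[vip] = "ok"
        elif owner in names:
            out[vip] = "ambiguous:" + ",".join(sorted(names))
        else:
            out[vip] = "captured-by:" + ",".join(sorted(names))
    return out

def shared_endpoints(peers):
    """Public ip:port pairs used by more than one peer. A NAT that maps two
    clients onto the same public port cannot return ESP-in-UDP to the right one."""
    seen = {}
    for name, (_vip, _sel, ep) in peers.items():
        seen.setdefault(ep, []).append(name)
    return {ep: sorted(n) for ep, n in seen.items() if len(n) > 1}
```

With the constructed data, both addresses in the first pool come back as ambiguous between node-1 and node-2, which is the kind of result that explains why one of them is only reachable once the other disconnects.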