Hi guys,
My company is using a Fortigate VPN solution. By using the Fortigate Mac or Windows client, everything works great. However, they don't have anything for Linux that supports IPSec, so I have used the strongSwan IPSec implementation. After a lot of effort, I have been able to set up a connection to my company VPN, but for some reason, I'm only able to send and receive traffic within the 192.168.32.0/24 network. In this network, we have other PCs connected via VPN. However, I should be able to access other networks which in reality are tunnels to one of our clients' offices. I've tried everything regarding IPSec policy, but I've found no solution so far. I should be able to ping the host 192.168.1.50, which I can from a Windows PC, but not from my Linux box. Likewise, I'm able to reach all hosts in the 192.168.140.0/24 network from Windows, but not from my Linux box either. I filed an issue with the strongSwan team, but I haven't been provided with a solution yet. I've been investigating how IPSec policy routing works and playing quite a lot with different options, but none was successful. At this point, the last policy I have set is this:
[root@MyPC ~]# ip xfrm policy
src 192.168.140.0/24 dst 192.168.32.1/32
dir fwd priority 2851
tmpl src <MY_VPN_PUBLIC_IP> dst 192.168.1.4
proto esp reqid 1 mode tunnel
src 192.168.140.0/24 dst 192.168.32.1/32
dir in priority 2851
tmpl src <MY_VPN_PUBLIC_IP> dst 192.168.1.4
proto esp reqid 1 mode tunnel
src 192.168.32.1/32 dst 192.168.140.0/24
dir out priority 2851
tmpl src 192.168.1.4 dst <MY_VPN_PUBLIC_IP>
proto esp reqid 1 mode tunnel
src 192.168.32.0/24 dst 192.168.32.1/32
dir fwd priority 2851
tmpl src <MY_VPN_PUBLIC_IP> dst 192.168.1.4
proto esp reqid 1 mode tunnel
src 192.168.32.0/24 dst 192.168.32.1/32
dir in priority 2851
tmpl src <MY_VPN_PUBLIC_IP> dst 192.168.1.4
proto esp reqid 1 mode tunnel
src 192.168.32.1/32 dst 192.168.32.0/24
dir out priority 2851
tmpl src 192.168.1.4 dst <MY_VPN_PUBLIC_IP>
proto esp reqid 1 mode tunnel
src 192.168.1.50/32 dst 192.168.32.1/32
dir fwd priority 2851
tmpl src <MY_VPN_PUBLIC_IP> dst 192.168.1.4
proto esp reqid 1 mode tunnel
src 192.168.1.50/32 dst 192.168.32.1/32
dir in priority 2851
tmpl src <MY_VPN_PUBLIC_IP> dst 192.168.1.4
proto esp reqid 1 mode tunnel
src 192.168.32.1/32 dst 192.168.1.50/32
dir out priority 2851
tmpl src 192.168.1.4 dst <MY_VPN_PUBLIC_IP>
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
...but it doesn't work. I'm able to neither ping the host 192.168.1.50 nor reach any host within the 192.168.140.0/24 network. By using Forticlient (the Fortigate client) for Windows, I'm able to reach both.
Questions:
- Because I'm using IPSec policy routing instead of route-based routing, do you think any change would be needed on the server side to make it work?
- Is there anything I'm missing?
Thanks a lot for your help in advance.
Regards.
Last edited by Musikolo (2015-01-09 05:54:40)
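A sanity check a practitioner can run against a listing like the one in the post, added here as an example and not part of the original post or of strongSwan: parse `ip xfrm policy` output and ask whether a given flow is actually covered by an `out` policy carrying an ESP tunnel template. A flow that matches no `out` policy is not dropped; it leaves through normal routing in cleartext, which is the first thing to confirm before assuming the VPN carries it. The listing below is a constructed subset of the post's output, with the poster's `<MY_VPN_PUBLIC_IP>` placeholder kept as-is.

```python
import ipaddress
# Constructed sample: a subset of the post's "ip xfrm policy" listing (placeholder kept).
SAMPLE = """\
src 192.168.1.50/32 dst 192.168.32.1/32
    dir in priority 2851
    tmpl src <MY_VPN_PUBLIC_IP> dst 192.168.1.4
        proto esp reqid 1 mode tunnel
src 192.168.32.1/32 dst 192.168.1.50/32
    dir out priority 2851
    tmpl src 192.168.1.4 dst <MY_VPN_PUBLIC_IP>
        proto esp reqid 1 mode tunnel
src 192.168.32.1/32 dst 192.168.140.0/24
    dir out priority 2851
    tmpl src 192.168.1.4 dst <MY_VPN_PUBLIC_IP>
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0
"""

def parse_policies(text):
    """Parse 'ip xfrm policy' output into one dict per policy entry."""
    policies = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "src":                       # selector line starts a new entry
            policies.append({"src": ipaddress.ip_network(tokens[1]),
                             "dst": ipaddress.ip_network(tokens[3]), "tmpl": None})
        elif tokens[0] in ("dir", "socket"):         # "dir out ..." or per-socket "socket out ..."
            policies[-1]["dir"] = tokens[1] if tokens[0] == "dir" else "socket " + tokens[1]
            policies[-1]["priority"] = int(tokens[3])
        elif tokens[0] == "tmpl":                    # SA template: outer (tunnel) addresses
            policies[-1]["tmpl"] = {"src": tokens[2], "dst": tokens[4]}
        elif tokens[0] == "proto":                   # "proto esp reqid N mode tunnel"
            policies[-1]["tmpl"].update({"proto": tokens[1], "mode": tokens[5]})
    return policies

def matching_policy(policies, direction, src, dst):
    """Best (lowest priority number) policy whose selectors cover src->dst, or None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies
            if p["dir"] == direction and src in p["src"] and dst in p["dst"]]
    return min(hits, key=lambda p: p["priority"]) if hits else None

def flow_is_tunnelled(policies, src, dst):
    """True only if an 'out' policy with an ESP tunnel template covers the flow."""
    p = matching_policy(policies, "out", src, dst)
    return p is not None and p["tmpl"] is not None and p["tmpl"]["mode"] == "tunnel"
```

Socket policies (`socket in`/`socket out`) are per-socket entries and never match a host flow here, so they are parsed but ignored by the `out` lookup.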