Hi there
I've set up a VPN whose CIDR is 192.168.100.0/24, using strongSwan's swanctl.
Below is the result of the command swanctl --list-sas on the client side:
(The client is behind a firewall and its internet address is 55.66.77.88; the server's internet address is 11.22.33.44 in my scenario)
[root@DeviceOne system]# swanctl --list-sas
vpn: #1, ESTABLISHED, IKEv2, 2c127_i* 0f3eb_r
  local 'device-one' @ 192.168.31.2[4500] [192.168.100.101]
  remote '....' @ 11.22.33.44[4500]
  AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
  established 1529s ago, rekeying in 12367s
This can be confirmed on the server side with the command ipsec status:
root@VPNServer:~# ipsec status
Security Associations (2 up, 0 connecting):
IPSec-IKEv2-EAP[11]: ESTABLISHED 28 minutes ago, 11.22.33.44...55.66.77.88[device-one]
IPSec-IKEv2-EAP[9]: ESTABLISHED 65 minutes ago, 11.22.33.44...55.66.77.88[device-two]
IPSec-IKEv2-EAP{4}:  INSTALLED, TUNNEL, reqid 4, ESP in UDP SPIs: 4cbf_i c1e7_o
IPSec-IKEv2-EAP{4}:   192.168.1.1/32 192.168.2.0/24 192.168.3.0/24 192.168.100.0/24 === 192.168.100.0/24
All logs (ipsec/strongswan) say the authentication succeeded, but there are unknown problems with routing:
On the client side, the command results are:
[root@DeviceOne ~]# ip rule
0: from all lookup local
220: from all lookup 220
32766: from all lookup main
32767: from all lookup default
[root@DeviceOne ~]# ip route
default via 192.168.31.1 dev end0 proto dhcp src 192.168.31.2 metric 1024
192.168.31.0/24 dev end0 proto kernel scope link src 192.168.31.2 metric 1024
192.168.31.1 dev end0 proto dhcp scope link src 192.168.31.2 metric 1024
Here is my swanctl.conf:
[root@DeviceOne ~]# cat /etc/swanctl/conf.d/vpn-client.conf
connections {
    vpn {
        version = 2
        encap = yes
        dpd_delay = 30
        dpd_timeout = 90
        vips = 192.168.100.101
        remote_addrs = 11.22.33.44
        local {
            auth = eap-mschapv2
            id = device-one
            eap_id = device-one
        }
        remote {
            certs = vpn-ca.pem
            id = ....
        }
        children {
            vpn-children {
                local_ts = 192.168.31.0/24
                remote_ts = 192.168.100.0/24
                start_action = start
            }
        }
    }
}
secrets {
    eap-mschapv2 {
        id = "device-one"
        secret = "my-password"
    }
}
Currently I can neither access other devices from device-one, nor access device-one from other devices on the same VPN.
My question: how can I access device-one in VPN 192.168.100.0/24 ?
Last edited by Hacksign (2024-02-11 14:58:11)
There is an additional routing table (220) - what does the following command show
ip route show table 220
Thanks for the reply. After hours of effort, it turns out the problem is on the server side.
Adding the right-side subnet privileges solved the problem.
Here are the details in case they help anyone else.
As you can see, my client-side IP address is 192.168.31.1/24, which is an unusual IP range, so on the ipsec server side you need to add access privileges on the right side (which is the client side):
conn Some-Conn-Configuration
.....
rightsubnet=192.168.31.1/24,xxx.xxx.xx.xx/24,yyy.yyy.yy.yy/24,....
....
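The fix above works because of IKEv2 traffic-selector narrowing: the responder keeps only the overlap between the selectors the initiator proposes (the client's local_ts / remote_ts) and the subnets it is configured with (leftsubnet / rightsubnet). If the client's LAN is not inside rightsubnet, no negotiated selector covers packets sourced from 192.168.31.x, so the kernel never matches them to the tunnel policy. The following is an added example, not code from the thread or from strongSwan, that models the narrowing rule over the thread's own addresses. It assumes a pre-fix rightsubnet of only 192.168.100.0/24 (the thread shows only the fixed value) and deliberately ignores the virtual-IP substitution strongSwan performs on the client's local selector; it models the RFC 7296 intersection rule only.

```python
"""Model IKEv2 traffic-selector narrowing to see why a client LAN that is
missing from the server's rightsubnet never gets protected (added example)."""
import ipaddress
from typing import Dict, List

Net = ipaddress.IPv4Network


def parse_ts(spec: str) -> List[Net]:
    """Parse a comma-separated selector list as found in swanctl's
    local_ts/remote_ts or ipsec.conf's leftsubnet/rightsubnet.
    strict=False normalises host-style entries such as 192.168.31.1/24
    to the network 192.168.31.0/24."""
    return [ipaddress.ip_network(part.strip(), strict=False)
            for part in spec.split(",") if part.strip()]


def narrow(proposed: List[Net], configured: List[Net]) -> List[Net]:
    """RFC 7296 section 2.9 narrowing: keep only the overlap between what the
    initiator proposed and what the responder allows. Two CIDR blocks are
    either nested or disjoint, so their overlap is the more specific block."""
    result: List[Net] = []
    for p in proposed:
        for c in configured:
            if p.overlaps(c):
                chosen = p if p.prefixlen >= c.prefixlen else c
                if chosen not in result:
                    result.append(chosen)
    return result


def negotiate_child(client_local_ts: str, client_remote_ts: str,
                    server_leftsubnet: str, server_rightsubnet: str) -> Dict[str, List[Net]]:
    """CHILD_SA negotiation seen from the client: its local_ts is narrowed
    against the server's rightsubnet (the client side in ipsec.conf terms)
    and its remote_ts against the server's leftsubnet."""
    return {
        "local": narrow(parse_ts(client_local_ts), parse_ts(server_rightsubnet)),
        "remote": narrow(parse_ts(client_remote_ts), parse_ts(server_leftsubnet)),
    }


def policy_matches(sa: Dict[str, List[Net]], src: str, dst: str) -> bool:
    """Would a packet src -> dst leaving the client hit the IPsec policy?
    Only traffic inside the negotiated selectors is encrypted; the rest
    follows the plain routing table and never enters the tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in n for n in sa["local"]) and any(d in n for n in sa["remote"])


# Values taken from the thread: the client's child config and the server's
# leftsubnet as printed by `ipsec status`.
CLIENT_LOCAL_TS = "192.168.31.0/24"
CLIENT_REMOTE_TS = "192.168.100.0/24"
SERVER_LEFTSUBNET = "192.168.1.1/32,192.168.2.0/24,192.168.3.0/24,192.168.100.0/24"
# Assumption for this example: before the fix rightsubnet held only the VIP pool.
RIGHTSUBNET_BEFORE = "192.168.100.0/24"
# From the fix post (other elided entries omitted).
RIGHTSUBNET_AFTER = "192.168.31.1/24,192.168.100.0/24"


def before_fix() -> Dict[str, List[Net]]:
    return negotiate_child(CLIENT_LOCAL_TS, CLIENT_REMOTE_TS,
                           SERVER_LEFTSUBNET, RIGHTSUBNET_BEFORE)


def after_fix() -> Dict[str, List[Net]]:
    return negotiate_child(CLIENT_LOCAL_TS, CLIENT_REMOTE_TS,
                           SERVER_LEFTSUBNET, RIGHTSUBNET_AFTER)


if __name__ == "__main__":
    for label, sa in (("before", before_fix()), ("after", after_fix())):
        print(label,
              [str(n) for n in sa["local"]], "===", [str(n) for n in sa["remote"]],
              "| 192.168.31.2 -> 192.168.100.102 protected:",
              policy_matches(sa, "192.168.31.2", "192.168.100.102"))
```

Running it shows an empty local selector before the fix (so a packet from 192.168.31.2 to a VPN peer is not matched by any policy) and 192.168.31.0/24 after it. The same check is useful the other way round: if the client's local_ts does not include the address it actually sources packets from, widening rightsubnet on the server will not help either.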