
Issue #3032

Connected to VPN, but no traffic

Added by Aiden A 6 months ago. Updated 6 days ago.

Status:
Closed
Priority:
Normal
Category:
configuration
Affected version:
5.5.1
Resolution:
No feedback

Description

Hello.

I'm able to connect to my VPN but am not able to connect to the internet.

# ipsec.conf - strongSwan IPsec configuration file

config setup
    cachecrls=yes
    uniqueids=no

conn ios
    keyexchange=ikev1
    authby=xauthpsk
    xauth=server
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    right=%any
    rightsubnet=10.0.0.0/24
    rightsourceip=10.0.0.1/24
    rightdns=1.1.1.1,9.9.9.9,192.168.1.1
    auto=add
    forceencaps=yes

include /var/lib/strongswan/ipsec.conf.inc

# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.

# this file is managed with debconf and will contain the automatically created private key
include /var/lib/strongswan/ipsec.secrets.inc

192.168.1.10 %any : PSK "xxxxxxxxxx"

User1 : XAUTH "xxxxxxxxxx"

#!/bin/sh

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -Z

## To prevent us from being locked out of the SSH session,
## we'll accept connections that are already accepted.
## We'll also open port 22 (or whichever port you've configured) for future SSH connections to the server.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

## We'll also need to accept connections on the local loopback interface:
iptables -A INPUT -i lo -j ACCEPT

## Then we'll tell IPTables to accept IPsec connections:
iptables -A INPUT -p udp --dport  500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT

## Next, we'll tell IPTables to forward ESP (Encapsulating Security Payload) traffic so the VPN clients will be able to connect.
## ESP provides additional security for our VPN packets as they're traversing untrusted networks:
iptables -A FORWARD --match policy --pol ipsec --dir in  --proto esp -s 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD --match policy --pol ipsec --dir out --proto esp -d 10.0.0.0/24 -j ACCEPT

## Our VPN server will act as a gateway between the VPN clients and the internet.
## Since the VPN server will only have a single public IP address,
## we will need to configure masquerading to allow the server to request data from the internet on behalf of the clients;
## this will allow traffic to flow from the VPN clients to the internet, and vice-versa:
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE

## To prevent IP packet fragmentation on some clients, we'll tell IPTables to reduce the size of packets by adjusting the packets' maximum segment size.
## This prevents issues with some VPN clients.
iptables -t mangle -A FORWARD --match policy --pol ipsec --dir in -s 10.0.0.0/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360

## For better security, we'll drop everything else that does not match the rules we've configured:
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP

History

#1 Updated by Tobias Brunner 6 months ago

  • Description updated (diff)
  • Status changed from New to Feedback

First, don't configure rightsubnet if you configure rightsourceip. Second, debug the traffic flow (check traffic counters on SAs and firewall rules, capture traffic etc.) to see where it might get stuck. Also see HelpRequests.
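A small lint for the first point above, as an added example that is not part of this issue or of strongSwan: it scans one conn section of an ipsec.conf and reports when rightsubnet and rightsourceip are both set. The sample file it writes is constructed to mirror the conn in the description.

```shell
#!/bin/sh
# Added example (not from the issue or strongSwan): check a conn section
# of ipsec.conf for the rightsubnet/rightsourceip conflict.
# Returns 0 when the conn is clean, 1 (plus a one-line finding) otherwise.

check_conn() {
    conn="$1"
    file="$2"
    awk -v want="$conn" '
        # section headers start in column 1; track whether we are in the wanted conn
        /^conn[ \t]/        { inconn = ($2 == want); next }
        /^(config|ca)[ \t]/ { inconn = 0; next }
        inconn && /^[ \t]+rightsubnet[ \t]*=/   { rs = 1 }
        inconn && /^[ \t]+rightsourceip[ \t]*=/ { rsip = 1 }
        END {
            if (rs && rsip) {
                print "conn " want ": rightsubnet and rightsourceip are both set; remove rightsubnet (the virtual IP pool already defines the remote traffic selector)"
                exit 1
            }
            exit 0
        }
    ' "$file"
}

# Constructed sample: "ios" repeats the conflict from the description,
# "fixed" is the same conn with rightsubnet removed.
write_sample() {
    cat > "$1" <<'EOF'
config setup
    uniqueids=no

conn ios
    keyexchange=ikev1
    rightsubnet=10.0.0.0/24
    rightsourceip=10.0.0.1/24

conn fixed
    keyexchange=ikev1
    rightsourceip=10.0.0.1/24
EOF
}
```

Run it as `check_conn ios /etc/ipsec.conf` on the real file; a non-zero exit means the conn needs the fix from the comment.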

#2 Updated by Aiden A 5 months ago

I tried running the following and this is what I get:

pi@raspberrypi:~ $ tail -f /var/log/auth.log
May 13 03:53:40 raspberrypi charon: 10[IKE] 208.54.37.231 is initiating a Main Mode IKE_SA
May 13 03:53:40 raspberrypi charon: 07[IKE] IKE_SA ios1 established between 10.0.0.10[10.0.0.10]...208.54.37.231[0.0.0.0]
May 13 03:53:41 raspberrypi charon: 09[IKE] CHILD_SA ios{1} established with SPIs cdcbe627_i 09ea835d_o and TS 0.0.0.0/0 === 10.0.0.101/32

#3 Updated by Tobias Brunner 5 months ago

I tried running the following and this is what I get:

What are you trying to say? Did you read ForwardingAndSplitTunneling?

#4 Updated by Tobias Brunner 6 days ago

  • Category set to configuration
  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No feedback
