
Issue #3552

Internet disconnects once VPN is established

Added by Sudeep Kote about 2 months ago. Updated about 2 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
-
Category:
-
Affected version:
5.8.2
Resolution:

Description

Hello All,

I have set up and configured a strongSwan VPN server on a Google Cloud Compute Engine instance for our road-warrior laptop clients; all laptops have Ubuntu installed. The VPN is working fine and users are able to connect, but once they are connected to the VPN the Internet stops working. Could you please help me with how to make this work?

Server configuration:

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=(Server Public IP)
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=10.160.0.0/0
    leftfirewall=yes
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    eap_identity=%identity
    ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!

Client configuration:

config setup

conn ikev2-rw
    right=x.x.x.x
    # This should match the `leftid` value on your server's configuration
    rightid=x.x.x.x
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    leftsourceip=%config
    leftid=test
    leftauth=eap-mschapv2
    eap_identity=%identity
    leftfirewall=yes
    auto=start

History

#2 Updated by Tobias Brunner about 2 months ago

  • Status changed from New to Feedback

VPN is working fine and users can able to connect VPN but once they connected VPN Internet is stop working.

What exactly does that mean? Stop working how?

Did you follow that tutorial to the end? (Including the firewall/forwarding section?) Also see ForwardingAndSplitTunneling.

#3 Updated by Sudeep Kote about 2 months ago

Yes, the internet stops working, I can't browse anything. I don't know where I missed something.
I enabled port forwarding on the Google Cloud instance (VPN server) and allowed UDP ports 500 and 4500 and the ESP and ICMP protocols on the Google Cloud firewall. Ubuntu OS is installed on all laptops. Please help me to resolve this.

VPN server configuration:

Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
500,4500/udp               ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)

=============================================

Chain ufw-before-forward (1 references)
target            prot opt source          destination
ACCEPT            all  --  10.10.10.0/24   anywhere        policy match dir in pol ipsec proto esp
ACCEPT            all  --  anywhere        10.10.10.0/24   policy match dir out pol ipsec proto esp
ACCEPT            all  --  anywhere        anywhere        ctstate RELATED,ESTABLISHED
ACCEPT            icmp --  anywhere        anywhere        icmp destination-unreachable
ACCEPT            icmp --  anywhere        anywhere        icmp time-exceeded
ACCEPT            icmp --  anywhere        anywhere        icmp parameter-problem
ACCEPT            icmp --  anywhere        anywhere        icmp echo-request
ufw-user-forward  all  --  anywhere        anywhere

===============================

sysctl net.ipv4.ip_forward=1

#4 Updated by Tobias Brunner about 2 months ago

You need to NAT traffic from the virtual IPs you assign to clients (the 10.10.10.0/24 subnet) to the IP of your server (just like the tutorial and our wiki page explain).

#5 Updated by Sudeep Kote about 2 months ago

Hi, I followed the same reference document.
I noticed that when I connect via mobile data, the internet works;
when I switch to my broadband router, I am only able to connect to my servers but I can't browse the internet.
I am facing this issue only on Ubuntu systems; Windows systems are working fine. Please help me to resolve this.

==================================
UFW configuration: /etc/ufw/before.rules

*nat
-A POSTROUTING -s 10.10.10.0/24 -o ens4 -m policy --pol ipsec --dir out -j ACCEPT
-A POSTROUTING -s 10.10.10.0/24 -o ens4 -j MASQUERADE
COMMIT

*mangle
-A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0/24 -o ens4 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT

*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]

-A ufw-before-forward --match policy --pol ipsec --dir in --proto esp -s 10.10.10.0/24 -j ACCEPT
-A ufw-before-forward --match policy --pol ipsec --dir out --proto esp -d 10.10.10.0/24 -j ACCEPT

# End required lines
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

======

/etc/ufw/sysctl.conf

net/ipv4/ip_forward=1
net/ipv4/conf/all/accept_redirects=0
net/ipv4/conf/all/send_redirects=0
net/ipv4/conf/default/accept_redirects=0
net/ipv6/conf/all/accept_redirects=0
net/ipv6/conf/default/accept_redirects=0
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/icmp_ignore_bogus_error_responses=1
net/ipv4/icmp_echo_ignore_all=0
net/ipv4/conf/all/log_martians=0
net/ipv4/conf/default/log_martians=0
net/ipv4/ip_no_pmtu_disc=1
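As an added example (not part of this issue and not strongSwan project code), the following Python script checks an iptables-restore style ruleset such as the before.rules fragment above for the pieces that make Internet access through a road-warrior gateway work: the MASQUERADE that comment #4 asks for (NAT from the virtual IP pool to the server's address on the egress interface), the `-m policy --pol ipsec --dir out -j ACCEPT` rule that must sit in front of it so that traffic still to be encrypted is not NATed, the two ESP policy accepts in the forward chain, the MSS clamp, and the ip_forward sysctl in either dotted or ufw's slash-separated spelling. The sample ruleset and sysctl fragment are constructed to mirror what was posted (10.10.10.0/24, ens4); the function names and finding messages are mine.

```python
"""Check an iptables-restore style ruleset (the format of /etc/ufw/before.rules) for the
NAT and forwarding rules a strongSwan road-warrior gateway needs. Added example."""
import shlex
from dataclasses import dataclass

# Constructed sample modelled on the before.rules fragment in this issue
# (virtual IP pool 10.10.10.0/24, egress interface ens4).
SAMPLE_RULES = """\
*nat
-A POSTROUTING -s 10.10.10.0/24 -o ens4 -m policy --pol ipsec --dir out -j ACCEPT
-A POSTROUTING -s 10.10.10.0/24 -o ens4 -j MASQUERADE
COMMIT
*mangle
-A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0/24 -o ens4 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT
*filter
:ufw-before-forward - [0:0]
-A ufw-before-forward --match policy --pol ipsec --dir in --proto esp -s 10.10.10.0/24 -j ACCEPT
-A ufw-before-forward --match policy --pol ipsec --dir out --proto esp -d 10.10.10.0/24 -j ACCEPT
COMMIT
"""
SAMPLE_SYSCTL = "net/ipv4/ip_forward=1\nnet/ipv4/conf/all/accept_redirects=0\n"  # constructed, ufw spelling

@dataclass
class Rule:
    table: str
    chain: str
    args: list  # tokens after "-A <chain>"

    def value(self, *flags):
        """Token following the first occurrence of any given flag, or None."""
        for i, tok in enumerate(self.args[:-1]):
            if tok in flags:
                return self.args[i + 1]
        return None

    def modules(self):
        """Match extensions loaded with -m / --match."""
        return {self.args[i + 1] for i, tok in enumerate(self.args[:-1])
                if tok in ("-m", "--match")}

def parse_rules(text):
    """Collect -A rules with their table; ':chain' lines and COMMIT carry no rule."""
    table, rules = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(("-A ", "--append ")):
            toks = shlex.split(line)
            rules.append(Rule(table, toks[1], toks[2:]))
    return rules

def ip_forward_enabled(sysctl_text):
    """Accept both 'net.ipv4.ip_forward=1' and ufw's 'net/ipv4/ip_forward=1'."""
    for line in sysctl_text.splitlines():
        key, _, val = line.partition("=")
        if key.strip().replace("/", ".") == "net.ipv4.ip_forward":
            return val.strip() == "1"
    return False

def audit(text, client_subnet, egress_if):
    """Return findings; an empty list means every expected rule is present."""
    rules, findings = parse_rules(text), []
    post = [r for r in rules if r.table == "nat" and r.chain == "POSTROUTING"]
    masq = [i for i, r in enumerate(post) if r.value("-j", "--jump") == "MASQUERADE"
            and r.value("-s", "--source") == client_subnet
            and r.value("-o", "--out-interface") == egress_if]
    if not masq:
        findings.append(f"nat/POSTROUTING: no MASQUERADE for {client_subnet} via {egress_if}; client packets leave with a virtual IP the Internet cannot route back")
    # Traffic that is still to be encrypted on the way out (e.g. client-to-client) must be exempted from NAT first.
    exempt = [i for i, r in enumerate(post) if "policy" in r.modules()
              and r.value("--pol") == "ipsec" and r.value("--dir") == "out"
              and r.value("-j", "--jump") == "ACCEPT"
              and r.value("-s", "--source") == client_subnet]
    if masq and (not exempt or exempt[0] > masq[0]):
        findings.append("nat/POSTROUTING: '-m policy --pol ipsec --dir out -j ACCEPT' must precede MASQUERADE, otherwise tunnelled traffic is NATed too")
    fwd = [r for r in rules if r.table == "filter"
           and r.chain in ("FORWARD", "ufw-before-forward")]
    def esp_accept(direction, addr_flags):
        return any("policy" in r.modules() and r.value("--pol") == "ipsec"
                   and r.value("--dir") == direction
                   and r.value("--proto", "--protocol") == "esp"
                   and r.value(*addr_flags) == client_subnet
                   and r.value("-j", "--jump") == "ACCEPT" for r in fwd)
    if not esp_accept("in", ("-s", "--source")):
        findings.append("filter/forward: no ACCEPT for decrypted client traffic (--dir in)")
    if not esp_accept("out", ("-d", "--destination")):
        findings.append("filter/forward: no ACCEPT for traffic to be encrypted to clients (--dir out)")
    if not any(r.table == "mangle" and r.chain == "FORWARD" and r.value("--set-mss")
               and r.value("-j", "--jump") == "TCPMSS" for r in rules):
        findings.append("mangle/FORWARD: no TCPMSS clamp; oversized TCP segments may be dropped once ESP/UDP encapsulation exceeds the path MTU")
    return findings
```

Run `audit(open("/etc/ufw/before.rules").read(), "10.10.10.0/24", "ens4")` on the gateway and an empty list means the rules match what the thread calls for; each finding names the table and chain to fix. The ordering check is the one people most often get wrong: if MASQUERADE comes first, packets that should leave the box inside another IPsec tunnel are rewritten to the server address and no longer match the outbound policy.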
