Issue #592
strongSwan VPN on OpenVZ cannot connect to the internet
Description
Forgive me for my bad English.
I set up a strongSwan VPN on an OpenVZ VPS.
I can connect to the VPN and visit the web server on the VPS, but when connected to the VPN I cannot reach the internet. May I ask where my mistake is, please?
TUN on the VPS is enabled.
My ipsec.conf:
# ipsec.conf - strongSwan IPsec configuration file

config setup
    uniqueids=never

# defaults inherited by every conn below
conn %default
    #rekey=yes
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    right=%any
    dpddelay=300s
    dpdtimeout=1h
    dpdaction=clear
    auto=add

# virtual IP pool handed out to road-warrior clients
conn ikecommon
    rightsourceip=10.0.0.0/24
    #modeconfig=push
    #esp=aes128-sha1-modp2048
    compress=yes

# IKEv1 aggressive mode with PSK; charon only allows this with
# i_dont_care_about_security_and_use_aggressive_mode_psk set in strongswan.conf
conn ikev1pskaggressive
    aggressive=yes
    #type=tunnel
    also=ikev1psk

# PSK plus XAuth username/password authentication
conn ikev1psk
    #authby=xauthpsk
    leftauth=psk
    rightauth=psk
    rightauth2=xauth
    #xauth=server
    also=ikev1

conn ikev1
    keyexchange=ikev1
    #ikelifetime=60m
    #keylife=20m
    #rekeymargin=3m
    #keyingtries=3
    also=ikecommon

conn L2TP-PSK-NAT
    leftfirewall=yes
    rightfirewall=yes
    also=L2TP-PSK-noNAT

# L2TP/IPsec: transport mode protecting UDP 1701
conn L2TP-PSK-noNAT
    keyexchange=ikev1
    type=transport
    authby=psk
    keyingtries=3
    rekey=no
    leftprotoport=17/1701
    rightprotoport=17/%any
    ike="aes256-sha1-modp2048!"
    esp="aes-sha1!"
My ipsec.secrets:
# ipsec.secrets
#
# This file holds the RSA private keys or the PSK preshared secrets for
# the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.
#
# group PSK shared by all IKEv1 clients
: PSK "111"
# XAuth username/password pair
user : XAUTH "222"
My strongswan.conf:
# strongswan.conf - strongSwan configuration file

charon {
    threads = 16
    duplicheck.enable = no
    install_virtual_ip = yes
    # required for conn ikev1pskaggressive (IKEv1 aggressive mode with PSK)
    i_dont_care_about_security_and_use_aggressive_mode_psk = yes
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    # for Windows only
    nbns1 = 8.8.8.8
    nbns2 = 8.8.4.4
    filelog {
        /var/log/strongswan.charon.log {
            time_format = %b %e %T
            default = 2
            append = no
            flush_line = yes
        }
    }
}
My rc.local:
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

# IKE and NAT-T (UDP-encapsulated ESP)
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
# SNAT every packet leaving the host to the VPS address
iptables -t nat -A POSTROUTING -j SNAT --to-source (my vps ip address)
# forward traffic coming from the VPN pool
iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
/usr/local/sbin/ipsec restart

exit 0
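The firewall part of the rc.local above, as an added example (not the reporter's script and not strongSwan project code): the same rules, but with the SNAT scoped to the VPN pool and the egress interface, an exemption for packets that will still be IPsec-protected when they leave, ESP accepted for clients that are not behind NAT, and forwarding limited to packets that actually arrived through an IPsec SA. The interface name venet0 and the address 192.0.2.10 are placeholders (assumptions); set WAN_IF and WAN_IP to the real values. Comment #1 below reports that on OpenVZ venet neither SNAT nor MASQUERADE takes effect at all, so this addresses the over-broad NAT rule and the spoofing gap in the posted script, not the venet problem itself.

```shell
#!/bin/sh
# Added example (not the issue's rc.local): firewall rules for a strongSwan
# road-warrior server that assigns 10.0.0.0/24 and SNATs client traffic.
# WAN_IF and WAN_IP are assumptions: 192.0.2.10 is an RFC 5737 documentation
# address and venet0 the usual OpenVZ interface name. Override via environment.
set -eu

VPN_NET="${VPN_NET:-10.0.0.0/24}"
WAN_IF="${WAN_IF:-venet0}"
WAN_IP="${WAN_IP:-192.0.2.10}"
DRY_RUN=1   # 1 prints the iptables commands, 0 executes them ("apply")

# Run or print one iptables command, depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Emit the rule set. Compared with the posted rc.local:
#  - ESP (protocol 50) is accepted for clients that are not behind NAT;
#  - FORWARD only accepts packets from the pool that were decapsulated from
#    an IPsec SA (--dir in --pol ipsec), so plaintext packets arriving from
#    the internet with a spoofed 10.0.0.x source are not forwarded, and
#    return traffic is only let through when it will be encrypted towards a
#    client (--dir out --pol ipsec);
#  - packets that will still be IPsec-protected when they leave are excluded
#    from NAT before the SNAT rule, so client-to-client traffic keeps its
#    source address;
#  - SNAT is limited to the pool and to the egress interface instead of
#    rewriting every packet that leaves the host.
vpn_rules() {
    ipt -A INPUT -p udp --dport 500 -j ACCEPT
    ipt -A INPUT -p udp --dport 4500 -j ACCEPT
    ipt -A INPUT -p esp -j ACCEPT
    ipt -A FORWARD -s "$VPN_NET" -m policy --dir in --pol ipsec -j ACCEPT
    ipt -A FORWARD -d "$VPN_NET" -m policy --dir out --pol ipsec -j ACCEPT
    ipt -t nat -A POSTROUTING -s "$VPN_NET" -m policy --dir out --pol ipsec -j ACCEPT
    ipt -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
}

# Equivalent of the posted 'echo 1 > /proc/sys/net/ipv4/ip_forward'.
enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then
        echo 'sysctl -w net.ipv4.ip_forward=1'
    else
        sysctl -w net.ipv4.ip_forward=1
    fi
}

# Number of iptables rules the script installs (sanity check for dry runs).
rule_count() {
    vpn_rules | wc -l | tr -d ' '
}

if [ "${1:-}" = apply ]; then
    DRY_RUN=0
fi
enable_forwarding
vpn_rules
```

Run it without arguments to print the commands it would issue; `apply` executes them and must run as root. The `-m policy` match needs the xt_policy module, so check that it loads on the target kernel before relying on it.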
History
#1 Updated by ValdikSS over 6 years ago
I can confirm this issue. The tunnel itself is working properly: you can ping the server from the client and the client from the server, but neither SNAT nor MASQUERADE works.
I assume that happens because of the venet OpenVZ interface.
Here is exactly the same issue on the strongSwan mailing list:
https://lists.strongswan.org/pipermail/users/2014-February/005822.html
I'll check if it's working with Openswan or Libreswan, but I suppose it's an OpenVZ issue.
#2 Updated by Tony Zhou over 6 years ago
I can confirm this issue too. For IKEv1/IKEv2, neither SNAT nor MASQUERADE works.
L2TP/IPsec works fine in this scenario, though.
Also, kernel-libipsec works fine under OpenVZ for IKEv1/IKEv2, but fails for L2TP/IPsec, because transport mode is unsupported by libipsec.
#3 Updated by Test Acc about 6 years ago
Has anybody tried this workaround: https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1309594/comments/8 ?
#4 Updated by Zesen Qian about 6 years ago
Hello, I can confirm this problem on OpenVZ-2.6.32-042stab093.5 and strongSwan 5.2.1. Details are on the strongSwan list [1]. I will try the workaround suggested by Test Acc tonight, and report if it's not working.
[Update]
OK, I've tried the workaround given by Test Acc, and unfortunately it doesn't work. I'll try the same setup on Xen/KVM and report if that doesn't work either.
[1] https://lists.strongswan.org/pipermail/users/2014-December/007228.html
#5 Updated by Noel Kuntze over 1 year ago
- Status changed from New to Closed
- Resolution set to No change required