Issue #592

Strongswan VPN of openvz cannot connect to internet

Added by fa cai about 5 years ago. Updated 11 days ago.

Status: Closed
Priority: Normal
Assignee: -
Category: -
Affected version: 5.1.3
Resolution: No change required

Description

Forgive me for my bad English.
I set up a strongSwan VPN on an OpenVZ VPS.
When connected to the VPN I can visit the web server of the VPS, but I cannot reach the internet through the VPN. May I ask where my mistake is, please?

TUN on the VPS is enabled.

My ipsec.conf:

    # ipsec.conf - strongSwan IPsec configuration file

    config setup
        uniqueids=never

    conn %default
        #rekey=yes
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        right=%any
        dpddelay=300s
        dpdtimeout=1h
        dpdaction=clear
        auto=add

    conn ikecommon
        rightsourceip=10.0.0.0/24
        #modeconfig=push
        #esp=aes128-sha1-modp2048
        compress=yes

    conn ikev1pskaggressive
        aggressive=yes
        #type=tunnel
        also=ikev1psk

    conn ikev1psk
        #authby=xauthpsk
        leftauth=psk
        rightauth=psk
        rightauth2=xauth
        #xauth=server
        also=ikev1

    conn ikev1
        keyexchange=ikev1
        #ikelifetime=60m
        #keylife=20m
        #rekeymargin=3m
        #keyingtries=3
        also=ikecommon

    conn L2TP-PSK-NAT
        leftfirewall=yes
        rightfirewall=yes
        also=L2TP-PSK-noNAT

    conn L2TP-PSK-noNAT
        keyexchange=ikev1
        type=transport
        authby=psk
        keyingtries=3
        rekey=no
        leftprotoport=17/1701
        rightprotoport=17/%any
        ike="aes256-sha1-modp2048!"
        esp="aes-sha1!"

My ipsec.secrets:

    # ipsec.secrets
    #
    # This file holds the RSA private keys or the PSK preshared secrets for
    # the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.

    : PSK "111"
    user : XAUTH "222"

My strongswan.conf:

    # strongswan.conf - strongSwan configuration file

    charon {
        threads = 16

        duplicheck.enable = no
        install_virtual_ip = yes
        i_dont_care_about_security_and_use_aggressive_mode_psk = yes
        dns1 = 8.8.8.8
        dns2 = 8.8.4.4
        # for Windows only
        nbns1 = 8.8.8.8
        nbns2 = 8.8.4.4

        filelog {
            /var/log/strongswan.charon.log {
                time_format = %b %e %T
                default = 2
                append = no
                flush_line = yes
            }
        }
    }
My rc.local:

    #!/bin/sh -e
    #
    # rc.local
    #
    # This script is executed at the end of each multiuser runlevel.
    # Make sure that the script will "exit 0" on success or any other
    # value on error.
    #
    # In order to enable or disable this script just change the execution
    # bits.
    #
    # By default this script does nothing.

    # accept IKE (500/udp) and NAT-T (4500/udp)
    iptables -A INPUT -p udp --dport 500 -j ACCEPT
    iptables -A INPUT -p udp --dport 4500 -j ACCEPT
    # rewrite outgoing traffic to the public address of the VPS
    iptables -t nat -A POSTROUTING -j SNAT --to-source (my vps ip address)
    # forward traffic from the virtual IP pool handed out by rightsourceip
    iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
    echo 1 > /proc/sys/net/ipv4/ip_forward
    /usr/local/sbin/ipsec restart
    exit 0

History

#1 Updated by ValdikSS ValdikSS almost 5 years ago

I can confirm this issue. The tunnel itself is working properly: you can ping the server from the client and the client from the server, but neither SNAT nor MASQUERADE works.

I assume that happens because of the venet OpenVZ interface.

Here is exactly the same issue on the strongSwan mailing list:
https://lists.strongswan.org/pipermail/users/2014-February/005822.html

I'll check if it's working with OpenSwan or LibreSwan, but I suppose it's OpenVZ issue.

#2 Updated by Tony Zhou almost 5 years ago

I can confirm this issue too. For IKEv1/IKEv2 neither SNAT nor MASQUERADE works.
L2TP/IPSec works fine under this scenario though.

Plus, kernel-libipsec works fine under OpenVZ for IKEv1/IKEv2, but fails for L2TP/IPSec, due to the fact that transport mode is unsupported for libipsec.
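The kernel-libipsec setup that the comment above reports as working under OpenVZ, written out as an added strongswan.conf fragment (example configuration, not the reporter's or the commenter's file). It assumes a strongSwan build with the plugin compiled in; with the userland backend active, decrypted tunnel-mode packets arrive on a TUN device (ipsec0 by default) instead of being injected by the kernel's XFRM layer, so they pass through FORWARD and the nat table like any other forwarded traffic.

```conf
# strongswan.conf - added example: switch charon to the userland IPsec backend
charon {
    plugins {
        kernel-libipsec {
            # requires strongSwan built with --enable-kernel-libipsec;
            # kernel-netlink stays loaded, since libipsec does not install routes
            load = yes
        }
    }
}
```

With this in place the SNAT rule from rc.local applies as on any other host; limiting it with `-s 10.0.0.0/24 -o venet0` (assuming venet0 is the VPS egress interface) keeps it from rewriting the VPS's own traffic. The transport-mode L2TP/IPsec conns from the report stop working with this backend, as the comment notes.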

#4 Updated by Zesen Qian over 4 years ago

Hello, I can confirm this problem on OpenVZ-2.6.32-042stab093.5 and strongSwan 5.2.1. Details are on the strongSwan list [1]. I will try the workaround suggested by Test Acc tonight, and report if it's not working.

[Update]
OK, I've tried the workaround given by Test Acc, and unfortunately it doesn't work. I'll try the same setup on Xen/KVM and report if that doesn't work either.

[1] https://lists.strongswan.org/pipermail/users/2014-December/007228.html

#5 Updated by Noel Kuntze 11 days ago

  • Status changed from New to Closed
  • Resolution set to No change required
