Strongswan VPN of openvz cannot connect to internet
Forgive me for my bad English.
I set up a strongSwan VPN on an OpenVZ VPS.
I can connect to the VPN and visit the web site of the VPS, but when connected to the VPN I cannot reach the internet. May I ask where my mistake is, please?
TUN is enabled on the VPS. My ipsec.conf:
# ipsec.conf - strongSwan IPsec configuration file

# ipsec.secrets
#
# This file holds the RSA private keys or the PSK preshared secrets for
# the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.
: PSK "111"
user : XAUTH "222"

# strongswan.conf - strongSwan configuration file
threads = 16
duplicheck.enable = no
install_virtual_ip = yes
i_dont_care_about_security_and_use_aggressive_mode_psk = yes
dns1 = 126.96.36.199
dns2 = 188.8.131.52
# for Windows only
nbns1 = 184.108.40.206
nbns2 = 220.127.116.11
time_format = %b %e %T
default = 2
append = no
flush_line = yes

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

# accept IKE (UDP 500) and NAT-T (UDP 4500) from clients
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
# rewrite the source address of forwarded packets to the public address of the VPS
iptables -t nat -A POSTROUTING -j SNAT --to-source (my vps ip address)
# let packets from the client virtual IP pool be forwarded
iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
exit 0
#1 Updated by ValdikSS about 6 years ago
I can confirm this issue. The tunnel itself is working properly: you can ping the server from the client and the client from the server, but neither SNAT nor MASQUERADE works.
I assume that this happens because of the venet OpenVZ interface.
Here is exactly the same issue on the strongswan maillist
I'll check whether it works with Openswan or Libreswan, but I suppose it's an OpenVZ issue.
#2 Updated by Tony Zhou about 6 years ago
I can confirm this issue too. For IKEv1/IKEv2 neither SNAT nor MASQUERADE works.
L2TP/IPSec works fine under this scenario though.
Plus, kernel-libipsec works fine under OpenVZ for IKEv1/IKEv2, but fails for L2TP/IPsec, because transport mode is unsupported by libipsec.
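The two pieces the thread so far points at are the NAT/forwarding rules in the original rc.local and the kernel-libipsec backend that the previous comment reports as working on OpenVZ. The script below is an added example, not code from the original poster or from the strongSwan project: it puts the rc.local rules into a scoped form (SNAT limited to the client pool and the uplink instead of every packet the host sends, and return traffic forwarded only for flows the pool opened), verifies that IP forwarding actually took effect, and emits the strongswan.conf fragment that switches charon to kernel-libipsec. Assumed values, all labelled in the code: client pool 10.0.0.0/24, uplink interface venet0, public address 203.0.113.10 (documentation range), and a strongSwan build with `--enable-kernel-libipsec`. Note that on venet the native-kernel case still fails as the thread describes; the rules help once kernel-libipsec is in use, because decrypted client packets then arrive on the ipsec0 TUN device as plain IP and ordinary SNAT on the uplink applies to them.

```shell
#!/bin/sh
# Added example, not code from the original post or from strongSwan.
# Assumptions (labelled): client pool 10.0.0.0/24, uplink interface venet0,
# public address 203.0.113.10 (documentation range), strongSwan built with
# --enable-kernel-libipsec so the kernel-libipsec plugin is available.

# Execute a command, or only print it when DRY_RUN=1, so the rule set can be
# reviewed on a workstation without root.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# apply_vpn_nat POOL WAN_IF PUBLIC_IP
# Same intent as the rc.local in the post, but scoped: SNAT rewrites only
# packets from the client pool that leave via the uplink, and replies are
# forwarded back to the pool only for established/related flows.
apply_vpn_nat() {
    pool=$1; wan=$2; pub=$3
    run iptables -A INPUT -p udp --dport 500 -j ACCEPT    # IKE
    run iptables -A INPUT -p udp --dport 4500 -j ACCEPT   # IKE and ESP over NAT-T
    run iptables -A INPUT -p esp -j ACCEPT                # ESP when no NAT-T is in use
    run iptables -A FORWARD -s "$pool" -o "$wan" -j ACCEPT
    run iptables -A FORWARD -d "$pool" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$pool" -o "$wan" -j SNAT --to-source "$pub"
}

# enable_ip_forward [SYSCTL_FILE]
# Turns forwarding on and reads the value back; inside a container the file
# may be read-only, in which case this returns non-zero instead of silently
# leaving forwarding off.
enable_ip_forward() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    echo 1 > "$f" 2>/dev/null || return 1
    [ "$(cat "$f")" = 1 ]
}

# libipsec_conf
# strongswan.conf fragment that makes charon use the userland kernel-libipsec
# backend instead of the kernel IPsec stack (the setup comment #2 reports as
# working on OpenVZ). Append it to strongswan.conf and restart strongSwan.
libipsec_conf() {
    cat <<'EOF'
charon {
    plugins {
        kernel-libipsec {
            load = yes
        }
    }
}
EOF
}

# Usage (review first, then apply as root):
#   DRY_RUN=1 sh -c '. ./vpn-nat.sh; apply_vpn_nat 10.0.0.0/24 venet0 203.0.113.10'
#   sh -c '. ./vpn-nat.sh; apply_vpn_nat 10.0.0.0/24 venet0 203.0.113.10 && enable_ip_forward'
#   sh -c '. ./vpn-nat.sh; libipsec_conf' >> /etc/strongswan.conf
```

The dry-run mode prints each iptables invocation as one line, which is the form to compare against `iptables -S` and `iptables -t nat -S` after applying, so a missing `-s`/`-o` scope shows up immediately. `enable_ip_forward` returning non-zero is the signal that the container does not let you flip the sysctl and the host side has to do it.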
#3 Updated by Test Acc almost 6 years ago
Has anybody tried this workaround: https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1309594/comments/8 ?
#4 Updated by Zesen Qian almost 6 years ago
Hello, I can confirm this problem on OpenVZ-2.6.32-042stab093.5 and strongSwan 5.2.1. Details are on the strongSwan list [1]. I will try the workaround suggested by Test Acc tonight, and report if it's not working.
OK, I've tried the workaround given by Test Acc, and unfortunately it doesn't work. I'll try the same setup on Xen/KVM and report if that doesn't work either.