
Issue #3462

Updated by Tobias Brunner 5 months ago

Client config: strongswan 5.5.3 on openwrt LEDE X86_64. Official firmware and official software.

ipsec.conf:
<pre>
conn test
keyexchange=ikev2
ike=aes256-sha1-modp2048!
esp=aes256-sha1!
right=mydomain
rightid=mydomain
rightsubnet=0.0.0.0/0
rightauth=pubkey
leftsourceip=%config
leftsendcert=never
leftauth=eap-mschapv2
eap_identity=user1
auto=start
</pre>


I can see that it's connected after the command "ipsec up test" because of the last message:
<pre>
authentication of 'mydomain' with EAP successful
IKE_SA test[4] established between 192.168.0.84[192.168.0.84]...103.60.20.9[mydomain]
installing DNS server 8.8.8.8 to /etc/resolv.conf
installing DNS server 8.8.4.4 to /etc/resolv.conf
installing new virtual IP 10.31.2.1
CHILD_SA test{4} established with SPIs cd30257a_i c0bd2c25_o and TS 10.31.2.1/32 === 0.0.0.0/0
connection 'test' established successfully
</pre>


Also I can ping 10.31.2.1 from server side.

But the thing is: the client couldn't go through the VPN connection. When I traceroute 8.8.8.8:
<pre>
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 46 byte packets
1 192.168.0.253 (192.168.0.253) 0.586 ms 0.848 ms 0.541 ms
2 lo100.sglebbras11.nw.aapt.net.au (210.8.1.230) 3.294 ms 3.105 ms 2.974 ms
3 203.131.58.40 (203.131.58.40) 3.155 ms 3.122 ms 2.963 ms
4 bu8.sglebbrdr11.aapt.net.au (202.10.14.27) 3.703 ms 3.677 ms 3.448 ms
5 syd-gls-har-wgw1-be-30.tpgi.com.au (203.219.107.197) 4.073 ms 3.665 ms 4.021 ms
6 syd-apt-ros-cdn11-be200.tpgi.com.au (203.29.134.125) 3.515 ms 203.29.134-61.tpgi.com.au (203.29.134.61) 3.742 ms 3.754 ms
7 209.85.149.84 (209.85.149.84) 3.872 ms 12.335 ms 5.004 ms
8 108.170.247.65 (108.170.247.65) 3.880 ms 108.170.247.81 (108.170.247.81) 4.414 ms 108.170.247.65 (108.170.247.65) 3.866 ms
9 209.85.250.139 (209.85.250.139) 4.082 ms 209.85.255.175 (209.85.255.175) 3.743 ms 209.85.255.165 (209.85.255.165) 3.979 ms
10 dns.google (8.8.8.8) 3.659 ms 4.332 ms 3.695 ms
</pre>


It doesn't go through 103.60.20.9.

Output of the command "route":
<pre>
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.0.253   0.0.0.0         UG    0      0        0 eth0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
192.168.0.253   *               255.255.255.255 UH    0      0        0 eth0
</pre>


No gateway is set up for 10.31.2.1.

I'm sure that my 3 servers are working because Windows, Mac and mobile clients can get connected and go through the VPN connection. There are small differences between the 3 servers, but they should be no problem:
server1: VPS in US. CentOS 6 with strongswan 5.6.0
server2: router in Sydney flashed with LEDE with strongswan 5.5.3. Behind NAT with UDP 500 and 4500 forwarded to it.
server3: router in Sydney flashed with openwrt 19.07.2 with strongswan 5.8.2. Main router with static IP 10.254.9.11/24, gw: 10.254.9.1. And DMZed to a public IP.

I also tested on 5.8.2 on client. Still the same problem.
So could you please have a look at this problem and tell me if I did something wrong. Thanks!
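A diagnostic in the same spirit, added here as an example and not part of the report or of strongSwan itself: strongSwan installs the routes for its virtual IP into routing table 220 rather than the main table, so the plain "route" output above cannot show them, and the decisive check is whether an outbound XFRM policy carrying the CHILD_SA's traffic selectors (10.31.2.1/32 === 0.0.0.0/0) covers the destination. The script parses constructed samples of "ip xfrm policy" and "ip route show table 220" output (addresses taken from the report, layout and priority values assumed) and reports which peer, if any, would carry traffic to 8.8.8.8.

```python
import ipaddress
import re

# Constructed sample of `ip xfrm policy` output, shaped like the policies strongSwan
# installs for a CHILD_SA with TS 10.31.2.1/32 === 0.0.0.0/0 (layout/priority assumed).
SAMPLE_XFRM_POLICY = """\
src 10.31.2.1/32 dst 0.0.0.0/0
    dir out priority 375423 ptype main
    tmpl src 192.168.0.84 dst 103.60.20.9
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 10.31.2.1/32
    dir in priority 375423 ptype main
    tmpl src 103.60.20.9 dst 192.168.0.84
        proto esp reqid 1 mode tunnel
"""
# Constructed sample of `ip route show table 220`; plain `route` only lists the main table.
SAMPLE_TABLE_220 = "default via 192.168.0.253 dev eth0 proto static src 10.31.2.1\n"

def parse_policies(text):
    """Return (src_net, dst_net, direction, tunnel_peer) for each policy block."""
    policies = []
    for block in re.split(r"\n(?=src )", text.strip()):
        head = re.match(r"src (\S+) dst (\S+)", block)
        direction = re.search(r"\bdir (\w+)", block)
        tmpl = re.search(r"tmpl src \S+ dst (\S+)", block)
        if head and direction:
            policies.append((ipaddress.ip_network(head.group(1), strict=False),
                             ipaddress.ip_network(head.group(2), strict=False),
                             direction.group(1), tmpl.group(1) if tmpl else None))
    return policies

def outbound_peer(policy_text, src_ip, dst_ip):
    """Tunnel peer whose out-policy covers src->dst; None means the packet leaves in the clear."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_net, dst_net, direction, peer in parse_policies(policy_text):
        if direction == "out" and src in src_net and dst in dst_net:
            return peer
    return None

def table220_source(route_text, dst_ip):
    """Source address picked by the longest-matching table-220 route, or None if none matches."""
    dst, best = ipaddress.ip_address(dst_ip), None
    for line in route_text.splitlines():
        m = re.match(r"(\S+) .*\bsrc (\S+)", line)
        if m:
            net = ipaddress.ip_network("0.0.0.0/0" if m.group(1) == "default" else m.group(1), strict=False)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, m.group(2))
    return best[1] if best else None
```

On the client, feed it the live output of those two commands: if table220_source returns None, or outbound_peer returns None for the source it picks, packets to 8.8.8.8 are not being selected for the tunnel, which matches a traceroute that never passes the VPN peer.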
