I'm having problems using a VPN connection on Ubuntu, as a client. Works well on Windows. Ubuntu does not receive the route table...

Scenario:

Server: Centos 7 with Strongswan (Ipsec, IKEv2)

Static IP set to 10.0.77.1

/etc/sysconfig/network-scripts/ifcfg-eth0:0

DEVICE=eth0:0
BOOTPROTO=static
IPADDR=10.0.77.1
NETMASK=255.255.255.0

VPN config - ipsec.conf (only the main piece):

auto=add
compress=yes
type=tunnel
keyexchange=ikev2
ike=...
esp=...
fragmentation=yes
forceencaps=yes
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftid=@myserver.com
leftcert=fullchain.pem
leftsendcert=always
leftsubnet=10.0.77.0/24
leftsourceip=10.0.77.1/32
right=%any
rightid=%any
rightauth=eap-mschapv2
rightsourceip=10.0.77.2-10.0.77.9
rightdns=10.0.77.1
rightsendcert=never
eap_identity=%identity

So, the server is 10.0.77.1 and clients will receive an IP between 10.0.77.2 and 10.0.77.9 (same subnet).

Client: Windows 10

Native client, connects and pings 10.0.77.1 fine.

Route table:

      10.0.0.0        255.0.0.0      10.0.77.17     26
    10.0.77.17  255.255.255.255      10.0.77.17    281
10.255.255.255  255.255.255.255      10.0.77.17    281

Client: Ubuntu 20.04 with Strongswan installed

Can connect normally, but cannot ping 10.0.77.1 and has no route entries to 10.*

Any ideas? Thanks a lot.


Update

Not related to the route table. Thanks to @ecdsa: ip route list table 220


Solution

I realized that the problem was related to the server firewall. A single iptables rule fixed the problem:

iptables -I INPUT -m policy --pol ipsec --dir in -j ACCEPT

Arvy
  • Note that routes on Linux are installed in routing table 220 (use `ip route list table 220`). Also, log and config of the client might help. – ecdsa Sep 10 '20 at 07:34
  • `10.0.77.0/24 via 192.168.0.1 dev enp3s0 proto static src 10.0.77.18 192.168.0.0/24 dev enp3s0 proto static src 192.168.0.110` It's routing to my gateway... any ideas? – Arvy Sep 10 '20 at 21:50
  • When I stop iptables on the server, it works. Now I'm trying to figure out the rules that I need to insert and why it works on Windows and not on Ubuntu... – Arvy Sep 10 '20 at 23:15
  • Found a solution! `iptables -I INPUT -m policy --pol ipsec --dir in -j ACCEPT` This fixed the problem, even though I don't know exactly what it means (not an advanced iptables user) – Arvy Sep 10 '20 at 23:28

1 Answer

I realized that, when I stop iptables, it works.

After some hours trying, I found an iptables rule that fixed the problem:

iptables -I INPUT -m policy --pol ipsec --dir in -j ACCEPT

Now I can ping the host from Ubuntu and open TCP connections on the server.

Arvy
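What the rule in the answer does is let packets that strongSwan has just decapsulated from the tunnel (which re-enter INPUT as plain IP and would otherwise hit a catch-all REJECT) through, and whether it helps depends on it sitting above that REJECT. The script below is an added example, not code from the question or answer: it audits an iptables-save dump of the filter table for that rule and its position, using constructed rule sets rather than the real server's.

```shell
# Added example (not from the question/answer): audit an iptables-save dump for the
# INPUT rule the answer adds. Rule sets below are constructed, not the real server's.

# Before the fix: IKE (UDP 500/4500) and ESP get in, but packets strongSwan
# decapsulates from the tunnel re-enter INPUT as plain IP and hit the catch-all REJECT.
RULES_BEFORE='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# After the fix: "iptables -I INPUT ..." inserts the policy match at the top of INPUT.
RULES_AFTER='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Common mistake: -A instead of -I leaves the rule behind the REJECT, never matching.
RULES_SHADOWED='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p esp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m policy --dir in --pol ipsec -j ACCEPT
COMMIT'

# ipsec_input_state RULESET: prints "ok", "shadowed" or "missing" depending on
# whether an "-m policy --pol ipsec --dir in -j ACCEPT" rule exists in INPUT and
# precedes the chain's first unconditional DROP/REJECT rule.
ipsec_input_state() {
  printf '%s\n' "$1" | awk '
    /^-A INPUT / {
      n++
      if (!acc && /-m policy/ && /--pol ipsec/ && /--dir in/ && /-j ACCEPT/) acc = n
      if (!drop && /^-A INPUT -j (DROP|REJECT)/) drop = n
    }
    END {
      if (!acc) print "missing"; else if (drop && drop < acc) print "shadowed"; else print "ok"
    }'
}

# Live use on the server (needs root): ipsec_input_state "$(iptables-save -t filter)"
for name in BEFORE AFTER SHADOWED; do
  eval "rules=\$RULES_$name"
  printf '%-9s %s\n' "$name" "$(ipsec_input_state "$rules")"
done
```

On a real host, also confirm the tunnel is actually up (ipsec statusall) before blaming the firewall; the check only tells you whether decapsulated traffic can pass INPUT.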