
My server:

eth0: public ip 35.35.35.35

eth1: 10.50.0.1 subnet 10.50.0.0/22

Server ipsec.conf:

```
config setup
    charondebug="2"
    uniqueids=no
conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@example.com
    leftcert=example.com.cer
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.50.4.0/24
    rightdns=10.50.1.1,10.50.1.2
    rightsendcert=never
    eap_identity=%identity
```

The client ipsec.conf:

```
config setup

conn cicg
    type=tunnel
    fragmentation=yes
    forceencaps=yes
    keyexchange=ikev2
    dpdaction=clear
    dpddelay=300s
    rekey=no
    auto=add
    leftauth=eap-mschapv2
    left=%defaultroute
    leftsourceip=%config4
    right=example.com
    rightauth=pubkey
    rightid=%any
    rightsubnet=10.50.0.0/22
    rightfirewall=yes
    eap_identity=test
```

The client connects to the VPN server successfully and gets the virtual IP 10.50.4.1.

iptables rules:

```
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -i eth1 -j ACCEPT

# Accept incoming packets from the WAN if the router initiated
# the connection
sudo iptables -A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Forward LAN packets to the WAN
sudo iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# Forward WAN packets to the LAN if the LAN initiated the
# connection
sudo iptables -A FORWARD -i eth0 -o eth1 -m conntrack \
    --ctstate ESTABLISHED,RELATED -j ACCEPT

# NAT traffic going out the WAN interface
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

sudo iptables -A FORWARD --match policy --pol ipsec --dir in  --proto esp -s 10.50.4.0/24 -j ACCEPT
sudo iptables -A FORWARD --match policy --pol ipsec --dir out --proto esp -d 10.50.4.0/24 -j ACCEPT

sudo iptables -t nat -A POSTROUTING -s 10.50.4.0/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 10.50.4.0/24 -o eth0 -j MASQUERADE

sudo iptables -t mangle -A FORWARD --match policy --pol ipsec --dir in -s 10.50.4.0/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
```

The client can access the server's local subnet 10.50.0.0/22, but from the server I can't access the client IP 10.50.4.1.

How can I access the client by its virtual IP?

Jie Ma
  • Any NAT rules on the server? If so, make sure you exclude IPsec traffic from that (see [here](https://docs.strongswan.org/docs/5.9/howtos/forwarding.html#_general_nat_problems)). – ecdsa Jun 29 '22 at 13:42
  • Thank you for the reply, I have updated my iptables rules – Jie Ma Jun 30 '22 at 03:42
  • As I said, you need to exclude IPsec traffic from your MASQUERADE rule (not the one specific to virtual IPs but the generic one, so you have to insert a similar ACCEPT rule before that). – ecdsa Jun 30 '22 at 07:04
  • My top 2 POSTROUTING rule is -s 10.50.4.0/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT and -s 10.50.4.0/24 -o eth0 -j MASQUERADE – Jie Ma Jun 30 '22 at 15:16
  • As I said, it's not about those rules but the other one. – ecdsa Jul 01 '22 at 06:27
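The nat POSTROUTING ordering that ecdsa's comments describe, as an added example that is not code from the question or from strongSwan's documentation: the generic exclusion for IPsec-policy traffic goes before the generic MASQUERADE, and a small checker reads iptables-save style lines and flags a MASQUERADE rule that no exclusion covers. It assumes eth0 is the WAN interface as in the question; the sample rule listings are constructed.

```shell
#!/bin/sh
# Added example (not from the question or strongSwan docs).
# Assumes eth0 is the WAN interface and an empty nat POSTROUTING chain.

# apply_nat_rules: corrected order. Traffic that an IPsec policy will
# protect (replies from 10.50.0.0/22 to the client's virtual IP) is
# accepted before the generic MASQUERADE can rewrite its source.
apply_nat_rules() {
    iptables -t nat -A POSTROUTING -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
}

# check_postrouting IFACE: reads iptables-save lines on stdin and exits 0
# when every MASQUERADE on IFACE is preceded by an ipsec/dir-out ACCEPT on
# the same interface that has no -s restriction (or the same -s), else 1.
check_postrouting() {
    awk -v iface="$1" '
        function opt(line, name,    n, i, a) {
            n = split(line, a, " ")
            for (i = 1; i < n; i++) if (a[i] == name) return a[i + 1]
            return ""
        }
        BEGIN { bad = 0 }
        !/^-A POSTROUTING / { next }
        opt($0, "-o") != iface { next }
        /--pol ipsec/ && /--dir out/ && /-j ACCEPT/ {
            src = opt($0, "-s")
            if (src == "") excl_any = 1; else excl_src[src] = 1
            next
        }
        /-j MASQUERADE/ {
            src = opt($0, "-s")
            if (!excl_any && !(src in excl_src)) bad = 1
        }
        END { exit bad }
    '
}

# Constructed iptables-save excerpts: the order from the question (the
# generic MASQUERADE comes first) and the order with the generic exclusion
# inserted ahead of it.
QUESTION_RULES='-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.50.4.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.50.4.0/24 -o eth0 -j MASQUERADE'
FIXED_RULES='-A POSTROUTING -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'
```

On a live server, `iptables-save -t nat | check_postrouting eth0` runs the same check against the real chain.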
