Having trouble while setting VPN tunnel

Question

I want to setup VPN tunnel between hosts, such that their subnetworks can connect each other. Ex:-

DummyNetwork ---> PC1 (HOST A) ------------- PC2( HOST B)------ >DummyNetwork

PC1 IP address : 192.168.32.109 PC1 dummy network : 10.10.10.0/24

PC2 IP address : 192.168.32.110 PC2 dummy network : 20.20.20.0/24

PC 1

sudo modprobe dummy

sudo ip link set name eth10 dev dummy0

sudo ip addr add 10.10.10.1/24 brd + dev eth10 label eth10:0

sudo sysctl -w net.ipv4.ip_forward=1

sudo route add -net 20.20.20.0 netmask 255.255.255.0 gw 192.168.32.110 dev eno1

PC 2

sudo modprobe dummy

sudo ip link set name eth10 dev dummy0

sudo ip addr add 20.20.20.1/24 brd + dev eth10 label eth10:0

sudo sysctl -w net.ipv4.ip_forward=1

sudo route add -net 10.10.10.0 netmask 255.255.255.0 gw 192.168.32.109 dev eno1

After this run ping 10.10.10.1 from PC1 and ping 20.20.20.1 from PC2. ping runs fine here.

Setting up VPN

As I am worked on ubuntu 16.04 i.e I used strongswan for setting up vpn tunnel

Install strongswan on both hosts i.e A and B

Sudo apt-get install ipsec-tools strongswan-starter

PC1

Sudo gedit edit /etc/ipsec.conf

And copy below text in it.

conn red-to-blue

authby=secret

auto=route

keyexchange=ike

left=192.168.32.109

right=192.168.32.110

type=tunnel

esp=aes128gcm16!

sudo gedit /etc/ipsec.secrets

And copy below code in it.

192.168.32.109 192.168.32.110 : PSK "pass”

Sudo ipsec restart

PC2

sudo gedit /etc/ipsec.conf

And copy below text in it.

conn blue-to-red

authby=secret

auto=route

keyexchange=ike

left=192.168.32.109

right=192.168.32.110

type=tunnel

esp=aes128gcm16!

sudo gedit /etc/ipsec.secrets

And copy below code in it.

192.168.32.110 192.168.32.109 : PSK "pass”

Sudo ipsec restart

Testing our Tunnel

From PC1

ping 192.168.32.109

From PC2

tcpdump esp

I am able to capture esp packets here. But running ping 20.20.20.1 from PC1 , don't get ant esp packets on PC2. What may be the issue ?

score 0 · Answer 1 · answered Nov 21 '16 at 08:25

There is no IPsec policy that covers the traffic between the subnets 10.10.10.0/24 and 20.20.20.0/24. With the current config you only cover traffic between the actual IPs of these hosts (left|right). You have to define the subnets you want to tunnel with left|rightsubnet. By convention left=local is assumed, so on PC1:

leftsubnet=10.10.10.0/24
rightsubnet=20.20.20.0/24

If you want to include the hosts' physical IPs you could include them (or the keyword %dynamic) in these lists of subnets (comma-separated).

There is also not really a need for dummy interfaces (just install the virtual IP on an existing interface). And routes are installed by strongSwan automatically in routing table 220 (check with ip route list table 220). Installing ipsec-tools is also not required to use strongSwan.

score -1 · Answer 2 · answered Nov 18 '16 at 20:20

-1

Try flipping your left= and right= entries on PC2

left=192.168.32.110
right=192.168.32.109

answered Nov 18 '16 at 20:20

user3258557

29
4

That's not needed in this case as, by default, the _stroke_ plugin flips the options automatically if it looks like _right_ is local. – ecdsa Nov 21 '16 at 08:26

Having trouble while setting VPN tunnel

2 Answers2