
I have successfully established an IKEv2 VPN tunnel between a Win10 Pro Agile VPN client and the Linux StrongSwan server. The client is able to ping the StrongSwan server (192.168.0.11) and any other machines in the 192.168.0.0/24 network. But the StrongSwan server is not able to ping / arping the connected RoadWarrior. So some programs fail as they cannot reach the client.

My network setup:

Win10(192.168.0.10/VirtualIP:192.168.0.100)===(192.168.0.1)Fritz Router #1(91.13.x.x by ISP) ===INTERNET=== (217.94.x.x by ISP)Fritz Router#2(192.168.0.1)===(192.168.0.11)StrongSwan Server

ipsec.conf:

conn %default
    ikelifetime = 60m
    keylife = 20m
    rekeymargin = 3m
    keyingtries = 1
    keyexchange = ikev2
    rekey = no

conn vpn
    left = 192.168.0.11
    leftsubnet = 192.168.0.0/24
    leftauth = pubkey
    leftcert = server1_Host_cert.pem
    right = %any
    rightauth = eap-mschapv2
    rightsendcert = never
    rightsourceip = 192.168.0.100
    eap_identity = %any
    auto = add

include /var/lib/strongswan/ipsec.conf.inc

ip route show table 220:

192.168.0.100 via 192.168.0.1 dev eth0  proto static  src 192.168.0.11

ip xfrm policy:

src 192.168.0.100/32 dst 192.168.0.0/24
    dir fwd priority 2851 ptype main
    tmpl src 91.13.x.x dst 192.168.0.11
            proto esp reqid 8 mode tunnel
src 192.168.0.100/32 dst 192.168.0.0/24
    dir in priority 2851 ptype main
    tmpl src 91.13.x.x dst 192.168.0.11
            proto esp reqid 8 mode tunnel
src 192.168.0.0/24 dst 192.168.0.100/32
    dir out priority 2851 ptype main
    tmpl src 192.168.0.11 dst 91.13.x.x
            proto esp reqid 8 mode tunnel

The Fritz Router#2 uses a firewall on the host network. ESP, UDP 500 and UDP 4500 are forwarded to the StrongSwan server. The server itself uses no iptables (ACCEPT policy).

Thanks for your help.

Andreas
  • You noticed that server and client are in the same subnet, right? Windows does not send traffic to the network it is locally attached to via VPN. So I'd question your statement that the client is able to reach the server (is there perhaps a host with the same IP in the client's LAN?). – ecdsa Jul 10 '17 at 09:37

1 Answer


Solved: For some reason the Windows firewall dropped my intranet:allow rule. So it blocked the ping and arping sourced in the VPN network. After re-entering the rule (source: 192.168.0.0/24 == allow) it worked.

Andreas
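The fix described in the answer, recreated and verified with PowerShell on the Windows client, as an added example that is not part of the original post. The rule display name is an assumption; the subnet is the 192.168.0.0/24 from the question.

```powershell
# Added example (not from the original thread): recreate the Windows Defender
# Firewall rule that allows inbound ICMPv4 echo requests from the intranet/VPN
# subnet, then read the rule back to confirm it is present, enabled and scoped
# to the expected remote address. Run in an elevated PowerShell session.
# Assumptions: the rule name below is hypothetical; the subnet is taken from the question.
$RuleName = "Intranet-Allow-ICMPv4"
$Subnet   = "192.168.0.0/24"

# Create the rule only if it is missing (the symptom in the thread was a dropped rule)
$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Action Allow `
        -Protocol ICMPv4 -IcmpType 8 `
        -RemoteAddress $Subnet -Profile Any -Enabled True | Out-Null
}

# Verify the effective rule: enabled, Allow, ICMPv4 type 8, remote scope = the VPN subnet
$rule  = Get-NetFirewallRule -DisplayName $RuleName
$addr  = $rule | Get-NetFirewallAddressFilter
$proto = $rule | Get-NetFirewallPortFilter

[pscustomobject]@{
    Name          = $rule.DisplayName
    Enabled       = $rule.Enabled
    Action        = $rule.Action
    Profile       = $rule.Profile
    Protocol      = $proto.Protocol
    IcmpType      = $proto.IcmpType
    RemoteAddress = $addr.RemoteAddress
}
```

If the output shows Enabled as False or RemoteAddress as Any rather than 192.168.0.0/24, the rule is not the one that was lost and needs to be corrected with Set-NetFirewallRule.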