I've followed this tutorial to set up my private VPN using StrongSwan and IPsec. It works very well.

But when I try to connect directly to my gateway/server (using SSH), the connection does not go through the VPN.

If I look at the routing tables on my client, I see:

$ netstat -nr

Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            link#19            UCS            85        0  ipsec0
default            172.21.15.254      UGScI          18        0     en0
8.8.8.8            link#19            UHWIi           7       33  ipsec0
10.10.10.1         10.10.10.1         UH              0        0  ipsec0
13.32.153.9        link#19            UHW3I           0        3  ipsec0     10
17.248.144.80      link#19            UHWIi           2       22  ipsec0
17.252.76.33       link#19            UHWIi           1       40  ipsec0
18.184.56.218      link#19            UHWIi           1        1  ipsec0
54.37.155.XX       172.21.15.254      UGHS          397      197     en0
...

The last line is added to my client when I connect to the VPN. 54.37.155.XX is the public address of my server. I don't understand what process adds this line to my routing table.

If I remove the last line, it works well:

sudo route -n delete 54.37.155.XX 172.21.15.254

I suspect that a missing rule in the /etc/ipsec.conf config file is adding this routing entry, but I cannot figure out which one:

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@server_name_or_ip
    leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.10.0/24
    rightsendcert=never
    eap_identity=%identity

Any idea?

aruna
iero

2 Answers


That's a known problem with macOS/iOS clients. The clients there install a direct route to the VPN server to prevent IKE traffic from getting tunneled via VPN. However, this means you can't access other services via the VPN server's public IP over the VPN either.

As a workaround, you could assign a virtual IP to the server from the subnet you used for virtual IPs assigned to clients. For instance, if you configure rightsourceip=10.10.10.2/24 then you can assign the reserved 10.10.10.1 to one of the server's interfaces and you should be able to access that IP from your VPN client.

ecdsa
  • Thanks @ecdsa! I understand that I can remove the 10.10.10.1 address from this IP class with `rightsourceip=10.10.10.2/24`. But how can I force the server to take this reserved address? Is it through the IPsec configuration? Thanks again – iero May 23 '18 at 09:09
  • No, just configure it on any of its interfaces. – ecdsa May 23 '18 at 10:25
  • Thanks a lot! After changing rightsourceip as suggested, I added these lines to */etc/network/interfaces.d/50-cloud-init.cfg*: `iface ens3 inet static` / `address 10.10.10.1/24`. Now I can connect to the server through the VPN using the 10.10.10.1 address – iero May 30 '18 at 09:40
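To make the route selection in ecdsa's answer concrete, here is an added example (not code from the original post or from strongSwan) that replays the client's routing table from the question through a longest-prefix-match lookup. It assumes a simplified model of macOS routing: the `I`-flagged default via en0 is an interface-scoped route that only sockets bound to en0 (such as the IKE/ESP sockets) use, and an application packet that enters ipsec0 is encapsulated and re-routed to the gateway's public address. The documentation address 203.0.113.10 stands in for the masked 54.37.155.XX, 198.51.100.7 is an arbitrary Internet host, and both are constructed placeholders.

```python
import ipaddress

# Constructed placeholders (not from the page): a documentation-range address
# stands in for the masked public IP 54.37.155.XX, and 198.51.100.7 is an
# arbitrary Internet host used to show ordinary tunnelled traffic.
GATEWAY_PUBLIC = "203.0.113.10"
LAN_ROUTER = "172.21.15.254"
INTERNET_HOST = "198.51.100.7"
SERVER_VIRTUAL = "10.10.10.1"   # the pool address ecdsa suggests reserving for the server

# Client routes modelled on the question's netstat output:
# (prefix, gateway, iface, scoped). 'scoped' mirrors the macOS 'I' flag:
# only sockets bound to that interface use the entry.
CLIENT_ROUTES = [
    ("0.0.0.0/0", None, "ipsec0", False),            # default: everything into the tunnel
    ("0.0.0.0/0", LAN_ROUTER, "en0", True),          # scoped default for en0-bound sockets
    ("8.8.8.8/32", None, "ipsec0", False),           # pushed DNS server, via the tunnel
    (f"{SERVER_VIRTUAL}/32", SERVER_VIRTUAL, "ipsec0", False),
    (f"{GATEWAY_PUBLIC}/32", LAN_ROUTER, "en0", False),  # host route the client adds at connect time
]


def lookup(dst, routes, bound_iface=None):
    """Longest-prefix match for dst; ties keep the earlier entry.
    Unbound sockets ignore scoped routes; a socket bound to an interface
    only sees routes on that interface."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface, scoped in routes:
        if bound_iface is None and scoped:
            continue
        if bound_iface is not None and iface != bound_iface:
            continue
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, gw, iface)
    return best


def path(dst, routes, gateway=GATEWAY_PUBLIC, vpn_iface="ipsec0", esp_bound_iface="en0"):
    """Trace an application packet to dst.
    'clear:<iface>'  - leaves the host unencrypted on <iface>
    'tunnel:<iface>' - encapsulated; the ESP packet to the gateway leaves on <iface>
    'loop'           - the ESP packet would itself be routed back into the tunnel"""
    r = lookup(dst, routes)
    if r is None:
        return "unreachable"
    if r[2] != vpn_iface:
        return f"clear:{r[2]}"
    outer = lookup(gateway, routes, bound_iface=esp_bound_iface)
    if outer is None or outer[2] == vpn_iface:
        return "loop"
    return f"tunnel:{outer[2]}"


def without_host_route(routes, gateway=GATEWAY_PUBLIC):
    """The table after `route -n delete <gateway>` as done in the question."""
    return [r for r in routes if r[0] != f"{gateway}/32"]


if __name__ == "__main__":
    for dst in (GATEWAY_PUBLIC, SERVER_VIRTUAL, INTERNET_HOST):
        print(f"{dst:>15} -> {path(dst, CLIENT_ROUTES)}")
    trimmed = without_host_route(CLIENT_ROUTES)
    print("host route removed, ESP socket bound to en0 ->", path(GATEWAY_PUBLIC, trimmed))
    print("host route removed, unbound ESP socket      ->",
          path(GATEWAY_PUBLIC, trimmed, esp_bound_iface=None))
```

The /32 host route beats the tunnel default, so SSH to the public address leaves en0 in the clear, while the same SSH session to 10.10.10.1 is encapsulated and the ESP packet exits en0. Deleting the host route, as the question does, still works in this model only because the ESP socket is bound to en0; an unbound sender would route its own ESP packets into ipsec0, which is the loop the host route is there to prevent.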

As @ecdsa suggested, we need to change the ipsec conf:

rightsourceip=10.10.10.2/24

Add these lines to /etc/network/interfaces.d/50-cloud-init.cfg:

iface ens3 inet static
    address 10.10.10.1/24

Afterwards, we can connect to the server through the VPN using the 10.10.10.1 address.

iero