
I'm at my wit's end here with this issue.

I have a strongswan VM with only 1 private internet interface (ens18). I can successfully connect to it and get a virtual IP, but my problem is the network beyond the strongswan VM sees the roadwarrior user's traffic originating from the strongswan VM, instead of directly from the roadwarrior's virtual IP address. I would like to be able to control the user's access on the hardware/router, so I need the traffic to originate from the virtual IP. Here's a better explanation via diagram:

[diagram of vpn routing issue]

Below are my configurations:

Routing Table:

[root@moon ~]# ip route list
default via 172.16.18.1 dev ens18 proto static metric 100 
172.16.18.1/28 dev ens18 proto kernel scope link src 172.16.18.2 metric 100 

My ipsec.conf file:

[root@moon strongswan]# cat /etc/strongswan/ipsec.conf
#charondebug="all"

conn myConfig
    keyexchange=ikev2
    ike=aes256-sha384-modp4096!
    esp=aes256gcm16-ecp384!
    dpdaction=clear
    dpddelay=60s
    left=%any
    leftid=moon.mydomain.com
    leftsubnet=172.16.18.1/24,172.16.202.1/24
    leftcert=moon.der
    leftsendcert=always
    right=%any
    rightauth=eap-tls
    rightdns=172.16.16.1
    eap_identity=%identity
    auto=route

conn rw_HERBERT
    rightid=herbert@mydomain.com
    rightsourceip=172.16.18.3/32
    also=myConfig

My interface configuration file:

[root@moon strongswan]# cat /etc/sysconfig/network-scripts/ifcfg-ens18
TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
BOOTPROTO="none"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME="ens18"
UUID="aaaaaaaa-cccccccccc-dddddddddd-1111111"
DEVICE="ens18"
ONBOOT="yes"
IPADDR="172.16.18.2"
PREFIX="24"
GATEWAY="172.16.18.1"
DNS1="172.16.16.1"
DNS2="172.16.16.2"
DOMAIN="mydomain.com"
IPV6_PRIVACY="no"
ZONE=dmz

Any help is greatly appreciated and I sincerely thank you for your time.

1 Answer


If you want to make your roadwarrior part of the remote LAN you have to fake ARP responses for the virtual IPs by using the farp plugin.

ecdsa
  • Hi ecdsa, thanks for your response! To clarify, the roadwarriors are in fact able to receive the pings via their virtual IP addresses. The problem is when they ping machines on other subnets, the machines see the traffic originating from the strongswan VM IP address, NOT the virtual IP. I need the traffic to originate from the virtual IP address they were assigned so I can refine policies on my hardware firewall. – David Michalczuk Jun 05 '18 at 16:31
  • As I said, you have to use the _farp_ plugin to actually make your clients part of the remote LAN, instead of natting their traffic to the IP of the strongSwan server. – ecdsa Jun 06 '18 at 08:10
  • Thanks again for your reply, ECDSA. I will look into the FARP plugin and see if I can figure it out. – David Michalczuk Jun 11 '18 at 17:13
  • Hi @ECDSA, giving an update in case someone else is having this issue. I still have not been able to resolve this problem. I did however review my configurations and can confirm that FARP is indeed working and loaded. The plugin does give me a local address which I can ping, but it won't let clients ping anything beyond the Strongswan VM with their Virtual IP Address. I'm playing around now with the routing tables as I think my table 220 forces clients to use the Strongswan IP as their src address. I'll post any updates/progress. Thanks! – David Michalczuk Jul 16 '18 at 17:04
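The answer above attributes the symptom to the server NATing the clients' traffic to its own address, and the follow-up comment reports that farp is loaded yet the LAN still sees the server's IP. Those two observations are consistent if a MASQUERADE or SNAT rule on the server rewrites the source of packets leaving ens18: farp only answers ARP for the virtual IP, it does not stop a NAT rule from rewriting the source. The script below is an added diagnostic, not code from the question, the answer, or the strongSwan project. It parses `iptables-save -t nat` output and lists POSTROUTING MASQUERADE/SNAT rules whose source match covers a given virtual IP. The embedded rule set is a constructed sample (the asker's real rules are not on the page); the virtual IP 172.16.18.3 is taken from the rw_HERBERT conn.

```shell
#!/bin/sh
# Added diagnostic (not from the question or answer): find POSTROUTING NAT rules
# in `iptables-save` output that would rewrite the source address of packets
# sent from a roadwarrior's virtual IP. A hit explains why the LAN sees the
# strongSwan host's address instead of the virtual IP, regardless of farp.

# Constructed sample of `iptables-save -t nat` output (assumption: not the
# asker's actual rule set). Rule 1 covers the virtual IP pool, rule 2 does not.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.16.18.0/24 -o ens18 -j MASQUERADE
-A POSTROUTING -s 10.0.0.0/8 -o ens18 -j SNAT --to-source 172.16.18.2
COMMIT'

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer (IPv4 only)
ip_to_int() {
  set -- $(echo "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr IP NET/BITS -> exit 0 if IP lies inside the prefix.
# A bare address without "/BITS" is treated as a /32 host match.
ip_in_cidr() {
  ip=$1
  net=${2%/*}
  bits=${2#*/}
  [ "$bits" = "$2" ] && bits=32
  if [ "$bits" -eq 0 ]; then
    mask=0
  else
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  fi
  [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# nat_rules_matching IPTABLES_SAVE_TEXT VIP -> prints every POSTROUTING rule with
# a MASQUERADE or SNAT target whose -s prefix covers VIP (or that has no -s at
# all and therefore covers everything). Negated matches ("! -s") are not
# interpreted and are skipped so they cannot produce a false hit.
nat_rules_matching() {
  vip=$2
  printf '%s\n' "$1" | grep -E '^-A POSTROUTING .*-j (MASQUERADE|SNAT)' \
  | while read -r line; do
      case "$line" in *'! -s '*) continue ;; esac
      src=$(printf '%s\n' "$line" | sed -n 's/.* -s \([^ ]*\).*/\1/p')
      if [ -z "$src" ] || ip_in_cidr "$vip" "$src"; then
        printf '%s\n' "$line"
      fi
    done
}

# count_nat_rules_matching IPTABLES_SAVE_TEXT VIP -> number of offending rules
count_nat_rules_matching() {
  nat_rules_matching "$1" "$2" | grep -c . || true
}

# Demo against the constructed sample. On the real server you would run:
#   nat_rules_matching "$(iptables-save -t nat)" 172.16.18.3
echo "NAT rules that rewrite traffic from 172.16.18.3:"
nat_rules_matching "$SAMPLE_NAT" 172.16.18.3
```

If the script reports a rule, narrowing it (for example with a `! -s` exception for the virtual IP pool) or removing it lets the client's packets leave ens18 with their original source, and the farp plugin (enabled through `charon.plugins.farp.load = yes` in strongswan.conf when it is not already built in) answers the LAN's ARP requests for that address so return traffic finds its way back. If nothing is reported, NAT is not the cause and the remaining suspects are the router's own rules for the 172.16.18.0/24 segment.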