I established a site-to-site VPN with strongSwan. We have the following setup:
NET A - VPN Gate A - VPN Gate B - NET B
Let's assume:
NET A is 10.2.0.0/24
NET B is 172.18.0.0/24
VPN Gate A is able to reach hosts in NET B. VPN Gate A has the IP 10.2.0.4, which belongs to NET A.
NET A contains a host, let's call it host 1, 10.2.0.2.
NET B contains a host, let's call it host 2, 172.18.0.33.
VPN Gate
/etc/swanctl/conf.d/site2site.conf
connections {
    foo-bar {
        local_addrs = GATE A
        remote_addrs = GATE B
        local {
            auth = psk
            id = GATE A
        }
        remote {
            auth = psk
            id = GATE B
        }
        children {
            net-net {
                local_ts = 10.2.0.0/24
                remote_ts = 172.18.0.0/24
                rekey_time = 90m
                esp_proposals = aes256-sha384-modp4096
                start_action = start
            }
        }
        version = 2
        mobike = no
        keyingtries = 0
        reauth_time = 0s
        proposals = aes256-sha384-modp4096
    }
}
secrets {
    ike-1 {
        id-1a = GATE A
        id-1b = GATE B
        secret = ****
    }
}
IPTABLES
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 172.18.0.0/24 10.2.0.0/24 policy match dir in pol ipsec reqid 1 proto esp
ACCEPT all -- 10.2.0.0/24 172.18.0.0/24 policy match dir out pol ipsec reqid 1 proto esp
/etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
Host 1
To allow host 1 to communicate with host 2 I tried to establish a route:
ip route add 10.2.0.4/32 dev enp8s0
ip route add 172.18.0.0/24 via 10.2.0.4
Existing routes before:
ip route
default via xxx dev eth0
10.2.0.0/24 via 10.2.0.1 dev enp8s0
10.2.0.1 dev enp8s0 scope link
xxx dev eth0 scope link
Before adding the routes I am able to ping the address of VPN Gate A; afterwards I am no longer able to.
Where is my mistake?
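As an added illustration (not code from the post, and it does not touch the kernel), the following Python snippet replays the longest-prefix-match lookup the host 1 kernel performs against the routing table quoted above, before and after the two `ip route add` commands. It shows which next hop 10.2.0.4 and 172.18.0.33 resolve to in each case, and whether a candidate gateway is covered by an on-link route, which Linux requires before it accepts a `via` route (unless the route is flagged `onlink`). The table entries are constructed from the post; the assumption that the kernel binds the 172.18.0.0/24 route to enp8s0 (where its gateway 10.2.0.4 is reached) is mine, and `xxx` is kept as the post's own placeholder for the eth0 default gateway.

```python
"""Longest-prefix-match walk-through of the host 1 routing table (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network  # destination prefix
    dev: str                       # egress interface
    via: Optional[str] = None      # gateway address; None means on-link (scope link)


def route(prefix: str, dev: str, via: Optional[str] = None) -> Route:
    return Route(ipaddress.ip_network(prefix, strict=False), dev, via)


# Host 1 table before the change, constructed from the `ip route` output in the post.
# "xxx" is the post's own placeholder for the default gateway on eth0.
BEFORE: List[Route] = [
    route("0.0.0.0/0", "eth0", via="xxx"),
    route("10.2.0.0/24", "enp8s0", via="10.2.0.1"),
    route("10.2.0.1/32", "enp8s0"),            # "10.2.0.1 dev enp8s0 scope link"
]

# The two routes the post adds. Assumption: the kernel binds 172.18.0.0/24 to
# enp8s0 because that is the interface through which gateway 10.2.0.4 is reached.
ADDED: List[Route] = [
    route("10.2.0.4/32", "enp8s0"),            # ip route add 10.2.0.4/32 dev enp8s0
    route("172.18.0.0/24", "enp8s0", via="10.2.0.4"),  # ip route add 172.18.0.0/24 via 10.2.0.4
]
AFTER: List[Route] = BEFORE + ADDED


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Return the most specific route covering dst (longest prefix wins)."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


def next_hop(table: List[Route], dst: str) -> str:
    """Describe how dst would be forwarded: on-link ARP, or handed to a gateway."""
    r = lookup(table, dst)
    if r is None:
        return "unreachable"
    if r.via is None:
        return f"on-link dev {r.dev}"
    return f"via {r.via} dev {r.dev}"


def gateway_is_onlink(table: List[Route], gw: str) -> bool:
    """True if gw is covered by an on-link route, i.e. usable as a `via` gateway."""
    r = lookup(table, gw)
    return r is not None and r.via is None


if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        print(f"--- {label} ---")
        for dst in ("10.2.0.4", "172.18.0.33"):
            print(f"{dst:>12} -> {next_hop(table, dst)}")
        print(f"10.2.0.4 usable as gateway: {gateway_is_onlink(table, '10.2.0.4')}")
```

Running it shows that before the change 10.2.0.4 is reached via 10.2.0.1 on enp8s0 (and so could not yet serve as a `via` gateway), while afterwards the /32 route wins and host 1 resolves 10.2.0.4 directly on the link, which is also the point at which the post reports the ping to the gate failing.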