On the server two connections are established (an IPsec tunnel to a remote site and an OpenVPN client). From the server itself the remote IPsec subnet is reachable, but it is not reachable from the OpenVPN client. firewalld is active on the server; here is the public zone:
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0 eth1
sources:
services: cockpit dhcpv6-client openvpn ssh
ports: 500/udp 4500/udp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule protocol value="esp" accept
and the dmz zone, which holds the OpenVPN tun0 interface:
dmz (active)
target: default
icmp-block-inversion: no
interfaces: tun0
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Here is the routing table:
default via publicIP dev eth0 proto static metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
10.19.0.0/16 dev eth0 proto kernel scope link src 10.19.0.5 metric 100
10.19.0.0/16 via 10.19.0.1 dev eth0 proto static metric 100
publicNET/20 dev eth0 proto kernel scope link src publicIP metric 100
Thank you for your advice!
UPDATE
ip xfrm policy:
src 10.19.0.0/16 dst 192.168.178.0/24
dir out priority 379519 ptype main
tmpl src SERVER1 dst SERVER2
proto esp spi 0x4a7f1596 reqid 71 mode tunnel
src 192.168.178.0/24 dst 10.19.0.0/16
dir fwd priority 379519 ptype main
tmpl src SERVER2 dst SERVER1
proto esp reqid 71 mode tunnel
src 192.168.178.0/24 dst 10.19.0.0/16
dir in priority 379519 ptype main
tmpl src SERVER2 dst SERVER1
proto esp reqid 71 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
Here is the strongSwan configuration (ipsec.conf):
# Add connections here.
# NOTE(review): in a real ipsec.conf the parameters below a "conn" line must be
# indented with whitespace, otherwise strongSwan treats every line as the start of
# a new section. The indentation appears to have been lost in this paste.
# Settings inherited by every conn in this file.
conn %default
# This server's IKE endpoint address and identity.
left=SERVER1
# leftsourceip normally requests a virtual IP from the peer; here it is set to the
# server's own address. NOTE(review): verify this is intended, it is unusual.
leftsourceip=SERVER1
leftid=SERVER1
# Local traffic selector. Only the eth0 network (10.19.0.0/16) is proposed, so
# packets sourced from the OpenVPN pool 10.8.0.0/24 never match this tunnel's
# xfrm policy and leave the host unprotected (or are dropped) instead.
leftsubnet=10.19.0.0/16
# Pre-shared key authentication (the key lives in ipsec.secrets).
authby=secret
# Establish the tunnel as soon as the daemon starts.
auto=start
# Tunnel to the remote site (SERVER2 and the LAN behind it).
conn home
# IKE SA proposal: AES-256, SHA-1 integrity/PRF, DH group 2 (1024-bit MODP).
# SHA-1 and modp1024 are considered weak by current guidance; prefer e.g.
# aes256-sha256-modp2048 (or an ECP group) if the peer supports it.
ike=aes256-sha-modp1024
# ESP proposal with PFS over the same 1024-bit group; same remark as above.
esp=aes256-sha1-modp1024
# Remote IKE endpoint; the "@" prefix makes the ID a literal name that is not
# resolved to an address.
right=SERVER2
rightid=@SERVER2
# Remote traffic selector: the LAN behind SERVER2.
rightsubnet=192.168.178.0/24
# Rekey intervals for the IKE SA and for the ESP SA respectively.
ikelifetime=3600s
keylife=3600s
UPDATE #2
ipsec.conf
# Shared defaults as of UPDATE #2. The "conn home" section from the first
# version is not repeated here and is presumably unchanged.
conn %default
left=SERVER1
leftsourceip=SERVER1
leftid=SERVER1
# Both the eth0 network and the OpenVPN client pool are now offered as local
# traffic selectors. Compare the xfrm policy that follows: only the
# 10.8.0.0/24 <-> 192.168.178.0/24 pair is installed, and the 10.19.0.0/16 pair
# from the first update is gone. NOTE(review): this looks like the peer accepted
# or narrowed to a single selector pair -- check the charon log. The portable
# way to get both is one conn per local/remote subnet pair (both pointing at the
# same peer). The peer's own configuration must also list 10.8.0.0/24 as a
# remote subnet, otherwise replies from 192.168.178.0/24 are not routed back
# into the tunnel even when the policy here is correct.
leftsubnet=10.19.0.0/16,10.8.0.0/24
authby=secret
auto=start
xfrm policy after this change (note that only the 10.8.0.0/24 ↔ 192.168.178.0/24 policies are present now; the 10.19.0.0/16 ↔ 192.168.178.0/24 policies shown in the first update are no longer installed):
src 10.8.0.0/24 dst 192.168.178.0/24
dir out priority 375423 ptype main
tmpl src SERVER1 dst SERVER2
proto esp spi 0xc4247488 reqid 3 mode tunnel
src 192.168.178.0/24 dst 10.8.0.0/24
dir fwd priority 375423 ptype main
tmpl src SERVER2 dst SERVER1
proto esp reqid 3 mode tunnel
src 192.168.178.0/24 dst 10.8.0.0/24
dir in priority 375423 ptype main
tmpl src SERVER2 dst SERVER1
proto esp reqid 3 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
as well as the firewalld direct rules:
<!-- firewalld direct rules: raw iptables rules evaluated ahead of the zone rules.
     NOTE(review): all six rules carry priority="0". firewalld documents that the
     relative order of direct rules sharing one priority is not fixed, so the two
     blanket DROP rules for 192.168.178.0/24 can end up ahead of the ACCEPT rules
     that are meant to admit the IPsec-protected traffic, silently dropping it.
     Give the ACCEPT rules a lower priority value than the DROPs (e.g. ACCEPT 0,
     DROP 1) so the intended allow-then-deny order is guaranteed. -->
<direct>
<!-- Packets that will be IPsec-encapsulated on egress are ACCEPTed in nat
     POSTROUTING before any MASQUERADE rule, so their inner source address is
     preserved and still matches the tunnel's traffic selectors. -->
<rule ipv="ipv4" table="nat" chain="POSTROUTING" priority="0">-m policy --pol ipsec --dir out -j ACCEPT</rule>
<!-- Default-deny for forwarded traffic from or to the remote LAN ... -->
<rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-s 192.168.178.0/24 -j DROP</rule>
<rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-d 192.168.178.0/24 -j DROP</rule>
<!-- ... except packets that arrived inside the IPsec tunnel (policy dir in),
     destined for the eth0 network or the OpenVPN pool ... -->
<rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-s 192.168.178.0/24 -d 10.19.0.0/16 -m policy --dir in --pol ipsec -j ACCEPT</rule>
<rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-s 192.168.178.0/24 -d 10.8.0.0/24 -m policy --dir in --pol ipsec -j ACCEPT</rule>
<!-- ... or packets from those networks that will be sent inside the tunnel
     (policy dir out). The 10.8.0.0/24 rules only take effect once an xfrm
     policy covering 10.8.0.0/24 actually exists. -->
<rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-s 10.19.0.0/16 -d 192.168.178.0/24 -m policy --dir out --pol ipsec -j ACCEPT</rule>
<rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-s 10.8.0.0/24 -d 192.168.178.0/24 -m policy --dir out --pol ipsec -j ACCEPT</rule>
</direct>
and the OpenVPN server configuration:
# OpenVPN server: UDP/1194, routed ("tun") mode.
port 1194
proto udp
dev tun
# Drop root privileges after start-up. persist-key/persist-tun keep the key
# material and the tun device usable across restarts once privileges are gone.
user nobody
group nobody
persist-key
persist-tun
# Ping every 10 s, consider the peer dead after 120 s (pushed to clients as well).
keepalive 10 120
# One flat /24 for all clients; this is the 10.8.0.0/24 dev tun0 route seen on
# the server. Client addresses are remembered in ipp.txt.
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Public DNS resolvers pushed to clients.
push "dhcp-option DNS 176.103.130.130"
push "dhcp-option DNS 176.103.130.131"
# Full-tunnel redirection is intentionally disabled (split tunnel).
#push "redirect-gateway def1 bypass-dhcp"
# Clients are told to send 192.168.178.0/24 (the LAN behind the IPsec peer) into
# the VPN. For this to work the server must forward that traffic and have an
# IPsec policy whose local selector covers the client pool 10.8.0.0/24.
push "route 192.168.178.0 255.255.255.0"
# No classic DH parameters; ECDHE on P-256 only.
dh none
ecdh-curve prime256v1
# Encrypt and authenticate the control channel with a pre-shared key, which also
# hides the TLS handshake from unauthenticated scanners. NOTE(review): tls-crypt
# keys are bidirectional; the trailing "0" is a tls-auth-style direction
# argument -- confirm your OpenVPN version accepts it.
tls-crypt tls-crypt.key 0
# Reject clients whose certificate has been revoked.
crl-verify crl.pem
ca ca.crt
cert server_21QCUO0cRXlOaJFT.crt
key server_21QCUO0cRXlOaJFT.key
# HMAC algorithm for non-AEAD use; with an AEAD data-channel cipher (GCM) the
# data channel does not use it.
auth SHA256
# AES-128-GCM only, for both the legacy "cipher" setting and negotiation.
# NOTE(review): "ncp-ciphers" is the pre-2.5 name of "data-ciphers"; on 2.5+ the
# old name is a deprecated alias.
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
# TLS 1.2 minimum, and a single permitted control-channel suite (requires an
# ECDSA server certificate, consistent with dh none / ecdh-curve above).
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
status /var/log/openvpn/status.log
verb 3