
I have the following situation.

The home network is on 192.168.1.0/24 and uses a Zyxel USG50 which is able to handle IPSec tunnels. The remote VPS runs Ubuntu 16.04 and hosts a PPTP server (10.0.0.1) which assigns addresses 10.0.0.100-200 to the clients. The PPTP server works perfectly and the clients can surf the internet without problems of any sort.

Now I'm setting up an IPSec tunnel to be able, through a PPTP-connected device, to access my home network devices. Anyway, communication seems to work one way only: I can ping VPN-connected devices (say, 10.0.0.100) from the home network (say, 192.168.1.4) but not vice versa. Also, the VPS can't ping devices on the 192.168.1.0 network (the packets go out to the internet).

ipsec.conf

conn home
        authby = secret
        keyexchange = ikev1
        ikelifetime = 86400
        lifetime = 28800
        ike = aes256-sha512-modp2048!
        esp = aes256-sha512-modp2048!
        auto = add
        left = %any
        leftsubnet = 10.0.0.0/24
        leftfirewall = yes
        right = (my_ddns_home_address)
        rightid = %any
        rightsubnet = 192.168.1.0/24

ipsec status

Security Associations (1 up, 0 connecting):
    home[1]: ESTABLISHED 30 minutes ago, my_vpsip[my_vps_ip]...my_home_ip[my_home_ip]
    home{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: ce9b32e6_i 96369de8_o
    home{1}:   10.0.0.0/24 === 192.168.1.0/24

ifconfig

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:89426 errors:0 dropped:0 overruns:0 frame:0
          TX packets:89426 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:30719387 (30.7 MB)  TX bytes:30719387 (30.7 MB)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:10.0.0.1  P-t-P:10.0.0.100  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1396  Metric:1
          RX packets:32314 errors:0 dropped:0 overruns:0 frame:0
          TX packets:44911 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:3108413 (3.1 MB)  TX bytes:49298247 (49.2 MB)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:127.0.0.2  P-t-P:127.0.0.2  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:12701126 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11210758 errors:0 dropped:7605 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:11729004253 (11.7 GB)  TX bytes:3015436822 (3.0 GB)

venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:vps_public_ip  P-t-P:212.24.96.165  Bcast:vps_public_ip  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

iptables -L -n -v

Chain FORWARD (policy ACCEPT 1060 packets, 436K bytes)
pkts bytes target     prot opt in     out     source               destination
3   180 ACCEPT     all  --  venet0 *       192.168.1.0/24       10.0.0.0/24          policy match dir in pol ipsec reqid 1 proto 50
9   540 ACCEPT     all  --  *      venet0  10.0.0.0/24          192.168.1.0/24       policy match dir out pol ipsec reqid 1 proto 50

ip route show table 220

192.168.1.0/24 via my_home_ip dev venet0  proto static  src 10.0.0.1

1 Answer


Solved by adding this iptables rule:

sudo iptables -t nat -I POSTROUTING 1 -j ACCEPT -s 10.0.0.0/24 -m policy --dir out --pol ipsec

See here for more details: Strongswan vpn tunnel connected but the traffic is not routed through it
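To make the mechanism behind that fix visible, here is an added model of the nat POSTROUTING chain (illustration written for this page, not code from the question or the answer). It assumes a MASQUERADE rule on venet0 for the PPTP clients, which the question does not show but which is implied by the clients being able to surf the internet through the VPS, and it uses 203.0.113.10 as a placeholder for vps_public_ip. The model encodes two Linux netfilter facts: in the nat table the first matching terminating rule wins, and after source NAT the kernel repeats the xfrm policy lookup with the rewritten source, so a masqueraded packet no longer falls inside the 10.0.0.0/24 === 192.168.1.0/24 selector and leaves in the clear, which is exactly the "packets go out to the internet" symptom.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VPS_PUBLIC_IP = "203.0.113.10"                # assumed placeholder for vps_public_ip
TUNNEL_LEFT = ip_network("10.0.0.0/24")       # leftsubnet from ipsec.conf
TUNNEL_RIGHT = ip_network("192.168.1.0/24")   # rightsubnet from ipsec.conf


def ipsec_policy_covers(src, dst):
    """xfrm 'dir out' policy installed by the tunnel: 10.0.0.0/24 === 192.168.1.0/24."""
    return ip_address(src) in TUNNEL_LEFT and ip_address(dst) in TUNNEL_RIGHT


@dataclass
class Rule:
    target: str                   # "ACCEPT" or "MASQUERADE"
    src_net: str = "0.0.0.0/0"    # -s
    out_if: str = "*"             # -o
    pol_ipsec_out: bool = False   # -m policy --dir out --pol ipsec

    def matches(self, src, dst, out_if):
        if ip_address(src) not in ip_network(self.src_net):
            return False
        if self.out_if not in ("*", out_if):
            return False
        # -m policy looks at the xfrm policy attached before NAT,
        # i.e. evaluated on the original addresses
        if self.pol_ipsec_out and not ipsec_policy_covers(src, dst):
            return False
        return True


def nat_postrouting(chain, src, dst, out_if):
    """First matching rule wins.  ACCEPT in the nat table means 'do not NAT';
    MASQUERADE rewrites the source to the outgoing interface address."""
    for rule in chain:
        if rule.matches(src, dst, out_if):
            return VPS_PUBLIC_IP if rule.target == "MASQUERADE" else src
    return src  # chain policy ACCEPT: untouched


def send(chain, src, dst, out_if="venet0"):
    """Return (source address on the wire, 'esp' or 'clear').
    Route table 220 sends 192.168.1.0/24 out via venet0, so that is the
    outgoing interface for tunnel-bound traffic as well."""
    wire_src = nat_postrouting(chain, src, dst, out_if)
    # post-NAT policy re-lookup: does the rewritten packet still hit the selector?
    return wire_src, ("esp" if ipsec_policy_covers(wire_src, dst) else "clear")


# Chain as it presumably was: masquerade everything leaving venet0 (assumed rule)
BROKEN = [Rule("MASQUERADE", out_if="venet0")]

# Chain after the answer's fix: exemption inserted at position 1 (-I POSTROUTING 1)
FIXED = [Rule("ACCEPT", src_net="10.0.0.0/24", pol_ipsec_out=True),
         Rule("MASQUERADE", out_if="venet0")]

# Same two rules appended in the wrong order (-A instead of -I 1): still broken
WRONG_ORDER = list(reversed(FIXED))

if __name__ == "__main__":
    for name, chain in (("broken", BROKEN), ("fixed", FIXED), ("wrong order", WRONG_ORDER)):
        print(f"{name:12} home:     {send(chain, '10.0.0.100', '192.168.1.4')}")
        print(f"{name:12} internet: {send(chain, '10.0.0.100', '93.184.216.34')}")
```

The ordering is the point: the exemption has to sit in front of the MASQUERADE rule, which is why the answer uses `-I POSTROUTING 1` rather than `-A`. The VPS's own pings, which leave with `src 10.0.0.1` per table 220, are covered by the same `-s 10.0.0.0/24` exemption. Internet-bound PPTP traffic never matches the policy and is still masqueraded as before.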