Strongswan (IKEv2) connection established but unable to access systems behind the VPN server

My ipsec configuration

/etc/ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

conn myvpn
  auto=add
  keyexchange=ikev1
  authby=secret
  type=transport
  left=%defaultroute
  leftprotoport=17/1701
  rightprotoport=17/1701
  right=$VPN_SERVER_IP
  ike=aes128-sha1-modp2048
  esp=aes128-sha1

/etc/xl2tpd/xl2tpd.conf

[lac myvpn]
lns = $VPN_SERVER_IP
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes

/etc/ppp/options.l2tpd.client

ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-chap
noccp
noauth
mtu 1280
mru 1280
noipdefault
defaultroute
usepeerdns
connect-delay 5000
name "$VPN_USER"
password "$VPN_PASSWORD"

StrongSwan VPN connection

initiating Main Mode IKE_SA myvpn[1] to 10.4.2.4
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 10.4.1.4[500] to 10.4.2.4[500] (240 bytes)
received packet: from 10.4.2.4[500] to 10.4.1.4[500] (160 bytes)
parsed ID_PROT response 0 [ SA V V V V ]
received XAuth vendor ID
received DPD vendor ID
received FRAGMENTATION vendor ID
received NAT-T (RFC 3947) vendor ID
selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 10.4.1.4[500] to 10.4.2.4[500] (372 bytes)
received packet: from 10.4.2.4[500] to 10.4.1.4[500] (372 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 10.4.1.4[500] to 10.4.2.4[500] (108 bytes)
received packet: from 10.4.2.4[500] to 10.4.1.4[500] (76 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA myvpn[1] established between 10.4.1.4[10.4.1.4]...10.4.2.4[10.4.2.4]
scheduling reauthentication in 9925s
maximum IKE_SA lifetime 10465s
generating QUICK_MODE request 310716818 [ HASH SA No ID ID ]
sending packet: from 10.4.1.4[500] to 10.4.2.4[500] (220 bytes)
received packet: from 10.4.2.4[500] to 10.4.1.4[500] (172 bytes)
parsed QUICK_MODE response 310716818 [ HASH SA No ID ID ]
selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
CHILD_SA myvpn{1} established with SPIs c11429dc_i c53fee9d_o and TS 10.4.1.4/32[udp/l2f] === 10.4.2.4/32[udp/l2f]
generating QUICK_MODE request 310716818 [ HASH ]
connection 'myvpn' established successfully

The netplan of the client system that will connect to the VPN Server

network:
  version: 2
  renderer: networkd
  ethernets:
    enx7cc2c642ce1f:
      addresses:
      - 10.4.1.4/16
      routes:
      - to: 0.0.0.0
        via: 10.4.1.1
      nameservers:
        addresses:
        - 10.4.1.1
    eno1:
      addresses:
      - 10.1.1.231/24
      routes:
      - to: 0.0.0.0
        via: 10.1.1.251
      nameservers:
        addresses:
        - 10.1.1.23
        - 10.1.1.22
    enx7cc2c6436994:
      dhcp4: false
      addresses:
      - 10.2.1.1/16
  vlans:
    vlan.401:
      id: 401
      dhcp4: false
      addresses:
      - 10.4.1.1/15
      link: enx7cc2c6436994
    vlan.601:
      id: 601
      dhcp4: false
      addresses:
      - 10.6.1.1/16
      link: enx7cc2c6436994

The ip routes present on the system

0.0.0.0 via 10.4.1.1 dev enx7cc2c642ce1f proto static
0.0.0.0 via 10.1.1.251 dev eno1 proto static
default via 10.1.1.251 dev eno1 proto dhcp src 10.1.1.101 metric 100
10.1.1.0/24 dev eno1 proto kernel scope link src 10.1.1.231
10.1.1.22 dev eno1 proto dhcp scope link src 10.1.1.101 metric 100
10.1.1.23 dev eno1 proto dhcp scope link src 10.1.1.101 metric 100
10.1.1.251 dev eno1 proto dhcp scope link src 10.1.1.101 metric 100
blackhole 10.1.48.64/26 proto 80
10.1.48.93 dev cali0327d21449c scope link
10.2.0.0/16 dev enx7cc2c6436994 proto kernel scope link src 10.2.1.1
10.4.0.0/16 dev enx7cc2c642ce1f proto kernel scope link src 10.4.1.4
10.4.0.0/15 dev vlan.401 proto kernel scope link src 10.4.1.1
10.6.0.0/16 dev vlan.601 proto kernel scope link src 10.6.1.1
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown

I added the following route to access devices on subnet 10.5.0.0/16, which runs behind the VPN server.

Note: I am able to ping the devices from the VPN server.

ip route add to 10.5.0.0/16 via 10.4.1.1 dev enx7cc2c642ce1f

However, I am still unable to ping any devices running on the 10.5.0.0/16 subnet.
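An added diagnostic, not part of the question and not strongSwan's or xl2tpd's own tooling: with type=transport the ESP SA only protects the UDP/1701 L2TP packets between 10.4.1.4 and 10.4.2.4 (the TS in the log above), so traffic for 10.5.0.0/16 is only protected if it is routed into the pppX interface that xl2tpd brings up. The script replays the posted route table through a longest-prefix match and checks a destination against the CHILD_SA traffic selector; the ppp0 device name and the 10.5.0.1 test address are assumptions.

```python
import ipaddress
import re

# Route table as posted in the question (before the 10.5.0.0/16 route was added).
ROUTES = """\
0.0.0.0 via 10.4.1.1 dev enx7cc2c642ce1f proto static
0.0.0.0 via 10.1.1.251 dev eno1 proto static
default via 10.1.1.251 dev eno1 proto dhcp src 10.1.1.101 metric 100
10.1.1.0/24 dev eno1 proto kernel scope link src 10.1.1.231
blackhole 10.1.48.64/26 proto 80
10.2.0.0/16 dev enx7cc2c6436994 proto kernel scope link src 10.2.1.1
10.4.0.0/16 dev enx7cc2c642ce1f proto kernel scope link src 10.4.1.4
10.4.0.0/15 dev vlan.401 proto kernel scope link src 10.4.1.1
10.6.0.0/16 dev vlan.601 proto kernel scope link src 10.6.1.1
"""
ADDED_ROUTE = "10.5.0.0/16 via 10.4.1.1 dev enx7cc2c642ce1f\n"
# Traffic selector from the CHILD_SA line of the strongSwan log.
CHILD_SA_TS = "TS 10.4.1.4/32[udp/l2f] === 10.4.2.4/32[udp/l2f]"

def parse_routes(text):
    """Return (network, device) pairs; 'default' becomes 0.0.0.0/0, blackholes are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "blackhole":
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev = parts[parts.index("dev") + 1]
        routes.append((ipaddress.ip_network(dst, strict=False), dev))
    return routes

def egress_device(text, dst_ip):
    """Longest-prefix match over the table, as the kernel selects the route (metrics ignored)."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [r for r in parse_routes(text) if ip in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[1]

def in_child_sa(ts_line, dst_ip):
    """True if dst_ip lies inside the remote traffic selector, i.e. ESP would protect it."""
    remote = re.search(r"=== (\S+?)\[", ts_line).group(1)
    return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(remote)

def check_path(text, ts_line, dst_ip):
    """Where does a packet to dst_ip leave the host, and is it tunnelled at all?"""
    dev = egress_device(text, dst_ip)
    return {"dev": dev, "via_ppp": dev.startswith("ppp"), "in_esp_ts": in_child_sa(ts_line, dst_ip)}

if __name__ == "__main__":
    print(check_path(ROUTES + ADDED_ROUTE, CHILD_SA_TS, "10.5.0.1"))  # assumed test address
```

On the posted table, 10.5.0.1 leaves via enx7cc2c642ce1f (and before the added route via vlan.401, whose 10.4.0.0/15 already covers it), in the clear and outside the IPsec selector; a working setup shows a pppX device here.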
