Strongswan site-to-site VPN not working


I'm trying to run a site-to-site VPN with IPsec and strongSwan. The sites are Ubuntu VMs running on a shared host machine. Each host has a different public IP address and both are behind a router (one is connected to a phone hotspot).

After adding the configuration and running ipsec restart the VPN still doesn't work. ipsec status shows 0 up 1 connecting.

Site A /etc/ipsec.conf:

config setup
        charondebug="all"
        uniqueids=yes
        strictcrlpolicy=no
        
conn a-to-b
    authby=secret
    left=%defaultroute
    leftid=<site A public ip address>
    leftsubnet=<site A private ip address>
    right=<site B public ip address>
    rightsubnet=<site B private ip address>
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start

Site B /etc/ipsec.conf:

config setup
        charondebug="all"
        uniqueids=yes
        strictcrlpolicy=no

conn b-to-a
    authby=secret
    left=%defaultroute
    leftid=<site B public ip address>
    leftsubnet=<site B private ip address>
    right=<site A public ip address>
    rightsubnet=<site A private ip address>
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start

Site A /etc/ipsec.secrets, using the key output by running openssl rand -base64 64:

<site A public IP> <site B public IP> : PSK "<output from the last command>"

I also tried head -c 24 /dev/urandom | base64 when I was trying to troubleshoot.

Site B /etc/ipsec.secrets:

<site B public IP> <site A public IP> : PSK "<same key as site A>"

/etc/sysctl.conf on both sites:

net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

Nftables ruleset:

Site A:

nft add rule ip nat POSTROUTING ip saddr <site A private ip address> ip daddr <site B private ip address> counter masquerade

Site B:

nft add rule ip nat POSTROUTING ip saddr <site B private ip address> ip daddr <site A private ip address> counter masquerade

(Tables and chains added too)

I would really appreciate help with this.

Check the logs, but it's most likely that the peer is not reachable due to a network issue (routing, firewall, NAT).
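The log messages charon writes distinguish the three usual causes of a connection stuck in "connecting": no reply at all (network path), a rejected proposal, or a failed PSK check. The following is an added triage script, not the poster's or strongSwan's own code; the log lines are constructed in the style of charon's output, and the IP addresses are documentation-range placeholders.

```python
import re

# Constructed log lines in the style of charon output (charondebug="all");
# they are NOT the poster's real output and the addresses are placeholders.
SAMPLE_LOG = """\
05[IKE] initiating IKE_SA a-to-b[1] to 203.0.113.20
05[NET] sending packet: from 192.168.1.10[500] to 203.0.113.20[500] (320 bytes)
06[IKE] retransmit 1 of request with message ID 0
06[NET] sending packet: from 192.168.1.10[500] to 203.0.113.20[500] (320 bytes)
07[IKE] retransmit 2 of request with message ID 0
08[IKE] retransmit 3 of request with message ID 0
08[IKE] retransmit 4 of request with message ID 0
09[IKE] retransmit 5 of request with message ID 0
09[IKE] giving up after 5 retransmits
09[IKE] establishing IKE_SA failed, peer not responding
"""

# charon message -> which layer of the tunnel setup is failing.
# A "connecting" state with only retransmits means IKE_SA_INIT never got an answer.
RULES = [
    (re.compile(r"giving up after \d+ retransmits|peer not responding"),
     "unreachable: no IKE reply on UDP 500 (path routing, firewall or router NAT)"),
    (re.compile(r"NO_PROPOSAL_CHOSEN"),
     "proposal: ike=/esp= lines differ between the two sites"),
    (re.compile(r"AUTHENTICATION_FAILED|no shared key found"),
     "auth: PSK or the two IDs in ipsec.secrets do not match leftid/right"),
    (re.compile(r"(local|remote) host is behind NAT"),
     "nat-t: IKE switches to UDP 4500, which must also pass the routers"),
]

def triage(log_text):
    """Summarise charon log lines: packets sent/received, retransmits, diagnoses."""
    sent = received = retransmits = 0
    findings = []
    for line in log_text.splitlines():
        if "sending packet:" in line:
            sent += 1
        elif "received packet:" in line:
            received += 1
        if re.search(r"retransmit \d+ of request", line):
            retransmits += 1
        for pattern, diagnosis in RULES:
            if pattern.search(line) and diagnosis not in findings:
                findings.append(diagnosis)
    # Sent but never received anything: the peer (or its router) drops UDP 500.
    if sent and not received and not findings:
        findings.append("unreachable: nothing ever came back from the peer")
    return {"sent": sent, "received": received,
            "retransmits": retransmits, "findings": findings}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the real charon output (for example from journalctl -u strongswan) instead of SAMPLE_LOG; a run with retransmits and zero received packets points at the routers in front of the two VMs rather than at the configuration.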