Hi,
Has anyone experience in this area?
I got a VM instance deployed running FreeBSD 13.2 with the latest updates and strongSwan. strongSwan has been configured using the provided documentation in an IKEv2 road-warrior scenario; authentication is done by EAP-MSCHAPv2.
I can connect with my client (iOS) and surf the Internet without any issue; everything looks great to me.
Configuration follows:
Code:
# /usr/local/etc/swanctl/conf.d/ikev2.conf
pools {
    ikev2-rw {
        addrs = 10.0.10.0/24
        dns = 8.8.8.8
    }
}
connections {
    rw-ikev2-mschapv2 {
        version = 2
        encap = yes
        send_cert = always
        proposals = aes128-aes192-aes256-sha1-sha256-sha384-modp1024,default
        pools = ikev2-rw
        local-1 {
            auth = pubkey
            certs = server.crt
            id = @server.mydomain.com
        }
        remote-1 {
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            rw-ikev2-mschapv2 {
                local_ts = 0.0.0.0/0
            }
        }
    }
}
secrets {
    eap-1 {
        id = alice@wonderland.com
        secret = t34p4rtY
    }
}
authorities {
}
Code:
# /usr/local/etc/pf.conf
ext_if = "vtnet0"
set skip on { lo }
scrub in all fragment reassemble max-mss 1440
nat on $ext_if inet from 10.0.10.0/24 to any -> ($ext_if)
antispoof quick for { lo $ext_if }
block log all
pass in proto tcp from { <MY_IP_ADDR> } to port ssh
pass in proto udp to port { isakmp ipsec-nat-t }
pass in inet proto icmp from 10.0.10.0/24 icmp-type { echoreq, unreach }
pass in inet proto udp from 10.0.10.0/24 to port 33433 >< 33626
pass in inet proto { tcp udp } from 10.0.10.0/24
pass out inet proto icmp icmp-type { echoreq, unreach }
pass out inet proto udp to port 33433 >< 33626
pass out all
As my LAN gateway at home already provides me with OpenVPN capabilities, I thought it might be fun to connect to my LAN and access, for example, my mail.
So in a nutshell I'm trying to establish the following scenario:
Code:
IOS (Internet) -> IKEv2 tunnel -> VM-StrongSwan(Internet) -> OpenVPN tunnel -> LAN Gateway (OpenVPN Server) -> LAN IMAP Server
I'm able to reach the LAN behind my LAN gateway from my VM over OpenVPN, and the reverse way is working as well.
Unfortunately I'm unable to extend that functionality to iOS. From iOS I can ping the tun0 IP address provided by OpenVPN, but I can't manage to get any packet in that OpenVPN tunnel to show up on the other side at the LAN gateway; tcpdump is not showing any sign of life at all.
According to the documentation, policy-based routing is the way to go; according to pf.conf(5) I've got route-to and reply-to at my disposal, but I haven't figured out yet how to utilise them.
Any advice would be highly appreciated.
Thank you in advance.
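One way to try the route-to plus NAT approach for this setup, as an added pf.conf fragment that is not from the original post. It assumes the VM's OpenVPN client interface is tun0 and the home LAN is 192.168.1.0/24 (both placeholders to adjust); the 10.0.10.0/24 pool and vtnet0 come from the post.

```pf
# Added example, not the poster's config. Assumed: tun0 and 192.168.1.0/24.
ext_if  = "vtnet0"          # public interface (from the post)
ovpn_if = "tun0"            # OpenVPN client interface on the VM (assumed)
rw_net  = "10.0.10.0/24"    # IKEv2 road-warrior pool (from ikev2.conf)
lan_net = "192.168.1.0/24"  # home LAN behind the OpenVPN server (assumed)

# Translation rules have to come before filter rules in this pf version.
# 1) Pool traffic for the home LAN leaves through the tunnel with tun0's own
#    address as source. An OpenVPN server in routed (tun) mode drops packets
#    whose source it does not know for that client (no iroute for 10.0.10.0/24),
#    which would explain why nothing shows up in tcpdump on the gateway.
nat on $ovpn_if inet from $rw_net to $lan_net -> ($ovpn_if)
# 2) Everything else from the pool keeps being masqueraded on the public side,
#    as in the existing rule set.
nat on $ext_if inet from $rw_net to any -> ($ext_if)

# Policy-based routing: LAN-bound packets from the pool are pushed out tun0
# regardless of the routing table. On a point-to-point interface route-to
# needs no next-hop address. The state handles the replies, so reply-to is
# not required here.
pass in quick inet from $rw_net to $lan_net route-to ($ovpn_if) keep state
```

Check the syntax with `pfctl -nf /usr/local/etc/pf.conf`, then watch `tcpdump -ni tun0` on the VM while pinging a LAN host from the phone to confirm packets now enter the tunnel. If you would rather keep the real 10.0.10.x source addresses, the alternative is an `iroute 10.0.10.0/24` in the VM's client-config on the OpenVPN server plus a matching route on the gateway, instead of rule 1.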