IPsec VPN connection and access to other servers

davkiller

Member


Messages: 21

Hello,

I have a server (192.168.12.16).

On this server, I have a lot of jails:

192.168.12.140 (web server)

192.168.12.180 (web server)

192.168.12.225 (web server)


I work on FreeBSD at home (192.168.110.15).

I created an IPsec VPN with mpd5 and strongswan.

My VPN connection is good, I can connect to 192.168.12.16 with ssh.


Now I want to connect to the other servers too, because I want to use the VPN connection to work on phpmyadmin.

When I ping 192.168.12.140 or the others, I lose the packets.

Why?
I don't have a firewall.

Thank you for your help
 

roccobaroccoSC

Well-Known Member

Reaction score: 96
Messages: 426

1. Can you connect from the server to the jails? Login to 192.168.12.16 and try to ping 192.168.12.140.
2. Make sure you have activated IP forwarding: Put this in /etc/rc.conf on your server:
gateway_enable="YES"
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 7,698
Messages: 30,639

roccobaroccoSC You're linking to a page from 3.5-RELEASE. I'm pretty sure that's not entirely valid any more.

davkiller How did you configure strongswan? You have to supply the correct local_ts and remote_ts networks.

Code:
connections {
  gw-gw {
    local_addrs = A.A.A.A
    remote_addrs = B.B.B.B

    local {
      auth = psk
      id = home.example.com
    }

    remote {
      auth = psk
      id = myserver.example.com
    }

    children {
      net-net {
        local_ts = 192.168.10.0/24,192.168.11.0/24
        remote_ts = 192.168.21.0/24

        esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
        dpd_action = restart
        start_action = start
      }
    }
    version = 2
    proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
  }
}
My home network has two segments 192.168.10.0/24 and 192.168.11.0/24, my remote server has a local network with all the jails on 192.168.21.0/24.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 7,698
Messages: 30,639

The 'other' side of the tunnel has the exact same configuration, only the various 'remote' and 'local' definitions are swapped. What's 'local' on one side is 'remote' on the other side.

For additional information, that bit of code is saved as /usr/local/etc/swanctl/conf.d/connections.conf. I also have a secrets.conf with the PSK defined:
Code:
secrets {
  ike-1 {
    id-home = home.example.com
    id-myserver = myserver.example.com
    secret = "somesupersecretpassword"
  }
}
If everything is set up correctly you should see something like this:
Code:
root@maelcum:/usr/local/etc # swanctl --list-conns
gw-gw: IKEv2, no reauthentication, rekeying every 14400s
  local:  A.A.A.A
  remote: B.B.B.B
  local pre-shared key authentication:
    id: home.example.com
  remote pre-shared key authentication:
    id: myserver.example.com
  net-net: TUNNEL, rekeying every 3600s
    local:  192.168.10.0/24 192.168.11.0/24
    remote: 192.168.21.0/24
Take note of the tunnel networks, those show the only traffic that's allowed through the tunnel.
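As an added illustration of the point above (not code from this thread or from strongSwan): a small Python script that parses a swanctl-style connections block and checks whether a given source/destination pair falls inside a child's local_ts/remote_ts. The configuration text is constructed from the values quoted above; the parser is a minimal one for the brace syntax shown, not strongSwan's own, and it assumes explicit CIDR selectors rather than the dynamic default.

```python
"""Check whether a source/destination pair is covered by a swanctl child's
traffic selectors (local_ts / remote_ts).

Added example, not strongSwan's code. SAMPLE_CONF is constructed from the
gw-gw connection quoted in the thread; the parser only understands the
brace-delimited key = value syntax shown there."""
import ipaddress

# Constructed sample in swanctl.conf syntax (values from the thread).
SAMPLE_CONF = """
connections {
  gw-gw {
    local_addrs = A.A.A.A
    remote_addrs = B.B.B.B
    children {
      net-net {
        local_ts = 192.168.10.0/24,192.168.11.0/24
        remote_ts = 192.168.21.0/24
      }
    }
    version = 2
  }
}
"""


def parse_swanctl(text):
    """Minimal parser for the brace-delimited swanctl.conf format.
    Returns nested dicts: section name -> dict of keys and subsections.
    Comments starting with '#' are ignored."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):            # "name {" opens a subsection
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":                 # closes the current subsection
            stack.pop()
        else:                             # "key = value"
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip()
    return root


def selectors(child):
    """Turn a child's local_ts / remote_ts strings into lists of networks.
    The strongSwan default 'dynamic' means the tunnel endpoint itself; this
    example only handles explicit CIDR lists."""
    def nets(value):
        if value.strip() == "dynamic":
            raise ValueError("dynamic selector: endpoint address needed")
        return [ipaddress.ip_network(v.strip(), strict=False)
                for v in value.split(",") if v.strip()]
    return (nets(child.get("local_ts", "dynamic")),
            nets(child.get("remote_ts", "dynamic")))


def tunnel_allows(conf, conn, child, src, dst):
    """True if a packet src -> dst, seen from the local side, matches the
    child's selectors and would therefore be carried by the tunnel.
    Anything else is not protected by this SA at all."""
    cfg = conf["connections"][conn]["children"][child]
    local_ts, remote_ts = selectors(cfg)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in n for n in local_ts) and any(d in n for n in remote_ts)


if __name__ == "__main__":
    conf = parse_swanctl(SAMPLE_CONF)
    for src, dst in (("192.168.10.5", "192.168.21.7"),
                     ("192.168.12.5", "192.168.21.7")):
        print(src, "->", dst, "in tunnel:",
              tunnel_allows(conf, "gw-gw", "net-net", src, dst))
```

Run it against your own connections.conf text to confirm that both the client address and the jail addresses are inside the selectors; a pair that returns False is exactly the traffic that "disappears" even though the tunnel is up.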
 

davkiller

Member


Messages: 21

Actually, I did not configure the strongswan.conf file; it was edited by default.
To be sure I understand, attached is a photo of the configuration file, with my questions.

Thank you in advance for your help

PS: I can connect by ssh to 192.168.12.16 from 192.168.110.15 and I can ping 192.168.12.140 and the others.
 


SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 7,698
Messages: 30,639

The local_addrs is the internet IP address of your side, the remote_addrs is the internet IP of the remote site. In my example I've used A.A.A.A and B.B.B.B, so the tunnel will be set up between those addresses. The local_ts and remote_ts define which networks are allowed inside the tunnel.

The ids are just labels, I've used the actual hostnames to make them easier to identify.
 

obsigna

Aspiring Daemon

Reaction score: 560
Messages: 957

davkiller, are you still employing net/mpd5 together with security/strongswan, or do you now use strongSwan alone for setting up the VPN? In the first case, this most probably means that you want to establish L2TP/IPsec connections, and then the IPsec part must be IKEv1 in transport mode. On the other hand, if you want to set up IKEv2 VPNs, usually for connecting Windows clients, then you would follow the advice of SirDice.

In the MPD5 case, try to add set iface enable proxy-arp to the L2TP bundle configuration in your /usr/local/etc/mpd5/mpd.conf.
 

davkiller

Member


Messages: 21

Thank you for your help, but I can't see the network 192.168.12.140 and the others.
I decided to show my configuration, perhaps I made an error in the config on my server 192.168.12.16.
/usr/local/etc/ipsec.conf :
Code:
conn L2TP/IPsec-PSK
   keyexchange = ikev1
   type = transport
   ike = aes256-sha1-modp1024

   leftauth = psk
   left = %defaultroute
   leftprotoport=17/1701

   rightauth = psk
   right = %any
   rightprotoport=17/%any

   auto = add
I use mpd5.
/usr/local/etc/mpd5/mpd.conf :
Code:
startup:
# configure mpd users
        set user admin MyPasswordVPN admin
# configure the console
        set console self 127.0.0.1 5005
        set console open
# configure the web server
        set web self 192.168.12.16 5006
        set web open

default:
        load l2tp_server

l2tp_server:
# Define dynamic IP address pool -- 192.168.1.128/26
        set ippool add pool_l2tp 192.168.12.128 192.168.12.191

# Create clonable bundle template named B_l2tp
        create bundle template B_l2tp
        set bundle enable compression
        set iface enable proxy-arp
        set iface enable tcpmssfix
        set ipcp yes vjcomp

# Specify IP address pool for dynamic assigment
        set ipcp ranges 192.168.12.16/32 ippool pool_l2tp
        set ipcp dns 8.8.8.8

# Create clonable link template named L_l2tp
        create link template L_l2tp l2tp
        set link action bundle B_l2tp
        set link mtu 1400
        set link keep-alive 0 0
        set link yes acfcomp protocomp
        set link no pap chap eap
        set link enable chap-msv2

# Configure L2TP
        set l2tp self 0.0.0.0
        set l2tp disable dataseq

# Allow to accept calls
        set link enable incoming
/usr/local/etc/mpd.secret
Code:
user password
/usr/local/etc/ipsec.secrets
Code:
# ipsec.secrets - strongSwan IPsec secrets file
: PSK "Mon Identifiants PSK Vpn IPsec de mon serveur 2019"
/usr/local/etc/strongswan.conf
Code:
cat /usr/local/etc/strongswan.conf
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon 
{
        load_modular = yes
        plugins
         {
                include strongswan.d/charon/*.conf
        }

   install_routes = no
   process_route = no

   syslog
   {
      identifier = ipsec
      daemon
      {
         ike_name = yes
      }
   }
}
/etc/rc.conf
Code:
fsck_y_enable="YES"
dumpdev="AUTO"
sshd_enable="YES"
ntpd_enable="YES"
defaultrouter="163.172.*.1"
ntpd_sync_on_start="YES"
local_unbound_enable="YES"
ifconfig_igb0="DHCP"

ifconfig_igb0_alias0="inet 192.168.12.16 netmask 255.255.255.0" 
ifconfig_igb0_alias1="inet 192.168.12.180  netmask 255.255.255.0"
ifconfig_igb0_alias2="inet 192.168.12.140  netmask 255.255.255.0"
ifconfig_igb0_alias3="inet 192.168.12.225  netmask 255.255.255.0"

ifconfig_igb1="DHCP"

hostname="orion"

jail_enable="YES"   
jail_list=""    
sendmail_submit_enable="YES"

linux_enable="YES"
gateway_enable="YES"

strongswan_enable="YES"
mpd_enable="YES"

gateway_enable="YES"
At home, on my FreeBSD desktop 192.168.110.15:
/etc/rc.conf
Code:
clear_tmp_enable="YES"
sendmail_enable="NONE"
hostname="uranus"
keymap="fr.acc.kbd"
ifconfig_re0="DHCP"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
kld_list="/boot/modules/i915kms.ko"
dbus_enable="YES"
fsck_y_enable="YES"

mpd_enable="YES"
/usr/local/etc/ipsec.conf
Code:
flush;
spdflush;
spdadd 0.0.0.0/0 0.0.0.0/0[1701] any -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0 any -P in ipsec esp/transport//require;
cat /usr/local/etc/ipsec.secrets
Code:
: PSK "Mon Identifiants PSK Vpn IPsec de mon serveur 2019"
/usr/local/etc/mpd5/mpd.conf
Code:
startup:
      # Set web self 127.0.0.1 5008
      # Set user vpntest vpntest admin
      # Set web open
log +ALL +EVENTS -FRAME -ECHO
default:
      load L2TP_client

L2TP_client:
        create bundle static B1
        create link static L1 l2tp
        set link action bundle B1
        set auth authname "user"
        set auth password "MyPassword"
        set link max-redial 0
        set link mtu 1400
        set link keep-alive 20 75

        set l2tp peer IP_Wan_SERVER
        open
cat /usr/local/etc/mpd5/mpd.secret
Code:
User MyPassword
/usr/local/etc/strongswan.conf
Code:
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
 load_modular = yes
 plugins {
  include strongswan.d/charon/*.conf
 }
}

include strongswan.d/*.conf
connections {
  gw-gw {
    local_addrs = A.A.A.A
    remote_addrs = B.B.B.B

    local {
      auth = psk
      id = HOME
    }

    remote {
      auth = psk
      id = SERVER
    }

    children {
      net-net {
        local_ts = 192.168.110.0/24,192.168.8.0/24
        remote_ts = 192.168.12.0/24

        esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
        dpd_action = restart
        start_action = start
      }
    }
    version = 2
    proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
  }
}
 


obsigna

Aspiring Daemon

Reaction score: 560
Messages: 957

On the client you most probably need to add a route to the whole network 192.168.12.0/24. When MPD5 establishes its interface it adds a route only to the IP address of the peer.

Try the following on the client, once the L2TP/IPsec connection has been established:
route add -net 192.168.12.0/24 192.168.12.16

If this works, you would put this into the script which brings up the L2TP/IPsec VPN connection as the last step. And to the VPN takedown script you would add the following as the first command:
route delete -net 192.168.12.0/24

PS: There is also an mpd.conf setting which achieves the same and is therefore more elegant. Add to the L2TP bundle configuration in the client's /usr/local/etc/mpd5/mpd.conf the following routing directive: set iface route 192.168.12.0/24
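To make the routing point concrete, here is an added Python model (not mpd5's or FreeBSD's code) of the client's longest-prefix route lookup. The route table is constructed from the addresses in this thread; the tunnel interface name ng0 and the home LAN gateway 192.168.110.1 are assumptions. It shows that with only the host route mpd5 installs, a packet for 192.168.12.140 follows the default route out of the home LAN instead of the tunnel, and that adding the 192.168.12.0/24 route (or the equivalent set iface route directive) changes that.

```python
"""Model of the client's kernel routing decision after mpd5 brings up the
L2TP link. Added example, not mpd5's or FreeBSD's code; the route entries
are constructed from the thread's addresses, and 'ng0' / 192.168.110.1 are
assumed names for the tunnel interface and the home LAN gateway."""
import ipaddress


def lookup(routes, dst):
    """Longest-prefix match over a list of (prefix, gateway, interface).
    Returns (gateway, interface) of the most specific matching route, or
    None if nothing matches (no default route)."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, ifc in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, ifc)
    return None if best is None else (best[1], best[2])


# Constructed: the client's table right after the L2TP/IPsec link comes up.
# mpd5 adds only a host route to the peer; every other destination still
# follows the default route towards the home LAN gateway.
BASE_ROUTES = [
    ("0.0.0.0/0", "192.168.110.1", "re0"),          # assumed LAN default gw
    ("192.168.110.0/24", "link", "re0"),            # directly connected LAN
    ("192.168.12.16/32", "192.168.12.16", "ng0"),   # host route set by mpd5
]

# The route obsigna suggests: route add -net 192.168.12.0/24 192.168.12.16
VPN_NET_ROUTE = ("192.168.12.0/24", "192.168.12.16", "ng0")


def with_vpn_route(routes):
    """Table after 'route add -net 192.168.12.0/24 192.168.12.16'."""
    return routes + [VPN_NET_ROUTE]


def without_vpn_route(routes):
    """Table after 'route delete -net 192.168.12.0/24' (the takedown step)."""
    return [r for r in routes if r[0] != VPN_NET_ROUTE[0]]


def goes_through_tunnel(routes, dst, tunnel_if="ng0"):
    """True if the packet for dst leaves via the tunnel interface, i.e. it
    will be encapsulated in L2TP/IPsec rather than sent out on the LAN."""
    hit = lookup(routes, dst)
    return hit is not None and hit[1] == tunnel_if


if __name__ == "__main__":
    for dst in ("192.168.12.16", "192.168.12.140"):
        print(dst, "before:", lookup(BASE_ROUTES, dst),
              "after:", lookup(with_vpn_route(BASE_ROUTES), dst))
```

The /32 host route stays the most specific entry for the peer itself, so adding the /24 changes only where the jail addresses go; on the real system compare the output of netstat -rn before and after the route add to see the same two states.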
 