IKEv2-setup

How to allow the clients to access the local LAN

Open gustavohellwig opened this issue 7 years ago • 1 comment

Hi, everything looks good in my environment. The clients can get an IP address from the DHCP server and can go to the LAN and WAN without any problem, but... all the clients get the same IP address from the DHCP server. I have tested with another DHCP server (the 1st was a firewall DHCP and the 2nd was a Windows Server DHCP) and it's the same.

My config files are:

/etc/ipsec.conf

```
config setup
    strictcrlpolicy=no
    uniqueids=never
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"

conn roadwarrior
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256gcm16-sha256-ecp521,aes256-sha256-ecp384!
    esp=aes256gcm16-sha256!
    dpdaction=clear
    dpddelay=180s
    rekey=no

    left=%any
    [email protected]
    leftcert=cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0

    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    eap_identity=%any
    rightdns=dns1 ip address, dns2 IP address
    rightsourceip=%dhcp
    rightsendcert=never
```

/etc/sysctl.d/99-strongswan.conf

```
net.ipv4.ip_forward=1
```

/etc/strongswan.d/charon/dhcp.conf

```
dhcp {
    force_server_address = yes
    identity_lease = yes
    interface = eth0
    load = yes
    server = 10.10.0.1 #DHCP IP address
}

charon {
    load_modular = yes
    dns1 = dns 1 ip address
    dns2 = dns 2 ip address
    plugins {
        include strongswan.d/charon/*.conf
        attr {
            split-include = 10.10.0.0/16 # Send only traffic destined to leftsubnet to the tunnel interface
            split-exclude = 0.0.0.0/0 # Mac OS X client responsible for routing all non-tunnel traffic elsewhere
            28674 = rva.org
            dns = dns 1 ip address, dns 2 ip address
        }
    }
}

include strongswan.d/*.conf
```

IPTABLES

PS: That is not my config, but I tested with that to make sure that there is nothing wrong with it.

```
#Clean IP Tables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
```

Question 1: How can I make the DHCP server give a different IP address to each VPN client?

Like... I made a test using rightsourceip=10.10.1.247/32 and the client works with no problem, but to the firewall it looks like the connection comes from the server. The server has free access to the internet, but the clients should authenticate first.

How can I change the way the VPN clients go to the LAN, so that they become a normal client? Or how can I fix the DHCP issue that gives the same IP address to all the VPN clients?

gustavohellwig, Apr 07 '18 21:04
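As an added example (not part of this issue or of the IKEv2-setup project), a small Python parser for the nested `section { key = value }` syntax of the dhcp.conf posted above, plus a check that a conn using `rightsourceip=%dhcp` actually has the dhcp plugin loaded and pointed at a server. `SAMPLE_CONF` is a constructed fragment in the same shape as the posted one, and `parse_strongswan_conf` / `check_dhcp_pool` are hypothetical helper names; one setting per line is assumed (the one-line form is not handled).

```python
# Constructed strongswan.conf fragment in the shape of the one posted in this
# issue (dhcp plugin + attr plugin); addresses are placeholder values.
SAMPLE_CONF = """
dhcp {
    force_server_address = yes
    identity_lease = yes
    interface = eth0
    load = yes
    server = 10.10.0.1   # DHCP server address (constructed)
}
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
        attr {
            split-include = 10.10.0.0/16
            split-exclude = 0.0.0.0/0
        }
    }
}
"""

def parse_strongswan_conf(text):
    """Parse nested `section { key = value }` text into nested dicts.
    Comments (#) and `include` lines are dropped, one setting per line."""
    root, stack = {}, []
    current = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("include "):
            continue
        if line.endswith("{"):                 # open a (sub)section
            stack.append(current)
            current = current.setdefault(line[:-1].strip(), {})
        elif line == "}":                      # close the current section
            current = stack.pop()
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return root

def check_dhcp_pool(conf, rightsourceip):
    """Findings for a conn whose rightsourceip is %dhcp: the dhcp plugin must
    be loaded and have a server address, or no lease can be requested."""
    findings = []
    if rightsourceip != "%dhcp":
        return findings                        # static pool: nothing to check
    dhcp = conf.get("dhcp", {})
    if dhcp.get("load") != "yes":
        findings.append("dhcp plugin not loaded")
    if not dhcp.get("server"):
        findings.append("dhcp.server not set")
    if dhcp.get("identity_lease") != "yes":
        findings.append("identity_lease not yes: DHCP MAC not derived from client identity")
    return findings
```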

Thoughts

gustavohellwig, Apr 09 '18 11:04