How to allow the clients to access the local LAN #56

Open

gustavohellwig opened this issue Apr 7, 2018 · 1 comment

gustavohellwig commented Apr 7, 2018

Hi,
Everything looks good in my environment. The clients get an IP address from the DHCP server and can reach the LAN and WAN without any problem, but... all the clients get the same IP address from the DHCP server. I have tested with another DHCP server (the first was a firewall's DHCP, the second a Windows Server DHCP) and it's the same.

My config files are:

/etc/ipsec.conf

```
config setup
    strictcrlpolicy=no
    uniqueids=never
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"

conn roadwarrior
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256gcm16-sha256-ecp521,aes256-sha256-ecp384!
    esp=aes256gcm16-sha256!
    dpdaction=clear
    dpddelay=180s
    rekey=no

    left=%any
    [email protected]
    leftcert=cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0

    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    eap_identity=%any
    rightdns=dns1 ip address, dns2 IP address
    rightsourceip=%dhcp
    rightsendcert=never
```
/etc/sysctl.d/99-strongswan.conf

```
net.ipv4.ip_forward=1
```
/etc/strongswan.d/charon/dhcp.conf

```
dhcp {
    force_server_address = yes
    identity_lease = yes
    interface = eth0
    load = yes
    server = 10.10.0.1 # DHCP IP address
}
```

```
charon {
    load_modular = yes
    dns1 = dns 1 ip address
    dns2 = dns 2 ip address
    plugins {
        include strongswan.d/charon/*.conf
        attr {
            split-include = 10.10.0.0/16 # Send only traffic destined to leftsubnet to the tunnel interface
            split-exclude = 0.0.0.0/0 # Mac OS X client responsible for routing all non-tunnel traffic elsewhere
            28674 = rva.org
            dns = dns 1 ip address, dns 2 ip address
        }
    }
}

include strongswan.d/*.conf
```
IPTABLES

PS: That is not my config, but I tested with it to make sure there is nothing wrong with it.

```sh
# Clean iptables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
```
Question 1: How do I get the DHCP server to give a different IP address to each VPN client?

Like... I made a test using rightsourceip=10.10.1.247/32 and the client works with no problem, but to the firewall the connection looks like it comes from the server. The server has free access to the internet, but the clients should authenticate first.

How do I change the way the VPN client reaches the LAN, so that it behaves like a normal client?
Or how do I fix the DHCP issue that gives the same IP address to all the VPN clients?

@gustavohellwig (Author)

Thoughts
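An added check for the first question, not part of the issue and not strongSwan's own code. With `identity_lease = yes`, strongSwan's dhcp plugin derives the hardware address it puts in the DHCP request from the client identity, so clients that present the same identity are handed the same lease, and a DHCP server that keys leases on that address hands it back again. Before changing anything it is worth confirming from the gateway itself whether one virtual IP is really installed for several clients at once, rather than one client reconnecting. The script below parses `ipsec status` output and lists every /32 remote traffic selector that appears in more than one CHILD_SA. The listing it runs on here is constructed: the connection name `roadwarrior`, the identities, addresses and SPIs are made up, and the field layout follows the `ipsec status` format of strongSwan 5.x.

```shell
#!/bin/sh
# Added example: detect a virtual IP shared by several road-warrior clients.
# Parses `ipsec status`, where each CHILD_SA line ends in "<local TS> === <remote TS>"
# and, for a road-warrior with rightsourceip, the remote TS is the virtual IP as a /32.

# Constructed sample of `ipsec status` output (not captured from a real gateway):
# alice and bob were both assigned 10.10.5.23, carol got her own address.
SAMPLE_STATUS='Security Associations (3 up, 0 connecting):
 roadwarrior[2]: ESTABLISHED 5 seconds ago, 203.0.113.10[vpn.example.org]...198.51.100.7[bob]
 roadwarrior{2}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c0ffee01_i c0ffee02_o
 roadwarrior{2}:   0.0.0.0/0 === 10.10.5.23/32
 roadwarrior[1]: ESTABLISHED 2 minutes ago, 203.0.113.10[vpn.example.org]...192.0.2.20[alice]
 roadwarrior{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c0ffee03_i c0ffee04_o
 roadwarrior{1}:   0.0.0.0/0 === 10.10.5.23/32
 roadwarrior[3]: ESTABLISHED 1 minute ago, 203.0.113.10[vpn.example.org]...192.0.2.77[carol]
 roadwarrior{3}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c0ffee05_i c0ffee06_o
 roadwarrior{3}:   0.0.0.0/0 === 10.10.5.24/32'

# duplicate_vips "<ipsec status text>"
# Prints one line "<vip>: <child-sa> <child-sa> ..." per /32 remote selector that is
# installed in more than one CHILD_SA; prints nothing when every client has its own IP.
duplicate_vips() {
  printf '%s\n' "$1" | awk '
    /===/ {
      n = split($0, parts, "===")
      ts = parts[n]
      gsub(/^[ \t]+|[ \t]+$/, "", ts)
      if (ts !~ /\/32$/) next          # only single-host selectors are virtual IPs
      name = $1                        # e.g. "roadwarrior{2}:"
      sub(/:$/, "", name)
      count[ts]++
      names[ts] = names[ts] " " name
    }
    END {
      for (ts in count)
        if (count[ts] > 1) print ts ":" names[ts]
    }' | sort
}

# Run against the constructed sample. On a live gateway use: duplicate_vips "$(ipsec status)"
duplicate_vips "$SAMPLE_STATUS"
```

If the script prints a line, the gateway is handing one address to several tunnels, and the DHCP side (the identity the lease is derived from, or how the server keys leases) is the place to look; if it prints nothing while clients still collide, the address is being reused across reconnects rather than shared, which is a different problem.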
