Given a remote (centralized) VPN server with a strongSwan IKEv2 setup and an external static IP:
- centralized server internal IP 192.168.1.65, network 192.168.1.64/27
And two gateways doing NAT for internal networks:
- first gateway internal IP 192.168.1.33, network 192.168.1.32/27;
- second gateway internal IP 192.168.1.1, network 192.168.1.0/27.
The gateways also connect to the centralized server using strongSwan.
The connection works perfectly from the gateways to the server and from the server to the gateways: ping works, and services on the server/gateways are reachable. Devices behind the gateways can also access the server without problems.
The problem begins when I try to reach computers behind one gateway from computers behind the other gateway.
Configurations:
centralized:

```
conn base
    keyexchange = ikev2
    keyingtries = %forever
    forceencaps = yes
    compress = no
    left = centralized
    leftid = @centralized
    leftauth = pubkey
    leftca = "..."
    leftcert = centralized.crt
    leftupdown = sudo -E ipsec _updown iptables
    leftsubnet = 192.168.1.65
    right = %any
    rightauth = pubkey
    rightauth2 = psk
    rightca = %same

conn gateway-first
    auto = add
    rightid = @gateway-first
    rightcert = gateway-first.crt
    rightsubnet = 192.168.1.32/27
    rightsourceip = 192.168.1.66
    also = base

conn gateway-second
    auto = add
    rightid = @gateway-second
    rightcert = gateway-second.crt
    rightsubnet = 192.168.1.0/27
    rightsourceip = 192.168.1.67
    also = base
```
gateway-first:

```
conn gateway-first
    auto = route
    dpdaction = restart
    closeaction = restart
    keyexchange = ikev2
    keyingtries = %forever
    forceencaps = yes
    compress = no
    rightid = @centralized
    right = centralized
    rightauth = pubkey
    rightca = "..."
    rightcert = centralized.crt
    rightsubnet = 192.168.1.65,192.168.1.0/27
    leftid = @gateway-first
    left = %defaultroute
    leftauth = pubkey
    leftauth2 = psk
    leftca = %same
    leftcert = gateway-first.crt
    leftupdown = sudo -E ipsec _updown iptables
    leftsubnet = 192.168.1.32/27
    leftsourceip = %config4
```
gateway-second:

```
conn gateway-second
    auto = route
    dpdaction = restart
    closeaction = restart
    keyexchange = ikev2
    keyingtries = %forever
    forceencaps = yes
    compress = no
    rightid = @centralized
    right = centralized
    rightauth = pubkey
    rightca = "..."
    rightcert = centralized.crt
    rightsubnet = 192.168.1.65,192.168.1.32/27
    leftid = @gateway-second
    left = %defaultroute
    leftauth = pubkey
    leftauth2 = psk
    leftca = %same
    leftcert = gateway-second.crt
    leftupdown = sudo -E ipsec _updown iptables
    leftsubnet = 192.168.1.1/27
    leftsourceip = %config4
```
Pinging gateway-second from a computer behind gateway-first (source IP 192.168.1.40) while running tcpdump on the centralized server at the same time shows:

```
# tcpdump -i eth0 host 192.168.1.1 -n
error : ret -1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
21:27:49.030650 IP 192.168.1.40 > 192.168.1.1: ICMP echo request, id 9721, seq 35, length 64
21:27:50.026652 IP 192.168.1.40 > 192.168.1.1: ICMP echo request, id 9721, seq 36, length 64
21:27:51.031805 IP 192.168.1.40 > 192.168.1.1: ICMP echo request, id 9721, seq 37, length 64
21:27:52.041165 IP 192.168.1.40 > 192.168.1.1: ICMP echo request, id 9721, seq 38, length 64
21:27:53.029530 IP 192.168.1.40 > 192.168.1.1: ICMP echo request, id 9721, seq 39, length 64
```

So, according to this log, the packets arrive at the centralized server but are never forwarded to 192.168.1.1.
On the centralized server and on both gateways I've enabled forwarding:

```
net.ipv4.ip_forward = 1
```

Routing table on the centralized server:

```
# ip route
default via yy.yy.yy.yy dev eth0 proto static
zz.zz.zz.zz dev eth0 proto kernel scope link src xx.xx.xx.xx
192.168.1.64/27 via 192.168.1.65 dev eth1 proto static
```

And also routing table 220 (VPN):

```
# ip route show table 220
192.168.1.0/27 via 5.189.141.1 dev eth0 proto static src 192.168.1.65
192.168.1.32/27 via 5.189.141.1 dev eth0 proto static src 192.168.1.65
```

Any ideas on how to enable forwarding between two different tunnels?
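An added example (not code from the post above or from strongSwan) that checks the one thing a hub-and-spoke setup like this needs on the hub: for each spoke conn, the hub's own `leftsubnet` (its local IKEv2 traffic selector) must cover every other spoke's `rightsubnet`, because an IKEv2 responder narrows the negotiated selectors to what its conn allows. The hub config in the post proposes only `192.168.1.65`, so a spoke cannot negotiate a CHILD_SA that carries traffic to the other spoke's network through the hub. The script parses ipsec.conf-style `conn` sections (including `also =` and `conn %default`), reports the uncovered networks, and prints the widened `leftsubnet` each spoke conn would need. The two configs embedded in it are constructed reductions of the hub config in the post: `HUB_CONF` as posted, `FIXED_CONF` with the widened selectors.

```python
"""Spoke-to-spoke traffic-selector check for a strongSwan hub (ipsec.conf syntax).

Added example, not from the original post or from strongSwan: parse `conn`
sections, resolve `also =`, and flag every spoke B whose network is not inside
the hub's leftsubnet toward spoke A.
"""
import ipaddress
import re

# Constructed sample: the hub from the post, reduced to the selector settings.
HUB_CONF = """
conn base
    leftsubnet = 192.168.1.65
    right = %any

conn gateway-first
    rightsubnet = 192.168.1.32/27
    also = base

conn gateway-second
    rightsubnet = 192.168.1.0/27
    also = base
"""

# Constructed sample: same hub, each spoke conn's leftsubnet widened to include
# the other spoke's network (the hub's own address stays first).
FIXED_CONF = """
conn base
    right = %any

conn gateway-first
    leftsubnet = 192.168.1.65,192.168.1.0/27
    rightsubnet = 192.168.1.32/27
    also = base

conn gateway-second
    leftsubnet = 192.168.1.65,192.168.1.32/27
    rightsubnet = 192.168.1.0/27
    also = base
"""


def parse_conns(text):
    """Return {conn name: {key: value}} with `also =` and `conn %default` folded in.

    A conn's own settings win over included ones; `config`/`ca` sections are skipped.
    """
    sections, includes, name = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            name = m.group(1)
            sections.setdefault(name, {})
            includes.setdefault(name, [])
            continue
        if re.match(r"^(config|ca)\s", line):
            name = None
            continue
        if name is None or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "also":
            includes[name].append(value)
        else:
            sections[name][key] = value

    def resolve(n, seen=()):
        if n in seen:
            raise ValueError(f"also= loop through {n}")
        merged = dict(sections.get("%default", {})) if n != "%default" else {}
        for inc in includes.get(n, []):
            merged.update(resolve(inc, seen + (n,)))
        merged.update(sections[n])
        return merged

    return {n: resolve(n) for n in sections}


def to_networks(selector):
    """Split a leftsubnet/rightsubnet value into networks; a bare address becomes
    a /32, %-placeholders (e.g. %dynamic) are skipped, host bits are masked off."""
    parts = [p.strip() for p in selector.split(",")]
    return [ipaddress.ip_network(p, strict=False) for p in parts if p and not p.startswith("%")]


def spoke_to_spoke_gaps(conns):
    """{spoke A: [(spoke B, B network not covered by A's leftsubnet)]}; spokes are
    the conns carrying a rightsubnet. Empty dict means every pair is covered."""
    spokes = {n: c for n, c in conns.items() if "rightsubnet" in c and n != "%default"}
    gaps = {}
    for a, ca in spokes.items():
        local = to_networks(ca.get("leftsubnet", ""))
        for b, cb in spokes.items():
            for net in to_networks(cb["rightsubnet"]) if a != b else []:
                if not any(l.version == net.version and net.subnet_of(l) for l in local):
                    gaps.setdefault(a, []).append((b, str(net)))
    return gaps


def render(net):
    """Write a /32 (or /128) back as a bare address, as ipsec.conf has it."""
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)


def fixed_leftsubnet(conns, spoke):
    """leftsubnet for `spoke`: its current entries plus every uncovered spoke network."""
    have = to_networks(conns[spoke].get("leftsubnet", ""))
    for _, missing in spoke_to_spoke_gaps(conns).get(spoke, []):
        if ipaddress.ip_network(missing) not in have:
            have.append(ipaddress.ip_network(missing))
    return ",".join(render(n) for n in have)


if __name__ == "__main__":
    for label, conf in (("as posted", HUB_CONF), ("widened", FIXED_CONF)):
        conns = parse_conns(conf)
        print(label, spoke_to_spoke_gaps(conns) or "no gaps")
        for spoke in spoke_to_spoke_gaps(conns):
            print(f"  conn {spoke}: leftsubnet = {fixed_leftsubnet(conns, spoke)}")
```

On the hub itself the same question is answered by `ipsec statusall` (the traffic selectors of the installed CHILD_SAs), `ip xfrm policy` (the kernel policies those selectors became) and `iptables -S FORWARD`, since the `_updown iptables` script only opens FORWARD for the negotiated local/remote subnet pair. The spoke conns in the post already list the other spoke's network in `rightsubnet`, so only the hub side needs widening; after changing it, both spokes must re-establish their CHILD_SAs for the new selectors to take effect.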