Connexion VPN IPsec and access other server

[davkiller]

Hello,

I have a server (192.168.12.16).

On this server, i have a lot of jail :

192.168.12.140 (server web)

192.168.12.180 (server web)

192.168.12.225 (server web)


I work on freebsd in my home (192.168.110.15).

I creat VPN IPsec with mpd5 and strongswan.

My connexion vpn is good, i can to connect on 192.168.12.16 with ssh.


Now i want to connect too on other server because i want to use connexion vpn for to work on phpmyadmin.

When i do ping on 192.168.12.140 or other, i lose the packets.

Why ?
i don't have firewall.

Thank you for your help

 

[D-FENS]

1. Can you connect from the server to the jails? Login to 192.168.12.16 and try to ping 192.168.12.140.
2. Make sure you have activated IP forwarding:

Chapter 34. Advanced Networking

Advanced networking in FreeBSD: basics of gateways and routes, CARP, how to configure multiple VLANs on FreeBSD, etc

www.freebsd.org

Put this in /etc/rc.conf on your server:
gateway_enable="YES"

 

[SirDice]

roccobaroccoSC You're linking to a page from 3.5-RELEASE. I'm pretty sure that's not entirely valid any more.

davkiller How did you configure strongswan? You have to supply the correct local_ts and remote_ts networks.

connections {
  gw-gw {
    local_addrs = A.A.A.A
    remote_addrs = B.B.B.B

    local {
      auth = psk
      id = home.example.com
    }

    remote {
      auth = psk
      id = myserver.example.com
    }

    children {
      net-net {
        local_ts = 192.168.10.0/24,192.168.11.0/24
        remote_ts = 192.168.21.0/24

        esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
        dpd_action = restart
        start_action = start
      }
    }
    version = 2
    proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
  }
}

My home network has two segments 192.168.10.0/24 and 192.168.11.0/24, my remote server has a local network with all the jails on 192.168.21.0/24.

 

[SirDice]

The 'other' side of the tunnel has the exact same configuration, only the various 'remote' and 'local' definitions are swapped. What's 'local' on one side is 'remote' on the other side.

For addition information, that bit of code is saved as /usr/local/etc/swanctl/conf.d/connections.conf. I also have a secrets.conf with the PSK defined:

secrets {
  ike-1 {
    id-home = home.example.com
    id-myserver = myserver.example.com
    secret = "somesupersecretpassword"
  }
}

If everything is set up correctly you should see something like this:

root@maelcum:/usr/local/etc # swanctl --list-conns
gw-gw: IKEv2, no reauthentication, rekeying every 14400s
  local:  A.A.A.A
  remote: B.B.B.B
  local pre-shared key authentication:
    id: home.example.com
  remote pre-shared key authentication:
    id: myserver.example.com
  net-net: TUNNEL, rekeying every 3600s
    local:  192.168.10.0/24 192.168.11.0/24
    remote: 192.168.21.0/24

Take note of the tunnel networks, those show the only traffic that's allowed through the tunnel.

 

[davkiller]

actually, I did not configure the strongswan.conf file, it was edited by default.
To be sure to understand, in attachment a photo of the configuration of the file, with my questions.

thank you in advance for your help

PS: i can to connect on ssh 192.168.12.16 with 192.168.110.15 and i can ping 192.168.12.140 and other.

 

[SirDice]

The local_addrs is the internet IP address of your side, the remote_addrs is the internet IP of the remove site. In my example I've used A.A.A.A and B.B.B.B, so the tunnel will be set up between those addresses. The local_ts and remote_ts define which networks are allowed inside the tunnel.

The id are just labels, I've used the actual hostnames to make them easier to identify.

 

[obsigna]

davkiller, are you still employing net/mpd5 together with security/strongswan or do you now use strongSwan alone for setting up the VPN? In the first case, this most probably means that you want to establisch L2TP/IPsec connections, and then the IPsec part must be IKEv1 in transport mode. On the other hand, if you want to setup IKEv2-VPN’s usually for connecting Windows clients, then you would follow the advices of SirDice.

In the MPD5 case, try to add set iface enable proxy-arp in the L2TP bundle configuration in your /usr/local/etc/mpd5/mpd.conf.

 

[davkiller]

Thank you for your help, but i can't to see network 192.168.12.140 and other.
I decide to show my configuration, perhaps i make error on config on my server 192.168.12.16
/usr/local/etc/ipsec.conf :

conn L2TP/IPsec-PSK
   keyexchange = ikev1
   type = transport
   ike = aes256-sha1-modp1024

   leftauth = psk
   left = %defaultroute
   leftprotoport=17/1701

   rightauth = psk
   right = %any
   rightprotoport=17/%any

   auto = add

i use mpd5.
/usr/local/etc/mpd5/mpd.conf :

startup:
# configure mpd users
        set user admin MyPasswordVPN admin
# configure the console
        set console self 127.0.0.1 5005
        set console open
# configure the web server
        set web self 192.168.12.16 5006
        set web open

default:
        load l2tp_server

l2tp_server:
# Define dynamic IP address pool -- 192.168.1.128/26
        set ippool add pool_l2tp 192.168.12.128 192.168.12.191

# Create clonable bundle template named B_l2tp
        create bundle template B_l2tp
        set bundle enable compression
        set iface enable proxy-arp
        set iface enable tcpmssfix
        set ipcp yes vjcomp

# Specify IP address pool for dynamic assigment
        set ipcp ranges 192.168.12.16/32 ippool pool_l2tp
        set ipcp dns 8.8.8.8

# Create clonable link template named L_l2tp
        create link template L_l2tp l2tp
        set link action bundle B_l2tp
        set link mtu 1400
        set link keep-alive 0 0
        set link yes acfcomp protocomp
        set link no pap chap eap
        set link enable chap-msv2

# Configure L2TP
        set l2tp self 0.0.0.0
        set l2tp disable dataseq

# Allow to accept calls
        set link enable incoming

/usr/local/etc/mpd.secret

user password

/usr/local/etc/ipsec.secrets

# ipsec.secrets - strongSwan IPsec secrets file
: PSK "Mon Identifiants PSK Vpn IPsec de mon serveur 2019"

/usr/local/etc/strongswan.conf

cat /usr/local/etc/strongswan.conf
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon 
{
        load_modular = yes
        plugins
         {
                include strongswan.d/charon/*.conf
        }

   install_routes = no
   process_route = no

   syslog
   {
      identifier = ipsec
      daemon
      {
         ike_name = yes
      }
   }
}

/etc/rc.conf

fsck_y_enable="YES"
dumpdev="AUTO"
sshd_enable="YES"
ntpd_enable="YES"
defaultrouter="163.172.*.1"
ntpd_sync_on_start="YES"
local_unbound_enable="YES"
ifconfig_igb0="DHCP"

ifconfig_igb0_alias0="inet 192.168.12.16 netmask 255.255.255.0" 
ifconfig_igb0_alias1="inet 192.168.12.180  netmask 255.255.255.0"
ifconfig_igb0_alias2="inet 192.168.12.140  netmask 255.255.255.0"
ifconfig_igb0_alias3="inet 192.168.12.225  netmask 255.255.255.0"

ifconfig_igb1="DHCP"

hostname="orion"

jail_enable="YES"   
jail_list=""    
sendmail_submit_enable="YES"

linux_enable="YES"
gateway_enable="YES"

strongswan_enable="YES"
mpd_enable="YES"

gateway_enable="YES"

on my home with desktop freebsd 192.168.110.15
/etc/rc.conf

clear_tmp_enable="YES"
sendmail_enable="NONE"
hostname="uranus"
keymap="fr.acc.kbd"
ifconfig_re0="DHCP"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
kld_list="/boot/modules/i915kms.ko"
dbus_enable="YES"
fsck_y_enable="YES"

mpd_enable="YES"

/usr/local/etc/ipsec.conf

flush;
spdflush;
spdadd 0.0.0.0/0 0.0.0.0/0[1701] any -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0 any -P in ipsec esp/transport//require;

cat /usr/local/etc/ipsec.secrets

: PSK "Mon Identifiants PSK Vpn IPsec de mon serveur 2019"

/usr/local/etc/mpd5/mpd.conf

startup:
      # Set web self 127.0.0.1 5008
      # Set user vpntest vpntest admin
      # Set web open
log +ALL +EVENTS -FRAME -ECHO
default:
      load L2TP_client

L2TP_client:
        create bundle static B1
        create link static L1 l2tp
        set link action bundle B1
        set auth authname "user"
        set auth password "MyPassword"
        set link max-redial 0
        set link mtu 1400
        set link keep-alive 20 75

        set l2tp peer IP_Wan_SERVER
        open

cat /usr/local/etc/mpd5/mpd.secret

User MyPassword

/usr/local/etc/strongswan.conf

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
 load_modular = yes
 plugins {
  include strongswan.d/charon/*.conf
 }
}

include strongswan.d/*.conf
connections {
  gw-gw {
    local_addrs = A.A.A.A
    remote_addrs = B.B.B.B

    local {
      auth = psk
      id = HOME
    }

    remote {
      auth = psk
      id = SERVER
    }

    children {
      net-net {
        local_ts = 192.168.110.0/24,192.168.8.0/24
        remote_ts = 192.168.12.0/24

        esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
        dpd_action = restart
        start_action = start
      }
    }
    version = 2
    proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
  }
}

 

[obsigna]

On the client you most probably need to add a route to the whole network 192.168.12.0/24. When MPD5 etablishes its interface it adds a route only to the IP address of the peer.

Try the following on the client, once the L2TP/IPsec connection has been established:
route add -net 192.168.12.0/24 192.168.12.16

If this works, you would put this into the script which brings up the L2TP/IPsec VPN connection as the last step. And to the VPN takedown script you would add the following as the first command:
route delete -net 192.168.12.0/24

PS: There is also a mpd.conf setting which achieves the same and is therefore more elegant. Add to the L2TP bundle configuration in the client's /usr/local/etc/mpd5/mpd.conf the following routing directive, set iface route 192.168.12.0/24

 

[D-FENS]

roccobaroccoSC You're linking to a page from 3.5-RELEASE. I'm pretty sure that's not entirely valid any more.

Sorry, my bad. The information in the page is still valid but it is indeed quite an old docu. I changed the link.

 

[hukadan]

I changed the link.

You changed the text of the link but not the link itself .

 

[davkiller]

Thank you all, i can connect all jail with 192.168.110.15.
I can work now ;-)
Thank you very much