StrongSWAN Routing Issue

Issues related to configuring your network
DanielLeeP
Posts: 8
Joined: 2017/10/02 06:16:50

StrongSWAN Routing Issue

Post by DanielLeeP » 2017/10/02 06:34:28

Alright, so I have been at this for about 6–8 hours now. I have tried everything I can think of to get this VPN server running, including turning off the firewall completely on the Linux system, and it is still refusing to work. I have a strongSwan VPN set up; I used an automated script to install it (I will reference it later). I know the public IP of the server but I am unsure about the private IP; I am assuming it is correct, because the built-in Windows VPN connects to it fine with the settings that are in the configuration file. The issue is that it says there is no internet connection: the connection is verified, but Windows says there is no internet connection.

Here is the content of my /etc/ipsec.conf:
# ipsec.conf - strongSwan IPsec configuration file
#
# NOTE(review): every parameter below is flush left in this paste. strongSwan
# expects the parameters of a section (config setup, conn ...) to be indented;
# the forum has most likely stripped the indentation, and the client does
# connect, so just confirm the file on disk is indented.

config setup
# Allow several simultaneous connections with the same identity.
uniqueids=no
# Debug levels: cfg/dmn/ike at 2, net silenced. Routing problems show up in the
# knl (kernel) subsystem, which is not raised here; adding "knl 2" while
# troubleshooting logs the routes and policies charon installs (routing table
# 220 in the getinfo output further down).
charondebug="cfg 2, dmn 2, ike 2, net 0"

conn %default
dpdaction=clear
dpddelay=300s
rekey=no
# The server address is taken from the interface holding the default route:
# eth0 / 158.69.206.22 in the getinfo output further down.
left=%defaultroute
# With leftfirewall=yes charon's updown script adds and removes its own
# iptables rules whenever an SA comes up or goes down. The iptables-save dumps
# below therefore show only the static part of the ruleset; when debugging,
# compare them with the live ruleset (iptables -L -n -v and
# iptables -t nat -L -n -v) while a client is connected.
leftfirewall=yes
right=%any
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
auto=add

#######################################
# L2TP Connections
#######################################

# IKEv1 transport mode protecting UDP/1701; these clients get their address
# from xl2tpd (pool 10.1.0.x in xl2tpd.conf), not from rightsourceip.
conn L2TP-IKEv1-PSK
type=transport
keyexchange=ikev1
authby=secret
leftprotoport=udp/l2tp
left=%any
right=%any
rekey=no
# Always UDP-encapsulate (NAT-T), even when no NAT is detected.
forceencaps=yes

#######################################
# Default non L2TP Connections
#######################################

conn Non-L2TP
# leftsubnet=0.0.0.0/0: the client sends all of its traffic through the
# tunnel, so the server has to forward and NAT it (see the FORWARD and
# POSTROUTING rules in the iptables dumps below).
leftsubnet=0.0.0.0/0
rightsubnet=10.0.0.0/24
# Virtual IP pool for the IKEv2 and XAuth clients. The Windows client output at
# the end of the thread shows the client holding 10.0.0.0 — the network
# address of this /24 — with a /32 mask; whether that lease came from this pool
# cannot be told from the paste, so check the assigned lease with
# "ipsec statusall" while the client is connected. A pool that cannot hand out
# the network address (e.g. 10.0.0.2-10.0.0.254, if this strongSwan version
# accepts ranges) avoids the question. Note this pool is a different network
# from the L2TP pool 10.1.0.0/24 in xl2tpd.conf.
rightsourceip=10.0.0.0/24

#######################################
# EAP Connections
#######################################

# This detects a supported EAP method
conn IKEv2-EAP
also=Non-L2TP
keyexchange=ikev2
eap_identity=%any
rightauth=eap-dynamic

#######################################
# PSK Connections
#######################################

conn IKEv2-PSK
also=Non-L2TP
keyexchange=ikev2
authby=secret

# Cisco IPSec
# IKEv1 with a group PSK plus XAuth. The PSK is shared by every client and the
# peer is %any, so the XAuth user credentials are the only per-user secret;
# prefer the IKEv2-EAP profile above for clients that support it.
conn IKEv1-PSK-XAuth
also=Non-L2TP
keyexchange=ikev1
leftauth=psk
rightauth=psk
rightauth2=xauth
And my /etc/xl2tpd.conf file contents:
; xl2tpd configuration backing the L2TP/IPsec profile (conn L2TP-IKEv1-PSK).
[global]
port = 1701
auth file = /etc/ppp/chap-secrets
; All four debug switches are on: useful while troubleshooting, noisy in the
; logs otherwise.
debug avp = yes
debug network = yes
debug state = yes
debug tunnel = yes
[lns default]
; PPP address pool for L2TP clients; the server end is 10.1.0.1 (ppp0 in the
; getinfo output shows 10.1.0.1 P-t-P 10.1.0.2). This is a different network
; from the IPsec pool 10.0.0.0/24 in ipsec.conf, so firewall rules that match
; 10.0.0.0/24 do not cover L2TP clients.
ip range = 10.1.0.2-10.1.0.254
local ip = 10.1.0.1
require chap = yes
refuse pap = yes
; Tunnel-level (L2TP) authentication is not required; user authentication
; still happens in PPP via CHAP above.
require authentication = no
name = l2tpd
;ppp debug = yes
; Per-client PPP options (typically MTU/MRU and the DNS servers pushed to
; clients) are in this file, which is not part of the paste; ppp0 came up with
; MTU 1280 according to the getinfo output.
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
iptables configuration (iptables-save output):
# Generated by iptables-save v1.4.7 on Mon Oct 2 01:49:34 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [444:44850]
# NOTE(review): ppp0 clients are addressed from 10.1.0.0/24 (xl2tpd.conf), so
# this rule never matches an L2TP client, and IKEv2 clients (10.0.0.x) arrive
# decapsulated on eth0, not on ppp0. Either the source or the interface is
# wrong here.
-A INPUT -s 10.0.0.0/24 -i ppp0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# SSH is reachable from any source; restrict it to known sources or rate-limit
# it if the host is only managed from a few places.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# L2TP (1701), IKE (500) and NAT-T (4500). UDP/1701 is accepted from anywhere,
# so L2TP without IPsec is reachable too; adding "-m policy --dir in --pol ipsec"
# to this rule limits it to IPsec-protected packets.
-A INPUT -p udp -m state --state NEW -m udp --dport 1701 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# BUG: iptables evaluates rules in order and this REJECT is appended before the
# only FORWARD ACCEPT, so the ACCEPT on the next line is never reached and this
# ruleset forwards nothing — which matches the symptom (VPN connects, no
# internet). Unless charon's updown script (leftfirewall=yes in ipsec.conf)
# inserts rules ahead of it for the IPsec conns, all client traffic is rejected
# here, and L2TP clients on ppp0 have no rule at all. The ACCEPT also only
# matches "-i eth0", i.e. traffic arriving from the internet, not traffic from
# the clients. Needed, all before the REJECT:
#   -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
#   -A FORWARD -s 10.0.0.0/24 -o eth0 -j ACCEPT
#   -A FORWARD -i ppp0 -o eth0 -j ACCEPT
# with the REJECT kept as the last rule.
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth0 -j ACCEPT
COMMIT
# Completed on Mon Oct 2 01:49:34 2017
# Generated by iptables-save v1.4.7 on Mon Oct 2 01:49:34 2017
*nat
:PREROUTING ACCEPT [10:1020]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# First match wins in POSTROUTING: this unscoped SNAT rewrites the source of
# every new outgoing flow to the public address, so none of the rules after it
# are ever consulted. The repeated MASQUERADE/SNAT lines look like the install
# script appending its rules on every run; the SNAT to 10.0.0.0 and 10.1.0.1
# would be wrong for traffic leaving eth0 even if reached. One scoped rule per
# client pool is enough, e.g.
#   -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
#   -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
#   -A POSTROUTING -s 10.1.0.0/24 -o eth0 -j MASQUERADE
# where the first line keeps IPsec-protected packets from being rewritten
# (the second attempt further down already adds it).
-A POSTROUTING -j SNAT --to-source 158.69.206.22
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -j SNAT --to-source 158.69.206.22
-A POSTROUTING -j SNAT --to-source 10.0.0.0
-A POSTROUTING -j SNAT --to-source 10.1.0.1
COMMIT
# Completed on Mon Oct 2 01:49:34 2017

As stated previously, even with the firewall turned off, the VPN still has no internet access.
/etc/rc.local file contents:
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

# Create the SysV subsystem lock file for "local" (the conventional marker
# that rc.local has run). Nothing VPN-related is started from here.
local_lock=/var/lock/subsys/local
touch "$local_lock"
/etc/sysctl.conf file contents:
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
#
# Use '/sbin/sysctl -a' to list all possible parameters.

# Controls IP packet forwarding
# Forwarding is enabled, so the "no internet" symptom is not caused at this
# level; the iptables FORWARD chain above is the next thing to look at.
net.ipv4.ip_forward = 1

# Controls source route verification
# NOTE(review): only the "default" key is set here, yet the getinfo output
# shows the live values as all.rp_filter=0 with eth0, ppp0 and lo at 1
# (strict) — something set all.rp_filter at runtime, possibly the install
# script. Strict reverse-path filtering on eth0 drops decapsulated client
# packets whose source (10.0.0.x) has no route back out eth0; whether
# strongSwan's routes in table 220 cover that here cannot be told from the
# paste — check "ip route show table 220" while a client is connected.
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Controls the default maximum size of a message queue
kernel.msgmnb = 65536

# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296
And the output of getinfo.sh:
Information for general problems.


== BEGIN uname -rmi ==
2.6.32-696.6.3.el6.x86_64 x86_64 x86_64
== END   uname -rmi ==

== BEGIN rpm -qa \*-release\* ==
epel-release-6-8.noarch
centos-release-6-9.el6.12.3.x86_64
== END   rpm -qa \*-release\* ==

== BEGIN cat /etc/redhat-release ==
CentOS release 6.9 (Final)
== END   cat /etc/redhat-release ==

== BEGIN getenforce ==
Disabled
== END   getenforce ==

== BEGIN free -m ==
             total       used       free     shared    buffers     cached
Mem:          3736        860       2875          0         44        677
-/+ buffers/cache:        138       3597
Swap:            0          0          0
== END   free -m ==

== BEGIN rpm -qa yum\* rpm-\* python | sort ==
python-2.6.6-66.el6_8.x86_64
rpm-libs-4.8.0-55.el6.x86_64
rpm-python-4.8.0-55.el6.x86_64
yum-3.2.29-81.el6.centos.noarch
yum-metadata-parser-1.1.2-16.el6.x86_64
yum-plugin-fastestmirror-1.1.30-40.el6.noarch
yum-plugin-security-1.1.30-40.el6.noarch
yum-utils-1.1.30-40.el6.noarch
== END   rpm -qa yum\* rpm-\* python | sort ==

== BEGIN ls /etc/yum.repos.d ==
CentOS-Base.repo
CentOS-Debuginfo.repo
CentOS-fasttrack.repo
CentOS-Media.repo
CentOS-Vault.repo
CentOS-Vault.repo.rpmnew
epel.repo
epel-testing.repo
== END   ls /etc/yum.repos.d ==

== BEGIN cat /etc/yum.conf ==
[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
debuglevel=2
logfile=/var/log/yum.log
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
installonly_limit=5
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=19&ref=http://bugs.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release

#  This is the default, if you make this bigger yum won't see if the metadata
# is newer on the remote and so you'll "gain" the bandwidth of not having to
# download the new metadata and "pay" for it by yum not having correct
# information.
#  It is esp. important, to have correct metadata, for distributions like
# Fedora which don't keep old packages around. If you don't like this checking
# interupting your command line usage, it's much better to have something
# manually check the metadata once an hour (yum-updatesd will do this).
# metadata_expire=90m

# PUT YOUR REPOS HERE OR IN separate files named file.repo
# in /etc/yum.repos.d
== END   cat /etc/yum.conf ==

== BEGIN yum repolist all ==
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
 * epel: mirror.csclub.uwaterloo.ca
repo id                repo name                                 status
C6.0-base              CentOS-6.0 - Base                         disabled
C6.0-centosplus        CentOS-6.0 - CentOSPlus                   disabled
C6.0-contrib           CentOS-6.0 - Contrib                      disabled
C6.0-extras            CentOS-6.0 - Extras                       disabled
C6.0-updates           CentOS-6.0 - Updates                      disabled
C6.1-base              CentOS-6.1 - Base                         disabled
C6.1-centosplus        CentOS-6.1 - CentOSPlus                   disabled
C6.1-contrib           CentOS-6.1 - Contrib                      disabled
C6.1-extras            CentOS-6.1 - Extras                       disabled
C6.1-updates           CentOS-6.1 - Updates                      disabled
C6.2-base              CentOS-6.2 - Base                         disabled
C6.2-centosplus        CentOS-6.2 - CentOSPlus                   disabled
C6.2-contrib           CentOS-6.2 - Contrib                      disabled
C6.2-extras            CentOS-6.2 - Extras                       disabled
C6.2-updates           CentOS-6.2 - Updates                      disabled
C6.3-base              CentOS-6.3 - Base                         disabled
C6.3-centosplus        CentOS-6.3 - CentOSPlus                   disabled
C6.3-contrib           CentOS-6.3 - Contrib                      disabled
C6.3-extras            CentOS-6.3 - Extras                       disabled
C6.3-updates           CentOS-6.3 - Updates                      disabled
C6.4-base              CentOS-6.4 - Base                         disabled
C6.4-centosplus        CentOS-6.4 - CentOSPlus                   disabled
C6.4-contrib           CentOS-6.4 - Contrib                      disabled
C6.4-extras            CentOS-6.4 - Extras                       disabled
C6.4-updates           CentOS-6.4 - Updates                      disabled
C6.5-base              CentOS-6.5 - Base                         disabled
C6.5-centosplus        CentOS-6.5 - CentOSPlus                   disabled
C6.5-contrib           CentOS-6.5 - Contrib                      disabled
C6.5-extras            CentOS-6.5 - Extras                       disabled
C6.5-updates           CentOS-6.5 - Updates                      disabled
C6.6-base              CentOS-6.6 - Base                         disabled
C6.6-centosplus        CentOS-6.6 - CentOSPlus                   disabled
C6.6-contrib           CentOS-6.6 - Contrib                      disabled
C6.6-extras            CentOS-6.6 - Extras                       disabled
C6.6-updates           CentOS-6.6 - Updates                      disabled
base                   CentOS-6 - Base                           enabled:  6,706
base-debuginfo         CentOS-6 - Debuginfo                      disabled
c6-media               CentOS-6 - Media                          disabled
centosplus             CentOS-6 - Plus                           disabled
contrib                CentOS-6 - Contrib                        disabled
*epel                  Extra Packages for Enterprise Linux 6 - x enabled: 12,407
epel-debuginfo         Extra Packages for Enterprise Linux 6 - x disabled
epel-source            Extra Packages for Enterprise Linux 6 - x disabled
epel-testing           Extra Packages for Enterprise Linux 6 - T disabled
epel-testing-debuginfo Extra Packages for Enterprise Linux 6 - T disabled
epel-testing-source    Extra Packages for Enterprise Linux 6 - T disabled
extras                 CentOS-6 - Extras                         enabled:     46
fasttrack              CentOS-6 - fasttrack                      disabled
updates                CentOS-6 - Updates                        enabled:    663
repolist: 19,822
== END   yum repolist all ==

== BEGIN egrep 'include|exclude' /etc/yum.repos.d/*.repo ==
== END   egrep 'include|exclude' /etc/yum.repos.d/*.repo ==

== BEGIN sed -n -e "/^\[/h; /priority *=/{ G; s/\n/ /; s/ity=/ity = /; p }" /etc/yum.repos.d/*.repo | sort -k3n ==
== END   sed -n -e "/^\[/h; /priority *=/{ G; s/\n/ /; s/ity=/ity = /; p }" /etc/yum.repos.d/*.repo | sort -k3n ==

== BEGIN cat /etc/fstab ==

#
# /etc/fstab
# Created by anaconda on Fri Mar  3 14:56:02 2017
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/sda1 /                       ext4    errors=remount-ro,discard        1 1
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
== END   cat /etc/fstab ==

== BEGIN df -h ==
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda1        50G  1.7G   45G   4% /
tmpfs           1.9G     0  1.9G   0% /dev/shm
== END   df -h ==

== BEGIN fdisk -lu ==

Disk /dev/sda: 53.7 GB, 53687091200 bytes
105 heads, 43 sectors/track, 23224 cylinders, total 104857600 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x000352e8

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *        2048   104857599    52427776   83  Linux
== END   fdisk -lu ==

== BEGIN blkid ==
/dev/sda1: UUID="7e192559-d669-4919-840b-4c9a846fafa7" TYPE="ext4" 
== END   blkid ==

== BEGIN cat /proc/mdstat ==
Personalities : 
unused devices: <none>
== END   cat /proc/mdstat ==

== BEGIN pvs ==
== END   pvs ==

== BEGIN vgs ==
== END   vgs ==

== BEGIN lvs ==
== END   lvs ==

== BEGIN rpm -qa kernel\* | sort ==
kernel-2.6.32-642.15.1.el6.x86_64
kernel-2.6.32-642.el6.x86_64
kernel-2.6.32-696.10.3.el6.x86_64
kernel-2.6.32-696.6.3.el6.x86_64
kernel-firmware-2.6.32-696.10.3.el6.noarch
kernel-headers-2.6.32-696.10.3.el6.x86_64
== END   rpm -qa kernel\* | sort ==

== BEGIN lspci -nn ==
00:00.0 Host bridge [0600]: Intel Corporation 440FX - 82441FX PMC [Natoma] [8086:1237] (rev 02)
00:01.0 ISA bridge [0601]: Intel Corporation 82371SB PIIX3 ISA [Natoma/Triton II] [8086:7000]
00:01.1 IDE interface [0101]: Intel Corporation 82371SB PIIX3 IDE [Natoma/Triton II] [8086:7010]
00:01.2 USB controller [0c03]: Intel Corporation 82371SB PIIX3 USB [Natoma/Triton II] [8086:7020] (rev 01)
00:01.3 Bridge [0680]: Intel Corporation 82371AB/EB/MB PIIX4 ACPI [8086:7113] (rev 03)
00:02.0 VGA compatible controller [0300]: Cirrus Logic GD 5446 [1013:00b8]
00:03.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000]
00:04.0 SCSI storage controller [0100]: Red Hat, Inc Virtio SCSI [1af4:1004]
00:05.0 Unclassified device [00ff]: Red Hat, Inc Virtio memory balloon [1af4:1002]
== END   lspci -nn ==

== BEGIN lsusb ==
Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 001 Device 002: ID 0627:0001 Adomax Technology Co., Ltd 
== END   lsusb ==

== BEGIN rpm -qa kmod\* kmdl\* ==
== END   rpm -qa kmod\* kmdl\* ==

== BEGIN ifconfig -a ==
eth0      Link encap:Ethernet  HWaddr FA:16:3E:A4:A9:E9  
          inet addr:158.69.206.22  Bcast:158.69.206.22  Mask:255.255.255.255
          inet6 addr: fe80::f816:3eff:fea4:a9e9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:49069 errors:0 dropped:0 overruns:0 frame:0
          TX packets:39741 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:122720380 (117.0 MiB)  TX bytes:5625202 (5.3 MiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

ppp0      Link encap:Point-to-Point Protocol  
          inet addr:10.1.0.1  P-t-P:10.1.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1280  Metric:1
          RX packets:236 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3 
          RX bytes:41373 (40.4 KiB)  TX bytes:86 (86.0 b)

== END   ifconfig -a ==

== BEGIN brctl show ==
bridge name	bridge id		STP enabled	interfaces
== END   brctl show ==

== BEGIN route -n ==
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
158.69.192.1    0.0.0.0         255.255.255.255 UH    0      0        0 eth0
10.1.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
0.0.0.0         158.69.192.1    0.0.0.0         UG    0      0        0 eth0
== END   route -n ==

== BEGIN sysctl -a | grep .rp_filter ==
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth0.arp_filter = 0
net.ipv4.conf.ppp0.rp_filter = 1
net.ipv4.conf.ppp0.arp_filter = 0
== END   sysctl -a | grep .rp_filter ==

== BEGIN ip rule show ==
0:	from all lookup local 
220:	from all lookup 220 
32766:	from all lookup main 
32767:	from all lookup default 
== END   ip rule show ==

== BEGIN ip route show ==
158.69.192.1 dev eth0  scope link 
10.1.0.2 dev ppp0  proto kernel  scope link  src 10.1.0.1 
default via 158.69.192.1 dev eth0 
== END   ip route show ==

== BEGIN cat /etc/resolv.conf ==
; generated by /sbin/dhclient-script
search local vps.ovh.ca
nameserver 213.186.33.99
== END   cat /etc/resolv.conf ==

== BEGIN egrep 'net|hosts' /etc/nsswitch.conf ==
#hosts:     db files nisplus nis dns
hosts:      files dns
#networks:   nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files     
netmasks:   files
networks:   files
netgroup:   nisplus
== END   egrep 'net|hosts' /etc/nsswitch.conf ==

== BEGIN chkconfig --list | grep -Ei 'network|wpa' ==
network        	0:off	1:off	2:on	3:on	4:on	5:on	6:off
== END   chkconfig --list | grep -Ei 'network|wpa' ==

If anyone could help me resolve this, that would be awesome; like I said, I have been going at this for the better part of 6+ hours now.

DanielLeeP
Posts: 8
Joined: 2017/10/02 06:16:50

Re: StrongSWAN Routing Issue

Post by DanielLeeP » 2017/10/02 19:57:56

Worked on it a bit today and still nothing, so if anyone has any suggestions that would be great. I've had it set up on a VPS through this provider before, but I can't remember how I got it working the last time.

DanielLeeP
Posts: 8
Joined: 2017/10/02 06:16:50

Re: StrongSWAN Routing Issue

Post by DanielLeeP » 2017/10/03 00:08:17

I've also tried this:
# Generated by iptables-save v1.4.7 on Mon Oct 2 19:44:56 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [481:54022]
-A INPUT -s 10.0.0.0/24 -i ppp0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 1701 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# BUG (unchanged from the first attempt): the FORWARD REJECT still precedes
# the only FORWARD ACCEPT, so this ruleset forwards nothing regardless of the
# nat changes below — the second attempt only touched the nat table. FORWARD
# rules for the client pools (10.0.0.0/24 and 10.1.0.0/24 -> eth0, plus
# RELATED,ESTABLISHED for the replies) have to be appended before this REJECT.
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth0 -j ACCEPT
COMMIT
# Completed on Mon Oct 2 19:44:56 2017
# Generated by iptables-save v1.4.7 on Mon Oct 2 19:44:56 2017
*nat
:PREROUTING ACCEPT [1:32]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Correct and new in this attempt: IPsec-protected packets are exempted from
# NAT before any SNAT rule, so packets the IPsec policy expects to carry a
# 10.0.0.x address are not rewritten.
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
# Still the first match for everything else: the rules below, including the
# two new scoped ones at the end, are never reached. Drop the unscoped
# SNAT/MASQUERADE lines and keep only scoped MASQUERADE rules (this one for
# 10.0.0.0/24 plus one for the L2TP pool 10.1.0.0/24).
-A POSTROUTING -j SNAT --to-source 158.69.206.22
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -j SNAT --to-source 158.69.206.22
-A POSTROUTING -j SNAT --to-source 10.0.0.0
-A POSTROUTING -j SNAT --to-source 10.1.0.1
# The right shape, but dead behind the catch-all SNAT above; the ipsec
# exemption is also already covered by the first rule of this chain.
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Oct 2 19:44:56 2017
Still to no avail. I have no clue how to get this thing working; I tried forwarding the connection through iptables (I don't know if I did it right), but that is essentially what I have tried so far, and still nothing: the VPN connects but it still says no internet access. And it is not masking my IP like it did the last time I set it up.

DanielLeeP
Posts: 8
Joined: 2017/10/02 06:16:50

Re: StrongSWAN Routing Issue

Post by DanielLeeP » 2017/10/03 00:40:38

This is the ipconfig /all output from my PC:
PPP adapter VPN:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VPN
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.0.0.0(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 8.8.8.8
8.8.4.4
NetBIOS over Tcpip. . . . . . . . : Enabled
