StrongSWAN Routing Issue
Posted: 2017/10/02 06:34:28
Alright, so I have been at this for about 6–8 hours now. I have tried everything I can think of to get this VPN server running, including turning off the firewall completely on the Linux system, and it is still refusing to work. I have a strongSwan VPN set up; I used an automated script to install it (I will reference it later). I know the public IP of the server but I am unsure about the private IP; I am assuming it is correct because the built-in Windows VPN client connects to it fine with the settings that are in the configuration file. The issue is that it says there is no internet connection: the VPN connection is verified, but it says there is no internet access.
Here is the content of my /etc/ipsec.conf,
and my /etc/xl2tpd.conf file contents:
# ipsec.conf - strongSwan IPsec configuration file
# Daemon-wide settings.
config setup
# Several clients may be connected under the same identity at once
# (matters when every client shares one PSK, see conn IKEv2-PSK).
uniqueids=no
# Level-2 logging for config, daemon and IKE.  "ike 2" is verbose and
# records peer identities, so keep the log root-readable and rotated.
charondebug="cfg 2, dmn 2, ike 2, net 0"
# Inherited by every conn below unless a conn overrides the setting.
conn %default
# On a dead-peer-detection timeout, drop the SA and do not retry.
dpdaction=clear
dpddelay=300s
# The server never initiates rekeying; the client has to.
rekey=no
# "left" is this host.  %defaultroute picks the address on the default
# route (158.69.206.22 on eth0 in the getinfo output); the L2TP conn
# overrides it with left=%any.
left=%defaultroute
# charon's updown script inserts its own iptables rules per SA; check
# `iptables -S` while a client is connected, because those rules are
# evaluated together with the static ruleset in the iptables listing.
leftfirewall=yes
# Road-warrior setup: any peer address.
right=%any
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
# Load the conn and wait for the peer to initiate.
auto=add
#######################################
# L2TP Connections
#######################################
conn L2TP-IKEv1-PSK
# Transport mode: IPsec only protects the L2TP/UDP-1701 flow.  Client
# addresses are assigned by xl2tpd/pppd, not by this file.
type=transport
keyexchange=ikev1
authby=secret
# Only UDP 1701 (L2TP) is covered by this SA.
leftprotoport=udp/l2tp
left=%any
right=%any
rekey=no
# Always UDP-encapsulate ESP (port 4500), even with no NAT in the path.
# This is the only conn with forceencaps, so it is the only one whose
# data traffic never arrives as plain IP protocol 50 (ESP).
forceencaps=yes
#######################################
# Default non L2TP Connections
#######################################
# Template included via also= by the tunnel-mode conns below.
conn Non-L2TP
# Full tunnel: clients route all of their traffic through this server.
leftsubnet=0.0.0.0/0
# Virtual client addresses are taken from this pool.
# NOTE(review): this pool (10.0.0.0/24) differs from the xl2tpd pool
# (10.1.0.0/24).  The firewall listing's only subnet-specific INPUT rule
# matches 10.0.0.0/24 on ppp0, where these clients never appear: their
# decrypted traffic enters on eth0, and no FORWARD rule admits it.
rightsubnet=10.0.0.0/24
rightsourceip=10.0.0.0/24
#######################################
# EAP Connections
#######################################
# This detects a supported EAP method
conn IKEv2-EAP
also=Non-L2TP
keyexchange=ikev2
# Accept any EAP identity; the real identity comes from the EAP exchange.
eap_identity=%any
# The client authenticates with whatever EAP method both sides support.
# The server side still authenticates itself to the client by the
# default (presumably a certificate configured by the install script,
# which is not shown here).
rightauth=eap-dynamic
#######################################
# PSK Connections
#######################################
conn IKEv2-PSK
also=Non-L2TP
keyexchange=ikev2
# A single pre-shared key shared by every road-warrior (right=%any):
# anyone holding it can also impersonate the server toward the other
# clients, so IKEv2-EAP or certificates are preferable outside a lab.
authby=secret
# Cisco IPSec
conn IKEv1-PSK-XAuth
also=Non-L2TP
keyexchange=ikev1
# Phase 1 uses the group PSK in both directions; a second authentication
# round (XAuth) then asks the client for a username/password.
leftauth=psk
rightauth=psk
rightauth2=xauth
iptables configuration
[global]
; xl2tpd.conf — the L2TP daemon.  The [global] header is on the line above.
; UDP port the daemon listens on; matches the --dport 1701 rule in the
; iptables listing.
port = 1701
; PPP CHAP credentials (user / server name / secret); keep it root-only.
auth file = /etc/ppp/chap-secrets
; Verbose protocol debugging — useful while troubleshooting, noisy and
; chatty about peers otherwise.
debug avp = yes
debug network = yes
debug state = yes
debug tunnel = yes
; The L2TP network server instance that clients connect to.
[lns default]
; Addresses handed out to PPP peers, and this server's own PPP address
; (ppp0 shows 10.1.0.1 P-t-P 10.1.0.2 in the getinfo output).
; NOTE(review): this is 10.1.0.0/24, while ipsec.conf's rightsourceip and
; the firewall's ppp0 INPUT rule both use 10.0.0.0/24 — the listings
; disagree on the client subnet.
ip range = 10.1.0.2-10.1.0.254
local ip = 10.1.0.1
; PPP authentication: CHAP mandatory, PAP rejected.
require chap = yes
refuse pap = yes
; Presumably the generic "peer must authenticate" switch is off only
; because require chap already enforces it — verify that pppd is started
; with require-chap.
require authentication = no
; Name this server uses during PPP authentication (presumably the server
; column of chap-secrets — confirm against that file).
name = l2tpd
;ppp debug = yes
; Additional pppd options are read from this file.
pppoptfile = /etc/ppp/options.xl2tpd
; Include the length field in L2TP headers.
length bit = yes
/etc/rc.local file contents
# Generated by iptables-save v1.4.7 on Mon Oct 2 01:49:34 2017
# iptables-save dump, filter table.  Rules are evaluated top to bottom;
# the first terminating target (ACCEPT, REJECT, SNAT, MASQUERADE) wins.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [444:44850]
# NOTE(review): ppp0 peers receive 10.1.0.x from xl2tpd, so this
# 10.0.0.0/24 match never fires for L2TP clients; their new connections
# to the server itself fall through to the final REJECT.
-A INPUT -s 10.0.0.0/24 -i ppp0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# L2TP is accepted from any source without requiring an IPsec policy, so
# the L2TP/PPP layer is reachable in the clear.  Adding
# `-m policy --dir in --pol ipsec` to this rule limits it to packets that
# arrived inside the transport-mode SA.
-A INPUT -p udp -m state --state NEW -m udp --dport 1701 -j ACCEPT
# IKE (500) and NAT-T (4500).  Nothing admits IP protocol 50 (ESP): only
# the L2TP conn sets forceencaps=yes, so an IKEv2 or XAuth client that is
# not behind a NAT sends plain ESP and is rejected by the rule below.
-A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# NOTE(review): this REJECT precedes the only FORWARD ACCEPT, so nothing
# is ever forwarded — neither ppp0 (L2TP) traffic nor decrypted IKEv2
# traffic entering on eth0.  That matches the "connected but no internet"
# symptom while the firewall is up.  The ACCEPT has to come first, and
# forwarding for ppp0 and for `-m policy --dir in --pol ipsec` traffic
# needs its own rule; forwarding from eth0 alone only covers replies.
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth0 -j ACCEPT
COMMIT
# Completed on Mon Oct 2 01:49:34 2017
# Generated by iptables-save v1.4.7 on Mon Oct 2 01:49:34 2017
*nat
:PREROUTING ACCEPT [10:1020]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Unscoped SNAT: every new connection leaving on any interface, including
# ones bound for VPN clients over ppp0, is rewritten to the public
# address.  SNAT is terminating, so the seven rules after it are dead.
# Scope it instead, e.g. `-s <client pool> -o eth0`, or keep just the
# `-o eth0` MASQUERADE.  Presumably "turning the firewall off" flushes
# this table too, which would leave client packets going out with a
# 10.x source and no way back — consistent with the symptom persisting.
-A POSTROUTING -j SNAT --to-source 158.69.206.22
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -j SNAT --to-source 158.69.206.22
# Unreachable, and 10.0.0.0 is a network address, not a usable source.
-A POSTROUTING -j SNAT --to-source 10.0.0.0
-A POSTROUTING -j SNAT --to-source 10.1.0.1
COMMIT
# Completed on Mon Oct 2 01:49:34 2017
As stated previously, even with the firewall turned off the VPN still has no internet access.
/etc/sysctl.conf file contents
#!/bin/sh
# rc.local: runs once, after every other init script has completed, for
# local one-off initialization.  The only action here is to create the
# subsys lock file; nothing from the iptables listing is restored by
# this script (no iptables-restore call), so those rules presumably come
# from the iptables service instead.
touch -- /var/lock/subsys/local
and the output of getinfo.sh
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
#
# Use '/sbin/sysctl -a' to list all possible parameters.
# Controls IP packet forwarding.  Required for VPN clients to reach
# anything beyond this host.  This file is read at boot or by
# `sysctl -p`; confirm the live value with `sysctl net.ipv4.ip_forward`.
net.ipv4.ip_forward = 1
# Controls source route verification (strict reverse-path filtering for
# interfaces created after boot).  NOTE(review): the getinfo output shows
# rp_filter=1 on eth0 and ppp0 while conf.all is 0.  Strict mode can drop
# decrypted client packets when the route back to the client does not
# point at the interface they came in on; `log_martians=1` on eth0 shows
# whether that happens, and 2 (loose) is the usual relaxation.
net.ipv4.conf.default.rp_filter = 1
# Do not accept source routing (hardening; keep at 0)
net.ipv4.conf.default.accept_source_route = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
# Controls the use of TCP syncookies (SYN-flood mitigation; keep at 1)
net.ipv4.tcp_syncookies = 1
# Controls the default maximum size of a message queue
kernel.msgmnb = 65536
# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536
# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736
# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296
If anyone could help me resolve this, that would be awesome; like I said, I have been going at this for the better part of 6+ hours now.
Information for general problems.
== BEGIN uname -rmi == 2.6.32-696.6.3.el6.x86_64 x86_64 x86_64 == END uname -rmi == == BEGIN rpm -qa \*-release\* == epel-release-6-8.noarch centos-release-6-9.el6.12.3.x86_64 == END rpm -qa \*-release\* == == BEGIN cat /etc/redhat-release == CentOS release 6.9 (Final) == END cat /etc/redhat-release == == BEGIN getenforce == Disabled == END getenforce == == BEGIN free -m == total used free shared buffers cached Mem: 3736 860 2875 0 44 677 -/+ buffers/cache: 138 3597 Swap: 0 0 0 == END free -m == == BEGIN rpm -qa yum\* rpm-\* python | sort == python-2.6.6-66.el6_8.x86_64 rpm-libs-4.8.0-55.el6.x86_64 rpm-python-4.8.0-55.el6.x86_64 yum-3.2.29-81.el6.centos.noarch yum-metadata-parser-1.1.2-16.el6.x86_64 yum-plugin-fastestmirror-1.1.30-40.el6.noarch yum-plugin-security-1.1.30-40.el6.noarch yum-utils-1.1.30-40.el6.noarch == END rpm -qa yum\* rpm-\* python | sort == == BEGIN ls /etc/yum.repos.d == CentOS-Base.repo CentOS-Debuginfo.repo CentOS-fasttrack.repo CentOS-Media.repo CentOS-Vault.repo CentOS-Vault.repo.rpmnew epel.repo epel-testing.repo == END ls /etc/yum.repos.d == == BEGIN cat /etc/yum.conf == [main] cachedir=/var/cache/yum/$basearch/$releasever keepcache=0 debuglevel=2 logfile=/var/log/yum.log exactarch=1 obsoletes=1 gpgcheck=1 plugins=1 installonly_limit=5 bugtracker_url=http://bugs.centos.org/set_project.php?project_id=19&ref=http://bugs.centos.org/bug_report_page.php?category=yum distroverpkg=centos-release # This is the default, if you make this bigger yum won't see if the metadata # is newer on the remote and so you'll "gain" the bandwidth of not having to # download the new metadata and "pay" for it by yum not having correct # information. # It is esp. important, to have correct metadata, for distributions like # Fedora which don't keep old packages around. If you don't like this checking # interupting your command line usage, it's much better to have something # manually check the metadata once an hour (yum-updatesd will do this). 
# metadata_expire=90m # PUT YOUR REPOS HERE OR IN separate files named file.repo # in /etc/yum.repos.d == END cat /etc/yum.conf == == BEGIN yum repolist all == Loaded plugins: fastestmirror, security Loading mirror speeds from cached hostfile * epel: mirror.csclub.uwaterloo.ca repo id repo name status C6.0-base CentOS-6.0 - Base disabled C6.0-centosplus CentOS-6.0 - CentOSPlus disabled C6.0-contrib CentOS-6.0 - Contrib disabled C6.0-extras CentOS-6.0 - Extras disabled C6.0-updates CentOS-6.0 - Updates disabled C6.1-base CentOS-6.1 - Base disabled C6.1-centosplus CentOS-6.1 - CentOSPlus disabled C6.1-contrib CentOS-6.1 - Contrib disabled C6.1-extras CentOS-6.1 - Extras disabled C6.1-updates CentOS-6.1 - Updates disabled C6.2-base CentOS-6.2 - Base disabled C6.2-centosplus CentOS-6.2 - CentOSPlus disabled C6.2-contrib CentOS-6.2 - Contrib disabled C6.2-extras CentOS-6.2 - Extras disabled C6.2-updates CentOS-6.2 - Updates disabled C6.3-base CentOS-6.3 - Base disabled C6.3-centosplus CentOS-6.3 - CentOSPlus disabled C6.3-contrib CentOS-6.3 - Contrib disabled C6.3-extras CentOS-6.3 - Extras disabled C6.3-updates CentOS-6.3 - Updates disabled C6.4-base CentOS-6.4 - Base disabled C6.4-centosplus CentOS-6.4 - CentOSPlus disabled C6.4-contrib CentOS-6.4 - Contrib disabled C6.4-extras CentOS-6.4 - Extras disabled C6.4-updates CentOS-6.4 - Updates disabled C6.5-base CentOS-6.5 - Base disabled C6.5-centosplus CentOS-6.5 - CentOSPlus disabled C6.5-contrib CentOS-6.5 - Contrib disabled C6.5-extras CentOS-6.5 - Extras disabled C6.5-updates CentOS-6.5 - Updates disabled C6.6-base CentOS-6.6 - Base disabled C6.6-centosplus CentOS-6.6 - CentOSPlus disabled C6.6-contrib CentOS-6.6 - Contrib disabled C6.6-extras CentOS-6.6 - Extras disabled C6.6-updates CentOS-6.6 - Updates disabled base CentOS-6 - Base enabled: 6,706 base-debuginfo CentOS-6 - Debuginfo disabled c6-media CentOS-6 - Media disabled centosplus CentOS-6 - Plus disabled contrib CentOS-6 - Contrib disabled *epel Extra 
Packages for Enterprise Linux 6 - x enabled: 12,407 epel-debuginfo Extra Packages for Enterprise Linux 6 - x disabled epel-source Extra Packages for Enterprise Linux 6 - x disabled epel-testing Extra Packages for Enterprise Linux 6 - T disabled epel-testing-debuginfo Extra Packages for Enterprise Linux 6 - T disabled epel-testing-source Extra Packages for Enterprise Linux 6 - T disabled extras CentOS-6 - Extras enabled: 46 fasttrack CentOS-6 - fasttrack disabled updates CentOS-6 - Updates enabled: 663 repolist: 19,822 == END yum repolist all == == BEGIN egrep 'include|exclude' /etc/yum.repos.d/*.repo == == END egrep 'include|exclude' /etc/yum.repos.d/*.repo == == BEGIN sed -n -e "/^\[/h; /priority *=/{ G; s/\n/ /; s/ity=/ity = /; p }" /etc/yum.repos.d/*.repo | sort -k3n == == END sed -n -e "/^\[/h; /priority *=/{ G; s/\n/ /; s/ity=/ity = /; p }" /etc/yum.repos.d/*.repo | sort -k3n == == BEGIN cat /etc/fstab == # # /etc/fstab # Created by anaconda on Fri Mar 3 14:56:02 2017 # # Accessible filesystems, by reference, are maintained under '/dev/disk' # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info # /dev/sda1 / ext4 errors=remount-ro,discard 1 1 tmpfs /dev/shm tmpfs defaults 0 0 devpts /dev/pts devpts gid=5,mode=620 0 0 sysfs /sys sysfs defaults 0 0 proc /proc proc defaults 0 0 == END cat /etc/fstab == == BEGIN df -h == Filesystem Size Used Avail Use% Mounted on /dev/sda1 50G 1.7G 45G 4% / tmpfs 1.9G 0 1.9G 0% /dev/shm == END df -h == == BEGIN fdisk -lu == Disk /dev/sda: 53.7 GB, 53687091200 bytes 105 heads, 43 sectors/track, 23224 cylinders, total 104857600 sectors Units = sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes Disk identifier: 0x000352e8 Device Boot Start End Blocks Id System /dev/sda1 * 2048 104857599 52427776 83 Linux == END fdisk -lu == == BEGIN blkid == /dev/sda1: UUID="7e192559-d669-4919-840b-4c9a846fafa7" TYPE="ext4" == END blkid == == 
BEGIN cat /proc/mdstat == Personalities : unused devices: <none> == END cat /proc/mdstat == == BEGIN pvs == == END pvs == == BEGIN vgs == == END vgs == == BEGIN lvs == == END lvs == == BEGIN rpm -qa kernel\* | sort == kernel-2.6.32-642.15.1.el6.x86_64 kernel-2.6.32-642.el6.x86_64 kernel-2.6.32-696.10.3.el6.x86_64 kernel-2.6.32-696.6.3.el6.x86_64 kernel-firmware-2.6.32-696.10.3.el6.noarch kernel-headers-2.6.32-696.10.3.el6.x86_64 == END rpm -qa kernel\* | sort == == BEGIN lspci -nn == 00:00.0 Host bridge [0600]: Intel Corporation 440FX - 82441FX PMC [Natoma] [8086:1237] (rev 02) 00:01.0 ISA bridge [0601]: Intel Corporation 82371SB PIIX3 ISA [Natoma/Triton II] [8086:7000] 00:01.1 IDE interface [0101]: Intel Corporation 82371SB PIIX3 IDE [Natoma/Triton II] [8086:7010] 00:01.2 USB controller [0c03]: Intel Corporation 82371SB PIIX3 USB [Natoma/Triton II] [8086:7020] (rev 01) 00:01.3 Bridge [0680]: Intel Corporation 82371AB/EB/MB PIIX4 ACPI [8086:7113] (rev 03) 00:02.0 VGA compatible controller [0300]: Cirrus Logic GD 5446 [1013:00b8] 00:03.0 Ethernet controller [0200]: Red Hat, Inc Virtio network device [1af4:1000] 00:04.0 SCSI storage controller [0100]: Red Hat, Inc Virtio SCSI [1af4:1004] 00:05.0 Unclassified device [00ff]: Red Hat, Inc Virtio memory balloon [1af4:1002] == END lspci -nn == == BEGIN lsusb == Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub Bus 001 Device 002: ID 0627:0001 Adomax Technology Co., Ltd == END lsusb == == BEGIN rpm -qa kmod\* kmdl\* == == END rpm -qa kmod\* kmdl\* == == BEGIN ifconfig -a == eth0 Link encap:Ethernet HWaddr FA:16:3E:A4:A9:E9 inet addr:158.69.206.22 Bcast:158.69.206.22 Mask:255.255.255.255 inet6 addr: fe80::f816:3eff:fea4:a9e9/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:49069 errors:0 dropped:0 overruns:0 frame:0 TX packets:39741 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:122720380 (117.0 MiB) TX bytes:5625202 (5.3 MiB) lo Link encap:Local Loopback 
inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:65536 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) ppp0 Link encap:Point-to-Point Protocol inet addr:10.1.0.1 P-t-P:10.1.0.2 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1280 Metric:1 RX packets:236 errors:0 dropped:0 overruns:0 frame:0 TX packets:5 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:3 RX bytes:41373 (40.4 KiB) TX bytes:86 (86.0 b) == END ifconfig -a == == BEGIN brctl show == bridge name bridge id STP enabled interfaces == END brctl show == == BEGIN route -n == Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 158.69.192.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0 10.1.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0 0.0.0.0 158.69.192.1 0.0.0.0 UG 0 0 0 eth0 == END route -n == == BEGIN sysctl -a | grep .rp_filter == net.ipv4.conf.all.rp_filter = 0 net.ipv4.conf.all.arp_filter = 0 net.ipv4.conf.default.rp_filter = 1 net.ipv4.conf.default.arp_filter = 0 net.ipv4.conf.lo.rp_filter = 1 net.ipv4.conf.lo.arp_filter = 0 net.ipv4.conf.eth0.rp_filter = 1 net.ipv4.conf.eth0.arp_filter = 0 net.ipv4.conf.ppp0.rp_filter = 1 net.ipv4.conf.ppp0.arp_filter = 0 == END sysctl -a | grep .rp_filter == == BEGIN ip rule show == 0: from all lookup local 220: from all lookup 220 32766: from all lookup main 32767: from all lookup default == END ip rule show == == BEGIN ip route show == 158.69.192.1 dev eth0 scope link 10.1.0.2 dev ppp0 proto kernel scope link src 10.1.0.1 default via 158.69.192.1 dev eth0 == END ip route show == == BEGIN cat /etc/resolv.conf == ; generated by /sbin/dhclient-script search local vps.ovh.ca nameserver 213.186.33.99 == END cat /etc/resolv.conf == == BEGIN egrep 'net|hosts' /etc/nsswitch.conf == #hosts: db files nisplus nis dns hosts: files dns #networks: nisplus 
[NOTFOUND=return] files #netmasks: nisplus [NOTFOUND=return] files netmasks: files networks: files netgroup: nisplus == END egrep 'net|hosts' /etc/nsswitch.conf == == BEGIN chkconfig --list | grep -Ei 'network|wpa' == network 0:off 1:off 2:on 3:on 4:on 5:on 6:off == END chkconfig --list | grep -Ei 'network|wpa' ==