I'm new to this – please excuse my ignorance. I have looked through many other similar questions to no avail.
Trying to set up a StrongSwan VPN such that client C can connect to host H, be assigned a virtual IP address, and access H's network. (Due to practical limitations while I set up and test, C and H are currently on the same network – in fact they are VMs on the same physical PC, with the network in Bridged mode, so they get their own IP addresses.)
Using StrongSwan 5.3.0, Ubuntu 14.04 (on both C and H).
I run ipsec up home on C and the connection appears to be established. H can ping the virtual IP address assigned to C (192.168.0.1) and C can see the pings going to its virtual IP address (confirmed using tcpdump).
However, as far as I can make out, all traffic on C still goes straight out through C's network connection, not through the tunnel — if I run tcpdump ip proto \\icmp on a third, test, server (T), and ping it from C, I see the requests with C's real IP address. The same is true if I do a wget from C to T.
My config follows:
# /etc/ipsec.conf on the host (H)
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn rw
    left=192.168.196.50
    leftcert=moonCert.pem
    leftid=@moon.strongswan.org
    leftfirewall=yes
    right=%any
    rightsourceip=192.168.0.0/16
    auto=add

# /etc/ipsec.conf on the client (C)
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn home
    left=192.168.198.74
    leftsourceip=%config
    leftcert=carolCert.pem
    leftid=carol@strongswan.org
    leftfirewall=yes
    right=192.168.196.50
    rightid=@moon.strongswan.org
    auto=add
H's real IP address is 192.168.196.50.
C's real IP address is 192.168.198.74.
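Two things in the posted configuration are worth checking before looking at routing on H, and both can be caught by reading the ipsec.conf files rather than by packet capture. The virtual IP pool rightsourceip=192.168.0.0/16 on H contains H's own address 192.168.196.50 (and C's 192.168.198.74), so virtual and real addresses share one range; and the client conn has no rightsubnet, which in ipsec.conf(5) defaults to the peer's address, so the installed policy only covers traffic to H itself rather than to everything behind it. The script below is an added example, not code from the question or the answer: it carries constructed copies of the two fragments above, parses them with a small ipsec.conf reader written for this example (section headers in column 0, indented key=value parameters, conn %default merged into each conn), and reports those two findings. The parse_ipsec_conf, check_conn and audit names are this example's own.

```python
"""Added example: audit strongSwan ipsec.conf fragments for settings that
commonly leave client traffic outside the tunnel. Not part of the Q&A."""
import ipaddress
import re

# Constructed copies of the two fragments posted in the question.
HOST_CONF = """\
config setup
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
conn rw
    left=192.168.196.50
    leftcert=moonCert.pem
    leftid=@moon.strongswan.org
    leftfirewall=yes
    right=%any
    rightsourceip=192.168.0.0/16
    auto=add
"""

CLIENT_CONF = """\
config setup
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
conn home
    left=192.168.198.74
    leftsourceip=%config
    leftcert=carolCert.pem
    leftid=carol@strongswan.org
    leftfirewall=yes
    right=192.168.196.50
    rightid=@moon.strongswan.org
    auto=add
"""

# Section headers start in column 0: "conn NAME", "ca NAME", "config setup".
SECTION_RE = re.compile(r"^(conn|ca|config)\s+(\S+)\s*$")


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' merged in."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments, keep indent
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError("parameter outside a section: %r" % raw)
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip()

    defaults = sections.get(("conn", "%default"), {})
    conns = {}
    for (kind, name), params in sections.items():
        if kind == "conn" and name != "%default":
            merged = dict(defaults)
            merged.update(params)          # explicit values win over %default
            conns[name] = merged
    return conns


def _is_address(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:                     # e.g. %any, %defaultroute, a DNS name
        return False


def check_conn(name, conn):
    """Return findings for one merged conn section (empty list if clean)."""
    findings = []
    pool = conn.get("rightsourceip")
    if pool and "/" in pool:               # a pool, not a single fixed address
        net = ipaddress.ip_network(pool, strict=False)
        for side in ("left", "right"):
            addr = conn.get(side, "")
            if _is_address(addr) and ipaddress.ip_address(addr) in net:
                findings.append(
                    "%s: virtual IP pool %s contains the %s address %s; "
                    "choose a pool that does not overlap the real network"
                    % (name, pool, side, addr))
    # A client requesting a virtual IP but naming no remote subnet only gets a
    # policy for traffic to the peer itself (rightsubnet defaults to right).
    if conn.get("leftsourceip") and "rightsubnet" not in conn:
        findings.append(
            "%s: no rightsubnet, so only traffic to %s is tunnelled; set "
            "rightsubnet=0.0.0.0/0 to send all client traffic through the peer"
            % (name, conn.get("right", "?")))
    return findings


def audit(text):
    """Parse one ipsec.conf and return every finding, in conn order."""
    findings = []
    for name, conn in parse_ipsec_conf(text).items():
        findings.extend(check_conn(name, conn))
    return findings


if __name__ == "__main__":
    for label, text in (("host", HOST_CONF), ("client", CLIENT_CONF)):
        for line in audit(text) or ["%s: no findings" % label]:
            print(line)
```

Run as-is it prints one finding per file. Appending rightsubnet=0.0.0.0/0 to conn home clears the client finding; the pool finding goes away once rightsourceip is moved to a range outside 192.168.196.0/24 and 192.168.198.0/24, which is also the precondition for any forwarding or NAT rule on H to do what the answer below describes.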
Best Answer
I needed to run
on the host to cause it to route the traffic out.
My client C can now see other machines on the local network, and SOME (but not all, which I don't understand) on the internet.