How can I route all traffic through strongSwan VPN?What iptables rules do I need for strongSwan clients?Strongswan vpn tunnel connected but the traffic is not routed through itAWS StrongSwan IPSec VPNRoute all traffic through StrongSwan VPNStrongswan VPN tunnel between two AWS instances won't connectHow to redirect traffic through IPv6 IPSec (strongswan) gateway?How can I secure all traffic using strongSwan/IPSec except SSH access?Routing specific traffic through StrongSwan VPNLEDE 17.01.1, StrongSwan 5.6.0 swanctl NATHow to configure StrongSwan vpn server as a routerstrongswan route traffic to specified IPs only

How to use memset in c++?

How to safely destroy (a large quantity of) valid checks?

貧しい【まずしい】 poor 貧乏【びんぼう】な poor What's the difference?

Thread Pool C++ Implementation

Is it safe to change the harddrive power feature so that it never turns off?

Why 1,2 printed by a command in $() is not interpolated?

I have a problematic assistant manager, but I can't fire him

Warning about needing "authorization" when booking ticket

How did old MS-DOS games utilize various graphic cards?

LuaLaTex - how to use number, computed later in the document

Is it legal for a bar bouncer to confiscate a fake ID

Which languages would be most useful in Europe at the end of the 19th century?

Writing an augmented sixth chord on the flattened supertonic

Who enforces MPAA rating adherence?

Who are the Missing Members of this Noble Family?

Why we don’t make use of the t-distribution for constructing a confidence interval for a proportion?

A word that means "blending into a community too much"

Why does the Mishnah use the terms poor person and homeowner when discussing carrying on Shabbat?

Determining fair price for profitable mobile app business

How to handle (one's own) self-harm scars (on the arm), in a work environment?

Heap allocation on microcontroller

Overlapping String-Blocks

Is it possible to fly backward if you have 'really strong' headwind?

What to do when surprise and a high initiative roll conflict with the narrative?



How can I route all traffic through strongSwan VPN?


What iptables rules do I need for strongSwan clients?Strongswan vpn tunnel connected but the traffic is not routed through itAWS StrongSwan IPSec VPNRoute all traffic through StrongSwan VPNStrongswan VPN tunnel between two AWS instances won't connectHow to redirect traffic through IPv6 IPSec (strongswan) gateway?How can I secure all traffic using strongSwan/IPSec except SSH access?Routing specific traffic through StrongSwan VPNLEDE 17.01.1, StrongSwan 5.6.0 swanctl NATHow to configure StrongSwan vpn server as a routerstrongswan route traffic to specified IPs only






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;








0















Server ipsec.conf



config setup
 charondebug="ike 1, knl 1, cfg 0"
 uniqueids=never

conn ikev2
 auto=add
 compress=no
 type=tunnel
 keyexchange=ikev2
 fragmentation=yes
 forceencaps=yes
 ike=aes256gcm16-sha384-modp3072!
 esp=aes256gcm16-sha384-modp3072!
 dpdaction=clear
 dpddelay=300s
 rekey=no
 left=%any
 leftid=my-vpn.com
 leftcert=vpn-server.crt
 leftsendcert=always
 leftsubnet=0.0.0.0/0
 right=%any
 rightid=%any
 rightauth=eap-tls
 rightdns=1.1.1.1,1.0.0.1
 rightsourceip=10.0.2.0/24
 rightsendcert=never
 eap_identity=%identity


Server iptables -S



-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 60/sec --limit-burst 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -m limit --limit 60/sec --limit-burst 20 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A FORWARD -s 10.0.2.0/24 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -d 10.0.2.0/24 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


Client ipsec.conf



conn ikev2
 auto=start
 leftid=client@my-vpn.com
 leftsourceip=%config
 leftauth=eap-tls
 leftcert=vpn-client.crt
 right=my-vpn.com
 rightid=my-vpn.com
 rightauth=pubkey


Client iptables -S



-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 500 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 4500 -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


The connection is established but when I run curl https://checkip.amazonaws.com, the returned IP is the client public IP vs the server public IP (expected). How can I route all traffic through the VPN?



Also, can’t SSH to client from server. Why?



Thanks!






strongswan







share|improve this question




























    0















    Server ipsec.conf



    config setup
     charondebug="ike 1, knl 1, cfg 0"
     uniqueids=never

    conn ikev2
     auto=add
     compress=no
     type=tunnel
     keyexchange=ikev2
     fragmentation=yes
     forceencaps=yes
     ike=aes256gcm16-sha384-modp3072!
     esp=aes256gcm16-sha384-modp3072!
     dpdaction=clear
     dpddelay=300s
     rekey=no
     left=%any
     leftid=my-vpn.com
     leftcert=vpn-server.crt
     leftsendcert=always
     leftsubnet=0.0.0.0/0
     right=%any
     rightid=%any
     rightauth=eap-tls
     rightdns=1.1.1.1,1.0.0.1
     rightsourceip=10.0.2.0/24
     rightsendcert=never
     eap_identity=%identity


    Server iptables -S



    -P INPUT DROP
    -P FORWARD DROP
    -P OUTPUT DROP
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 60/sec --limit-burst 20 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -m limit --limit 60/sec --limit-burst 20 -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p udp -m udp --dport 500 -j ACCEPT
    -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
    -A FORWARD -s 10.0.2.0/24 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    -A FORWARD -d 10.0.2.0/24 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
    -A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
    -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


    Client ipsec.conf



    conn ikev2
     auto=start
     leftid=client@my-vpn.com
     leftsourceip=%config
     leftauth=eap-tls
     leftcert=vpn-client.crt
     right=my-vpn.com
     rightid=my-vpn.com
     rightauth=pubkey


    Client iptables -S



    -P INPUT DROP
    -P FORWARD DROP
    -P OUTPUT DROP
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
    -A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
    -A OUTPUT -p udp -m udp --dport 500 -m state --state NEW -j ACCEPT
    -A OUTPUT -p udp -m udp --dport 4500 -m state --state NEW -j ACCEPT
    -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


    The connection is established but when I run curl https://checkip.amazonaws.com, the returned IP is the client public IP vs the server public IP (expected). How can I route all traffic through the VPN?



    Also, can’t SSH to client from server. Why?



    Thanks!






    strongswan







    share|improve this question
























      0












      0








      0








      Server ipsec.conf



      config setup
       charondebug="ike 1, knl 1, cfg 0"
       uniqueids=never

      conn ikev2
       auto=add
       compress=no
       type=tunnel
       keyexchange=ikev2
       fragmentation=yes
       forceencaps=yes
       ike=aes256gcm16-sha384-modp3072!
       esp=aes256gcm16-sha384-modp3072!
       dpdaction=clear
       dpddelay=300s
       rekey=no
       left=%any
       leftid=my-vpn.com
       leftcert=vpn-server.crt
       leftsendcert=always
       leftsubnet=0.0.0.0/0
       right=%any
       rightid=%any
       rightauth=eap-tls
       rightdns=1.1.1.1,1.0.0.1
       rightsourceip=10.0.2.0/24
       rightsendcert=never
       eap_identity=%identity


      Server iptables -S



      -P INPUT DROP
      -P FORWARD DROP
      -P OUTPUT DROP
      -A INPUT -i lo -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 60/sec --limit-burst 20 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -m limit --limit 60/sec --limit-burst 20 -j ACCEPT
      -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A INPUT -p udp -m udp --dport 500 -j ACCEPT
      -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
      -A FORWARD -s 10.0.2.0/24 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
      -A FORWARD -d 10.0.2.0/24 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
      -A OUTPUT -o lo -j ACCEPT
      -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
      -A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
      -A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
      -A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
      -A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
      -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


      Client ipsec.conf



      conn ikev2
       auto=start
       leftid=client@my-vpn.com
       leftsourceip=%config
       leftauth=eap-tls
       leftcert=vpn-client.crt
       right=my-vpn.com
       rightid=my-vpn.com
       rightauth=pubkey


      Client iptables -S



      -P INPUT DROP
      -P FORWARD DROP
      -P OUTPUT DROP
      -A INPUT -i lo -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
      -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A OUTPUT -o lo -j ACCEPT
      -A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
      -A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
      -A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
      -A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
      -A OUTPUT -p udp -m udp --dport 500 -m state --state NEW -j ACCEPT
      -A OUTPUT -p udp -m udp --dport 4500 -m state --state NEW -j ACCEPT
      -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


      The connection is established but when I run curl https://checkip.amazonaws.com, the returned IP is the client public IP vs the server public IP (expected). How can I route all traffic through the VPN?



      Also, can’t SSH to client from server. Why?



      Thanks!






      strongswan







      share|improve this question














      Server ipsec.conf



      config setup
       charondebug="ike 1, knl 1, cfg 0"
       uniqueids=never

      conn ikev2
       auto=add
       compress=no
       type=tunnel
       keyexchange=ikev2
       fragmentation=yes
       forceencaps=yes
       ike=aes256gcm16-sha384-modp3072!
       esp=aes256gcm16-sha384-modp3072!
       dpdaction=clear
       dpddelay=300s
       rekey=no
       left=%any
       leftid=my-vpn.com
       leftcert=vpn-server.crt
       leftsendcert=always
       leftsubnet=0.0.0.0/0
       right=%any
       rightid=%any
       rightauth=eap-tls
       rightdns=1.1.1.1,1.0.0.1
       rightsourceip=10.0.2.0/24
       rightsendcert=never
       eap_identity=%identity


      Server iptables -S



      -P INPUT DROP
      -P FORWARD DROP
      -P OUTPUT DROP
      -A INPUT -i lo -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 60/sec --limit-burst 20 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -m limit --limit 60/sec --limit-burst 20 -j ACCEPT
      -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A INPUT -p udp -m udp --dport 500 -j ACCEPT
      -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
      -A FORWARD -s 10.0.2.0/24 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
      -A FORWARD -d 10.0.2.0/24 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
      -A OUTPUT -o lo -j ACCEPT
      -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
      -A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
      -A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
      -A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
      -A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
      -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


      Client ipsec.conf



      conn ikev2
       auto=start
       leftid=client@my-vpn.com
       leftsourceip=%config
       leftauth=eap-tls
       leftcert=vpn-client.crt
       right=my-vpn.com
       rightid=my-vpn.com
       rightauth=pubkey


      Client iptables -S



      -P INPUT DROP
      -P FORWARD DROP
      -P OUTPUT DROP
      -A INPUT -i lo -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
      -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A OUTPUT -o lo -j ACCEPT
      -A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
      -A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
      -A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
      -A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
      -A OUTPUT -p udp -m udp --dport 500 -m state --state NEW -j ACCEPT
      -A OUTPUT -p udp -m udp --dport 4500 -m state --state NEW -j ACCEPT
      -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


      The connection is established but when I run curl https://checkip.amazonaws.com, the returned IP is the client public IP vs the server public IP (expected). How can I route all traffic through the VPN?



      Also, can’t SSH to client from server. Why?



      Thanks!






      strongswan




      strongswan






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked May 23 at 18:34









      sunknudsensunknudsen

      347




      347




















          1 Answer
          1






          active

          oldest

          votes


















          1














          You want to configure rightsubet=0.0.0.0/0 on the client. The default is %dynamic, which resolves to the VPN server's IP address, so only traffic to that will then be tunneled.



          Regarding SSH, you need to check the traffic counters (IPsec SAs, firewall rules) to see in which direction that traffic does or doesn't flow.






          share|improve this answer























          • Tried rightsubnet=0.0.0.0/0, but still getting public IP of client. Also, about SSH, I can SSH out to the server’s using public IP but not using its DHCP IP on same subnet as client 10.0.2.0/24. Ideas? Thanks!

            – sunknudsen
            May 24 at 11:01











          • I guess iOS does all the magic behind the scene to route all traffic through the VPN when a provisioning profile is configured. Having a hard time achieving the same on Linux. Trying to achieve the same as medium.com/@sunknudsen/….

            – sunknudsen
            May 24 at 11:04











          • It’s working! I had missed a NO_PROPOSAL_CHOSEN error in the logs. Had to add ike=aes256gcm16-sha384-modp3072! and esp=aes256gcm16-sha384-modp3072! to the client ipsec.conf as the server is enforcing strong crypto. Still having issues with SSH. Will report back here once I figure it out. Thanks @ecdsa!

            – sunknudsen
            May 24 at 11:12











          • SSH is working. Once above NO_PROPOSAL_CHOSEN error was mitigated, had to add the server’s SSH pub key to the client to fix Permission denied (publickey). error. Also had to allow outbound SSH requests on the server using iptables -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT. The whole setup is hardened so very little is allowed by default.

            – sunknudsen
            May 24 at 11:22











          Your Answer








          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "2"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













          draft saved

          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f968613%2fhow-can-i-route-all-traffic-through-strongswan-vpn%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          1














          You want to configure rightsubet=0.0.0.0/0 on the client. The default is %dynamic, which resolves to the VPN server's IP address, so only traffic to that will then be tunneled.



          Regarding SSH, you need to check the traffic counters (IPsec SAs, firewall rules) to see in which direction that traffic does or doesn't flow.






          share|improve this answer























          • Tried rightsubnet=0.0.0.0/0, but still getting public IP of client. Also, about SSH, I can SSH out to the server’s using public IP but not using its DHCP IP on same subnet as client 10.0.2.0/24. Ideas? Thanks!

            – sunknudsen
            May 24 at 11:01











          • I guess iOS does all the magic behind the scene to route all traffic through the VPN when a provisioning profile is configured. Having a hard time achieving the same on Linux. Trying to achieve the same as medium.com/@sunknudsen/….

            – sunknudsen
            May 24 at 11:04











          • It’s working! I had missed a NO_PROPOSAL_CHOSEN error in the logs. Had to add ike=aes256gcm16-sha384-modp3072! and esp=aes256gcm16-sha384-modp3072! to the client ipsec.conf as the server is enforcing strong crypto. Still having issues with SSH. Will report back here once I figure it out. Thanks @ecdsa!

            – sunknudsen
            May 24 at 11:12











          • SSH is working. Once above NO_PROPOSAL_CHOSEN error was mitigated, had to add the server’s SSH pub key to the client to fix Permission denied (publickey). error. Also had to allow outbound SSH requests on the server using iptables -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT. The whole setup is hardened so very little is allowed by default.

            – sunknudsen
            May 24 at 11:22















          1














          You want to configure rightsubet=0.0.0.0/0 on the client. The default is %dynamic, which resolves to the VPN server's IP address, so only traffic to that will then be tunneled.



          Regarding SSH, you need to check the traffic counters (IPsec SAs, firewall rules) to see in which direction that traffic does or doesn't flow.






          share|improve this answer























          • Tried rightsubnet=0.0.0.0/0, but still getting public IP of client. Also, about SSH, I can SSH out to the server’s using public IP but not using its DHCP IP on same subnet as client 10.0.2.0/24. Ideas? Thanks!

            – sunknudsen
            May 24 at 11:01











          • I guess iOS does all the magic behind the scene to route all traffic through the VPN when a provisioning profile is configured. Having a hard time achieving the same on Linux. Trying to achieve the same as medium.com/@sunknudsen/….

            – sunknudsen
            May 24 at 11:04











          • It’s working! I had missed a NO_PROPOSAL_CHOSEN error in the logs. Had to add ike=aes256gcm16-sha384-modp3072! and esp=aes256gcm16-sha384-modp3072! to the client ipsec.conf as the server is enforcing strong crypto. Still having issues with SSH. Will report back here once I figure it out. Thanks @ecdsa!

            – sunknudsen
            May 24 at 11:12











          • SSH is working. Once above NO_PROPOSAL_CHOSEN error was mitigated, had to add the server’s SSH pub key to the client to fix Permission denied (publickey). error. Also had to allow outbound SSH requests on the server using iptables -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT. The whole setup is hardened so very little is allowed by default.

            – sunknudsen
            May 24 at 11:22













          1












          1








          1







          You want to configure rightsubet=0.0.0.0/0 on the client. The default is %dynamic, which resolves to the VPN server's IP address, so only traffic to that will then be tunneled.



          Regarding SSH, you need to check the traffic counters (IPsec SAs, firewall rules) to see in which direction that traffic does or doesn't flow.






          share|improve this answer













          You want to configure rightsubet=0.0.0.0/0 on the client. The default is %dynamic, which resolves to the VPN server's IP address, so only traffic to that will then be tunneled.



          Regarding SSH, you need to check the traffic counters (IPsec SAs, firewall rules) to see in which direction that traffic does or doesn't flow.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered May 24 at 7:41









          ecdsaecdsa

          2,231916




          2,231916












          • Tried rightsubnet=0.0.0.0/0, but still getting public IP of client. Also, about SSH, I can SSH out to the server’s using public IP but not using its DHCP IP on same subnet as client 10.0.2.0/24. Ideas? Thanks!

            – sunknudsen
            May 24 at 11:01











          • I guess iOS does all the magic behind the scene to route all traffic through the VPN when a provisioning profile is configured. Having a hard time achieving the same on Linux. Trying to achieve the same as medium.com/@sunknudsen/….

            – sunknudsen
            May 24 at 11:04











          • It’s working! I had missed a NO_PROPOSAL_CHOSEN error in the logs. Had to add ike=aes256gcm16-sha384-modp3072! and esp=aes256gcm16-sha384-modp3072! to the client ipsec.conf as the server is enforcing strong crypto. Still having issues with SSH. Will report back here once I figure it out. Thanks @ecdsa!

            – sunknudsen
            May 24 at 11:12











          • SSH is working. Once above NO_PROPOSAL_CHOSEN error was mitigated, had to add the server’s SSH pub key to the client to fix Permission denied (publickey). error. Also had to allow outbound SSH requests on the server using iptables -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT. The whole setup is hardened so very little is allowed by default.

            – sunknudsen
            May 24 at 11:22

















          • Tried rightsubnet=0.0.0.0/0, but still getting public IP of client. Also, about SSH, I can SSH out to the server’s using public IP but not using its DHCP IP on same subnet as client 10.0.2.0/24. Ideas? Thanks!

            – sunknudsen
            May 24 at 11:01











          • I guess iOS does all the magic behind the scene to route all traffic through the VPN when a provisioning profile is configured. Having a hard time achieving the same on Linux. Trying to achieve the same as medium.com/@sunknudsen/….

            – sunknudsen
            May 24 at 11:04











          • It’s working! I had missed a NO_PROPOSAL_CHOSEN error in the logs. Had to add ike=aes256gcm16-sha384-modp3072! and esp=aes256gcm16-sha384-modp3072! to the client ipsec.conf as the server is enforcing strong crypto. Still having issues with SSH. Will report back here once I figure it out. Thanks @ecdsa!

            – sunknudsen
            May 24 at 11:12











          • SSH is working. Once above NO_PROPOSAL_CHOSEN error was mitigated, had to add the server’s SSH pub key to the client to fix Permission denied (publickey). error. Also had to allow outbound SSH requests on the server using iptables -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT. The whole setup is hardened so very little is allowed by default.

            – sunknudsen
            May 24 at 11:22
















          Tried rightsubnet=0.0.0.0/0, but still getting public IP of client. Also, about SSH, I can SSH out to the server’s using public IP but not using its DHCP IP on same subnet as client 10.0.2.0/24. Ideas? Thanks!

          – sunknudsen
          May 24 at 11:01





          Tried rightsubnet=0.0.0.0/0, but still getting public IP of client. Also, about SSH, I can SSH out to the server’s using public IP but not using its DHCP IP on same subnet as client 10.0.2.0/24. Ideas? Thanks!

          – sunknudsen
          May 24 at 11:01













          I guess iOS does all the magic behind the scene to route all traffic through the VPN when a provisioning profile is configured. Having a hard time achieving the same on Linux. Trying to achieve the same as medium.com/@sunknudsen/….

          – sunknudsen
          May 24 at 11:04





          I guess iOS does all the magic behind the scene to route all traffic through the VPN when a provisioning profile is configured. Having a hard time achieving the same on Linux. Trying to achieve the same as medium.com/@sunknudsen/….

          – sunknudsen
          May 24 at 11:04













          It’s working! I had missed a NO_PROPOSAL_CHOSEN error in the logs. Had to add ike=aes256gcm16-sha384-modp3072! and esp=aes256gcm16-sha384-modp3072! to the client ipsec.conf as the server is enforcing strong crypto. Still having issues with SSH. Will report back here once I figure it out. Thanks @ecdsa!

          – sunknudsen
          May 24 at 11:12





          It’s working! I had missed a NO_PROPOSAL_CHOSEN error in the logs. Had to add ike=aes256gcm16-sha384-modp3072! and esp=aes256gcm16-sha384-modp3072! to the client ipsec.conf as the server is enforcing strong crypto. Still having issues with SSH. Will report back here once I figure it out. Thanks @ecdsa!

          – sunknudsen
          May 24 at 11:12













          SSH is working. Once above NO_PROPOSAL_CHOSEN error was mitigated, had to add the server’s SSH pub key to the client to fix Permission denied (publickey). error. Also had to allow outbound SSH requests on the server using iptables -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT. The whole setup is hardened so very little is allowed by default.

          – sunknudsen
          May 24 at 11:22





          SSH is working. Once above NO_PROPOSAL_CHOSEN error was mitigated, had to add the server’s SSH pub key to the client to fix Permission denied (publickey). error. Also had to allow outbound SSH requests on the server using iptables -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT. The whole setup is hardened so very little is allowed by default.

          – sunknudsen
          May 24 at 11:22

















          draft saved

          draft discarded
















































          Thanks for contributing an answer to Server Fault!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f968613%2fhow-can-i-route-all-traffic-through-strongswan-vpn%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          -

          Popular posts from this blog

          Wikipedia:Vital articles Мазмуну Biography - Өмүр баян Philosophy and psychology - Философия жана психология Religion - Дин Social sciences - Коомдук илимдер Language and literature - Тил жана адабият Science - Илим Technology - Технология Arts and recreation - Искусство жана эс алуу History and geography - Тарых жана география Навигация менюсу

          Image
          centralized watchlist Wikipedia:Vital articles Wikipedia дан Jump to navigation Jump to search This is a list of basic subjects for which Wikipedia should have a corresponding high-quality article, and ideally a featured article. It also serves as a centralized watchlist and tracks the status of some of Wikipedia's most essential articles. Ideally this page should list approximately 1,000 of the most vital Wikipedia articles. Мазмуну 1 Biography - Өмүр баян 1.1 Actors, dancers and models - Актёрлор, бийчилер жана моделдер 1.2 Artists and architects - Сүрөтчүлөр жана архитекторлор 1.3 Authors, playwrights and poets - Жазуучулар, драматургдар жана акындар 1.4 Composers and musicians - Композиторлор жана музыканттар 1.5 Explorers and travelers - Изилдөөчүлөр менен саякатчылар 1.6 Film directors and screenwriters - Режиссёрлор жана сценаристтер 1.7 Inventors, scientists and mathematicians - Ойлоп табуучулар, окумуштуулар жана математиктер
          Read more

          Bruxelas-Capital Índice Historia | Composición | Situación lingüística | Clima | Cidades irmandadas | Notas | Véxase tamén | Menú de navegacióneO uso das linguas en Bruxelas e a situación do neerlandés"Rexión de Bruxelas Capital"o orixinalSitio da rexiónPáxina de Bruselas no sitio da Oficina de Promoción Turística de Valonia e BruxelasMapa Interactivo da Rexión de Bruxelas-CapitaleeWorldCat332144929079854441105155190212ID28008674080552-90000 0001 0666 3698n94104302ID540940339365017018237

          Image
          AnderlechtCidade de BruxelasIxellesEtterbeekEvereGanshorenJetteKoekelbergAuderghemSchaerbeekBerchem-Sainte-AgatheSaint-GillesMolenbeek-Saint-JeanSaint-Josse-ten-NoodeWoluwe-Saint-LambertWoluwe-Saint-PierreUccleForestWatermaal-Bosvoorde Comunidade Francesa de Bélxica Comunidade Flamenga de Bélxica Comunidade Xermanófona de Bélxica Bruxelas-CapitalRexións de Bélxica francésneerlandésRexiónsBélxicacomunidade francesacomunidade flamengafrancófonaflamengaUnión EuropeaMagrebMarrocosTurquíaAméricaÁfricaRepública Democrática do CongoEuropa central18 de xuño1989FlandresRexión Valoaflamengaséculo XIXClasificación climática de Köppen Bruxelas-Capital Na Galipedia, a Wikipedia en galego. Saltar ata a navegación Saltar á procura Para outras páxinas con títulos homónimos véxase: Bruxelas . Région de Bruxelles-Capitale Brussels Hoofdstedelijk Gewest Bandeira Estado Bélxica Capital Cidade de Bruxelas  • Poboación n/d Lingua oficial As dúas Superficie  • Total 1
          Read more

          What should I write in an apology letter, since I have decided not to join a company after accepting an offer letterShould I keep looking after accepting a job offer?What should I do when I've been verbally told I would get an offer letter, but still haven't gotten one after 4 weeks?Do I accept an offer from a company that I am not likely to join?New job hasn't confirmed starting date and I want to give current employer as much notice as possibleHow should I address my manager in my resignation letter?HR delayed background verification, now jobless as resignedNo email communication after accepting a formal written offer. How should I phrase the call?What should I do if after receiving a verbal offer letter I am informed that my written job offer is put on hold due to some internal issues?Should I inform the current employer that I am about to resign within 1-2 weeks since I have signed the offer letter and waiting for visa?What company will do, if I send their offer letter to another company

          Image
          When is the original BFGS algorithm still better than the Limited-Memory version? How well known and how commonly used was Huffman coding in 1979? Inverse-quotes-quine Can the US president have someone sent to jail? Employer wants to use my work email account after I quit, is this legal under German law? Is this a GDPR waiver? Do French speakers not use the subjunctive informally? Low-gravity Bronze Age fortifications Does ultrasonic bath cleaning damage laboratory volumetric glassware calibration? Why do some games show lights shine through walls? Unusual mail headers, evidence of an attempted attack. Have I been pwned? Smooth Julia set for quadratic polynomials Require advice on power conservation for backpacking trip Dimensions of list used in test C-152 carb heat on before landing in hot weather? Is my Rep in Stack-Exchange Form? What happens when your group is victim of a surprise attack but you can't be surprised? How come I was asked by a CBP
          Read more