How can I route all traffic through strongSwan VPN?What iptables rules do I need for strongSwan clients?Strongswan vpn tunnel connected but the traffic is not routed through itAWS StrongSwan IPSec VPNRoute all traffic through StrongSwan VPNStrongswan VPN tunnel between two AWS instances won't connectHow to redirect traffic through IPv6 IPSec (strongswan) gateway?How can I secure all traffic using strongSwan/IPSec except SSH access?Routing specific traffic through StrongSwan VPNLEDE 17.01.1, StrongSwan 5.6.0 swanctl NATHow to configure StrongSwan vpn server as a routerstrongswan route traffic to specified IPs only

How to use memset in c++?

How to safely destroy (a large quantity of) valid checks?

貧しい【まずしい】 poor 貧乏【びんぼう】な poor What's the difference?

Thread Pool C++ Implementation

Is it safe to change the harddrive power feature so that it never turns off?

Why 1,2 printed by a command in $() is not interpolated?

I have a problematic assistant manager, but I can't fire him

Warning about needing "authorization" when booking ticket

How did old MS-DOS games utilize various graphic cards?

LuaLaTex - how to use number, computed later in the document

Is it legal for a bar bouncer to confiscate a fake ID

Which languages would be most useful in Europe at the end of the 19th century?

Writing an augmented sixth chord on the flattened supertonic

Who enforces MPAA rating adherence?

Who are the Missing Members of this Noble Family?

Why we don’t make use of the t-distribution for constructing a confidence interval for a proportion?

A word that means "blending into a community too much"

Why does the Mishnah use the terms poor person and homeowner when discussing carrying on Shabbat?

Determining fair price for profitable mobile app business

How to handle (one's own) self-harm scars (on the arm), in a work environment?

Heap allocation on microcontroller

Overlapping String-Blocks

Is it possible to fly backward if you have 'really strong' headwind?

What to do when surprise and a high initiative roll conflict with the narrative?



How can I route all traffic through strongSwan VPN?


What iptables rules do I need for strongSwan clients?Strongswan vpn tunnel connected but the traffic is not routed through itAWS StrongSwan IPSec VPNRoute all traffic through StrongSwan VPNStrongswan VPN tunnel between two AWS instances won't connectHow to redirect traffic through IPv6 IPSec (strongswan) gateway?How can I secure all traffic using strongSwan/IPSec except SSH access?Routing specific traffic through StrongSwan VPNLEDE 17.01.1, StrongSwan 5.6.0 swanctl NATHow to configure StrongSwan vpn server as a routerstrongswan route traffic to specified IPs only






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;








0















Server ipsec.conf



config setup
 charondebug="ike 1, knl 1, cfg 0"
 uniqueids=never

conn ikev2
 auto=add
 compress=no
 type=tunnel
 keyexchange=ikev2
 fragmentation=yes
 forceencaps=yes
 ike=aes256gcm16-sha384-modp3072!
 esp=aes256gcm16-sha384-modp3072!
 dpdaction=clear
 dpddelay=300s
 rekey=no
 left=%any
 leftid=my-vpn.com
 leftcert=vpn-server.crt
 leftsendcert=always
 leftsubnet=0.0.0.0/0
 right=%any
 rightid=%any
 rightauth=eap-tls
 rightdns=1.1.1.1,1.0.0.1
 rightsourceip=10.0.2.0/24
 rightsendcert=never
 eap_identity=%identity


Server iptables -S



-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 60/sec --limit-burst 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -m limit --limit 60/sec --limit-burst 20 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A FORWARD -s 10.0.2.0/24 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -d 10.0.2.0/24 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


Client ipsec.conf



conn ikev2
 auto=start
 leftid=client@my-vpn.com
 leftsourceip=%config
 leftauth=eap-tls
 leftcert=vpn-client.crt
 right=my-vpn.com
 rightid=my-vpn.com
 rightauth=pubkey


Client iptables -S



-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 500 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 4500 -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


The connection is established but when I run curl https://checkip.amazonaws.com, the returned IP is the client public IP vs the server public IP (expected). How can I route all traffic through the VPN?



Also, can’t SSH to client from server. Why?



Thanks!






strongswan







share|improve this question




























    0















    Server ipsec.conf



    config setup
     charondebug="ike 1, knl 1, cfg 0"
     uniqueids=never

    conn ikev2
     auto=add
     compress=no
     type=tunnel
     keyexchange=ikev2
     fragmentation=yes
     forceencaps=yes
     ike=aes256gcm16-sha384-modp3072!
     esp=aes256gcm16-sha384-modp3072!
     dpdaction=clear
     dpddelay=300s
     rekey=no
     left=%any
     leftid=my-vpn.com
     leftcert=vpn-server.crt
     leftsendcert=always
     leftsubnet=0.0.0.0/0
     right=%any
     rightid=%any
     rightauth=eap-tls
     rightdns=1.1.1.1,1.0.0.1
     rightsourceip=10.0.2.0/24
     rightsendcert=never
     eap_identity=%identity


    Server iptables -S



    -P INPUT DROP
    -P FORWARD DROP
    -P OUTPUT DROP
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 60/sec --limit-burst 20 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -m limit --limit 60/sec --limit-burst 20 -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p udp -m udp --dport 500 -j ACCEPT
    -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
    -A FORWARD -s 10.0.2.0/24 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    -A FORWARD -d 10.0.2.0/24 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
    -A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
    -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


    Client ipsec.conf



    conn ikev2
     auto=start
     leftid=client@my-vpn.com
     leftsourceip=%config
     leftauth=eap-tls
     leftcert=vpn-client.crt
     right=my-vpn.com
     rightid=my-vpn.com
     rightauth=pubkey


    Client iptables -S



    -P INPUT DROP
    -P FORWARD DROP
    -P OUTPUT DROP
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
    -A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
    -A OUTPUT -p udp -m udp --dport 500 -m state --state NEW -j ACCEPT
    -A OUTPUT -p udp -m udp --dport 4500 -m state --state NEW -j ACCEPT
    -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


    The connection is established but when I run curl https://checkip.amazonaws.com, the returned IP is the client public IP vs the server public IP (expected). How can I route all traffic through the VPN?



    Also, can’t SSH to client from server. Why?



    Thanks!






    strongswan







    share|improve this question
























      0












      0








      0








      Server ipsec.conf



      config setup
       charondebug="ike 1, knl 1, cfg 0"
       uniqueids=never

      conn ikev2
       auto=add
       compress=no
       type=tunnel
       keyexchange=ikev2
       fragmentation=yes
       forceencaps=yes
       ike=aes256gcm16-sha384-modp3072!
       esp=aes256gcm16-sha384-modp3072!
       dpdaction=clear
       dpddelay=300s
       rekey=no
       left=%any
       leftid=my-vpn.com
       leftcert=vpn-server.crt
       leftsendcert=always
       leftsubnet=0.0.0.0/0
       right=%any
       rightid=%any
       rightauth=eap-tls
       rightdns=1.1.1.1,1.0.0.1
       rightsourceip=10.0.2.0/24
       rightsendcert=never
       eap_identity=%identity


      Server iptables -S



      -P INPUT DROP
      -P FORWARD DROP
      -P OUTPUT DROP
      -A INPUT -i lo -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 60/sec --limit-burst 20 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -m limit --limit 60/sec --limit-burst 20 -j ACCEPT
      -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A INPUT -p udp -m udp --dport 500 -j ACCEPT
      -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
      -A FORWARD -s 10.0.2.0/24 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
      -A FORWARD -d 10.0.2.0/24 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
      -A OUTPUT -o lo -j ACCEPT
      -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
      -A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
      -A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
      -A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
      -A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
      -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


      Client ipsec.conf



      conn ikev2
       auto=start
       leftid=client@my-vpn.com
       leftsourceip=%config
       leftauth=eap-tls
       leftcert=vpn-client.crt
       right=my-vpn.com
       rightid=my-vpn.com
       rightauth=pubkey


      Client iptables -S



      -P INPUT DROP
      -P FORWARD DROP
      -P OUTPUT DROP
      -A INPUT -i lo -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
      -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A OUTPUT -o lo -j ACCEPT
      -A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
      -A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
      -A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
      -A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
      -A OUTPUT -p udp -m udp --dport 500 -m state --state NEW -j ACCEPT
      -A OUTPUT -p udp -m udp --dport 4500 -m state --state NEW -j ACCEPT
      -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


      The connection is established but when I run curl https://checkip.amazonaws.com, the returned IP is the client public IP vs the server public IP (expected). How can I route all traffic through the VPN?



      Also, can’t SSH to client from server. Why?



      Thanks!






      strongswan







      share|improve this question














      Server ipsec.conf



      config setup
       charondebug="ike 1, knl 1, cfg 0"
       uniqueids=never

      conn ikev2
       auto=add
       compress=no
       type=tunnel
       keyexchange=ikev2
       fragmentation=yes
       forceencaps=yes
       ike=aes256gcm16-sha384-modp3072!
       esp=aes256gcm16-sha384-modp3072!
       dpdaction=clear
       dpddelay=300s
       rekey=no
       left=%any
       leftid=my-vpn.com
       leftcert=vpn-server.crt
       leftsendcert=always
       leftsubnet=0.0.0.0/0
       right=%any
       rightid=%any
       rightauth=eap-tls
       rightdns=1.1.1.1,1.0.0.1
       rightsourceip=10.0.2.0/24
       rightsendcert=never
       eap_identity=%identity


      Server iptables -S



      -P INPUT DROP
      -P FORWARD DROP
      -P OUTPUT DROP
      -A INPUT -i lo -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 60/sec --limit-burst 20 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -m limit --limit 60/sec --limit-burst 20 -j ACCEPT
      -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A INPUT -p udp -m udp --dport 500 -j ACCEPT
      -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
      -A FORWARD -s 10.0.2.0/24 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
      -A FORWARD -d 10.0.2.0/24 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
      -A OUTPUT -o lo -j ACCEPT
      -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
      -A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
      -A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
      -A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
      -A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
      -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


      Client ipsec.conf



      conn ikev2
       auto=start
       leftid=client@my-vpn.com
       leftsourceip=%config
       leftauth=eap-tls
       leftcert=vpn-client.crt
       right=my-vpn.com
       rightid=my-vpn.com
       rightauth=pubkey


      Client iptables -S



      -P INPUT DROP
      -P FORWARD DROP
      -P OUTPUT DROP
      -A INPUT -i lo -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
      -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A OUTPUT -o lo -j ACCEPT
      -A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
      -A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
      -A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
      -A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
      -A OUTPUT -p udp -m udp --dport 500 -m state --state NEW -j ACCEPT
      -A OUTPUT -p udp -m udp --dport 4500 -m state --state NEW -j ACCEPT
      -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


      The connection is established but when I run curl https://checkip.amazonaws.com, the returned IP is the client public IP vs the server public IP (expected). How can I route all traffic through the VPN?



      Also, can’t SSH to client from server. Why?



      Thanks!






      strongswan




      strongswan






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked May 23 at 18:34









      sunknudsensunknudsen

      347




      347




















          1 Answer
          1






          active

          oldest

          votes


















          1














          You want to configure rightsubet=0.0.0.0/0 on the client. The default is %dynamic, which resolves to the VPN server's IP address, so only traffic to that will then be tunneled.



          Regarding SSH, you need to check the traffic counters (IPsec SAs, firewall rules) to see in which direction that traffic does or doesn't flow.






          share|improve this answer























          • Tried rightsubnet=0.0.0.0/0, but still getting public IP of client. Also, about SSH, I can SSH out to the server’s using public IP but not using its DHCP IP on same subnet as client 10.0.2.0/24. Ideas? Thanks!

            – sunknudsen
            May 24 at 11:01











          • I guess iOS does all the magic behind the scene to route all traffic through the VPN when a provisioning profile is configured. Having a hard time achieving the same on Linux. Trying to achieve the same as medium.com/@sunknudsen/….

            – sunknudsen
            May 24 at 11:04











          • It’s working! I had missed a NO_PROPOSAL_CHOSEN error in the logs. Had to add ike=aes256gcm16-sha384-modp3072! and esp=aes256gcm16-sha384-modp3072! to the client ipsec.conf as the server is enforcing strong crypto. Still having issues with SSH. Will report back here once I figure it out. Thanks @ecdsa!

            – sunknudsen
            May 24 at 11:12











          • SSH is working. Once above NO_PROPOSAL_CHOSEN error was mitigated, had to add the server’s SSH pub key to the client to fix Permission denied (publickey). error. Also had to allow outbound SSH requests on the server using iptables -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT. The whole setup is hardened so very little is allowed by default.

            – sunknudsen
            May 24 at 11:22











          Your Answer








          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "2"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













          draft saved

          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f968613%2fhow-can-i-route-all-traffic-through-strongswan-vpn%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          1














          You want to configure rightsubet=0.0.0.0/0 on the client. The default is %dynamic, which resolves to the VPN server's IP address, so only traffic to that will then be tunneled.



          Regarding SSH, you need to check the traffic counters (IPsec SAs, firewall rules) to see in which direction that traffic does or doesn't flow.






          share|improve this answer























          • Tried rightsubnet=0.0.0.0/0, but still getting public IP of client. Also, about SSH, I can SSH out to the server’s using public IP but not using its DHCP IP on same subnet as client 10.0.2.0/24. Ideas? Thanks!

            – sunknudsen
            May 24 at 11:01











          • I guess iOS does all the magic behind the scene to route all traffic through the VPN when a provisioning profile is configured. Having a hard time achieving the same on Linux. Trying to achieve the same as medium.com/@sunknudsen/….

            – sunknudsen
            May 24 at 11:04











          • It’s working! I had missed a NO_PROPOSAL_CHOSEN error in the logs. Had to add ike=aes256gcm16-sha384-modp3072! and esp=aes256gcm16-sha384-modp3072! to the client ipsec.conf as the server is enforcing strong crypto. Still having issues with SSH. Will report back here once I figure it out. Thanks @ecdsa!

            – sunknudsen
            May 24 at 11:12











          • SSH is working. Once above NO_PROPOSAL_CHOSEN error was mitigated, had to add the server’s SSH pub key to the client to fix Permission denied (publickey). error. Also had to allow outbound SSH requests on the server using iptables -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT. The whole setup is hardened so very little is allowed by default.

            – sunknudsen
            May 24 at 11:22















          1














          You want to configure rightsubet=0.0.0.0/0 on the client. The default is %dynamic, which resolves to the VPN server's IP address, so only traffic to that will then be tunneled.



          Regarding SSH, you need to check the traffic counters (IPsec SAs, firewall rules) to see in which direction that traffic does or doesn't flow.






          share|improve this answer























          • Tried rightsubnet=0.0.0.0/0, but still getting public IP of client. Also, about SSH, I can SSH out to the server’s using public IP but not using its DHCP IP on same subnet as client 10.0.2.0/24. Ideas? Thanks!

            – sunknudsen
            May 24 at 11:01











          • I guess iOS does all the magic behind the scene to route all traffic through the VPN when a provisioning profile is configured. Having a hard time achieving the same on Linux. Trying to achieve the same as medium.com/@sunknudsen/….

            – sunknudsen
            May 24 at 11:04











          • It’s working! I had missed a NO_PROPOSAL_CHOSEN error in the logs. Had to add ike=aes256gcm16-sha384-modp3072! and esp=aes256gcm16-sha384-modp3072! to the client ipsec.conf as the server is enforcing strong crypto. Still having issues with SSH. Will report back here once I figure it out. Thanks @ecdsa!

            – sunknudsen
            May 24 at 11:12











          • SSH is working. Once above NO_PROPOSAL_CHOSEN error was mitigated, had to add the server’s SSH pub key to the client to fix Permission denied (publickey). error. Also had to allow outbound SSH requests on the server using iptables -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT. The whole setup is hardened so very little is allowed by default.

            – sunknudsen
            May 24 at 11:22













          1












          1








          1







          You want to configure rightsubet=0.0.0.0/0 on the client. The default is %dynamic, which resolves to the VPN server's IP address, so only traffic to that will then be tunneled.



          Regarding SSH, you need to check the traffic counters (IPsec SAs, firewall rules) to see in which direction that traffic does or doesn't flow.






          share|improve this answer













          You want to configure rightsubet=0.0.0.0/0 on the client. The default is %dynamic, which resolves to the VPN server's IP address, so only traffic to that will then be tunneled.



          Regarding SSH, you need to check the traffic counters (IPsec SAs, firewall rules) to see in which direction that traffic does or doesn't flow.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered May 24 at 7:41









          ecdsaecdsa

          2,231916




          2,231916












          • Tried rightsubnet=0.0.0.0/0, but still getting public IP of client. Also, about SSH, I can SSH out to the server’s using public IP but not using its DHCP IP on same subnet as client 10.0.2.0/24. Ideas? Thanks!

            – sunknudsen
            May 24 at 11:01











          • I guess iOS does all the magic behind the scene to route all traffic through the VPN when a provisioning profile is configured. Having a hard time achieving the same on Linux. Trying to achieve the same as medium.com/@sunknudsen/….

            – sunknudsen
            May 24 at 11:04











          • It’s working! I had missed a NO_PROPOSAL_CHOSEN error in the logs. Had to add ike=aes256gcm16-sha384-modp3072! and esp=aes256gcm16-sha384-modp3072! to the client ipsec.conf as the server is enforcing strong crypto. Still having issues with SSH. Will report back here once I figure it out. Thanks @ecdsa!

            – sunknudsen
            May 24 at 11:12











          • SSH is working. Once above NO_PROPOSAL_CHOSEN error was mitigated, had to add the server’s SSH pub key to the client to fix Permission denied (publickey). error. Also had to allow outbound SSH requests on the server using iptables -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT. The whole setup is hardened so very little is allowed by default.

            – sunknudsen
            May 24 at 11:22

















          • Tried rightsubnet=0.0.0.0/0, but still getting public IP of client. Also, about SSH, I can SSH out to the server’s using public IP but not using its DHCP IP on same subnet as client 10.0.2.0/24. Ideas? Thanks!

            – sunknudsen
            May 24 at 11:01











          • I guess iOS does all the magic behind the scene to route all traffic through the VPN when a provisioning profile is configured. Having a hard time achieving the same on Linux. Trying to achieve the same as medium.com/@sunknudsen/….

            – sunknudsen
            May 24 at 11:04











          • It’s working! I had missed a NO_PROPOSAL_CHOSEN error in the logs. Had to add ike=aes256gcm16-sha384-modp3072! and esp=aes256gcm16-sha384-modp3072! to the client ipsec.conf as the server is enforcing strong crypto. Still having issues with SSH. Will report back here once I figure it out. Thanks @ecdsa!

            – sunknudsen
            May 24 at 11:12











          • SSH is working. Once above NO_PROPOSAL_CHOSEN error was mitigated, had to add the server’s SSH pub key to the client to fix Permission denied (publickey). error. Also had to allow outbound SSH requests on the server using iptables -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT. The whole setup is hardened so very little is allowed by default.

            – sunknudsen
            May 24 at 11:22
















          Tried rightsubnet=0.0.0.0/0, but still getting public IP of client. Also, about SSH, I can SSH out to the server’s using public IP but not using its DHCP IP on same subnet as client 10.0.2.0/24. Ideas? Thanks!

          – sunknudsen
          May 24 at 11:01





          Tried rightsubnet=0.0.0.0/0, but still getting public IP of client. Also, about SSH, I can SSH out to the server’s using public IP but not using its DHCP IP on same subnet as client 10.0.2.0/24. Ideas? Thanks!

          – sunknudsen
          May 24 at 11:01













          I guess iOS does all the magic behind the scene to route all traffic through the VPN when a provisioning profile is configured. Having a hard time achieving the same on Linux. Trying to achieve the same as medium.com/@sunknudsen/….

          – sunknudsen
          May 24 at 11:04





          I guess iOS does all the magic behind the scene to route all traffic through the VPN when a provisioning profile is configured. Having a hard time achieving the same on Linux. Trying to achieve the same as medium.com/@sunknudsen/….

          – sunknudsen
          May 24 at 11:04













          It’s working! I had missed a NO_PROPOSAL_CHOSEN error in the logs. Had to add ike=aes256gcm16-sha384-modp3072! and esp=aes256gcm16-sha384-modp3072! to the client ipsec.conf as the server is enforcing strong crypto. Still having issues with SSH. Will report back here once I figure it out. Thanks @ecdsa!

          – sunknudsen
          May 24 at 11:12





          It’s working! I had missed a NO_PROPOSAL_CHOSEN error in the logs. Had to add ike=aes256gcm16-sha384-modp3072! and esp=aes256gcm16-sha384-modp3072! to the client ipsec.conf as the server is enforcing strong crypto. Still having issues with SSH. Will report back here once I figure it out. Thanks @ecdsa!

          – sunknudsen
          May 24 at 11:12













          SSH is working. Once above NO_PROPOSAL_CHOSEN error was mitigated, had to add the server’s SSH pub key to the client to fix Permission denied (publickey). error. Also had to allow outbound SSH requests on the server using iptables -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT. The whole setup is hardened so very little is allowed by default.

          – sunknudsen
          May 24 at 11:22





          SSH is working. Once above NO_PROPOSAL_CHOSEN error was mitigated, had to add the server’s SSH pub key to the client to fix Permission denied (publickey). error. Also had to allow outbound SSH requests on the server using iptables -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT. The whole setup is hardened so very little is allowed by default.

          – sunknudsen
          May 24 at 11:22

















          draft saved

          draft discarded
















































          Thanks for contributing an answer to Server Fault!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f968613%2fhow-can-i-route-all-traffic-through-strongswan-vpn%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          -

          Popular posts from this blog

          Club Baloncesto Breogán Índice Historia | Pavillón | Nome | O Breogán na cultura popular | Xogadores | Adestradores | Presidentes | Palmarés | Historial | Líderes | Notas | Véxase tamén | Menú de navegacióncbbreogan.galCadroGuía oficial da ACB 2009-10, páxina 201Guía oficial ACB 1992, páxina 183. Editorial DB.É de 6.500 espectadores sentados axeitándose á última normativa"Estudiantes Junior, entre as mellores canteiras"o orixinalHemeroteca El Mundo Deportivo, 16 setembro de 1970, páxina 12Historia do BreogánAlfredo Pérez, o último canoneiroHistoria C.B. BreogánHemeroteca de El Mundo DeportivoJimmy Wright, norteamericano do Breogán deixará Lugo por ameazas de morteResultados de Breogán en 1986-87Resultados de Breogán en 1990-91Ficha de Velimir Perasović en acb.comResultados de Breogán en 1994-95Breogán arrasa al Barça. "El Mundo Deportivo", 27 de setembro de 1999, páxina 58CB Breogán - FC BarcelonaA FEB invita a participar nunha nova Liga EuropeaCharlie Bell na prensa estatalMáximos anotadores 2005Tempada 2005-06 : Tódolos Xogadores da Xornada""Non quero pensar nunha man negra, mais pregúntome que está a pasar""o orixinalRaúl López, orgulloso dos xogadores, presume da boa saúde económica do BreogánJulio González confirma que cesa como presidente del BreogánHomenaxe a Lisardo GómezA tempada do rexurdimento celesteEntrevista a Lisardo GómezEl COB dinamita el Pazo para forzar el quinto (69-73)Cafés Candelas, patrocinador del CB Breogán"Suso Lázare, novo presidente do Breogán"o orixinalCafés Candelas Breogán firma el mayor triunfo de la historiaEl Breogán realizará 17 homenajes por su cincuenta aniversario"O Breogán honra ao seu fundador e primeiro presidente"o orixinalMiguel Giao recibiu a homenaxe do PazoHomenaxe aos primeiros gladiadores celestesO home que nos amosa como ver o Breo co corazónTita Franco será homenaxeada polos #50anosdeBreoJulio Vila recibirá unha homenaxe in memoriam polos #50anosdeBreo"O Breogán homenaxeará aos seus aboados máis veteráns"Pechada ovación a «Capi» Sanmartín e Ricardo «Corazón de González»Homenaxe por décadas de informaciónPaco García volve ao Pazo con motivo do 50 aniversario"Resultados y clasificaciones""O Cafés Candelas Breogán, campión da Copa Princesa""O Cafés Candelas Breogán, equipo ACB"C.B. Breogán"Proxecto social"o orixinal"Centros asociados"o orixinalFicha en imdb.comMario Camus trata la recuperación del amor en 'La vieja música', su última película"Páxina web oficial""Club Baloncesto Breogán""C. B. Breogán S.A.D."eehttp://www.fegaba.com

          Image
          Barça LassaBAXI ManresaCafés Candelas BreogánDelteco GBCDivina Seguros JoventutHerbalife Gran CanariaIberostar TenerifeKirolbet BaskoniaMonbus ObradoiroMontakit FuenlabradaMoraBanc AndorraMovistar EstudiantesReal MadridSan Pablo BurgosTecnyconta ZaragozaUCAM MurciaUnicajaValencia Basket Club Baloncesto Breogán baloncestoLugoGalicia1966JuanJosé Ramón Varela Portasmáxima categoría1970competicións europeasLiga ACBPavillón MunicipalPazo dos DeportesJesús Lázareliga EBAClub Estudiantes1965Lugobaloncestosegunda divisiónJosé RamónJuan Varela-Portas y Pardo1966Celestino Fernández de la Vega196869primeira divisiónZaragozaprimeira divisiónReal MadridJoventutEstudiantes19701971máxima categoría estatal11 de outubro1970Palacio dos DeportesLugoTenerifeMadridReal MadridAlfredo PérezBreogán19711972TenerifeMadridvascocatalánAlfredo PérezespañolMadridLugoManresa La Casera19741975As...
          Read more

          Vilaño, A Laracha Índice Patrimonio | Lugares e parroquias | Véxase tamén | Menú de navegación43°14′52″N 8°36′03″O / 43.24775, -8.60070

          Image
          Parroquias da LarachaParroquias de Galicia baixo a advocación de Santiago o Maior coruñésLarachacomarca de BergantiñosIGE20131999castro de Montesclarospoboado castrexoidade de ferroromanización de Galiciamiliariopazo de Montesclarosséculo XIXAmboadeA AreosaA BarreiraBos AiresA BoticaAs Brañas da ViñaAs BrañasBusteloOs CanedosFerreirosAs FervenzasA Fonte da CanleO FormigueiroFornelosA FragaFragundeGravidoA LamelaMarfuloOs MeánsMontes ClarosA PanelaO PazoQuintánsRibelaSamiroO SeixoA TelleiraVilañoVilanovaA ViñaVista AlegreCabovilaño (San Román)Caión (Santa María do Socorro)Coiro (San Xián)Erboedo (Santa María)Golmar (San Bieito)Lemaio (Santa Mariña)Lendo (San Xián)Lestón (San Martiño)Montemaior (Santa María Madanela)Soandres (San Pedro)Soutullo (Santa María)Torás (Santa María)Vilaño (Santiago) Vilaño, A Laracha Na Galipedia, a Wi...
          Read more

          Cegueira Índice Epidemioloxía | Deficiencia visual | Tipos de cegueira | Principais causas de cegueira | Tratamento | Técnicas de adaptación e axudas | Vida dos cegos | Primeiros auxilios | Crenzas respecto das persoas cegas | Crenzas das persoas cegas | O neno deficiente visual | Aspectos psicolóxicos da cegueira | Notas | Véxase tamén | Menú de navegación54.054.154.436928256blindnessDicionario da Real Academia GalegaPortal das Palabras"International Standards: Visual Standards — Aspects and Ranges of Vision Loss with Emphasis on Population Surveys.""Visual impairment and blindness""Presentan un plan para previr a cegueira"o orixinalACCDV Associació Catalana de Cecs i Disminuïts Visuals - PMFTrachoma"Effect of gene therapy on visual function in Leber's congenital amaurosis"1844137110.1056/NEJMoa0802268Cans guía - os mellores amigos dos cegosArquivadoEscola de cans guía para cegos en Mortágua, PortugalArquivado"Tecnología para ciegos y deficientes visuales. Recopilación de recursos gratuitos en la Red""Colorino""‘COL.diesis’, escuchar los sonidos del color""COL.diesis: Transforming Colour into Melody and Implementing the Result in a Colour Sensor Device"o orixinal"Sistema de desarrollo de sinestesia color-sonido para invidentes utilizando un protocolo de audio""Enseñanza táctil - geometría y color. Juegos didácticos para niños ciegos y videntes""Sistema Constanz"L'ocupació laboral dels cecs a l'Estat espanyol està pràcticament equiparada a la de les persones amb visió, entrevista amb Pedro ZuritaONCE (Organización Nacional de Cegos de España)Prevención da cegueiraDescrición de deficiencias visuais (Disc@pnet)Braillín, un boneco atractivo para calquera neno, con ou sen discapacidade, que permite familiarizarse co sistema de escritura e lectura brailleAxudas Técnicas36838ID00897494007150-90057129528256DOID:1432HP:0000618D001766C10.597.751.941.162C97109C0155020

          Image
          OftalmoloxíaDiscapacidade sentidovistaNorteaméricaEuropaollopaíses en vías de desenvolvementopaíses desenvolvidos2014Organización Mundial da SaúdeGaliciaretinopatía diabéticaglaucomaresto visualagudeza visualcampo visualterapia xénicaretinavirus do arrefriado comúncanadestradoséculo XIXLouis Brailleteclado brailleescáneresrecoñecemento óptico de caractereslectores de pantallacorsinestesiafrauta doceamareloclarineteazultamboresvermellopianoverdeSistema Constanzsemáforocans guíaBrailletactosoftwaretactoeuroAvuiséculo XXUnión SoviéticaFranciaItaliaInglaterraNataciónatletismociclismojudoesquífútbol salamontañismoxadrezgoalballsociedademúsicosindixentesprofetassabiosoídotactomúsicarisatactooídolinguaxePiaget (function()var node=document.getElementById("mw-dismissablenotice-anonplace");if(node)node.outerHTML="u003Cdiv class="mw-dismissable-notice"u0...
          Read more