I am trying to migrate my strongSwan VPN server to a new machine, but it does not work.
My public IP address is dynamic, and I use DDNS to reach my home network from outside. When I establish a VPN connection, only the server and the client can see each other. I cannot access my server from the local network, only from the VPN client.
ipsec.conf:

config setup
    charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
    compress = yes
    fragmentation = yes
    left = ******.ddns.net
    leftallowany = yes
    leftauth = pubkey
    leftcert = vpnHostCert.pem
    leftsendcert = ifasked
    leftsubnet = **.**.**.0/24
    right = %any

conn S4-IKEv2-EAP
    rightauth = eap-md5
    rightid = mys4
    rightsourceip = **.**.**.99
    keyexchange = ikev2
    auto = add

conn Windows7-RSA-Cert
    rightauth = eap-tls
    rightsendcert = never
    rightsourceip = **.**.**.98
    eap_identity = %any
    keyexchange = ikev2
    auto = add
ipsec.secrets:

: RSA vpnHostKey.pem
: PSK xxxxx
mys4 : EAP xxxxx
strongswan.conf:

charon {
    load_modular = no
    dns1 = **.**.**.1
    plugins {
        *lots of plugins loaded*
    }
}
ipsec statusall:

Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-32-generic, x86_64):
  uptime: 9 minutes, since Aug 19 14:05:50 2018
  malloc: sbrk 2703360, mmap 0, used 608784, free 2094576
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 9
  loaded plugins: charon aes sha2 sha1 md5 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pem gmp curve25519 xcbc cmac hmac attr kernel-libipsec kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 eap-dynamic eap-tls eap-peap xauth-generic dhcp
Virtual IP pools (size/online/offline):
  **.**.**.99: 1/1/0
  **.**.**.98: 1/0/0
Listening IP addresses:
  **.**.**.8
Connections:
S4-IKEv2-EAP:  ***.ddns.net,0.0.0.0/0,::/0...%any  IKEv2
S4-IKEv2-EAP:   local:  [***.ddns.net] uses public key authentication
S4-IKEv2-EAP:    cert:  "C=DE, O=***, CN=***.ddns.net"
S4-IKEv2-EAP:   remote: [mys4] uses EAP_MD5 authentication
S4-IKEv2-EAP:   child:  **.**.**.0/24 === dynamic TUNNEL
Windows7-RSA-Cert:  ***.ddns.net,0.0.0.0/0,::/0...%any  IKEv2
Windows7-RSA-Cert:   local:  [***.ddns.net] uses public key authentication
Windows7-RSA-Cert:    cert:  "C=DE, O=***, CN=***.ddns.net"
Windows7-RSA-Cert:   remote: uses EAP_TLS authentication with EAP identity '%any'
Windows7-RSA-Cert:   child:  **.**.**.0/24 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
S4-IKEv2-EAP[7]: ESTABLISHED 82 seconds ago, **.**.**.8[***.ddns.net]...**.**.119.117[mys4]
S4-IKEv2-EAP[7]: IKEv2 SPIs: 64f15a37b081a84a_i 25f0661ea49bbc51_r*, public key reauthentication in 2 hours
S4-IKEv2-EAP[7]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
S4-IKEv2-EAP{2}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: 751d144c_i 8019b7f7_o
S4-IKEv2-EAP{2}:  AES_CBC_128/HMAC_SHA2_256_128, 19414 bytes_i (275 pkts, 0s ago), 10792 bytes_o (85 pkts, 0s ago), rekeying in 45 minutes
S4-IKEv2-EAP{2}:   **.**.**.0/24 === **.**.178.99/32
Tags: vpn, ipsec, strongswan
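The configuration above hands out virtual IPs (`rightsourceip`) that lie inside the LAN subnet announced in `leftsubnet`, and the `loaded plugins` line shows `kernel-libipsec` but no `farp` plugin. That combination is worth checking first when LAN hosts and VPN clients cannot reach each other: when the client's virtual IP is taken from the gateway's own subnet, LAN hosts ARP for it on the wire, and only the gateway's `farp` (proxy ARP) plugin, or a NAT rule on the gateway, makes those packets arrive; IPv4 forwarding must also be enabled on the gateway; and with `kernel-libipsec` the decrypted traffic enters the kernel on the `ipsec0` TUN interface, so forward and NAT rules that match only the physical interface miss it. The following checker is an added example written for this page, not code from the question or from the strongSwan project. It parses the text of `ipsec statusall` and a minimal `ipsec.conf` and reports these three conditions; the `192.168.178.0/24` addresses and the `gateway.example.ddns.net` name stand in for the masked values and are assumptions, and the embedded status output is a constructed sample modelled on the one in the question.

```python
"""Flag the usual LAN-reachability problems on a strongSwan road-warrior gateway.

Added example (not from the question). Inputs are the text of `ipsec statusall`
and ipsec.conf; the sample below is constructed, with 192.168.178.0/24 assumed
in place of the masked addresses in the question.
"""
import ipaddress
import re

# Constructed sample of `ipsec statusall`, shortened to the lines we parse.
SAMPLE_STATUS = """\
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-32-generic, x86_64):
  loaded plugins: charon aes sha2 sha1 md5 x509 pem kernel-libipsec kernel-netlink socket-default stroke updown eap-identity eap-md5 eap-tls dhcp
Virtual IP pools (size/online/offline):
  192.168.178.99: 1/1/0
  192.168.178.98: 1/0/0
Listening IP addresses:
  192.168.178.8
"""

# Constructed ipsec.conf fragment; the hostname is an assumption.
SAMPLE_CONF = """\
conn %default
    left = gateway.example.ddns.net
    leftsubnet = 192.168.178.0/24
    right = %any
"""


def loaded_plugins(status):
    """Set of plugin names from the 'loaded plugins:' line of `ipsec statusall`."""
    m = re.search(r"^\s*loaded plugins:\s*(.*)$", status, re.M)
    return set(m.group(1).split()) if m else set()


def virtual_ip_pools(status):
    """Pools listed under 'Virtual IP pools' as ip_network objects.
    A bare address (a one-host pool, as in the question) becomes a /32."""
    pools, in_section = [], False
    for line in status.splitlines():
        if line.startswith("Virtual IP pools"):
            in_section = True
            continue
        if in_section:
            m = re.match(r"\s+(\S+):\s+\d+/\d+/\d+", line)
            if not m:          # next section header ends the pool list
                break
            pools.append(ipaddress.ip_network(m.group(1), strict=False))
    return pools


def left_subnets(conf):
    """All networks named by leftsubnet= lines (comma-separated lists allowed)."""
    nets = []
    for m in re.finditer(r"^\s*leftsubnet\s*=\s*(.+)$", conf, re.M):
        nets.extend(ipaddress.ip_network(t.strip(), strict=False)
                    for t in m.group(1).split(","))
    return nets


def read_ip_forward():
    """Current net.ipv4.ip_forward, or None if not running on a Linux host."""
    try:
        with open("/proc/sys/net/ipv4/ip_forward") as f:
            return f.read().strip() == "1"
    except OSError:
        return None


def check_gateway(status, conf, ip_forward):
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings = []
    plugins = loaded_plugins(status)
    subnets = left_subnets(conf)
    for pool in virtual_ip_pools(status):
        inside = [n for n in subnets if n.version == pool.version and pool.subnet_of(n)]
        if inside and "farp" not in plugins:
            findings.append(
                f"pool {pool} lies inside leftsubnet {inside[0]} but the farp plugin "
                "is not loaded: LAN hosts get no ARP reply for the client (load farp "
                "or SNAT the client behind the gateway address)")
    if ip_forward is False:
        findings.append("net.ipv4.ip_forward is 0: the gateway will not route "
                        "between the tunnel and the LAN")
    if "kernel-libipsec" in plugins:
        findings.append("kernel-libipsec is loaded: decrypted traffic enters on the "
                        "ipsec0 TUN interface, so FORWARD/NAT rules must match ipsec0")
    return findings


if __name__ == "__main__":
    # On a live gateway, feed it: ipsec statusall | python3 check.py
    for finding in check_gateway(SAMPLE_STATUS, SAMPLE_CONF, read_ip_forward()):
        print("-", finding)
```

If the pool were chosen outside the LAN instead (say a dedicated /24), the `farp` finding no longer applies, but the LAN's default router then needs a route for that pool via the gateway, or the gateway must SNAT client traffic; the script reports only the in-subnet case because that is the configuration shown in the question.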