Problem configuring strongSwan on a new machine? [closed]

1

I am trying to migrate my strongSwan VPN server to a new machine, but it does not work.

My public IP address is dynamic and I use DDNS to reach my home network from outside. When I establish a VPN connection, only the server and the client can see each other. I cannot reach my server from the local network, only from the VPN client.

My configuration files

ipsec.conf :

config setup
    charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
    compress = yes
    fragmentation = yes
    left = ******.ddns.net
    leftallowany = yes
    leftauth = pubkey
    leftcert = vpnHostCert.pem
    leftsendcert = ifasked
    leftsubnet = **.**.**.0/24
    right = %any

conn S4-IKEv2-EAP
    rightauth = eap-md5
    rightid = mys4
    rightsourceip = **.**.**.99
    keyexchange = ikev2
    auto = add

conn Windows7-RSA-Cert
    rightauth = eap-tls
    rightsendcert = never
    rightsourceip = **.**.**.98
    eap_identity = %any
    keyexchange = ikev2
    auto = add

ipsec.secrets :

: RSA vpnHostKey.pem
: PSK xxxxx
mys4 : EAP xxxxx

strongswan.conf :

charon {
    load_modular = no
    dns1 = **.**.**.1

    plugins {
        *lots of plugins loaded*
    }
}

ipsec statusall :

Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-32-generic, x86_64):
  uptime: 9 minutes, since Aug 19 14:05:50 2018
  malloc: sbrk 2703360, mmap 0, used 608784, free 2094576
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 9
  loaded plugins: charon aes sha2 sha1 md5 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pem gmp curve25519 xcbc cmac hmac attr kernel-libipsec kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 eap-dynamic eap-tls eap-peap xauth-generic dhcp
Virtual IP pools (size/online/offline):
  **.**.**.99: 1/1/0
  **.**.**.98: 1/0/0
Listening IP addresses:
  **.**.**.8
Connections:
S4-IKEv2-EAP:  ***.ddns.net,0.0.0.0/0,::/0...%any  IKEv2
S4-IKEv2-EAP:   local:  [***.ddns.net] uses public key authentication
S4-IKEv2-EAP:    cert:  "C=DE, O=***, CN=***.ddns.net"
S4-IKEv2-EAP:   remote: [mys4] uses EAP_MD5 authentication
S4-IKEv2-EAP:   child:  **.**.**.0/24 === dynamic TUNNEL
Windows7-RSA-Cert:  ***.ddns.net,0.0.0.0/0,::/0...%any  IKEv2
Windows7-RSA-Cert:   local:  [***.ddns.net] uses public key authentication
Windows7-RSA-Cert:    cert:  "C=DE, O=***, CN=***.ddns.net"
Windows7-RSA-Cert:   remote: uses EAP_TLS authentication with EAP identity '%any'
Windows7-RSA-Cert:   child:  **.**.**.0/24 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
S4-IKEv2-EAP[7]: ESTABLISHED 82 seconds ago, **.**.**.8[***.ddns.net]...**.**.119.117[mys4]
S4-IKEv2-EAP[7]: IKEv2 SPIs: 64f15a37b081a84a_i 25f0661ea49bbc51_r*, public key reauthentication in 2 hours
S4-IKEv2-EAP[7]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
S4-IKEv2-EAP{2}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: 751d144c_i 8019b7f7_o
S4-IKEv2-EAP{2}:  AES_CBC_128/HMAC_SHA2_256_128, 19414 bytes_i (275 pkts, 0s ago), 10792 bytes_o (85 pkts, 0s ago), rekeying in 45 minutes
S4-IKEv2-EAP{2}:   **.**.**.0/24 === **.**.178.99/32
    
by Mario 19.08.2018 / 12:15

0 answers
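The post shows a road-warrior setup in which `leftsubnet` is the home LAN and the virtual IP pools (`rightsourceip`) sit inside that same /24, with `kernel-libipsec` and `kernel-netlink` both loaded and no `farp` plugin in the list. The script below is an added troubleshooting aid, not part of Mario's post or of strongSwan itself: it parses an `ipsec.conf` and the `loaded plugins:` line of `ipsec statusall`, then reports the conditions that usually decide whether VPN clients can reach LAN hosts (IP forwarding on the gateway, whether the pool lies inside `leftsubnet` so that proxy ARP via the `farp` plugin is needed, and whether `kernel-libipsec` moves plaintext traffic onto its `ipsec0` device). The sample inputs are constructed for this example and use documentation addresses (192.0.2.0/24, 10.10.10.0/24), not the redacted values from the post; `farp` and `kernel-libipsec` are real strongSwan plugin names.

```python
import ipaddress
import re

# Constructed sample inputs (not the poster's files) shaped like the post's ipsec.conf.
SAMPLE_IPSEC_CONF = """\
config setup
    charondebug="cfg 2, ike 2"

conn %default
    left = vpn.example.net
    leftsubnet = 192.0.2.0/24
    right = %any

conn S4-IKEv2-EAP
    rightsourceip = 192.0.2.99
    auto = add

conn Windows7-RSA-Cert
    rightsourceip = 192.0.2.98
    auto = add

conn Road-Warriors
    rightsourceip = 10.10.10.0/24
    auto = add
"""

# Constructed excerpt of `ipsec statusall`, mirroring the post: no farp, libipsec present.
SAMPLE_STATUSALL = """\
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-32-generic, x86_64):
  loaded plugins: charon aes sha2 x509 pubkey pem kernel-libipsec kernel-netlink socket-default stroke eap-md5 eap-tls dhcp
"""


def parse_conns(conf_text):
    """Return {conn_name: {key: value}} with the %default section folded into every conn."""
    sections = {}
    current = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():            # section header: "conn NAME" or "config setup"
            kind, _, name = line.partition(" ")
            current = name.strip() if kind == "conn" else None
            if current is not None:
                sections[current] = {}
            continue
        if current is None:                  # inside "config setup": not a conn
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    default = sections.pop("%default", {})
    return {name: {**default, **kv} for name, kv in sections.items()}


def loaded_plugins(statusall_text):
    """Extract the plugin names from the 'loaded plugins:' line of ipsec statusall."""
    m = re.search(r"loaded plugins:\s*(.*)", statusall_text)
    return set(m.group(1).split()) if m else set()


def read_ip_forward(path="/proc/sys/net/ipv4/ip_forward"):
    """Read the kernel forwarding flag; None if unavailable (non-Linux, no permission)."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None


def assess(conns, plugins, ip_forward):
    """Return (conn, finding) pairs explaining why LAN hosts and VPN clients may not reach each other."""
    findings = []
    if not ip_forward:
        findings.append(("*", "net.ipv4.ip_forward is not 1: the gateway will not forward "
                              "client traffic into the LAN"))
    if "kernel-libipsec" in plugins:
        findings.append(("*", "kernel-libipsec is loaded: decrypted client traffic enters via the "
                              "ipsec0 TUN device, so forwarding/firewall rules that rely on an "
                              "IPsec policy match (-m policy) will not see it"))
    for name, kv in conns.items():
        pool, lan = kv.get("rightsourceip"), kv.get("leftsubnet")
        if not pool or not lan:
            continue
        pool_net = ipaddress.ip_network(pool, strict=False)
        lan_net = ipaddress.ip_network(lan, strict=False)
        if pool_net.subnet_of(lan_net):
            if "farp" not in plugins:
                findings.append((name, f"pool {pool} lies inside leftsubnet {lan} but the farp "
                                       f"plugin is not loaded: LAN hosts cannot resolve the "
                                       f"client's address by ARP"))
        else:
            findings.append((name, f"pool {pool} is outside leftsubnet {lan}: LAN hosts need a "
                                   f"route for {pool} via the gateway, or the gateway must NAT"))
    return findings


if __name__ == "__main__":
    fwd = read_ip_forward()
    for conn, msg in assess(parse_conns(SAMPLE_IPSEC_CONF), loaded_plugins(SAMPLE_STATUSALL),
                            ip_forward=True if fwd is None else fwd):
        print(f"[{conn}] {msg}")
```

Run against the real files by replacing the two constructed strings with the contents of `/etc/ipsec.conf` and the output of `ipsec statusall`; on the gateway itself `read_ip_forward()` picks up the live sysctl value. Pools inside `leftsubnet` need the `farp` plugin (or a static neighbour entry on the LAN side), pools outside it need a route or NAT, and either way forwarding must be on and the firewall must allow traffic from the client addresses.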