[Swan] Can't route back down ipsec tunnel from VPS

Paul Wouters paul at nohats.ca
Fri Jan 2 20:57:35 EET 2015


On Wed, 3 Dec 2014, Darren Share wrote:

late reply, message was lost in the inbox.....

> FYI, I have also posted this on Server Fault. I am trying to establish an ipsec VPN from a Draytek router on the edge of our corporate
> network to a VPS on Digital Ocean. I've set up the VPN on the VPS using this script -
> https://github.com/philplckthun/setup-simple-ipsec-l2tp-vpn - on an Ubuntu 14.04 machine. I believe the script downloads and installs

That seems to be for L2TP/IPsec, not plain IPsec.

> conn vpnpsk
>  connaddrfamily=ipv4
>  auto=add
>  left=178.62.73.215
> #  leftid=178.62.73.215
> #  leftsubnet=178.62.73.215/32
>  leftsubnet=10.10.10.0/24
> #  leftnexthop=%defaultroute
>  leftnexthop=%direct
>  leftprotoport=17/1701
>  rightprotoport=17/%any
> #  right=%any
>  right=10.111.1.0/24
>  rightsourceip=10.111.1.1
>  leftsourceip=10.10.10.1
> #  rightsubnetwithin=0.0.0.0/0

You seem to mean to build a net-to-net from 10.10.10.0/24 to 10.111.1.0/24 ?

Your "right" should be the actual public IP of the server on that end,
or if responding only (because the other end is behind NAT) %any.
rightsubnet= should contain 10.111.1.0/24 instead.

You should NOT configure left/rightprotoport because that's for
transport mode host-to-host L2TP/IPsec only!

You should also not need leftnexthop=%direct or rightsourceip=10.111.1.1


>  forceencaps=yes
>  authby=secret
>  pfs=no

better to do pfs=yes if possible.

>  type=transport

and you will need type=tunnel

Paul
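For reference, here is the quoted conn rewritten as a net-to-net tunnel along the lines of the advice above. This is an added example, not a config from the original thread or from the libreswan project; the addresses are the ones quoted above, while the Draytek's public IP is not given in the thread, so the VPS side is written as a responder (right=%any, auto=add). The conn name is a placeholder. The PSK goes in ipsec.secrets as before.

```ini
# Added example, not from the original thread. Corrected net-to-net conn for
# the VPS side (left = VPS, right = Draytek at the corporate edge).
conn corp-to-vps
    type=tunnel               # was type=transport; net-to-net needs tunnel mode
    authby=secret             # PSK from ipsec.secrets
    pfs=yes                   # was pfs=no
    forceencaps=yes           # keep UDP encapsulation since the Draytek is NATed
    auto=add                  # responder only; cannot initiate towards %any
    # VPS end
    left=178.62.73.215
    leftsubnet=10.10.10.0/24
    leftsourceip=10.10.10.1   # kept from the original: source address the VPS
                              # itself uses when sending into the tunnel
    # Draytek end: replace %any with its public IP if the VPS should also initiate
    right=%any
    rightsubnet=10.111.1.0/24 # was right=10.111.1.0/24
    # Removed relative to the quoted conn:
    #   leftprotoport=17/1701 / rightprotoport=17/%any  (L2TP transport mode only)
    #   leftnexthop=%direct
    #   rightsourceip=10.111.1.1
```

After editing, load the conn with `ipsec auto --add corp-to-vps` and check `ipsec auto --status` for the 10.10.10.0/24===178.62.73.215...%any===10.111.1.0/24 policy; once the Draytek connects, the VPS routes 10.111.1.0/24 via the tunnel and, because of leftsourceip, its own traffic leaves with source 10.10.10.1 rather than the public address.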
