[Swan] Can't route back down ipsec tunnel from VPS
Paul Wouters
paul at nohats.ca
Fri Jan 2 20:57:35 EET 2015
On Wed, 3 Dec 2014, Darren Share wrote:
late reply, message was lost in the inbox.....
> FYI, I have also posted this on Server Fault. I am trying to establish an ipsec VPN from a Draytek router on the edge of our corporate
> network to a VPS on Digital Ocean. I've set up the VPN on the VPS using this script -
> https://github.com/philplckthun/setup-simple-ipsec-l2tp-vpn - on an Ubuntu 14.04 machine. I believe the script downloads and installs
That seems to be for L2TP/IPsec, not plain IPsec.
> conn vpnpsk
> connaddrfamily=ipv4
> auto=add
> left=178.62.73.215
> # leftid=178.62.73.215
> # leftsubnet=178.62.73.215/32
> leftsubnet=10.10.10.0/24
> # leftnexthop=%defaultroute
> leftnexthop=%direct
> leftprotoport=17/1701
> rightprotoport=17/%any
> # right=%any
> right=10.111.1.0/24
> rightsourceip=10.111.1.1
> leftsourceip=10.10.10.1
> # rightsubnetwithin=0.0.0.0/0
You seem to mean to build a net-to-net from 10.10.10.0/24 to 10.111.1.0/24 ?
Your "right" should be the actual public IP of the server on that end,
or if responding only (because the other end is behind NAT) %any.
rightsubnet= should contain 10.111.1.0/24 instead.
You should NOT configure left/rightprotoport because that's for
transport mode host-to-host L2TP/IPsec only!
You should also not need leftnexthop=%direct or rightsourceip=10.111.1.1
> forceencaps=yes
> authby=secret
> pfs=no
better to do pfs=yes if possible.
> type=transport
and you will need type=tunnel
Paul
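The corrections above collected into one net-to-net conn for the VPS side, as an added example (not from the thread or the linked script). It assumes the Draytek has no fixed public address, so the VPS only responds; the PSK value and the conn name are constructed placeholders.

```ini
# /etc/ipsec.conf (libreswan) - example conn applying the corrections
# from the reply above; not the original poster's config.
# Assumes the Draytek's public IP is not fixed, so the VPS only responds
# (right=%any, auto=add). If it is static, put it in right= and use
# auto=start so either side can initiate.

conn draytek-to-vps
    type=tunnel                 # net-to-net needs tunnel mode, not transport
    authby=secret               # pre-shared key, kept in /etc/ipsec.secrets
    pfs=yes                     # instead of pfs=no
    auto=add                    # responder only; the Draytek initiates
    left=178.62.73.215          # VPS public IP
    leftsubnet=10.10.10.0/24    # network behind the VPS
    right=%any                  # Draytek public IP, or %any when NATed/dynamic
    rightsubnet=10.111.1.0/24   # corporate network behind the Draytek
    # Dropped on purpose: leftprotoport/rightprotoport (transport-mode
    # L2TP/IPsec only), leftnexthop=%direct, leftsourceip, rightsourceip.

# /etc/ipsec.secrets - matching PSK entry (placeholder value, constructed)
# 178.62.73.215 %any : PSK "REPLACE-WITH-A-LONG-RANDOM-SECRET"
```

After `ipsec auto --add draytek-to-vps`, `ipsec auto --status` should list both /24 subnets in the conn's policy rather than the 17/1701 ports.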