Robert, make sure you have ip_forward turned on (net.ipv4.ip_forward = 1)
and masquerade the IP address:

    /sbin/iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE

Then you need to make sure that anything that goes down the internal interface comes back that way. See if you can make sense of the following, which is my config. eth0 is public facing, eth1 is internal facing:

cat <<EOF >> /etc/network/interfaces.d/50-cloud-init.cfg
auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet dhcp
  metric 100
EOF
ifup eth1

SN1="$(ip r | awk '/eth1/ { print $1 }' | tail -n 1)"    # internal subnet
IP1="$(ip r | awk '/eth1/ { print $NF }' | tail -n 1)"   # internal ip
GW1="$(echo ${SN1} | cut -d'/' -f1 | cut -d'.' -f1-3).1" # internal gateway
# REMOTECIDR (the remote subnet) must be set before the next heredoc is expanded
echo 200 eth1 >> /etc/iproute2/rt_tables

cat <<EOF >> /etc/network/interfaces.d/50-cloud-init.cfg
  post-up /sbin/ip rule add from ${IP1} table eth1
  pre-down /sbin/ip rule delete from ${IP1} table eth1
  post-up /sbin/ip route add default via ${GW1} table eth1
  pre-down /sbin/ip route delete default via ${GW1} table eth1
  post-up /sbin/ip route add ${REMOTECIDR} via ${GW1}
  pre-down /sbin/ip route delete ${REMOTECIDR} via ${GW1}
  post-up /sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
  pre-down /sbin/iptables -t nat -D POSTROUTING -o eth1 -j MASQUERADE
EOF
ifdown eth1; ifup eth1

cat <<EOF > /etc/sysctl.d/60-strongswan.conf
net.ipv4.ip_forward = 1
EOF
sysctl -p /etc/sysctl.d/60-strongswan.conf

Kind regards,

Christian Salway
IT Consultant - Naimuri
T: +44 7463 331432
E: christian.sal...@naimuri.com
A: Naimuri Ltd, Chandlers Point, Manchester M50 2UW

> On 20 Aug 2018, at 22:23, Robert Green <robert.gr...@wegolook.com> wrote:
>
> Hello All,
>
> I may be doing something that isn't going to work easily. I am trying to
> setup strongswan on a separate system than is on my firewall/router. This
> separate system is also directly connected to the public internet. This is to
> support a road warrior setup.
>
> I currently have the windows 10 client connecting via certificates.
> However, when I connect the client I can not get traffic beyond the VPN box. I can
> ping the internal interface but I can not ping into the network or external
> clients.
>
> I see the routes in the table 220 but they don't look right to me. I do have
> the firewall rules turned on in the config and those look to be populating
> correctly.
>
> /etc/ipsec.conf
> config setup
>     # strictcrlpolicy=yes
>     # uniqueids = no
>     charondebug="cfg 2, dmn 2, ike 2, net 2"
>
> conn remote-users
>     fragmentation=yes
>     ike=aes256-sha1-modp1024,3des-sha1-modp1024!
>     esp=aes256-sha1,3des-sha1!
>     left=%any
>     #leftsubnet=0.0.0.0/0
>     leftsubnet=192.168.0.0/16
>     leftcert=server_cert.pem
>     leftfirewall=yes
>     right=%any
>     rightdns=1.1.1.1, 8.8.8.8
>     rightsourceip=192.168.18.2-192.168.18.254
>     keyexchange=ikev2
>     #auto=add
>     auto=route
>
> ip route show table 220
>
> 192.168.18.2 via 12.12.12.1 dev enp0s25 proto static src 192.168.1.198
>
> My interfaces are:
> enp0s25 -> 12.12.12.1 (public interface)
> enp3s0 -> 192.168.1.198 (internal interface)
>
> Primary gateway 192.168.0.1 (netmask /23)
>
> This all has been sanitized. I have been beating my head against the wall on
> this one. I know this is a routing issue but not sure how to properly fix it.
>
> Thank you,
> --
> Robert Green
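The procedure in Christian's reply (ip_forward, MASQUERADE out of the internal interface, and a per-interface routing table selected by an ip rule on the internal address), gathered into one script as an added example; it is not code from the thread. It assumes the interface names eth0/eth1, the 192.168.18.0/24 client pool implied by Robert's rightsourceip, and constructed sample internal addresses, all overridable from the environment. Two points differ from the reply: every iptables rule is checked with -C before it is appended, so re-running does not stack duplicates (and note that the -D in a one-liner deletes a rule rather than adding it), and the MASQUERADE rule is limited with -s to the VPN pool so the box does not NAT every packet it happens to forward. The FORWARD rules are an addition here, opening only the pool-to-LAN path. The "gateway is .1" heuristic is kept from the reply; set GW when the router lives elsewhere. DRY_RUN=1, the default, prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not code from the thread: idempotent forwarding, NAT and
# source-based policy routing for a VPN host with a public interface (PUB)
# and an internal interface (INT). Interface names, pool, table id/name and
# the internal addresses are assumed sample values; override via environment.
set -eu

PUB="${PUB:-eth0}"                          # public-facing interface
INT="${INT:-eth1}"                          # internal-facing interface
POOL="${POOL:-192.168.18.0/24}"             # VPN client pool (rightsourceip range)
INT_SUBNET="${INT_SUBNET:-192.168.1.0/24}"  # constructed sample; normally from 'ip route'
INT_IP="${INT_IP:-192.168.1.198}"           # constructed sample address on INT
TABLE_ID="${TABLE_ID:-200}"
TABLE_NAME="${TABLE_NAME:-int}"
DRY_RUN="${DRY_RUN:-1}"                     # 1: print commands, 0: execute (root)

run() {                                     # print or execute a command
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

gw_from_cidr() {                            # a.b.c.0/24 -> a.b.c.1 (assumes gateway at .1)
  net="${1%/*}"
  printf '%s.1\n' "${net%.*}"
}
GW="${GW:-$(gw_from_cidr "$INT_SUBNET")}"   # override GW if the router is not .1

ensure_rule() {                             # append an iptables rule only if absent (-C)
  table="$1"; shift
  if [ "$DRY_RUN" = 1 ] || ! iptables -t "$table" -C "$@" 2>/dev/null; then
    run iptables -t "$table" -A "$@"
  fi
}

ensure_ip_rule() {                          # 'ip rule add' is not idempotent, so check first
  if [ "$DRY_RUN" = 1 ] || ! ip rule show | grep -q "from $INT_IP lookup $TABLE_NAME"; then
    run ip rule add from "$INT_IP" table "$TABLE_NAME"
  fi
}

ensure_rt_table() {                         # register the table name once
  if [ "$DRY_RUN" = 1 ] || ! grep -qs "^$TABLE_ID[[:space:]]*$TABLE_NAME\$" /etc/iproute2/rt_tables; then
    run sh -c "echo '$TABLE_ID $TABLE_NAME' >> /etc/iproute2/rt_tables"
  fi
}

plan() {
  run sysctl -w net.ipv4.ip_forward=1
  ensure_rt_table
  ensure_ip_rule
  # 'replace' is idempotent, unlike 'add': traffic sourced from INT_IP goes out via the LAN gateway
  run ip route replace default via "$GW" dev "$INT" table "$TABLE_NAME"
  # NAT only the VPN pool towards the LAN, not everything the box forwards
  ensure_rule nat POSTROUTING -o "$INT" -s "$POOL" -j MASQUERADE
  # forward pool -> LAN, and only replies LAN -> pool; the rest keeps the existing FORWARD policy
  ensure_rule filter FORWARD -s "$POOL" -o "$INT" -j ACCEPT
  ensure_rule filter FORWARD -d "$POOL" -i "$INT" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

[ "${NO_MAIN:-0}" = 1 ] || plan
```

Run it once as-is to review the plan, then with DRY_RUN=0 as root. With leftfirewall=yes strongSwan's updown script also inserts its own FORWARD rules per client, so the two FORWARD rules above are belt-and-braces rather than a replacement for it; the NAT and policy-routing lines are the part the updown script does not do for you.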