Hello Quân,

Please provide the outputs of all commands as shown on the HelpRequests[1] page.

Kind regards
Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

On 11.02.20 at 11:15, Nguyễn Hồng Quân wrote:
> Hi, I'm trying to learn StrongSwan
>
> I have two VPS, quan.hoabinh.vn (103.92.28.225) and parking.nanochip.io (104.248.153.183) where I want to establish a site-to-site tunnel like this diagram:
>
>     192.168.12.0/24 -- | 103.92.28.225 | === | 104.248.153.183 | -- 192.168.18.0/24
>         moon-net            moon                  sun                sun-net
>
> Under each server is a LAN network built by WireGuard (192.168.12.0/24 and 192.168.18.0/24).
>
> This is the config on Moon server:
>
> # File: /etc/swanctl/conf.d/moon.conf
> connections {
>     net-net {
>         remote_addrs = 104.248.153.183
>         local {
>             auth = pubkey
>             certs = fullchain.pem
>         }
>         remote {
>             auth = pubkey
>         }
>         children {
>             net-net {
>                 local_ts = 192.168.12.0/24
>                 remote_ts = 192.168.18.0/24
>                 updown = /usr/lib/ipsec/_updown iptables
>                 start_action = trap
>             }
>         }
>     }
> }
>
> And config on Sun server:
>
> # File: /etc/swanctl/conf.d/sun.conf
> connections {
>     net-net {
>         remote_addrs = 103.92.28.225
>         local {
>             auth = pubkey
>             certs = fullchain.pem
>         }
>         remote {
>             auth = pubkey
>         }
>         children {
>             net-net {
>                 local_ts = 192.168.18.0/24
>                 remote_ts = 192.168.12.0/24
>                 updown = /usr/lib/ipsec/_updown iptables
>                 start_action = trap
>             }
>         }
>     }
> }
>
> The certificates are supplied by Let's Encrypt SSL.
>
> The tunnel seems to be established successfully, but from Moon server, I cannot ping 192.168.18.1, which is Sun's IP address in WireGuard VPN (no response).
>
> This is the log, observed on Sun server (target of ping):
>
> https://paste.ubuntu.com/p/j7HBMh2r8Y/
>
> iptables rules on Moon server:
>
> $ sudo iptables -S -t nat
> [sudo] password for quan:
> -P PREROUTING ACCEPT
> -P INPUT ACCEPT
> -P OUTPUT ACCEPT
> -P POSTROUTING ACCEPT
> -A POSTROUTING -o ens18 -j MASQUERADE
>
> $ sudo iptables -S
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
> -A FORWARD -s 192.168.18.0/24 -d 192.168.12.0/24 -i ens18 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> -A FORWARD -s 192.168.12.0/24 -d 192.168.18.0/24 -o ens18 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> -A FORWARD -i wg0 -j ACCEPT
>
> Please help to make ping work.
>
> --
> Quân
>
> Nguyễn Hồng Quân
> ☎ 093 9030 338
> Facebook: ng.hong.quan
> 🌏 quan.hoabinh.vn agriconnect.vn
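As an added example (not part of this thread or of strongSwan itself), a POSIX shell check that reads an `iptables -S -t nat` listing like the one quoted above and flags a POSTROUTING MASQUERADE rule that has no IPsec policy exception ahead of it; strongSwan's NAT documentation calls for such an exception so that tunnel traffic is not source-NATed before the IPsec policy lookup. Both sample listings are constructed from the moon table in the thread.

```shell
#!/bin/sh
# Added check, not from the thread: read an `iptables -S -t nat` listing on
# stdin and flag any POSTROUTING MASQUERADE rule that is not preceded by an
# exception for IPsec-protected traffic (a POSTROUTING rule matching
# `-m policy --dir out --pol ipsec` with target ACCEPT). Without that
# exception, packets from the local subnet are source-NATed before the
# IPsec policy lookup and no longer match the child's traffic selectors.
# Returns 0 when every MASQUERADE rule is covered, 1 otherwise.
check_nat_masquerade() {
    awk '
        /^-A POSTROUTING / && /-m policy/ && /--pol ipsec/ && /-j ACCEPT/ {
            exception = 1
        }
        /^-A POSTROUTING / && /-j MASQUERADE/ && !exception {
            print "MASQUERADE without preceding IPsec exception: " $0
            bad = 1
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample: the moon NAT table quoted in the thread.
moon_nat='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -o ens18 -j MASQUERADE'

# Constructed sample: the same table with the exception inserted ahead of
# MASQUERADE (what `iptables -t nat -I POSTROUTING -m policy --dir out
# --pol ipsec -j ACCEPT` would produce).
fixed_nat='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o ens18 -j MASQUERADE'

for name in moon_nat fixed_nat; do
    eval "listing=\$$name"
    if printf '%s\n' "$listing" | check_nat_masquerade; then
        echo "$name: ok"
    else
        echo "$name: needs an IPsec exception before MASQUERADE"
    fi
done
```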