I have a StrongSwan VPN server running Ubuntu 16.04.5 LTS. The public IP is 51.x.x.x. The site-to-site configuration between my StrongSwan VPN server and the other VPN server, which is an ASA cisco firewall with public IP 18.104.22.168, is working properly.
Once the tunnel is enabled, I could ping and telnet to the 22.214.171.124 private server behind the Cisco ASA firewall. The 126.96.36.199 server is not accessible through open Internet access except through the VPN tunnel. Note that the IP address is a public IP address.
I've configured this strongswan VPN server for it to act as a bridge between my private 192.168.0.0/16 network and the cisco ASA firewall (my Strongswan vpn server private IP is 192.168.0.8). That is, I want to be able to ping or telnet in 188.8.131.52 from 192.168.0.13, via the Strongswan VPN server, acting as a router.
My VPN server has two NICS: Ens18 that carries a public IP address and Ens19 with a private IP address.
I've defined two areas on my VPN server: public and internal areas. I've assigned a public interface to a public zone and a private interface to an inner zone
I managed to execute this command on the packet transmission but I do not see its sudo effect firewall-cmd –permanent –direct –passthrough ipv4 -t nat -I POSTROUTING -o ens18 -j MASQUERADE -s 192.168.0.0/23 -d 184.108.40.206
When I try to ping 220.127.116.11, it fails. 100% packet loss.
Here are my configurations on the Strongswan VPN server:
sore @ ubuntu-vpnserver: ~ $ firewall-cmd sudo –list-all –zone = public [sudo] password for sore: public (default, active) interfaces: ens18 sources: services: dhcpv6-client ports ssh ipsec: 4500 / udp 500 / protocols udp: masquerade: yes following ports: port = 4500: proto = udp: toport = 443: toaddr = 18.104.22.168 port = 500: proto = udp: toport = 443: toaddr = 22.214.171.124 port = 4500: proto = udp: toport = 443: toaddr = 192.168.0.13 port = 500: proto = udp: toport = 443: toaddr = 192.168.0.13 icmp blocks: rich rules: rule protocol value = "ah" accept rule protocol value = "esp" accept
Here is my file / etc / network / interfaces
auto ens18 iface ens18 inet static address 51.xxx net mask 255.255.255.255 broadcast 51.xxx post-up route add 54.36.12x.x dev ens18 post-up route add default gw 54.36.12x.x pre-descent road del 54.36.12x .x dev ens18 pre-down route of default gw 56.36.12x.x DNS name servers 213.186.xx
auto ens19 iface ens19 inet static address 192.168.0.8 net mask 255.255.254.0 getway 192.168.0.1