Site-to-site IPSec routing (Ubuntu, StrongSwan)

We have used tcpdump to examine traffic in and out of the two firewall nodes. I note in passing that tcpdump with {Open,Libre,Strong}S/WAN in a modern kernel can be a bit problematic, because on the interface out of which the encrypted traffic comes and goes one sees the plaintext traffic only when it leaves and not when it arrives.

Nevertheless, using tcpdump to follow the flow, we have established that the ICMP echo-requests are getting all the way from network A to network B, and responses are getting as far back as serverA (the network A OpenVPN server / IPSec tunnel collapse point), but they are not passing through it to the OpenVPN client.

Since the traffic is being forwarded outbound, there is no general problem with traffic forwarding, and thus we suspect firewall rules. You have added a rule to permit the forwarding of traffic from the external network to the OpenVPN tun0 interface, and complete connectivity has resulted.

You might wish to refine that rule slightly, e.g. to have it explicitly apply to traffic that arrived via an IPSec connection:

    iptables -A FORWARD -i eth0 -o tun0 -m policy --pol ipsec --dir in -j ACCEPT

or perhaps to make it statefully-aware, but those are refinements and are up to you.
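As an added example (not part of the original answer): a small audit that reads `iptables-save` output and reports whether each FORWARD ACCEPT rule from eth0 to tun0 is limited to traffic that arrived via IPsec, is stateful, or is broad. The sample ruleset and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in iptables-save format (not taken from the original post).
sample_rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -i eth0 -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# usage: audit_forward IN_IF OUT_IF < iptables-save-output
# Prints one line per matching FORWARD ACCEPT rule, prefixed with:
#   ipsec-only  rule carries "-m policy" with --pol ipsec and --dir in
#   stateful    rule only admits ESTABLISHED (reply) traffic
#   broad       rule accepts anything arriving on IN_IF bound for OUT_IF
# Simplification: negated ("!") matches are not interpreted.
audit_forward() {
  awk -v in_if="$1" -v out_if="$2" '
    $1 == "-A" && $2 == "FORWARD" {
      i = o = pol = dir = st = acc = 0
      for (n = 3; n <= NF; n++) {
        if ($n == "-i" && $(n+1) == in_if) i = 1
        if ($n == "-o" && $(n+1) == out_if) o = 1
        if ($n == "--pol" && $(n+1) == "ipsec") pol = 1
        if ($n == "--dir" && $(n+1) == "in") dir = 1
        if (($n == "--ctstate" || $n == "--state") && $(n+1) ~ /ESTABLISHED/) st = 1
        if ($n == "-j" && $(n+1) == "ACCEPT") acc = 1
      }
      if (!(i && o && acc)) next
      if (pol && dir) kind = "ipsec-only"
      else if (st) kind = "stateful"
      else kind = "broad"
      print kind ": " $0
    }'
}

# Number of broad rules; 0 means every accept on this path is constrained.
count_broad() {
  audit_forward "$1" "$2" | awk '/^broad:/ { c++ } END { print c + 0 }'
}

sample_rules | audit_forward eth0 tun0
```

On a live gateway, feed it the real ruleset instead of the sample: `iptables-save -t filter | audit_forward eth0 tun0`.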