Site-to-site IPSec routing (Ubuntu, StrongSwan)
We have used tcpdump to examine traffic in and out of the two firewall nodes. I note in passing that tcpdump with {Open,Libre,Strong}S/WAN in a modern kernel can be a bit problematic, because on the interface out of which the encrypted traffic comes and goes one sees the plaintext traffic only when it leaves and not when it arrives.
Nevertheless, using tcpdump to follow the flow, we have established that the ICMP echo-requests are getting all the way from network A to network B, and responses are getting as far back as serverA (the network A OpenVPN server / IPSec tunnel collapse point), but they are not passing through it to the OpenVPN client.

Since the traffic is being forwarded outbound, there is no general problem with traffic forwarding, and thus we suspect firewall rules. You have added a rule to permit the forwarding of traffic from the external network to the OpenVPN tun0 interface, and complete connectivity has resulted.
You might wish to refine that rule slightly, e.g. to have it explicitly apply to traffic that arrived via an IPSec connection:

    iptables -A FORWARD -i eth0 -o tun0 -m policy --pol ipsec --dir in -j ACCEPT

or perhaps to make it stateful, but those are refinements and are up to you.
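As an added illustration of both refinements together (this is example code, not part of the answer above or of anyone's actual firewall script), the following POSIX shell function emits the FORWARD rules in the order they need to appear: a conntrack shortcut for reply traffic first, then the policy-matched rule for new flows that arrived over IPSec and are bound for tun0, then its mirror for new flows from tun0 that will leave encrypted. The interface names eth0 and tun0, the DRY_RUN convention and the function names are assumptions for the example; by default it only prints the iptables commands so it can be reviewed before being applied with DRY_RUN=0 as root.

```shell
#!/bin/sh
# Added example, not from the original answer: refined FORWARD rules for
# traffic that arrives over an IPSec tunnel and is forwarded into OpenVPN.
# Interface names, function names and the DRY_RUN switch are assumptions.
set -eu

# Default to printing the commands; set DRY_RUN=0 to actually apply them.
: "${DRY_RUN:=1}"

# run CMD...: execute CMD when DRY_RUN=0, otherwise print it one per line.
run() {
    if [ "$DRY_RUN" = "0" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# ipsec_forward_rules WAN_IF VPN_IF
# Emits three rules, in the order they must sit in the FORWARD chain:
#   1. replies for flows already accepted, in either direction (stateful)
#   2. NEW flows that were decrypted by IPSec on WAN_IF and head for VPN_IF
#   3. NEW flows from VPN_IF that will be encrypted by IPSec on WAN_IF
# '-m policy --dir in' only matches packets the kernel actually decrypted,
# so cleartext arriving on WAN_IF is not let through by rule 2.
ipsec_forward_rules() {
    wan=$1
    vpn=$2
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$wan" -o "$vpn" \
        -m policy --pol ipsec --dir in \
        -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -i "$vpn" -o "$wan" \
        -m policy --pol ipsec --dir out \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Usage: review the output, then re-run with DRY_RUN=0 to install the rules.
# Only run at top level when invoked directly with the interfaces as arguments.
if [ "$#" -eq 2 ]; then
    ipsec_forward_rules "$1" "$2"
fi
```

Rule 1 must precede the others so that return traffic is accepted regardless of which direction the flow started in; rules 2 and 3 are then only consulted for the first packet of each flow, which is also where the `-m policy` match does its useful work.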