IPSEC with StrongSwan/swanctl to connect to home freebox IPSEC

Hi,

I'm trying to configure an IPsec VPN client to connect to my home, using the IPsec VPN of my provider's Freebox... It works fine from Android strongSwan and Windows on the same Wi-Fi network, but I would like to configure a travel router, a GL-MT3000, with vanilla OpenWrt 23.05.3.
I've installed strongswan-full (and ip-full and luci-proto-xfrm to help).

It can connect perfectly using IKEv2/EAP/MSCHAPv2+pubkey, but no data is tunneled. The VPN server on my box tells me 0 bytes in and out, while it says IKEv2 is authenticated.
Traces show no problem.
Tunneling through UDP/4500 for NAT-T seems OK; UDP/500 works well.

The travel router LAN is 192.168.1.0/24
The WAN is 192.168.10.0/24 (it can change, eg on USB tethering)
the freebox is 1.2.3.4 (IP changed)
its internal home network is 192.168.0.0/24
and it should relay both access to the internal network and to the full internet.
The IPsec server on the Freebox allocates an IP from a pool on 192.168.27.0/24, and my user is associated with 192.168.27.65...

I've tried to configure everything as classically as possible, but it does not work.
I had to add a passthrough-lan child in strongSwan to avoid my LAN becoming unreachable when I start the 'home' child...
I tried many things like an XFRM interface, but I could not make it work.
Routing table 220 seems as expected, but nothing is tunneled. 2 XFRM links are created...
I've tried to open the firewall as wide as possible, but nothing improved, and the firewall trace shows nothing.

I have surely missed something. I've looked at many posts and documentation everywhere, but it seems that swanctl on OpenWrt is quite recent...
Maybe XFRM or playing with the ipsec.user script could help, but I don't understand how it works.

Here is the swanctl config:

/etc/swanctl/conf.d/home.conf

connections {
    home {
        remote_addrs = thefreebox.freeboxos.fr
        #if_id_in = 101
        #if_id_out = 101
        encap = yes
        proposals = default
        vips = 0.0.0.0
        local {
            auth = eap
            eap_id = alain.co
        }
        remote {
            auth = pubkey
            id = thefreebox.freeboxos.fr
            certs = thefreebox-freeboxos-fr.pem
            cacerts = r3-chain.pem
        }
        children {
            home {
                local_ts = dynamic
                remote_ts = 0.0.0.0/0
                mode = tunnel
                esp_proposals = default
                start_action = none
                close_action = none
            }
        }
    }
    passthrough-lan {
        remote_addrs = 127.0.0.1
        children {
            passthrough-lan {
                local_ts = 192.168.1.0/24,fd03:ca54:c745::/64
                remote_ts = 192.168.1.0/24,fd03:ca54:c745::/64
                mode = pass
                start_action = trap
            }
        }
    }
}
secrets {
    eap-alain-co {
        id = alain.co
        secret = XXX
    }
}

  • The file /etc/ipsec.user is empty, as by default. Maybe that's the key?
  • I have disabled the ipsec service, as it prevented the swanctl service from starting and swanctl --initiate from working. Is that normal?

Here are the states of ip addr, route, rule, xfrm:

ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 94:83:c4:49:0f:d2 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
    link/ether 94:83:c4:49:0f:d3 brd ff:ff:ff:ff:ff:ff
5: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 94:83:c4:49:0f:d2 brd ff:ff:ff:ff:ff:ff
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 94:83:c4:49:0f:d3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd03:ca54:c745::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::9683:c4ff:fe49:fd3/64 scope link
       valid_lft forever preferred_lft forever
7: phy0-sta0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 94:83:c4:49:0f:d4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.250/24 brd 192.168.10.255 scope global phy0-sta0
       valid_lft forever preferred_lft forever
    inet 192.168.27.65/32 scope global phy0-sta0
       valid_lft forever preferred_lft forever
    inet6 fd17:b4b5:1c96:0:9683:c4ff:fe49:fd4/64 scope global dynamic noprefixroute
       valid_lft 43127sec preferred_lft 227sec
    inet6 fe80::9683:c4ff:fe49:fd4/64 scope link
       valid_lft forever preferred_lft forever

ip xfrm state list
src 192.168.10.250 dst 1.2.3.4
	proto esp spi 0xc4dda98a reqid 1 mode tunnel
	replay-window 0 flag af-unspec
	auth-trunc hmac(sha256) 0x6e2ff4b9ba1424d14c62cb668ac3b7e504246bfdd314ef1a1516a23c61805c7b 128
	enc cbc(aes) 0x701da05c8d55aea64d3f6294992296e8
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 1.2.3.4 dst 192.168.10.250
	proto esp spi 0xcbfbbd74 reqid 1 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha256) 0x36d462ac883340db21d0d771d8e8ec52213711e5f6e91143aa5c583d5729ed69 128
	enc cbc(aes) 0x760e7545c212ec82b8a0b1aac4d99992
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000

ip xfrm policy
src 192.168.27.65/32 dst 0.0.0.0/0
	dir out priority 383615
	tmpl src 192.168.10.250 dst 1.2.3.4
		proto esp spi 0xc4dda98a reqid 1 mode tunnel
src 0.0.0.0/0 dst 192.168.27.65/32
	dir fwd priority 383615
	tmpl src 1.2.3.4 dst 192.168.10.250
		proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 192.168.27.65/32
	dir in priority 383615
	tmpl src 1.2.3.4 dst 192.168.10.250
		proto esp reqid 1 mode tunnel
src fd03:ca54:c745::/64 dst fd03:ca54:c745::/64
	dir fwd priority 134463
src fd03:ca54:c745::/64 dst fd03:ca54:c745::/64
	dir in priority 134463
src fd03:ca54:c745::/64 dst fd03:ca54:c745::/64
	dir out priority 134463
src 192.168.1.0/24 dst 192.168.1.0/24
	dir fwd priority 175423
src 192.168.1.0/24 dst 192.168.1.0/24
	dir in priority 175423
src 192.168.1.0/24 dst 192.168.1.0/24
	dir out priority 175423
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0
src ::/0 dst ::/0
	socket in priority 0
src ::/0 dst ::/0
	socket out priority 0
src ::/0 dst ::/0
	socket in priority 0
src ::/0 dst ::/0
	socket out priority 0

ip route show table 220
default via 192.168.10.1 dev phy0-sta0 proto static src 192.168.27.65
throw 192.168.1.0/24 proto static

ip route show table main
default via 192.168.10.1 dev phy0-sta0 proto static src 192.168.10.250 metric 100
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.10.0/24 dev phy0-sta0 proto static scope link metric 100

ip route show table local
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
local 192.168.1.1 dev br-lan proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan proto kernel scope link src 192.168.1.1
local 192.168.10.250 dev phy0-sta0 proto kernel scope host src 192.168.10.250
broadcast 192.168.10.255 dev phy0-sta0 proto kernel scope link src 192.168.10.250
local 192.168.27.65 dev phy0-sta0 proto kernel scope host src 192.168.27.65

ip route show default
default via 192.168.10.1 dev phy0-sta0 proto static src 192.168.10.250 metric 100

ip rule
0: from all lookup local
220: from all lookup 220
32766: from all lookup main
32767: from all lookup default

Here are the network, wireless and firewall configs...

== /etc/config/network

config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fd03:ca54:c745::/48'

config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1'

config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '64'
list ip6class 'local'

config interface 'wan'
option device 'phy0-sta0'
option proto 'dhcp'
option metric '100'
option type 'bridge'

config interface 'wan6'
option device '@wan'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
option sourcefilter '0'
option type 'bridge'

== /etc/config/wireless

config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/18000000.wifi'
option channel 'auto'
option band '2g'
option htmode 'HT20'
option cell_density '0'
option country 'FR'

config wifi-iface 'wifinet3'
option device 'radio0'
option mode 'sta'
option ssid 'XXXGUEST'
option encryption 'psk2'
option key 'ZZZ'
option ifname 'phy0-sta0'
option network 'wan wan6'

== /etc/config/firewall

config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option mtu_fix '1'
option log '1'
option log_limit '10/minute'
list network 'lan'

config zone
option name 'wan'
option input 'DROP'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
option masq '1'
option masq6 '1'
list network 'wan'
list network 'wan6'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESPAH'
option src 'wan'
option dest 'lan'
option target 'ACCEPT'
list proto 'esp'
list proto 'ah'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config rule
option name 'Allow-IPSEX-ESPAH-Input'
option src 'wan'
option target 'ACCEPT'
list proto 'esp'
list proto 'ah'

config rule
option name 'Allow-ISAKMP-Input'
list proto 'udp'
option dest_port '500'
option target 'ACCEPT'
option src 'wan'

Here are some traces. As you can see, it seems to work like a charm, but no data is tunneled.

== boot logs

Wed May 8 09:07:02 2024 daemon.info ipsec: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.11, Linux 5.15.150, aarch64)
Wed May 8 09:07:02 2024 daemon.info ipsec: 00[LIB] plugin 'eap-dynamic': failed to load - eap_dynamic_plugin_create not found and no plugin file available
Wed May 8 09:07:02 2024 daemon.info ipsec: 00[CFG] PKCS11 module '' lacks library path
Wed May 8 09:07:03 2024 daemon.info ipsec: 00[LIB] providers loaded by OpenSSL: default
Wed May 8 09:07:03 2024 daemon.info ipsec: 00[LIB] plugin 'wolfssl' failed to load: Error relocating /usr/lib/ipsec/plugins/libstrongswan-wolfssl.so: wolfssl_ec_diffie_hellman_create: symbol not found
Wed May 8 09:07:04 2024 daemon.info ipsec: 00[LIB] plugin 'gmpdh': failed to load - gmpdh_plugin_create not found and no plugin file available
Wed May 8 09:07:04 2024 daemon.info ipsec: 00[CFG] disabling load-tester plugin, not configured
Wed May 8 09:07:04 2024 daemon.info ipsec: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Wed May 8 09:07:04 2024 daemon.info ipsec: 00[CFG] install DNS servers in '/etc/resolv.conf'
Wed May 8 09:07:04 2024 daemon.info ipsec: 00[LIB] plugin 'uci' failed to load: Error relocating /usr/lib/ipsec/plugins/libstrongswan-uci.so: uci_lookup: symbol not found
Wed May 8 09:07:04 2024 daemon.info ipsec: 00[CFG] attr-sql plugin: database URI not set
Wed May 8 09:07:04 2024 daemon.info ipsec: 00[NET] using forecast interface br-lan
Wed May 8 09:07:04 2024 daemon.info ipsec: 00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
Wed May 8 09:07:04 2024 daemon.info ipsec: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Wed May 8 09:07:04 2024 daemon.info ipsec: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Wed May 8 09:07:04 2024 daemon.info ipsec: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Wed May 8 09:07:04 2024 daemon.info ipsec: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Wed May 8 09:07:04 2024 daemon.info ipsec: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Wed May 8 09:07:04 2024 daemon.info ipsec: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Wed May 8 09:07:04 2024 daemon.info ipsec: 00[CFG] expanding file expression '/var/ipsec/ipsec.secrets' failed
Wed May 8 09:07:04 2024 daemon.info ipsec: 00[CFG] sql plugin: database URI not set
Wed May 8 09:07:04 2024 daemon.info ipsec: 00[CFG] loaded 0 RADIUS server configurations
Wed May 8 09:07:04 2024 daemon.info ipsec: 00[CFG] HA config misses local/remote address
Wed May 8 09:07:04 2024 daemon.info ipsec: 00[CFG] coupling file path unspecified
Wed May 8 09:07:04 2024 daemon.info ipsec: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha2 sha3 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl gcrypt pkcs8 af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac kdf ctr ccm gcm ntru drbg newhope bliss curl mysql sqlite attr kernel-netlink resolve socket-default connmark forecast farp stroke vici smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Wed May 8 09:07:04 2024 daemon.info ipsec: 00[JOB] spawning 16 worker threads
Wed May 8 09:07:04 2024 daemon.info ipsec: 00[DMN] executing start script 'load-all' (/usr/sbin/swanctl --load-all --noprompt)
Wed May 8 09:07:05 2024 daemon.info ipsec: 15[CFG] loaded certificate 'CN=thefreebox.freeboxos.fr'
Wed May 8 09:07:05 2024 daemon.info ipsec: 00[DMN] load-all: loaded certificate from '/etc/swanctl/x509/thefreebox-freeboxos-fr.pem'
Wed May 8 09:07:05 2024 daemon.info ipsec: 06[CFG] loaded certificate 'C=US, O=Let's Encrypt, CN=R3'
Wed May 8 09:07:05 2024 daemon.info ipsec: 12[CFG] loaded certificate 'C=US, O=Internet Security Research Group, CN=ISRG Root X1'
Wed May 8 09:07:05 2024 daemon.info ipsec: 15[CFG] loaded certificate 'C=US, O=Let's Encrypt, CN=R3'
Wed May 8 09:07:05 2024 daemon.info ipsec: 03[CFG] loaded EAP shared key with id 'eap-alain-co' for: 'alain.co'
Wed May 8 09:07:05 2024 daemon.info ipsec: 12[CFG] added vici connection: home
Wed May 8 09:07:05 2024 daemon.info ipsec: 09[CFG] added vici connection: passthrough-lan
Wed May 8 09:07:05 2024 daemon.info ipsec: 09[CFG] installing 'passthrough-lan'
Wed May 8 09:07:05 2024 daemon.info ipsec: 00[DMN] load-all: loaded certificate from '/etc/swanctl/x509ca/r3-chain.pem'
Wed May 8 09:07:05 2024 daemon.info ipsec: 00[DMN] load-all: loaded certificate from '/etc/swanctl/x509ca/root.pem'
Wed May 8 09:07:05 2024 daemon.info ipsec: 00[DMN] load-all: loaded certificate from '/etc/swanctl/x509ca/r3.pem'
Wed May 8 09:07:05 2024 daemon.info ipsec: 00[DMN] load-all: loaded eap secret 'eap-alain-co'
Wed May 8 09:07:05 2024 daemon.info ipsec: 00[DMN] load-all: no authorities found, 0 unloaded
Wed May 8 09:07:05 2024 daemon.info ipsec: 00[DMN] load-all: no pools found, 0 unloaded
Wed May 8 09:07:05 2024 daemon.info ipsec: 00[DMN] load-all: loaded connection 'home'
Wed May 8 09:07:05 2024 daemon.info ipsec: 00[DMN] load-all: loaded connection 'passthrough-lan'
Wed May 8 09:07:05 2024 daemon.info ipsec: 00[DMN] load-all: successfully loaded 2 connections, 0 unloaded
Wed May 8 09:07:05 2024 daemon.info ipsec: 12[KNL] 192.168.10.250 appeared on phy0-sta0
Wed May 8 09:07:05 2024 daemon.info ipsec: 09[NET] using forecast interface br-lan
Wed May 8 09:07:05 2024 daemon.info ipsec: 09[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
Wed May 8 09:07:06 2024 daemon.info ipsec: 07[KNL] flags changed for fd03:ca54:c745::1 on br-lan
Wed May 8 09:07:06 2024 daemon.info ipsec: 03[NET] using forecast interface br-lan
Wed May 8 09:07:06 2024 daemon.info ipsec: 03[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
Wed May 8 09:07:06 2024 daemon.info ipsec: 03[KNL] fe80::9683:c4ff:fe49:fd3 appeared on br-lan
Wed May 8 09:07:06 2024 daemon.info ipsec: 13[NET] using forecast interface br-lan
Wed May 8 09:07:06 2024 daemon.info ipsec: 13[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
Wed May 8 09:07:06 2024 daemon.info ipsec: 03[KNL] fe80::9683:c4ff:fe49:fd4 appeared on phy0-sta0
Wed May 8 09:07:07 2024 daemon.info ipsec: 10[NET] using forecast interface br-lan
Wed May 8 09:07:07 2024 daemon.info ipsec: 10[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250

== start log
swanctl --initiate --child home
Wed May 8 09:10:00 2024 daemon.info ipsec: 13[CFG] vici initiate CHILD_SA 'home'
Wed May 8 09:10:00 2024 daemon.info ipsec: 12[IKE] initiating IKE_SA home[1] to 1.2.3.4
Wed May 8 09:10:01 2024 daemon.info ipsec: 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Wed May 8 09:10:01 2024 daemon.info ipsec: 12[NET] sending packet: from 192.168.10.250[500] to 1.2.3.4[500] (1144 bytes)
Wed May 8 09:10:01 2024 daemon.info ipsec: 11[NET] received packet: from 1.2.3.4[500] to 192.168.10.250[500] (280 bytes)
Wed May 8 09:10:01 2024 daemon.info ipsec: 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Wed May 8 09:10:01 2024 daemon.info ipsec: 11[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
Wed May 8 09:10:01 2024 daemon.info ipsec: 11[IKE] local host is behind NAT, sending keep alives
Wed May 8 09:10:01 2024 daemon.info ipsec: 11[IKE] remote host is behind NAT
Wed May 8 09:10:01 2024 daemon.info ipsec: 11[IKE] sending cert request for "C=US, O=Let's Encrypt, CN=R3"
Wed May 8 09:10:01 2024 daemon.info ipsec: 11[CFG] no IDi configured, fall back on IP address
Wed May 8 09:10:01 2024 daemon.info ipsec: 11[IKE] establishing CHILD_SA home{1}
Wed May 8 09:10:01 2024 daemon.info ipsec: 11[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Wed May 8 09:10:01 2024 daemon.info ipsec: 11[NET] sending packet: from 192.168.10.250[4500] to 1.2.3.4[4500] (432 bytes)
Wed May 8 09:10:01 2024 daemon.info ipsec: 12[NET] received packet: from 1.2.3.4[4500] to 192.168.10.250[4500] (1236 bytes)
Wed May 8 09:10:01 2024 daemon.info ipsec: 12[ENC] parsed IKE_AUTH response 1 [ EF(1/3) ]
Wed May 8 09:10:01 2024 daemon.info ipsec: 12[ENC] received fragment #1 of 3, waiting for complete IKE message
Wed May 8 09:10:01 2024 daemon.info ipsec: 08[NET] received packet: from 1.2.3.4[4500] to 192.168.10.250[4500] (1236 bytes)
Wed May 8 09:10:01 2024 daemon.info ipsec: 08[ENC] parsed IKE_AUTH response 1 [ EF(2/3) ]
Wed May 8 09:10:01 2024 daemon.info ipsec: 08[ENC] received fragment #2 of 3, waiting for complete IKE message
Wed May 8 09:10:01 2024 daemon.info ipsec: 14[NET] received packet: from 1.2.3.4[4500] to 192.168.10.250[4500] (644 bytes)
Wed May 8 09:10:01 2024 daemon.info ipsec: 14[ENC] parsed IKE_AUTH response 1 [ EF(3/3) ]
Wed May 8 09:10:01 2024 daemon.info ipsec: 14[ENC] received fragment #3 of 3, reassembled fragmented IKE message (2976 bytes)
Wed May 8 09:10:01 2024 daemon.info ipsec: 14[ENC] parsed IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
Wed May 8 09:10:01 2024 daemon.info ipsec: 14[IKE] received end entity cert "CN=thefreebox.freeboxos.fr"
Wed May 8 09:10:01 2024 daemon.info ipsec: 14[IKE] received issuer cert "C=US, O=Let's Encrypt, CN=R3"
Wed May 8 09:10:01 2024 daemon.info ipsec: 14[CFG] using trusted certificate "CN=thefreebox.freeboxos.fr"
Wed May 8 09:10:01 2024 daemon.info ipsec: 14[CFG] using trusted intermediate ca certificate "C=US, O=Let's Encrypt, CN=R3"
Wed May 8 09:10:01 2024 daemon.info ipsec: 14[CFG] using trusted ca certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
Wed May 8 09:10:01 2024 daemon.info ipsec: 14[CFG] certificate policy 2.23.140.1.2.1 for 'CN=thefreebox.freeboxos.fr' not allowed by trustchain, ignored
Wed May 8 09:10:01 2024 daemon.info ipsec: 14[CFG] reached self-signed root ca with a path length of 1
Wed May 8 09:10:01 2024 daemon.info ipsec: 14[CFG] checking certificate status of "CN=thefreebox.freeboxos.fr"
Wed May 8 09:10:01 2024 daemon.info ipsec: 14[CFG] requesting ocsp status from 'http://r3.o.lencr.org' ...
Wed May 8 09:10:01 2024 daemon.info ipsec: 14[CFG] ocsp response correctly signed by "C=US, O=Let's Encrypt, CN=R3"
Wed May 8 09:10:01 2024 daemon.info ipsec: 14[CFG] ocsp response is valid: until May 13 18:44:58 2024
Wed May 8 09:10:01 2024 daemon.info ipsec: 14[CFG] certificate status is good
Wed May 8 09:10:01 2024 daemon.info ipsec: 14[CFG] checking certificate status of "C=US, O=Let's Encrypt, CN=R3"
Wed May 8 09:10:01 2024 daemon.info ipsec: 14[CFG] fetching crl from 'http://x1.c.lencr.org/' ...
Wed May 8 09:10:01 2024 daemon.info ipsec: 14[CFG] using trusted certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
Wed May 8 09:10:01 2024 daemon.info ipsec: 14[CFG] crl correctly signed by "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
Wed May 8 09:10:01 2024 daemon.info ipsec: 14[CFG] crl is valid: until Jan 05 00:59:59 2025
Wed May 8 09:10:01 2024 daemon.info ipsec: 14[CFG] certificate status is good
Wed May 8 09:10:01 2024 daemon.info ipsec: 14[IKE] authentication of 'thefreebox.freeboxos.fr' with RSA_EMSA_PKCS1_SHA2_256 successful
Wed May 8 09:10:01 2024 daemon.info ipsec: 14[IKE] server requested EAP_IDENTITY (id 0x00), sending 'alain.co'
Wed May 8 09:10:01 2024 daemon.info ipsec: 14[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
Wed May 8 09:10:01 2024 daemon.info ipsec: 14[NET] sending packet: from 192.168.10.250[4500] to 1.2.3.4[4500] (96 bytes)
Wed May 8 09:10:01 2024 daemon.info ipsec: 03[NET] received packet: from 1.2.3.4[4500] to 192.168.10.250[4500] (112 bytes)
Wed May 8 09:10:01 2024 daemon.info ipsec: 03[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Wed May 8 09:10:01 2024 daemon.info ipsec: 03[IKE] server requested EAP_MSCHAPV2 authentication (id 0x4C)
Wed May 8 09:10:01 2024 daemon.info ipsec: 03[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Wed May 8 09:10:01 2024 daemon.info ipsec: 03[NET] sending packet: from 192.168.10.250[4500] to 1.2.3.4[4500] (144 bytes)
Wed May 8 09:10:01 2024 daemon.info ipsec: 14[NET] received packet: from 1.2.3.4[4500] to 192.168.10.250[4500] (144 bytes)
Wed May 8 09:10:01 2024 daemon.info ipsec: 14[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Wed May 8 09:10:01 2024 daemon.info ipsec: 14[IKE] EAP-MS-CHAPv2 succeeded: 'Welcome2strongSwan'
Wed May 8 09:10:01 2024 daemon.info ipsec: 14[ENC] generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Wed May 8 09:10:01 2024 daemon.info ipsec: 14[NET] sending packet: from 192.168.10.250[4500] to 1.2.3.4[4500] (80 bytes)
Wed May 8 09:10:01 2024 daemon.info ipsec: 11[NET] received packet: from 1.2.3.4[4500] to 192.168.10.250[4500] (80 bytes)
Wed May 8 09:10:01 2024 daemon.info ipsec: 11[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]
Wed May 8 09:10:01 2024 daemon.info ipsec: 11[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Wed May 8 09:10:01 2024 daemon.info ipsec: 11[IKE] authentication of '192.168.10.250' (myself) with EAP
Wed May 8 09:10:01 2024 daemon.info ipsec: 11[ENC] generating IKE_AUTH request 5 [ AUTH ]
Wed May 8 09:10:01 2024 daemon.info ipsec: 11[NET] sending packet: from 192.168.10.250[4500] to 1.2.3.4[4500] (112 bytes)
Wed May 8 09:10:01 2024 daemon.info ipsec: 15[NET] received packet: from 1.2.3.4[4500] to 192.168.10.250[4500] (368 bytes)
Wed May 8 09:10:01 2024 daemon.info ipsec: 15[ENC] parsed IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS MASK) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
Wed May 8 09:10:01 2024 daemon.info ipsec: 15[IKE] authentication of 'thefreebox.freeboxos.fr' with EAP successful
Wed May 8 09:10:01 2024 daemon.info ipsec: 15[IKE] installing DNS server 212.27.38.253 to /etc/resolv.conf
Wed May 8 09:10:01 2024 daemon.info ipsec: 15[CFG] handling INTERNAL_IP4_NETMASK attribute failed
Wed May 8 09:10:01 2024 daemon.info ipsec: 15[IKE] installing new virtual IP 192.168.27.65
Wed May 8 09:10:01 2024 daemon.info ipsec: 15[IKE] peer supports MOBIKE
Wed May 8 09:10:01 2024 daemon.info ipsec: 15[IKE] IKE_SA home[1] established between 192.168.10.250[192.168.10.250]...1.2.3.4[thefreebox.freeboxos.fr]
Wed May 8 09:10:01 2024 daemon.info ipsec: 15[IKE] scheduling rekeying in 13281s
Wed May 8 09:10:01 2024 daemon.info ipsec: 15[IKE] maximum IKE_SA lifetime 14721s
Wed May 8 09:10:01 2024 daemon.info ipsec: 15[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
Wed May 8 09:10:01 2024 daemon.info ipsec: 15[IKE] CHILD_SA home{1} established with SPIs c74bb8b9_i cb522c71_o and TS 192.168.27.65/32 === 0.0.0.0/0

== and then regular keepalive
Wed May 8 09:10:31 2024 daemon.info ipsec: 03[NET] received packet: from 1.2.3.4[4500] to 192.168.10.250[4500] (80 bytes)
Wed May 8 09:10:31 2024 daemon.info ipsec: 03[ENC] parsed INFORMATIONAL request 0
Wed May 8 09:10:31 2024 daemon.info ipsec: 03[ENC] generating INFORMATIONAL response 0
Wed May 8 09:10:31 2024 daemon.info ipsec: 03[NET] sending packet: from 192.168.10.250[4500] to 1.2.3.4[4500] (80 bytes)

I have a lead: it seems to be because of NAT/masquerading, but I cannot make something that works.

Initially, WAN was configured with masquerading/NAT.
I have added

  • a rule to NAT the traffic toward the IPsec public address 1.2.3.4,
  • a rule to NAT the traffic from the LAN 192.168.1.0/24,
  • a rule not to NAT the rest of the traffic (I don't understand what it can be).

== /etc/config/firewall

config nat
option name 'NAT-IPSECSERVER'
list proto 'all'
option src 'wan'
option dest_ip '1.2.3.4'
option target 'MASQUERADE'

config nat
option name 'NAT-LAN'
list proto 'all'
option src 'wan'
option src_ip '192.168.1.0/24'
option target 'MASQUERADE'

config nat
option name 'NONAT-TUNNELED'
list proto 'all'
option src 'wan'
option target 'ACCEPT'

The result is that from the router the traceroute is visibly tunneled: it works!

WAN 192.168.10.250===192.168.27.65>IPSEC TUNNEL===192.168.0.254NAT2===INTERNET

However, from the Windows LAN client, the TRACERT is just routed straight to the WAN and beyond.
192.168.1.100 === LAN 192.168.1.1 >NAT>WAN 192.168.10.250===INTERNET

I've tried not NATing the LAN traffic. It still works from the router itself, but the traffic is not routed at all from the LAN, neither via the WAN nor via the VPN.
192.168.1.100 === LAN 192.168.1.1 >WAN 192.168.10.250==XXX===

I've looked at many articles, and there seem to be firewall rules to add via "x.nft" scripts, either via the updown script or as a firewall config include directive.

But the problem is that I don't know what to do, because I don't understand the order of NAT and tunneling... given that I need NAT from the LAN, or the traffic cannot be routed back to the client.

I need the NAT from LAN to WAN, but at the same time I need the XFRM IPsec policy to apply for tunneling... I've missed a point.

EDIT: it's progressing.
First I've simply put NAT rules not to NAT the traffic to and from the IPsec VIP network (192.168.27.0/24)... Using netfilter rules with the "ipsec" criterion worked too:

nft -a -e -j insert rule inet fw4 srcnat_wan ipsec out ip daddr 0.0.0.0/0  counter log prefix "Nwan_IPS_NONAT_" accept

Now the problem seems to be about routing or xfrm rules...

When I do a traceroute from ssh, by default it binds to the IPsec VIP, and it goes through the VPN tunnel...

traceroute -s 192.168.27.65 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8) from 192.168.27.65, 30 hops max, 46 byte packets
 1  freeplayer.freebox.fr (212.27.38.253)  1.892 ms  1.249 ms
...

When I do a traceroute from the WAN IP or the LAN IP, it passes straight to the internet via the WAN:

 traceroute -s 192.168.10.250 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8) from 192.168.10.250, 30 hops max, 46 byte packets
 1  192.168.10.1 (192.168.10.1)  1.100 ms  0.967 ms  0.911 ms
 2  192.168.0.254 (192.168.0.254)  0.852 ms  0.994 ms  0.878 ms
traceroute -s 192.168.1.1 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8) from 192.168.1.1, 30 hops max, 46 byte packets
 1  192.168.10.1 (192.168.10.1)  1.242 ms  0.914 ms  0.708 ms
 2  192.168.0.254 (192.168.0.254)  0.976 ms  1.011 ms  0.890 ms

I have not touched the routing tables (see above)...
Table 220 is:

default via 192.168.10.1 dev phy0-sta0 proto static src 192.168.27.65
throw 192.168.1.0/24 proto static

and the main table is:

default via 192.168.10.1 dev phy0-sta0 proto static src 192.168.10.250 metric 100
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.10.0/24 dev phy0-sta0 proto static scope link metric 100
192.168.27.0/24 dev phy0-sta0 proto kernel scope link src 192.168.27.1

I don't understand why table 220 works well with the 192.168.27.65 source and not with the others... In fact it's the same physical interface (the WAN WLAN client).

I've investigated a lot and it does not seem related to IP routing, but to IPsec subtleties I don't understand:
the packets are tunneled out fine, but not a single encrypted packet is sent back to my router when the return IP address is not the IPsec VIP.

EDIT: I have an idea, but I don't know how to do it... If, as I suspect, the server simply refuses to communicate with any IP other than its VIP, there is no hope but MASQUERADE.

Is it possible to create a second masquerade table for the IPsec VIP, beside the masquerade table for the WAN? (I need both)... Or is it just possible to do DNAT and SNAT to transform any clear packet exchanged with the IPsec interface? The problem is that the VIP is on the same device as the WAN... it's just an IP added to the WAN device.

I've followed some advice from elsewhere, using an XFRM interface via LuCI, just to have more control.

if_id_in=0x1b
if_id_out=0x1b

I also used set_mark_out and set_mark_in in strongswan config so I can better filter the packets.

set_mark_in = 0x040000/0x040000
set_mark_out = 0x080000/0x080000

Because in that case strongswan does not add the routing rules, I've added some (and also one for the VPN server itself, even if it may not be useful).
Finally the ip route table 220 looks like this:

default dev ipsec0 scope link
1.2.3.4  via 192.168.10.1 dev phy0-sta0
throw 192.168.1.0/24 proto static

All of that changes nothing about the problem; it works no worse and no better, but it helped with debugging.

I've used nft monitor trace to trace the packets when testing a ping to 8.8.8.8, and this was instructive.
What I see is that when I ping from the IPSEC VIP 192.168.27.65 it works if I disable NAT from that IP.
NAT was causing a problem only because it masquerades the packets to use my WAN main interface 192.168.10.250, and no return packet is accepted to this address...
So NAT is not the subject here... the subject is that no packet is returned to the WAN interface 192.168.10.250, while it works to the IPSEC VIP 192.168.27.65, although on the same media (phy0-sta0) as the WAN.

Here is one exchange for a ping -I 192.168.27.65 8.8.8.8, from the IPSEC VIP.
I see that the ICMP request packet is mangled, then, keeping the same id, converted into UDP:4500 to the IPSEC server, and immediately a packet is received back on UDP:4500 from the VPN server, and with another id a clear packet is input and it's the ICMP reply.
It works.

trace for ping from IPSEC VIP

PING REQUEST 8.8.8.8 from VPN VIP

trace id 85a59ae1 inet fw4 trace_chain_output packet: oif "ipsec0" ip saddr 192.168.27.65 ip daddr 8.8.8.8 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 38566 ip protocol icmp ip length 84 icmp type echo-request icmp code net-unreachable icmp id 7352 icmp sequence 0 @th,64,96 0xd7ee3c8f0000000000000000
trace id 85a59ae1 inet fw4 trace_chain_output rule ip daddr 8.8.8.8 meta nftrace set 1 (verdict continue)
trace id 85a59ae1 inet fw4 trace_chain_output rule icmp type { echo-reply, echo-request } meta nftrace set 1 (verdict continue)
trace id 85a59ae1 inet fw4 trace_chain_output verdict continue
trace id 85a59ae1 inet fw4 trace_chain_output policy accept
trace id 85a59ae1 inet fw4 raw_output packet: oif "ipsec0" ip saddr 192.168.27.65 ip daddr 8.8.8.8 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 38566 ip protocol icmp ip length 84 icmp type echo-request icmp code net-unreachable icmp id 7352 icmp sequence 0 @th,64,96 0xd7ee3c8f0000000000000000
trace id 85a59ae1 inet fw4 raw_output verdict continue
trace id 85a59ae1 inet fw4 raw_output policy accept
trace id 85a59ae1 inet fw4 mangle_output packet: oif "ipsec0" ip saddr 192.168.27.65 ip daddr 8.8.8.8 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 38566 ip protocol icmp ip length 84 icmp type echo-request icmp code net-unreachable icmp id 7352 icmp sequence 0 @th,64,96 0xd7ee3c8f0000000000000000
trace id 85a59ae1 inet fw4 mangle_output verdict continue
trace id 85a59ae1 inet fw4 mangle_output policy accept
trace id 85a59ae1 inet fw4 output packet: oif "ipsec0" ip saddr 192.168.27.65 ip daddr 8.8.8.8 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 38566 ip protocol icmp ip length 84 icmp type echo-request icmp code net-unreachable icmp id 7352 icmp sequence 0 @th,64,96 0xd7ee3c8f0000000000000000
trace id 85a59ae1 inet fw4 output rule oifname { "ipsec0", "phy0-sta0" } jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic" (verdict jump output_wan)
trace id 85a59ae1 inet fw4 output_wan rule jump accept_to_wan (verdict jump accept_to_wan)
trace id 85a59ae1 inet fw4 accept_to_wan rule oifname { "ipsec0", "phy0-sta0" } counter packets 8239 bytes 607537 accept comment "!fw4: accept wan IPv4/IPv6 traffic" (verdict accept)
trace id 85a59ae1 inet fw4 mangle_postrouting packet: oif "ipsec0" ip saddr 192.168.27.65 ip daddr 8.8.8.8 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 38566 ip protocol icmp ip length 84 icmp type echo-request icmp code net-unreachable icmp id 7352 icmp sequence 0 @th,64,96 0xd7ee3c8f0000000000000000
trace id 85a59ae1 inet fw4 mangle_postrouting verdict continue
trace id 85a59ae1 inet fw4 mangle_postrouting policy accept
trace id 85a59ae1 inet fw4 srcnat packet: oif "ipsec0" ip saddr 192.168.27.65 ip daddr 8.8.8.8 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 38566 ip protocol icmp ip length 84 icmp type echo-request icmp code net-unreachable icmp id 7352 icmp sequence 0 @th,64,96 0xd7ee3c8f0000000000000000
trace id 85a59ae1 inet fw4 srcnat rule oifname { "ipsec0", "phy0-sta0" } jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic" (verdict jump srcnat_wan)
trace id 85a59ae1 inet fw4 srcnat_wan rule ip saddr 192.168.27.0/24 counter packets 1 bytes 84 accept comment "!fw4: NoNAT-From-VPN" (verdict accept)

TUNNEL TO VPN note: udp length 144

trace id 85a59ae1 inet fw4 trace_chain_output packet: oif "phy0-sta0" @ll,0,160 0x118f65c0a80afa52408d011194119400900000c5 ip saddr 192.168.10.250 ip daddr 1.2.3.4 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 0 ip protocol udp ip length 164 udp sport 4500 udp dport 4500 udp length 144 @th,64,96 0xc519a1690000509e7236bdef
trace id 85a59ae1 inet fw4 trace_chain_output rule ip daddr 1.2.3.4 udp dport 4500 meta nftrace set 1 (verdict continue)
trace id 85a59ae1 inet fw4 trace_chain_output rule meta mark & 0x00ff0000 != 0x00000000 meta nftrace set 1 (verdict continue)
trace id 85a59ae1 inet fw4 trace_chain_output rule udp dport 4500 meta nftrace set 1 (verdict continue)
trace id 85a59ae1 inet fw4 trace_chain_output rule udp sport 4500 meta nftrace set 1 (verdict continue)
trace id 85a59ae1 inet fw4 trace_chain_output verdict continue meta mark 0x00080000
trace id 85a59ae1 inet fw4 trace_chain_output policy accept meta mark 0x00080000
trace id 85a59ae1 inet fw4 raw_output packet: oif "phy0-sta0" @ll,0,160 0x118f65c0a80afa52408d011194119400900000c5 ip saddr 192.168.10.250 ip daddr 1.2.3.4 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 0 ip protocol udp ip length 164 udp sport 4500 udp dport 4500 udp length 144 @th,64,96 0xc519a1690000509e7236bdef
trace id 85a59ae1 inet fw4 raw_output verdict continue meta mark 0x00080000
trace id 85a59ae1 inet fw4 raw_output policy accept meta mark 0x00080000
trace id 85a59ae1 inet fw4 mangle_output packet: oif "phy0-sta0" @ll,0,160 0x118f65c0a80afa52408d011194119400900000c5 ip saddr 192.168.10.250 ip daddr 1.2.3.4 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 0 ip protocol udp ip length 164 udp sport 4500 udp dport 4500 udp length 144 @th,64,96 0xc519a1690000509e7236bdef
trace id 85a59ae1 inet fw4 mangle_output verdict continue meta mark 0x00080000
trace id 85a59ae1 inet fw4 mangle_output policy accept meta mark 0x00080000
trace id 85a59ae1 inet fw4 output packet: oif "phy0-sta0" @ll,0,160 0x118f65c0a80afa52408d011194119400900000c5 ip saddr 192.168.10.250 ip daddr 1.2.3.4 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 0 ip protocol udp ip length 164 udp sport 4500 udp dport 4500 udp length 144 @th,64,96 0xc519a1690000509e7236bdef
trace id 85a59ae1 inet fw4 output rule ct state established,related accept comment "!fw4: Allow outbound established and related flows" (verdict accept)
trace id 85a59ae1 inet fw4 mangle_postrouting packet: iif "phy0-sta0" oif "phy0-sta0" ether saddr fa:52:40:8d:01:11 ether daddr 11:8f:65:c0:a8:0a @ll,112,48 0x9400900000c5 ip saddr 192.168.10.250 ip daddr 1.2.3.4 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 0 ip protocol udp ip length 164 udp sport 4500 udp dport 4500 udp length 144 @th,64,96 0xc519a1690000509e7236bdef
trace id 85a59ae1 inet fw4 mangle_postrouting verdict continue meta mark 0x00080000
trace id 85a59ae1 inet fw4 mangle_postrouting policy accept meta mark 0x00080000

INPUT VPN ENCRYPTED note: udp length 144

trace id a28d72db inet fw4 trace_chain_prerouting packet: iif "phy0-sta0" ether saddr 94:a6:7e:b2:b5:eb ether daddr 94:83:c4:49:0f:d4 ip saddr 1.2.3.4 ip daddr 192.168.10.250 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 57564 ip protocol udp ip length 164 udp sport 4500 udp dport 4500 udp length 144 @th,64,96 0xc0594c10000000021039ca61
trace id a28d72db inet fw4 trace_chain_prerouting rule ip saddr 1.2.3.4 udp sport 4500 meta nftrace set 1 (verdict continue)
trace id a28d72db inet fw4 trace_chain_prerouting rule udp dport 4500 meta nftrace set 1 (verdict continue)
trace id a28d72db inet fw4 trace_chain_prerouting rule udp sport 4500 meta nftrace set 1 (verdict continue)
trace id a28d72db inet fw4 trace_chain_prerouting verdict continue
trace id a28d72db inet fw4 trace_chain_prerouting policy accept
trace id a28d72db inet fw4 raw_prerouting packet: iif "phy0-sta0" ether saddr 94:a6:7e:b2:b5:eb ether daddr 94:83:c4:49:0f:d4 ip saddr 1.2.3.4 ip daddr 192.168.10.250 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 57564 ip protocol udp ip length 164 udp sport 4500 udp dport 4500 udp length 144 @th,64,96 0xc0594c10000000021039ca61
trace id a28d72db inet fw4 raw_prerouting verdict continue
trace id a28d72db inet fw4 raw_prerouting policy accept
trace id a28d72db inet fw4 mangle_prerouting packet: iif "phy0-sta0" ether saddr 94:a6:7e:b2:b5:eb ether daddr 94:83:c4:49:0f:d4 ip saddr 1.2.3.4 ip daddr 192.168.10.250 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 57564 ip protocol udp ip length 164 udp sport 4500 udp dport 4500 udp length 144 @th,64,96 0xc0594c10000000021039ca61
trace id a28d72db inet fw4 mangle_prerouting verdict continue
trace id a28d72db inet fw4 mangle_prerouting policy accept
trace id a28d72db inet fw4 prerouting packet: iif "phy0-sta0" ether saddr 94:a6:7e:b2:b5:eb ether daddr 94:83:c4:49:0f:d4 ip saddr 1.2.3.4 ip daddr 192.168.10.250 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 57564 ip protocol udp ip length 164 udp sport 4500 udp dport 4500 udp length 144 @th,64,96 0xc0594c10000000021039ca61
trace id a28d72db inet fw4 prerouting verdict continue
trace id a28d72db inet fw4 prerouting policy accept
trace id a28d72db inet fw4 mangle_input packet: iif "phy0-sta0" ether saddr 94:a6:7e:b2:b5:eb ether daddr 94:83:c4:49:0f:d4 ip saddr 1.2.3.4 ip daddr 192.168.10.250 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 57564 ip protocol udp ip length 164 udp sport 4500 udp dport 4500 udp length 144 @th,64,96 0xc0594c10000000021039ca61
trace id a28d72db inet fw4 mangle_input verdict continue
trace id a28d72db inet fw4 mangle_input policy accept
trace id a28d72db inet fw4 input packet: iif "phy0-sta0" ether saddr 94:a6:7e:b2:b5:eb ether daddr 94:83:c4:49:0f:d4 ip saddr 1.2.3.4 ip daddr 192.168.10.250 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 57564 ip protocol udp ip length 164 udp sport 4500 udp dport 4500 udp length 144 @th,64,96 0xc0594c10000000021039ca61
trace id a28d72db inet fw4 input rule ct state established,related accept comment "!fw4: Allow inbound established and related flows" (verdict accept)

Decrypted PING reply to VPN IP

trace id 0fc22835 inet fw4 trace_chain_prerouting packet: iif "ipsec0" @ll,0,112 0x9483c4490fd494a67eb2b5eb0800 ip saddr 8.8.8.8 ip daddr 192.168.27.65 ip dscp cs0 ip ecn not-ect ip ttl 119 ip id 0 ip protocol icmp ip length 84 icmp type echo-reply icmp code net-unreachable icmp id 7352 icmp sequence 0 @th,64,96 0xd7ee3c8f0000000000000000
trace id 0fc22835 inet fw4 trace_chain_prerouting rule ip saddr 8.8.8.8 meta nftrace set 1 (verdict continue)
trace id 0fc22835 inet fw4 trace_chain_prerouting rule meta mark & 0x00ff0000 != 0x00000000 meta nftrace set 1 (verdict continue)
trace id 0fc22835 inet fw4 trace_chain_prerouting rule icmp type { echo-reply, echo-request } meta nftrace set 1 (verdict continue)
trace id 0fc22835 inet fw4 trace_chain_prerouting verdict continue meta mark 0x00040000
trace id 0fc22835 inet fw4 trace_chain_prerouting policy accept meta mark 0x00040000
trace id 0fc22835 inet fw4 raw_prerouting packet: iif "ipsec0" @ll,0,112 0x9483c4490fd494a67eb2b5eb0800 ip saddr 8.8.8.8 ip daddr 192.168.27.65 ip dscp cs0 ip ecn not-ect ip ttl 119 ip id 0 ip protocol icmp ip length 84 icmp type echo-reply icmp code net-unreachable icmp id 7352 icmp sequence 0 @th,64,96 0xd7ee3c8f0000000000000000
trace id 0fc22835 inet fw4 raw_prerouting verdict continue meta mark 0x00040000
trace id 0fc22835 inet fw4 raw_prerouting policy accept meta mark 0x00040000
trace id 0fc22835 inet fw4 mangle_prerouting packet: iif "ipsec0" @ll,0,112 0x9483c4490fd494a67eb2b5eb0800 ip saddr 8.8.8.8 ip daddr 192.168.27.65 ip dscp cs0 ip ecn not-ect ip ttl 119 ip id 0 ip protocol icmp ip length 84 icmp type echo-reply icmp code net-unreachable icmp id 7352 icmp sequence 0 @th,64,96 0xd7ee3c8f0000000000000000
trace id 0fc22835 inet fw4 mangle_prerouting verdict continue meta mark 0x00040000
trace id 0fc22835 inet fw4 mangle_prerouting policy accept meta mark 0x00040000
trace id 0fc22835 inet fw4 prerouting packet: iif "ipsec0" @ll,0,112 0x9483c4490fd494a67eb2b5eb0800 ip saddr 8.8.8.8 ip daddr 192.168.27.65 ip dscp cs0 ip ecn not-ect ip ttl 119 ip id 0 ip protocol icmp ip length 84 icmp type echo-reply icmp code net-unreachable icmp id 7352 icmp sequence 0 @th,64,96 0xd7ee3c8f0000000000000000
trace id 0fc22835 inet fw4 prerouting verdict continue meta mark 0x00040000
trace id 0fc22835 inet fw4 prerouting policy accept meta mark 0x00040000
trace id 0fc22835 inet fw4 mangle_input packet: iif "ipsec0" @ll,0,112 0x9483c4490fd494a67eb2b5eb0800 ip saddr 8.8.8.8 ip daddr 192.168.27.65 ip dscp cs0 ip ecn not-ect ip ttl 119 ip id 0 ip protocol icmp ip length 84 icmp type echo-reply icmp code net-unreachable icmp id 7352 icmp sequence 0 @th,64,96 0xd7ee3c8f0000000000000000
trace id 0fc22835 inet fw4 mangle_input verdict continue meta mark 0x00040000
trace id 0fc22835 inet fw4 mangle_input policy accept meta mark 0x00040000
trace id 0fc22835 inet fw4 input packet: iif "ipsec0" @ll,0,112 0x9483c4490fd494a67eb2b5eb0800 ip saddr 8.8.8.8 ip daddr 192.168.27.65 ip dscp cs0 ip ecn not-ect ip ttl 119 ip id 0 ip protocol icmp ip length 84 icmp type echo-reply icmp code net-unreachable icmp id 7352 icmp sequence 0 @th,64,96 0xd7ee3c8f0000000000000000
trace id 0fc22835 inet fw4 input rule ct state established,related accept comment "!fw4: Allow inbound established and related flows" (verdict accept)

Here is one exchange for a ping -I 192.168.10.250 8.8.8.8.
I see that the ICMP request packet is mangled, then, keeping the same id, converted into UDP:4500 to the IPSEC server, and not even a UDP:4500 packet from the server is received. The VPN server refuses to answer.
It does not work. Maybe it's something about negotiating policies?

trace for ping from WAN IP

VPN PING from WAN

trace id 25e2e22b inet fw4 trace_chain_output packet: oif "ipsec0" ip saddr 192.168.10.250 ip daddr 8.8.8.8 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 7561 ip protocol icmp ip length 84 icmp type echo-request icmp code net-unreachable icmp id 7355 icmp sequence 0 @th,64,96 0xa6733d8f0000000000000000
trace id 25e2e22b inet fw4 trace_chain_output rule ip daddr 8.8.8.8 meta nftrace set 1 (verdict continue)
trace id 25e2e22b inet fw4 trace_chain_output rule icmp type { echo-reply, echo-request } meta nftrace set 1 (verdict continue)
trace id 25e2e22b inet fw4 trace_chain_output verdict continue
trace id 25e2e22b inet fw4 trace_chain_output policy accept
trace id 25e2e22b inet fw4 raw_output packet: oif "ipsec0" ip saddr 192.168.10.250 ip daddr 8.8.8.8 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 7561 ip protocol icmp ip length 84 icmp type echo-request icmp code net-unreachable icmp id 7355 icmp sequence 0 @th,64,96 0xa6733d8f0000000000000000
trace id 25e2e22b inet fw4 raw_output verdict continue
trace id 25e2e22b inet fw4 raw_output policy accept
trace id 25e2e22b inet fw4 mangle_output packet: oif "ipsec0" ip saddr 192.168.10.250 ip daddr 8.8.8.8 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 7561 ip protocol icmp ip length 84 icmp type echo-request icmp code net-unreachable icmp id 7355 icmp sequence 0 @th,64,96 0xa6733d8f0000000000000000
trace id 25e2e22b inet fw4 mangle_output verdict continue
trace id 25e2e22b inet fw4 mangle_output policy accept
trace id 25e2e22b inet fw4 output packet: oif "ipsec0" ip saddr 192.168.10.250 ip daddr 8.8.8.8 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 7561 ip protocol icmp ip length 84 icmp type echo-request icmp code net-unreachable icmp id 7355 icmp sequence 0 @th,64,96 0xa6733d8f0000000000000000
trace id 25e2e22b inet fw4 output rule oifname { "ipsec0", "phy0-sta0" } jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic" (verdict jump output_wan)
trace id 25e2e22b inet fw4 output_wan rule jump accept_to_wan (verdict jump accept_to_wan)
trace id 25e2e22b inet fw4 accept_to_wan rule oifname { "ipsec0", "phy0-sta0" } counter packets 8239 bytes 607537 accept comment "!fw4: accept wan IPv4/IPv6 traffic" (verdict accept)
trace id 25e2e22b inet fw4 mangle_postrouting packet: oif "ipsec0" ip saddr 192.168.10.250 ip daddr 8.8.8.8 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 7561 ip protocol icmp ip length 84 icmp type echo-request icmp code net-unreachable icmp id 7355 icmp sequence 0 @th,64,96 0xa6733d8f0000000000000000
trace id 25e2e22b inet fw4 mangle_postrouting verdict continue
trace id 25e2e22b inet fw4 mangle_postrouting policy accept
trace id 25e2e22b inet fw4 srcnat packet: oif "ipsec0" ip saddr 192.168.10.250 ip daddr 8.8.8.8 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 7561 ip protocol icmp ip length 84 icmp type echo-request icmp code net-unreachable icmp id 7355 icmp sequence 0 @th,64,96 0xa6733d8f0000000000000000
trace id 25e2e22b inet fw4 srcnat rule oifname { "ipsec0", "phy0-sta0" } jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic" (verdict jump srcnat_wan)
trace id 25e2e22b inet fw4 srcnat_wan rule meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic" (verdict accept)

TUNNEL to VPN note:udp length 144

trace id 25e2e22b inet fw4 trace_chain_output packet: oif "phy0-sta0" @ll,0,160 0x118f65c0a80afa52408d011194119400900000c5 ip saddr 192.168.10.250 ip daddr 1.2.3.4 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 0 ip protocol udp ip length 164 udp sport 4500 udp dport 4500 udp length 144 @th,64,96 0xc519a1690000509f346ab378
trace id 25e2e22b inet fw4 trace_chain_output rule ip daddr 1.2.3.4 udp dport 4500 meta nftrace set 1 (verdict continue)
trace id 25e2e22b inet fw4 trace_chain_output rule meta mark & 0x00ff0000 != 0x00000000 meta nftrace set 1 (verdict continue)
trace id 25e2e22b inet fw4 trace_chain_output rule udp dport 4500 meta nftrace set 1 (verdict continue)
trace id 25e2e22b inet fw4 trace_chain_output rule udp sport 4500 meta nftrace set 1 (verdict continue)
trace id 25e2e22b inet fw4 trace_chain_output verdict continue meta mark 0x00080000
trace id 25e2e22b inet fw4 trace_chain_output policy accept meta mark 0x00080000
trace id 25e2e22b inet fw4 raw_output packet: oif "phy0-sta0" @ll,0,160 0x118f65c0a80afa52408d011194119400900000c5 ip saddr 192.168.10.250 ip daddr 1.2.3.4 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 0 ip protocol udp ip length 164 udp sport 4500 udp dport 4500 udp length 144 @th,64,96 0xc519a1690000509f346ab378
trace id 25e2e22b inet fw4 raw_output verdict continue meta mark 0x00080000
trace id 25e2e22b inet fw4 raw_output policy accept meta mark 0x00080000
trace id 25e2e22b inet fw4 mangle_output packet: oif "phy0-sta0" @ll,0,160 0x118f65c0a80afa52408d011194119400900000c5 ip saddr 192.168.10.250 ip daddr 1.2.3.4 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 0 ip protocol udp ip length 164 udp sport 4500 udp dport 4500 udp length 144 @th,64,96 0xc519a1690000509f346ab378
trace id 25e2e22b inet fw4 mangle_output verdict continue meta mark 0x00080000
trace id 25e2e22b inet fw4 mangle_output policy accept meta mark 0x00080000
trace id 25e2e22b inet fw4 output packet: oif "phy0-sta0" @ll,0,160 0x118f65c0a80afa52408d011194119400900000c5 ip saddr 192.168.10.250 ip daddr 1.2.3.4 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 0 ip protocol udp ip length 164 udp sport 4500 udp dport 4500 udp length 144 @th,64,96 0xc519a1690000509f346ab378
trace id 25e2e22b inet fw4 output rule ct state established,related accept comment "!fw4: Allow outbound established and related flows" (verdict accept)
trace id 25e2e22b inet fw4 mangle_postrouting packet: iif "phy0-sta0" oif "phy0-sta0" ether saddr fa:52:40:8d:01:11 ether daddr 11:8f:65:c0:a8:0a @ll,112,48 0x9400900000c5 ip saddr 192.168.10.250 ip daddr 1.2.3.4 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 0 ip protocol udp ip length 164 udp sport 4500 udp dport 4500 udp length 144 @th,64,96 0xc519a1690000509f346ab378
trace id 25e2e22b inet fw4 mangle_postrouting verdict continue meta mark 0x00080000
trace id 25e2e22b inet fw4 mangle_postrouting policy accept meta mark 0x00080000

What should I look for?

I've tried to add XFRM policies from and to 0.0.0.0/0, but it does not work any better than the one installed between the VIP and 0.0.0.0.

I added them this way...
I've also tested with policy to/from my WAN 192.168.10.250, or without adding anything... no better.

ip xfrm add commands

ip xfrm policy add dir out src 0.0.0.0/0 dst 0.0.0.0/0 tmpl src 192.168.10.250 dst 82.64.141.1 proto esp reqid 1 mode tunnel if_id 27

ip xfrm policy add dir in src 0.0.0.0/0 dst 0.0.0.0/0 tmpl src 82.64.141.1 dst 192.168.10.250 proto esp reqid 1 mode tunnel if_id 27

ip xfrm policy add dir fwd src 0.0.0.0/0 dst 0.0.0.0/0 tmpl src 82.64.141.1 dst 192.168.10.250 proto esp reqid 1 mode tunnel if_id 27

the XFRM policies were

ip xfrm policy

src 0.0.0.0/0 dst 0.0.0.0/0
dir fwd priority 0
tmpl src 82.64.141.1 dst 192.168.10.250
proto esp reqid 1 mode tunnel
if_id 0x1b
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
tmpl src 82.64.141.1 dst 192.168.10.250
proto esp reqid 1 mode tunnel
if_id 0x1b
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
tmpl src 192.168.10.250 dst 82.64.141.1
proto esp reqid 1 mode tunnel
if_id 0x1b
src 192.168.27.65/32 dst 0.0.0.0/0
dir out priority 383615
tmpl src 192.168.10.250 dst 82.64.141.1
proto esp spi 0xc9470eb3 reqid 1 mode tunnel
if_id 0x1b
src 0.0.0.0/0 dst 192.168.27.65/32
dir fwd priority 383615
tmpl src 82.64.141.1 dst 192.168.10.250
proto esp reqid 1 mode tunnel
if_id 0x1b
src 0.0.0.0/0 dst 192.168.27.65/32
dir in priority 383615
tmpl src 82.64.141.1 dst 192.168.10.250
proto esp reqid 1 mode tunnel
if_id 0x1b
src fd03:ca54:c745::/64 dst fd03:ca54:c745::/64
dir fwd priority 134463
src fd03:ca54:c745::/64 dst fd03:ca54:c745::/64
dir in priority 134463
src fd03:ca54:c745::/64 dst fd03:ca54:c745::/64
dir out priority 134463
src 192.168.1.0/24 dst 192.168.1.0/24
dir fwd priority 175423
src 192.168.1.0/24 dst 192.168.1.0/24
dir in priority 175423
src 192.168.1.0/24 dst 192.168.1.0/24
dir out priority 175423
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0

I've tried to change the local_ts to use 0.0.0.0 but it does not help

     children {
         home {
             local_ts  = 0.0.0.0/0
             remote_ts  = 0.0.0.0/0

I've tried not to ask for the vips=0.0.0.0, but the CHILD_SA creation fails with TS_UNACCEPTABLE.

my NFT debug tricks

#I used those tricks to debug... if it can help noobs like me
nft add chain inet fw4 trace_chain_prerouting "{ type filter hook prerouting priority -301; }"
nft add chain inet fw4 trace_chain_output "{ type filter hook output priority -301; }"
nft add rule inet fw4 trace_chain_prerouting ip daddr 8.8.8.8 meta nftrace set 1
nft add rule inet fw4 trace_chain_prerouting ip saddr 8.8.8.8 meta nftrace set 1
nft add rule inet fw4 trace_chain_output ip daddr 8.8.8.8 meta nftrace set 1
nft add rule inet fw4 trace_chain_output ip saddr 8.8.8.8 meta nftrace set 1
nft add rule inet fw4 trace_chain_prerouting ip daddr 82.64.141.1 udp dport 4500 meta nftrace set 1
nft add rule inet fw4 trace_chain_prerouting ip saddr 82.64.141.1 udp sport 4500 meta nftrace set 1
nft add rule inet fw4 trace_chain_output ip daddr 82.64.141.1 udp dport 4500 meta nftrace set 1
nft add rule inet fw4 trace_chain_output ip saddr 82.64.141.1 udp sport 4500 meta nftrace set 1
nft add rule inet fw4 trace_chain_output "meta mark&0xff0000 != 0 meta nftrace set 1"
nft add rule inet fw4 trace_chain_prerouting "meta mark&0xff0000 != 0 meta nftrace set 1"
nft add rule inet fw4 trace_chain_prerouting udp dport 4500 meta nftrace set 1
nft add rule inet fw4 trace_chain_prerouting udp sport 4500 meta nftrace set 1
nft add rule inet fw4 trace_chain_output udp dport 4500 meta nftrace set 1
nft add rule inet fw4 trace_chain_output udp sport 4500 meta nftrace set 1
nft add rule inet fw4 trace_chain_prerouting icmp type { echo-reply, echo-request } meta nftrace set 1
nft add rule inet fw4 trace_chain_output icmp type { echo-reply, echo-request } meta nftrace set 1
nft -a list chain inet fw4 trace_chain_prerouting
nft -a list chain inet fw4 trace_chain_output
nft monitor trace

and to debug while doing a test for a short time

nft monitor trace >/tmp/nft.trace & MON=$! ; for s in 192.168.27.65 192.168.10.250 192.168.1.1 ; do ping -c 1 -W 1 -I $s 8.8.8.8 ; done ; kill $MON
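As an added example (not code from the thread), here is a small awk-based summariser for the `nft monitor trace` output collected with the tricks above. It pairs every ICMP echo-request with its echo-reply by icmp id and records which srcnat_wan rule the request hit on its way out, so a request that was masqueraded to the WAN address and then never answered stands out at a glance. The function names `summarize_trace` and `check_echo_replies` are mine; the sample lines are abridged copies of the traces posted above (trace ids, addresses and icmp ids as on the page, most per-chain lines dropped), and the script assumes only a POSIX sh and awk, which is also what busybox on OpenWrt provides.

```shell
#!/bin/sh
# Added example: summarise "nft monitor trace" output per trace id and per ICMP
# echo id. On a router, run the one-shot ping loop with the trace saved to a
# file, then:  check_echo_replies < /tmp/nft.trace

# Constructed sample, abridged from the thread's own traces (same ids/addresses).
SAMPLE_TRACE='trace id 85a59ae1 inet fw4 trace_chain_output packet: oif "ipsec0" ip saddr 192.168.27.65 ip daddr 8.8.8.8 ip protocol icmp ip length 84 icmp type echo-request icmp id 7352 icmp sequence 0
trace id 85a59ae1 inet fw4 srcnat_wan rule ip saddr 192.168.27.0/24 counter packets 1 bytes 84 accept comment "!fw4: NoNAT-From-VPN" (verdict accept)
trace id 85a59ae1 inet fw4 trace_chain_output packet: oif "phy0-sta0" ip saddr 192.168.10.250 ip daddr 1.2.3.4 ip protocol udp udp sport 4500 udp dport 4500 udp length 144
trace id 0fc22835 inet fw4 trace_chain_prerouting packet: iif "ipsec0" ip saddr 8.8.8.8 ip daddr 192.168.27.65 ip protocol icmp ip length 84 icmp type echo-reply icmp id 7352 icmp sequence 0
trace id 0fc22835 inet fw4 input rule ct state established,related accept comment "!fw4: Allow inbound established and related flows" (verdict accept)
trace id 25e2e22b inet fw4 trace_chain_output packet: oif "ipsec0" ip saddr 192.168.10.250 ip daddr 8.8.8.8 ip protocol icmp ip length 84 icmp type echo-request icmp id 7355 icmp sequence 0
trace id 25e2e22b inet fw4 srcnat_wan rule meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic" (verdict accept)
trace id 25e2e22b inet fw4 trace_chain_output packet: oif "phy0-sta0" ip saddr 192.168.10.250 ip daddr 1.2.3.4 ip protocol udp udp sport 4500 udp dport 4500 udp length 144'

# One line per trace id: id, first device, src>dst, protocol, icmp type/id and
# the srcnat_wan outcome (nonat, masquerade, or "-" when no NAT rule was hit).
summarize_trace() {
    awk '
    function val1(a, n, k,   i) { for (i = 1; i < n; i++) if (a[i] == k) return a[i+1]; return "" }
    function val2(a, n, k1, k2,   i) { for (i = 1; i < n; i++) if (a[i] == k1 && a[i+1] == k2) return a[i+2]; return "" }
    $1 == "trace" && $2 == "id" {
        id = $3
        n = split($0, a, " ")
        if (!(id in seen)) { seen[id] = 1; order[++k] = id; nat[id] = "-" }
        # The first "packet:" line of a trace id is the packet as it entered the
        # stack; the tunnelled UDP/4500 copy reuses the same id and is skipped.
        if (index($0, " packet: ") && !(id in first)) {
            first[id] = 1
            d = val1(a, n, "oif"); if (d == "") d = val1(a, n, "iif"); gsub(/"/, "", d)
            dev[id] = d
            src[id] = val2(a, n, "ip", "saddr"); dst[id] = val2(a, n, "ip", "daddr")
            proto[id] = val2(a, n, "ip", "protocol")
            itype[id] = val2(a, n, "icmp", "type"); iid[id] = val2(a, n, "icmp", "id")
        }
        if ($6 == "srcnat_wan" && $7 == "rule")
            nat[id] = (index($0, " masquerade ") ? "masquerade" : "nonat")
    }
    END {
        for (i = 1; i <= k; i++) { id = order[i]
            printf "%s %s %s>%s %s %s/%s nat=%s\n", id, dev[id], src[id], dst[id], proto[id],
                   (itype[id] == "" ? "-" : itype[id]), (iid[id] == "" ? "-" : iid[id]), nat[id] }
    }'
}

# Pair echo-requests with echo-replies by icmp id and report the NAT verdict the
# request received on its way out: a masqueraded request with reply=no is the
# symptom seen in the thread (the server only talks to the VIP).
check_echo_replies() {
    awk '
    function val2(a, n, k1, k2,   i) { for (i = 1; i < n; i++) if (a[i] == k1 && a[i+1] == k2) return a[i+2]; return "" }
    $1 == "trace" && $2 == "id" {
        id = $3
        n = split($0, a, " ")
        if (index($0, " packet: ")) {
            t = val2(a, n, "icmp", "type"); x = val2(a, n, "icmp", "id")
            if (t == "echo-request") {
                tr[id] = x
                if (!(x in req)) { req[x] = val2(a, n, "ip", "saddr"); order[++k] = x; nat[x] = "none" }
            } else if (t == "echo-reply") reply[x] = 1
        }
        if ($6 == "srcnat_wan" && $7 == "rule" && (id in tr))
            nat[tr[id]] = (index($0, " masquerade ") ? "masquerade" : "nonat")
    }
    END {
        for (i = 1; i <= k; i++) { x = order[i]
            printf "icmp id %s request from %s nat=%s reply=%s\n", x, req[x], nat[x], ((x in reply) ? "yes" : "no") }
    }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_TRACE" | summarize_trace
printf '%s\n' "$SAMPLE_TRACE" | check_echo_replies
```

On the sample, the 192.168.27.65 request shows `nat=nonat reply=yes` and the 192.168.10.250 request shows `nat=masquerade reply=no`, which is exactly the distinction the two full traces above make over two hundred lines.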

Try SNAT-ing the outbound ipsec traffic to the VIP.

nft insert rule inet fw4 srcnat_wan ipsec out ip daddr 0.0.0.0/0 counter snat ip to 192.168.27.65

:+1:
Ah, it was that. My Freebox VPN only works at the VIP with masquerade and thus DNAT.

I focused too much on routing, on my router... in fact the VPN refuses any IP on my side besides its VIP... I also did not understand that DNAT and masquerade are independent... it works fine.

Using ipsec.user I can generate this kind of chain

chain srcnat_ipsec_home {
    type nat hook postrouting priority srcnat; policy accept;
    oifname "phy0-sta0" meta nfproto ipv4 meta mark & 0x00080000 != 0x00080000 counter snat ip to 192.168.27.65
}

Now that it works, I'm working on making it more generic with ipsec.user, nftables.d...

Now I have a new problem:
it seems dnsmasq cannot query DNS over the IPSEC VPN.
It can resolve names correctly from the router,
but from a LAN client, which uses the router as DNS (thus dnsmasq, if I understand well), it does not work...
If I change the server on the client to use the one in the router's /etc/resolv.conf added by StrongSwan, it works well...
It's the dnsmasq proxy that does not work.

I found the problem, it's not related... I'll make another post.
It's just that the list of DNS servers used by dnsmasq (/tmp/resolv.conf.d/resolv.conf.auto) is not updated correctly...
