(edited by acaN 2017-02-13 11:00:59)

Topic: strongswan clients can't reach switch

Hello!

I need help with setting up what looked like quite a simple net:

I have two openwrt devices: TP-Link WDR3500 and WR1043; my private network is 172.20.20.0/24

I use the 3500 as a router/AP, but as it is not a gigabit switch, I use my spare 1043 as a "dumb switch" with static 172.20.20.2 and no AP, firewall or WAN.
Desktop (dhcp client) and NAS (static) are connected to the 1043.

Scheme is as follows:

            r1                r2         Desktop
      172.20.20.1      172.20.20.2    /
WAN -     WDR3500   -        WR1043
            |                        \
          IKEv2                         NAS
     172.20.20.64/29

Desktop got its address via DHCP from r1 with a noticeable delay, but still got it. NAS is accessible from desktop and WLAN clients.

Issue is that clients from IKEv2 are unable to connect or even ping 172.20.20.2 and NAS/Desktop.

The 1043 has all ports in one VLAN, but it seems that I am missing something — do I need to set up a route?

Could you, please, help?

Re: strongswan clients can't reach switch

Jesus. That's a mess (said with love). Yes, you will need to add routes to all the routers most likely. First, I'm guessing R1 and R2 are a /24? That is pertinent info. What kind of clients? Routers, PCs, smartphones? Why don't you post your ipsec.conf from server and client. Then do a traceroute from a client and the desktop:

ip route show table 220

ipsec statusall

It might become all clear with just that.

CB

Re: strongswan clients can't reach switch

sloppyTypist wrote:

Jesus.  That's a mess(said with love).  Yes, you will need to add routes to all the routers most likely.
CB

Thank you a lot!

Actually, it seems that strongswan config was an issue.

Now that I changed leftsubnet to the two halves of the internet (0.0.0.0/1 and 128.0.0.0/1) and also explicitly added my /24 private net, IPsec clients are able to connect to the NAS.

Yet I cannot see any reason why 0.0.0.0/0 did not suit.
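For readers who want to see what the leftsubnet change described above looks like in a strongSwan ipsec.conf, here is an added illustration. It is not acaN's actual config: only the addresses (172.20.20.0/24 for the LAN, 172.20.20.64/29 for the client pool, and the 0.0.0.0/1 plus 128.0.0.0/1 halves) come from the thread; the conn name, left=%any and right=%any are assumptions, and the authentication settings (certificates or EAP) are left out because the thread does not show them.

```conf
# Added example, not the poster's ipsec.conf.
# IKEv2 responder conn on r1 (the WDR3500) that hands out the
# 172.20.20.64/29 pool to road-warrior clients.
# Assumptions: conn name, left=%any, right=%any; authentication lines omitted.

conn roadwarrior
    keyexchange=ikev2
    left=%any
    right=%any
    # virtual IP pool for the IKEv2 clients (from the thread)
    rightsourceip=172.20.20.64/29
    # original value, reported in the thread as not letting clients reach
    # 172.20.20.2 / the NAS:
    # leftsubnet=0.0.0.0/0
    # value reported as working: both halves of the IPv4 space plus the
    # private /24 listed explicitly as its own traffic selector
    leftsubnet=0.0.0.0/1,128.0.0.0/1,172.20.20.0/24
    auto=add
```

After editing, `ipsec reload` picks up the new conn and `ipsec statusall` (already suggested above) shows the resulting traffic selectors per CHILD_SA, which is the quickest way to confirm which leftsubnet entries a given client actually negotiated.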

Re: strongswan clients can't reach switch

I would have to see your configs to say for sure, but I'm glad that worked.