<div dir="ltr"><div>Hi Andy,</div><div> </div><div>The routing on the 10.4.0.0 spoke is configured so that any communication to the following subnets </div><div>10.30.0.0/16,10.7.0.0/16,10.6.0.0/16,10.3.0.0/16,172.16.0.0/16 will be routed to the Strongswan VPN gateway public IP (I've yet to set up the tunnels for 10.30.0.0, 10.7.0.0 and 10.3.0.0)</div>
<div> </div><div>When I try to connect to an address in the 10.6.0.0/16 subnet it should be routed through to the hub and then back out to the other spoke but currently it fails.</div><div>
Connections to 172.16.0.1 are made successfully.</div><div> </div><div>The routing on the 10.6.0.0 spoke is configured so that any communication to the following subnets<br>10.30.0.0/16,10.4.0.0/16,10.7.0.0/16,10.3.0.0/16,172.16.0.0/16 will be routed to the Strongswan VPN gateway public IP (I've yet to set up the tunnels for 10.30.0.0, 10.7.0.0 and 10.3.0.0)</div>
<div> </div><div><div>When I try to connect to an address in the 10.4.0.0/16 subnet it should be routed through to the hub and then back out to the other spoke but currently it fails.</div>
</div><div class="gmail_extra">Connections to 172.16.0.1 are made successfully.</div><div class="gmail_extra"><br>Many Thanks,</div><div class="gmail_extra"> </div><div class="gmail_extra">Kevin</div><div class="gmail_extra">
<br> </div><div class="gmail_quote">On Fri, Aug 30, 2013 at 10:59 AM, Paton, Andy <span dir="ltr"><<a href="mailto:andy.paton@hp.com" target="_blank">andy.paton@hp.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">






<div lang="EN-US" vlink="purple" link="blue">
<div>
<p><span style="color:rgb(31,73,125);font-family:"HP Simplified Light","sans-serif";font-size:10pt">What is your routing setup on the spokes?<u></u><u></u></span></p>
<p><span style="color:rgb(31,73,125);font-family:"HP Simplified Light","sans-serif";font-size:10pt"><u></u> <u></u></span></p>
<p><span style="color:rgb(31,73,125);font-family:"HP Simplified Light","sans-serif";font-size:10pt">Regards,<u></u><u></u></span></p>
<p><span style="color:rgb(31,73,125);font-family:"HP Simplified Light","sans-serif";font-size:10pt"><u></u> <u></u></span></p>
<p><b><span style="font-family:"HP Simplified","sans-serif";font-size:9pt">Andy Paton -
</span></b><span style="color:rgb(38,38,38);font-family:"HP Simplified","sans-serif";font-size:9pt">Bsc. (Hons), MBCS</span><b><span style="font-family:"HP Simplified","sans-serif";font-size:9pt"><br>

</span></b><span style="color:rgb(113,113,114);font-family:"HP Simplified","sans-serif";font-size:9pt">Innovation Engineer<br>
<br>
<a href="mailto:andy.paton@hp.com" target="_blank"><span style="color:rgb(113,113,114)">andy.paton@hp.com</span></a><br>
<br>
<br>
</span><a href="http://www.hp.com/" target="_blank"><span style="color:rgb(113,113,114);font-family:"HP Simplified","sans-serif";font-size:9pt;text-decoration:none"><img width="30" height="30" alt="HP" border="0"></span></a><span style="color:rgb(31,73,125);font-family:"Calibri","sans-serif";font-size:11pt"><u></u><u></u></span></p>

<p><span style="color:rgb(31,73,125);font-family:"HP Simplified Light","sans-serif";font-size:10pt"><u></u> <u></u></span></p>
<p><b><span style="font-family:"Calibri","sans-serif";font-size:11pt">From:</span></b><span style="font-family:"Calibri","sans-serif";font-size:11pt"> users-bounces+andy.paton=<a href="mailto:hp.com@lists.strongswan.org" target="_blank">hp.com@lists.strongswan.org</a> [mailto:<a href="mailto:users-bounces%2Bandy.paton" target="_blank">users-bounces+andy.paton</a>=<a href="mailto:hp.com@lists.strongswan.org" target="_blank">hp.com@lists.strongswan.org</a>]
<b>On Behalf Of </b>Kevin Palmer<br>
<b>Sent:</b> 30 August 2013 10:32<br>
<b>To:</b> <a href="mailto:users@lists.strongswan.org" target="_blank">users@lists.strongswan.org</a><br>
<b>Subject:</b> [strongSwan] Strongswan as a VPN Hub with a single network adapter<u></u><u></u></span></p><div><div class="h5">
<p><u></u> <u></u></p>
<div>
<div>
<p><span style="font-family:"Calibri","sans-serif"">Hi,</span><u></u><u></u></p>
</div>
<div>
<p> <u></u><u></u></p>
</div>
<div>
<p><span style="font-family:"Calibri","sans-serif"">I have just been using Strongswan for the first time and firstly I’d like to say how impressed I was by how easy it was to set up the VPN tunnels. I got my two tunnels working within about 20 minutes of installing Strongswan.</span><u></u><u></u></p>
</div>
<p style="margin:0cm 0cm 0pt"><span style="font-family:"Calibri","sans-serif""> </span><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><span style="font-family:"Calibri","sans-serif"">I have got a hub and two spokes and once the two tunnels were established I can successfully communicate between the spokes and the hub.</span><u></u><u></u></p>

<p style="margin:0cm 0cm 0pt"><span style="font-family:"Calibri","sans-serif""> </span><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><span style="font-family:"Calibri","sans-serif"">The problem I’ve got however is that each ‘Spoke’ of the VPN cannot contact other spokes in the VPN.</span><u></u><u></u></p>

<p style="margin:0cm 0cm 0pt"><span style="font-family:"Calibri","sans-serif""> </span><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><span style="font-family:"Calibri","sans-serif"">My first thought was that IPv4 Forwarding needs to be enabled; however, enabling IPv4 Forwarding did not solve the problem.</span><u></u><u></u></p>

<p style="margin:0cm 0cm 0pt"><span style="font-family:"Calibri","sans-serif""> </span><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><span style="font-family:"Calibri","sans-serif"">I’ve also tried adding each spoke subnet as ‘Left’ subnets in the other connections in ipsec.conf but Strongswan reports “no local address found in traffic
 selector <a href="http://10.6.0.0/24" target="_blank">10.6.0.0/24</a>” as that subnet is not allocated to my adapter.</span><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><span style="font-family:"Calibri","sans-serif""> </span><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><span style="font-family:"Calibri","sans-serif"">The other point to note is that my machine has only one network adapter, which is connected to the internet, so to get a local subnet I added a second IP address to the adapter (eth0:0).</span><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><span style="font-family:"Calibri","sans-serif""> </span><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><span style="font-family:"Calibri","sans-serif"">Does anyone have any suggestions on what I should try next?</span><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><span style="font-family:"Calibri","sans-serif""> </span><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><span style="font-family:"Calibri","sans-serif"">Configuration below…</span><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><span style="font-family:"Calibri","sans-serif""> </span><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><span style="font-family:"Calibri","sans-serif"">Thanks,</span><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><span style="font-family:"Calibri","sans-serif""> </span><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><span style="font-family:"Calibri","sans-serif"">Kevin</span><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><span style="font-family:"Calibri","sans-serif""> </span><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><b><span style="font-family:"Calibri","sans-serif"">Interfaces</span></b><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">auto eth0</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">iface eth0 inet static</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">    address xxx.xxx.xxx.xxx</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">    gateway zzz.zzz.zzz.zzz</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">    netmask 255.255.252.0</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif""> </span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">auto lo</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">iface lo inet loopback</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif""> </span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">auto eth0:0</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">iface eth0:0 inet static</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">    address 172.16.0.1</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">    netmask 255.255.0.0</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><span style="font-family:"Calibri","sans-serif""> </span><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><b><span style="font-family:"Calibri","sans-serif"">ipsec.conf</span></b><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><span style="font-family:"Calibri","sans-serif""> </span><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif""># ipsec.conf - strongSwan IPsec configuration file</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif""> </span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif""># basic configuration</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif""> </span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">config setup</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">        # plutodebug=all</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">        # crlcheckinterval=600</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">        # strictcrlpolicy=yes</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">        # cachecrls=yes</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">        nat_traversal=yes</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">        charonstart=yes</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">        plutostart=yes</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif""> </span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif""># Add connections here.</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif""> </span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">conn %default</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">     ikelifetime=60m</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">     keylife=20m</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">     rekeymargin=3m</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">     keyingtries=1</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">     keyexchange=ikev2</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">     authby=secret</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">     mobike=yes</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif""> </span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif""># CSVNETKP Connection</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif""> </span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">conn csvnetkp</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">      left=%any</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">      leftsubnet=172.16.0.0/24,10.6.0.0/24</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">      leftid=@csvpn.local</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">      right=aaa.aaa.aaa.aaa</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">      rightsubnet=10.4.0.0/16</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">      auto=route</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">      esp=aes256</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif""> </span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif""> </span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">conn csvnetmsdn2</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">     left=%any</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">     leftsubnet=172.16.0.0/24,10.4.0.0/16</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">     leftid=@csvpn.cirrasoft.local</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">     right=bbb.bbb.bbb.bbb</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">     rightsubnet=10.6.0.0/16</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">     auto=route</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif"">     esp=aes256</span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><i><span style="font-family:"Calibri","sans-serif""> </span></i><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><span style="font-family:"Calibri","sans-serif""> </span><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><span style="font-family:"Calibri","sans-serif""> </span><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><span style="font-family:"Calibri","sans-serif"">Where
</span><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><span style="font-family:"Calibri","sans-serif"">xxx.xxx.xxx.xxx is my Public facing address</span><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><span style="font-family:"Calibri","sans-serif"">zzz.zzz.zzz.zzz is my ISP gateway</span><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><span style="font-family:"Calibri","sans-serif"">aaa.aaa.aaa.aaa is the Gateway of ‘spoke’ Subnet
<a href="http://10.4.0.0/16" target="_blank">10.4.0.0/16</a></span><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><span style="font-family:"Calibri","sans-serif"">bbb.bbb.bbb.bbb is the Gateway of ‘spoke’ Subnet
<a href="http://10.6.0.0/16" target="_blank">10.6.0.0/16</a></span><u></u><u></u></p>
<p style="margin:0cm 0cm 0pt"><span style="font-family:"Calibri","sans-serif""> </span><u></u><u></u></p>
<div>
<p><span style="font-family:"Calibri","sans-serif"">And I have my PSKs in the secrets file mapped to the two gateways.</span><u></u><u></u></p>
</div>
<div>
<p> <u></u><u></u></p>
</div>
<div>
<p><span style="font-family:"Calibri","sans-serif"">If anyone can help this would be much appreciated.</span><u></u><u></u></p>
</div>
<div>
<p> <u></u><u></u></p>
</div>
<div>
<p><span style="font-family:"Calibri","sans-serif"">I'm sure I am almost there but... not quite!</span><u></u><u></u></p>
</div>
<div>
<p> <u></u><u></u></p>
</div>
<div>
<p><span style="font-family:"Calibri","sans-serif"">Many Thanks,</span><u></u><u></u></p>
</div>
<div>
<p> <u></u><u></u></p>
</div>
<div>
<p><span style="font-family:"Calibri","sans-serif"">Kevin</span><u></u><u></u></p>
</div>
</div>
</div></div></div>
</div>

</blockquote></div><div class="gmail_extra"><br></div></div>
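<p>Added example, not part of the original thread or of strongSwan: a Python check of whether the leftsubnet/rightsubnet pairs in the hub's posted ipsec.conf cover a spoke-to-spoke flow on both the incoming and the outgoing tunnel. It assumes each spoke proposes selectors that match the hub's; the names parse_conns and check_transit are hypothetical.</p>

```python
import ipaddress

# The two conn sections from the hub's ipsec.conf as posted in the thread
# (only the subnet keys matter for this check).
IPSEC_CONF = """
conn csvnetkp
      leftsubnet=172.16.0.0/24,10.6.0.0/24
      rightsubnet=10.4.0.0/16
conn csvnetmsdn2
     leftsubnet=172.16.0.0/24,10.4.0.0/16
     rightsubnet=10.6.0.0/16
"""

def parse_conns(text):
    """Return {conn_name: {"left": [networks], "right": [networks]}}."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("conn "):
            current = conns.setdefault(line.split()[1], {"left": [], "right": []})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in ("leftsubnet", "rightsubnet"):
                side = key[:-len("subnet")]    # "left" or "right"
                current[side] = [ipaddress.ip_network(s.strip())
                                 for s in value.split(",")]
    return conns

def covers(nets, addr):
    return any(addr in net for net in nets)

def check_transit(conns, src, dst):
    """Check a spoke-to-spoke flow src -> dst from the hub's point of view.

    Inbound tunnel: src inside a conn's rightsubnet, dst inside its leftsubnet.
    Outbound tunnel: dst inside a conn's rightsubnet, src inside its leftsubnet.
    Assumption: the spokes negotiate the same selectors as configured here.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    inbound = [name for name, c in conns.items()
               if covers(c["right"], src) and covers(c["left"], dst)]
    outbound = [name for name, c in conns.items()
                if covers(c["right"], dst) and covers(c["left"], src)]
    return {"inbound": inbound, "outbound": outbound,
            "ok": bool(inbound and outbound)}
```

<p>With the posted values, 10.4.0.5 to 10.6.0.9 is covered on both tunnels, while 10.4.0.5 to 10.6.1.9 is not, because csvnetkp lists 10.6.0.0/24 where the spoke subnet is 10.6.0.0/16.</p>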