<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Hi all :) <div class=""><br class=""></div><div class="">I'm having trouble to set up a simple ipsec connection with overlapping networks and a passthrough connection. Therefore my question is, if there is some open bug at the moment so that it cannot work.</div><div class=""><br class=""></div><div class="">My configuration: </div><div class="">ipsec.conf (Client): </div><div class=""><br class=""></div><div class=""><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class="">config setup</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""><span class="Apple-tab-span" style="white-space:pre"> </span>charonstart=yes</div></div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""><br class=""></div><div style="margin: 0px;" class=""><div style="font-size: 11px; font-family: Menlo; margin: 0px;" class="">conn Router3</div><div style="font-size: 11px; font-family: Menlo; margin: 0px;" class=""><span class="Apple-tab-span" style="white-space:pre"> </span>keyexchange=ikev2</div><div style="font-size: 11px; font-family: Menlo; margin: 0px;" class=""> right=185.48.118.115</div><div style="font-size: 11px; font-family: Menlo; margin: 0px;" class=""> rightid=@serverside</div><div style="font-size: 11px; font-family: Menlo; margin: 0px;" class=""> rightsubnet=10.1.0.0/16</div><div style="font-size: 11px; font-family: Menlo; margin: 0px;" class=""><span class="Apple-tab-span" style="white-space:pre"> </span>left=%any</div><div style="font-size: 11px; font-family: Menlo; margin: 0px;" class=""> leftsubnet=10.1.13.0/24</div><div style="font-size: 11px; font-family: Menlo; margin: 0px;" class=""> leftid=@router</div><div style="font-size: 11px; font-family: Menlo; margin: 0px;" class=""><span class="Apple-tab-span" style="white-space:pre"> </span>auto=start</div><div style="font-size: 11px; font-family: Menlo; margin: 0px;" class=""> authby=secret</div><div style="font-size: 11px; font-family: Menlo; margin: 0px;" class=""> ikelifetime=323s</div><div style="font-size: 11px; font-family: Menlo; margin: 0px;" class=""> keylife=771s</div><div style="font-size: 11px; font-family: Menlo; margin: 0px;" class=""> rekeymargin=151s</div><div style="font-size: 11px; font-family: Menlo; margin: 0px;" class=""> keyingtries= 1</div><div style="font-size: 11px; font-family: Menlo; margin: 0px;" class=""><span class="Apple-tab-span" style="white-space:pre"> </span>leftfirewall=yes</div><div style="font-size: 11px; font-family: Menlo; margin: 0px;" class=""><span class="Apple-tab-span" style="white-space:pre"> </span>mobike=no</div><div style="font-size: 11px; font-family: Menlo; margin: 0px; min-height: 13px;" class=""><br class=""></div><div style="font-size: 11px; font-family: Menlo; margin: 0px;" class="">conn passthrough</div><div style="font-size: 11px; font-family: Menlo; margin: 0px;" class=""> rightsubnet=10.1.13.0/24</div><div style="font-size: 11px; font-family: Menlo; margin: 0px;" class=""> leftsubnet=10.1.13.0/24</div><div style="font-size: 11px; font-family: Menlo; margin: 0px;" class=""> type=pass</div><div style="font-size: 11px; font-family: Menlo; margin: 0px;" class=""> auto=route</div><div style="font-size: 11px; font-family: Menlo; margin: 0px;" class=""><span class="Apple-tab-span" style="white-space:pre"> </span>authby=never (There is no different if I write this line or not)</div><div style="font-size: 11px; font-family: Menlo; margin: 0px;" class=""><br class=""></div><div style="margin: 0px;" class="">ipsec.conf (Server side) </div><div style="margin: 0px;" class=""><br class=""></div><div style="margin: 0px;" class=""><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class="">config setup</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""><span class="Apple-tab-span" style="white-space:pre"> </span># strictcrlpolicy=yes</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""><span class="Apple-tab-span" style="white-space:pre"> </span># uniqueids = no</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""><span class="Apple-tab-span" style="white-space:pre"> </span>charonstart=yes</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""><span class="Apple-tab-span" style="white-space:pre"> </span>plutostart=no</div><div style="margin: 0px; font-size: 11px; font-family: Menlo; min-height: 13px;" class=""><br class=""></div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class="">conn %default</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""><span class="Apple-tab-span" style="white-space:pre"> </span>keyexchange=ikev2</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""> left=185.48.118.115</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""> leftid=@serverside</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""> leftsubnet=10.1.0.0/16</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""><span class="Apple-tab-span" style="white-space:pre"> </span>right=%any</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""> auto=add</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""> authby=secret</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""> ikelifetime=41s</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""> keylife=89s</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""> rekeymargin=21s</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""><span class="Apple-tab-span" style="white-space:pre"> </span>mobike=no</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""><span class="Apple-tab-span" style="white-space:pre"> </span>esp=aes128-sha1-modp2048</div><div style="margin: 0px; font-size: 11px; font-family: Menlo; min-height: 13px;" class=""><br class=""></div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class="">conn Router3</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""><span class="Apple-tab-span" style="white-space:pre"> </span>rightsubnet=10.1.13.0/24</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""> rightid=@router</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""><span class="Apple-tab-span" style="white-space:pre"> </span>ikelifetime=323s</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""> keylife=771s</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""> rekeymargin=151s</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""><span class="Apple-tab-span" style="white-space:pre"> </span>leftfirewall=yes</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""><br class=""></div><div style="margin: 0px;" class="">The connection will be set up but the clients behind the router in the subnet of 10.1.13.0/24 cannot connect to the router and therefore also not connecting to the other network. I also played around with leftsourceip for the client and lefthostaccess but both did not changed the situation. </div><div style="margin: 0px;" class=""><br class=""></div><div style="margin: 0px;" class="">Here is the output of ipsec statusall: </div><div style="margin: 0px;" class=""><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class="">Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-39-generic, x86_64):</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""> uptime: 22 minutes, since Sep 02 22:08:00 2015</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""> malloc: sbrk 2433024, mmap 0, used 418432, free 2014592</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 242</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""> loaded plugins: charon addrblock aes attr ccm cmac constraints ctr eap-identity gcm md4 openssl pkcs12 pkcs7 pkcs8 rc2 resolve test-vectors xcbc sha1 sha2 md5 pem pkcs1 random nonce x509 revocation hmac stroke kernel-netlink socket-default updown</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class="">Listening IP addresses:</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""> 192.168.1.162</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""> 10.1.13.1</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""> 192.168.3.1</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class="">Connections:</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""> Router3: %any...185.48.118.115 IKEv2</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""> Router3: local: [router] uses pre-shared key authentication</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""> Router3: remote: [serverside] uses pre-shared key authentication</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""> Router3: child: 10.1.13.0/24 === 10.1.0.0/16 TUNNEL</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""> passthrough: %any...%any IKEv2</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""> passthrough: local: uses public key authentication</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""> passthrough: remote: uses public key authentication</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""> passthrough: child: 10.1.13.0/24 === 10.1.13.0/24 PASS</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class="">Shunted Connections:</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""> passthrough: 10.1.13.0/24 === 10.1.13.0/24 PASS</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class="">Security Associations (1 up, 0 connecting):</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""> Router3[733]: ESTABLISHED 9 seconds ago, 192.168.1.162[router]…185.48.118.115[serverside]</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""> Router3[733]: IKEv2 SPIs: 05ffa0afc04432df_i* 5d4055a12121b030_r, pre-shared key reauthentication in 7 seconds</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""> Router3[733]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""> Router3{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: c9b05f98_i c1028cf3_o</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""> Router3{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 8 minutes</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""> Router3{1}: 10.1.13.0/24 === 10.1.0.0/16 </div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""><br class=""></div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""><br class=""></div><div style="margin: 0px;" class="">If I compare that to the output from the test examples (<a href="https://www.strongswan.org/uml/testresults4/ikev2/shunt-policies/index.html" class="">https://www.strongswan.org/uml/testresults4/ikev2/shunt-policies/index.html</a> and <a href="https://www.strongswan.org/uml/testresults5/ikev2/shunt-policies-nat-rw/index.html" class="">https://www.strongswan.org/uml/testresults5/ikev2/shunt-policies-nat-rw/index.html</a>) they look nearly the same. But I actually cannot figure out why I cannot connect to 10.1.13.1</div><div style="margin: 0px;" class=""><br class=""></div><div style="margin: 0px;" class="">So is there a bug around or do I overlook something in my configuration. </div><div style="margin: 0px;" class=""><br class=""></div><div style="margin: 0px;" class="">Thanks in advance! </div><div style="margin: 0px;" class=""><br class=""></div><div style="margin: 0px;" class="">Kind regards</div><div style="margin: 0px;" class="">Christian </div><div class=""><br class=""></div></div></div></div></body></html>