<div dir="ltr">I finally got things done by using an <span style="font-size:12.8px">updown script and setting 'charon.install_routes=no' in strongswan.conf.</span><div><span style="font-size:12.8px">In addition, I found the farp plugin is still faking ARP replies for LAN IPs even if I set up a passthrough policy, so I had to disable farp in strongswan.d/charon/farp.conf<br></span><div><div><span style="font-size:12.8px"><br></span></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Sep 21, 2015 at 6:24 PM, Tom Rymes <span dir="ltr"><<a href="mailto:trymes@rymes.com" target="_blank">trymes@rymes.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><div></div><div>If nothing else, you can use the updown script to add these entries, I presume?</div><div><div class="h5"><div><br>On Sep 21, 2015, at 3:41 AM, Rajiv Kulkarni <<a href="mailto:rajivkulkarni69@gmail.com" target="_blank">rajivkulkarni69@gmail.com</a>> wrote:<br><br></div><blockquote type="cite"><div><div dir="ltr"><div><div>Hi<br></div>That's great. Yes, of course... addition and deletion/updating of new LAN networks in this strongSwan routing table 220 has to be done dynamically... I don't know how at this time<br><br></div>-rajiv<br><br><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Sep 21, 2015 at 9:18 AM, Rayson Zhu <span dir="ltr"><<a href="mailto:vfreex@gmail.com" target="_blank">vfreex@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Rajiv,<br><div><span style="color:rgb(51,51,51);font-family:arial;font-size:13px;line-height:20.02px">Thanks for your reply. I</span> tried your method and now my LAN is able to access the Internet. 
But dealing with routes manually is <span style="color:rgb(51,51,51);font-family:arial;font-size:13px;line-height:20.02px">troublesome when a gateway already has complex routing tables. I will use this workaround </span><font face="arial" color="#333333"><span style="line-height:20.02px">temporarily and</span></font><span style="color:rgb(51,51,51);font-family:arial;font-size:13px;line-height:20.02px"> continue to look for other solutions. </span></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Sep 20, 2015 at 11:39 PM, Rajiv Kulkarni <span dir="ltr"><<a href="mailto:rajivkulkarni69@gmail.com" target="_blank">rajivkulkarni69@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div>Hi<br><br></div>One workaround method I have been using in this scenario is to put the route you have added into table 220, the routing table referenced by strongSwan.<br></div>e.g.:<br><br>ip route add <a href="http://10.10.0.0/16" target="_blank">10.10.0.0/16</a> dev lan table 220<br><br></div>- I guess it should start working with the above route in table 220<br><div><div>- the route you have added (without table 220) is included in the main routing table, which is correct, but is not referenced by strongSwan<br></div><div>- this is an issue on a GW/peer, especially and only, when you have the policy "leftsubnet=your-lan" and "rightsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a>"<br><br></div><div>But then again, I am no expert in strongSwan... so please ask for advice and the correct solution from the strongSwan team itself<br><br></div><div>thanks<br></div><div>rajiv<br> <br></div><div><br><div class="gmail_extra"><br><div class="gmail_quote"><div><div>On Sun, Sep 20, 2015 at 8:08 PM, Rayson Zhu <span dir="ltr"><<a href="mailto:vfreex@gmail.com" target="_blank">vfreex@gmail.com</a>></span> wrote:<br></div></div><blockquote 
class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div><div dir="ltr"><p dir="ltr">Hello all,<br>The gateway of my local site has a site-to-site VPN to my remote site. I want to forward all traffic (including Internet traffic) from my local site to the remote site.</p><p>The ipsec.conf on the local gateway:</p><p>conn %default</p><p> left=%any</p><p> leftcert=<></p><p> leftid=<></p><p> leftauth=pubkey</p><p> keyexchange=ikev2</p><p>conn site-to-site</p><p> right=<remote_ip></p><p> rightid=<></p><p> rightauth=pubkey</p><p> leftsubnet=<a href="http://10.10.0.0/23" target="_blank">10.10.0.0/23</a></p><p> rightsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></p><p> auto=add</p><p><br></p><p>After establishing the IPsec connection, the gateway can access the Internet through the tunnel, but at the same time all hosts behind the gateway lose connectivity to the gateway. </p><p>That makes sense, because the config rule 'rightsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a>' tells IPsec to forward all traffic into the tunnel, including the traffic to the LAN. I added a passthrough policy like this:</p><p>conn bypasslan</p><p><span style="white-space:pre-wrap"> </span>leftsubnet=<a href="http://10.10.0.0/23" target="_blank">10.10.0.0/23</a></p><p> rightsubnet=<a href="http://10.10.0.0/23" target="_blank">10.10.0.0/23</a></p><p> type=passthrough<br></p><p><span style="white-space:pre-wrap"> </span>auto=route</p><p>But this policy does not work. Hosts in the LAN still cannot ping the gateway.</p><p>I decided to use traceroute to see what is going on. The result shows that the traffic to the LAN goes out the WAN interface without IPsec protection. I checked the routing table and everything looks normal. 
I tried adding a route rule 'ip route add <a href="http://10.10.0.0/16" target="_blank">10.10.0.0/16</a> dev lan' but this didn't work.</p><p>When I stop the IPsec tunnel, the connectivity between the LAN hosts and the gateway comes back.</p><p>I would very much appreciate it if you can help me solve this problem.</p><p><br></p><p>Thanks & Regards,</p><p>Rayson</p>
</div>
<br></div></div>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.strongswan.org" target="_blank">Users@lists.strongswan.org</a><br>
<a href="https://lists.strongswan.org/mailman/listinfo/users" rel="noreferrer" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br></blockquote></div><br></div></div></div></div>
</blockquote></div><br></div>
</blockquote></div><br></div></div>
</div></blockquote></div></div></div></blockquote></div><br></div>
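<p>Added example, not part of the thread and not strongSwan's own _updown script or the script the poster ended up with: a hypothetical leftupdown hook for the setup discussed above (leftsubnet=10.10.0.0/23, rightsubnet=0.0.0.0/0, charon.install_routes=no). With install_routes=no, charon no longer puts the 0.0.0.0/0 route into table 220 that was swallowing the gateway's LAN traffic, so the hook installs the routes itself and installs the LAN exception before the tunnel's default route. The LAN interface name "lan", the gateway's LAN address (LAN_SRC), the upstream next hop (WAN_GW) and the install path /usr/local/libexec/lan-bypass-updown.sh are assumptions, not values from the thread; PLUTO_VERB, PLUTO_PEER_CLIENT and PLUTO_INTERFACE are the variables charon's updown plugin exports to the script.</p>

```sh
#!/bin/sh
# Added example (not strongSwan's own _updown script, not the poster's script).
# Hypothetical leftupdown hook for: leftsubnet=10.10.0.0/23, rightsubnet=0.0.0.0/0,
# with "charon.install_routes = no" in strongswan.conf. Wire it up in ipsec.conf:
#   conn site-to-site
#       leftupdown=/usr/local/libexec/lan-bypass-updown.sh   (assumed path)
#
# charon's updown plugin exports PLUTO_VERB (up-client, down-client, ...),
# PLUTO_PEER_CLIENT (the remote traffic selector, "0.0.0.0/0" here) and
# PLUTO_INTERFACE (the interface facing the peer).

set -u

RT_TABLE="${RT_TABLE:-220}"        # strongSwan's routing table (charon.routing_table)
RT_PRIO="${RT_PRIO:-220}"          # its policy-rule priority (charon.routing_table_prio)
LAN_IF="${LAN_IF:-lan}"            # assumed LAN interface name
LAN_NET="${LAN_NET:-10.10.0.0/23}" # leftsubnet from the thread
LAN_SRC="${LAN_SRC:-10.10.0.1}"    # assumed gateway LAN address (source for the gateway's own traffic)
WAN_GW="${WAN_GW:-203.0.113.1}"    # assumed upstream next hop (documentation address)
IP="${IP:-ip}"                     # set IP=echo to print the commands instead of running them

# The "from all lookup 220" rule is normally already present; add it only if it is missing.
ensure_rule() {
    $IP rule show | grep -q "lookup $RT_TABLE" ||
        $IP rule add priority "$RT_PRIO" lookup "$RT_TABLE"
}

# up-client: LAN exception first, then the route charon would otherwise have installed.
route_up() {
    # 1. Traffic for the LAN stays on the LAN interface even when table 220 is consulted;
    #    this is what the 0.0.0.0/0 route installed by charon was overriding.
    $IP route replace "$LAN_NET" dev "$LAN_IF" table "$RT_TABLE"
    # 2. Remote traffic selector via the WAN next hop, with a LAN-side source address so
    #    packets the gateway itself originates fall inside leftsubnet and match the IPsec policy.
    $IP route replace "$PLUTO_PEER_CLIENT" via "$WAN_GW" dev "$PLUTO_INTERFACE" \
        src "$LAN_SRC" table "$RT_TABLE"
}

# down-client: remove both routes; ignore "not found" so a half-installed state is cleaned up too.
route_down() {
    $IP route del "$PLUTO_PEER_CLIENT" via "$WAN_GW" dev "$PLUTO_INTERFACE" table "$RT_TABLE" 2>/dev/null || true
    $IP route del "$LAN_NET" dev "$LAN_IF" table "$RT_TABLE" 2>/dev/null || true
}

# Dispatch on the verb charon passes; other verbs (up-host, down-host, ...) are ignored.
handle_verb() {
    case "${1:-}" in
        up-client)   ensure_rule; route_up ;;
        down-client) route_down ;;
        *)           return 0 ;;
    esac
}

handle_verb "${PLUTO_VERB:-}"
```

<p>Dry-run it before installing: <code>IP=echo PLUTO_VERB=up-client PLUTO_PEER_CLIENT=0.0.0.0/0 PLUTO_INTERFACE=eth0 sh lan-bypass-updown.sh</code> prints the three ip commands instead of executing them. The script only fixes routing; as noted at the top of the thread, the farp plugin answering ARP for LAN addresses is a separate problem and is handled by disabling it in strongswan.d/charon/farp.conf.</p>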