[strongSwan] routing all traffic through tunnel without local one
Matthias Dahl
ml-strongswan at binary-island.eu
Sun Mar 7 16:00:59 CET 2010
Hello everyone.
I have the following setup: I have a strongSwan server on a public ip which
has no local subnet behind it. Now if I connect to it with strongSwan from my
local machine which is on a local network behind a router, I can connect to
it, ping it and use the services of my server just fine.
The problem: I want to route all my internet traffic through the server and
the local traffic should stay on the local net.
No matter what I do, I cannot get this to work. If I use the config at the end
of this mail, I end up with those policies on the client:
src 0.0.0.0/0 dst SERVER_IP/32
        dir fwd priority 2000
        tmpl src SERVER_IP dst 192.168.2.132
                proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 172.31.25.1/32
        dir in priority 2000
        tmpl src SERVER_IP dst 192.168.2.132
                proto esp reqid 1 mode tunnel
src 172.31.25.1/32 dst 0.0.0.0/0
        dir out priority 1680
        tmpl src 192.168.2.132 dst SERVER_IP
                proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0
Now _all_ traffic is routed through the tunnel, no matter if it is for the
local network or not. If I comment the appropriate LEFT|RIGHTSUBNET=0.0...
lines, I get the following policies:
src SERVER_IP/32 dst 172.31.25.1/32
        dir fwd priority 1680
        tmpl src SERVER_IP dst 192.168.2.132
                proto esp reqid 1 mode tunnel
src SERVER_IP/32 dst 172.31.25.1/32
        dir in priority 1680
        tmpl src SERVER_IP dst 192.168.2.132
                proto esp reqid 1 mode tunnel
src 172.31.25.1/32 dst SERVER_IP/32
        dir out priority 1680
        tmpl src 192.168.2.132 dst SERVER_IP
                proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0
I tried almost everything so far but I cannot come up with a working solution.
By the way, table 220 is always empty on the client side.
I am using strongswan 4.3.6 on kernel 2.6.32.8 (server and client).
I would really appreciate any help or hints what else I could do to fix this.
Thanks a lot in advance for taking the care.
Best regards
matthias
Configuration: SERVER)

config setup
        nat_traversal=yes
        charonstart=yes
        plutostart=no

ca "XXX CA"
        cacert=ca.cert.der
        auto=add

conn "XXX"
        left=%defaultroute
        leftcert=XXX
        leftsendcert=never
        leftsubnet=0.0.0.0/0
        right=%any
        rightsourceip=172.31.25.0/24
        rightcert=XXX
        installpolicy=yes
        keyexchange=ikev2
        mobike=yes
        auto=add
Configuration: CLIENT)

config setup
        nat_traversal=yes
        charonstart=yes
        plutostart=no

ca "XXX CA"
        cacert=ca.cert.der
        auto=add

conn "XXX"
        left=%defaultroute
        leftsourceip=%config
        rightsubnet=0.0.0.0/0
        leftcert=XXX
        right=XXX
        rightcert=XXX
        installpolicy=yes
        keyexchange=ikev2
        mobike=yes
        auto=add
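The policy dumps above are `ip xfrm policy` output, and the kernel's rule for them is simple: among the policies of the packet's direction whose selectors cover both addresses, the one with the lowest priority value wins, and a policy with an ESP template sends the packet into the tunnel. The following is an added example (not code from the post, and not strongSwan's own code) that parses the client's first dump and replays that lookup, so one can see why a 0.0.0.0/0 selector swallows LAN traffic and why a more specific plaintext policy for the LAN (what strongSwan installs for a conn with `type=passthrough`) would take precedence. Assumptions: `203.0.113.10` stands in for the redacted SERVER_IP, the `LAN_PASSTHROUGH` policy and its priority value 1000 are hypothetical, the repeated socket policies are collapsed to one pair, and ties are resolved by dump order rather than by the kernel's insertion order.

```python
"""Replay Linux xfrm policy lookup over an `ip xfrm policy` dump (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Placeholder for the address the post redacts as SERVER_IP (documentation range).
SERVER_IP = "203.0.113.10"

# Constructed sample: the first client-side dump from the post, with the
# dir 3/4 socket policies (charon's IKE socket bypasses) reduced to one pair.
CLIENT_DUMP = f"""\
src 0.0.0.0/0 dst {SERVER_IP}/32
    dir fwd priority 2000
    tmpl src {SERVER_IP} dst 192.168.2.132
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 172.31.25.1/32
    dir in priority 2000
    tmpl src {SERVER_IP} dst 192.168.2.132
        proto esp reqid 1 mode tunnel
src 172.31.25.1/32 dst 0.0.0.0/0
    dir out priority 1680
    tmpl src 192.168.2.132 dst {SERVER_IP}
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 4 priority 0
"""

# Hypothetical policy (not from the post): a plaintext passthrough for the LAN.
# It has no ESP template; the priority value 1000 is an assumption chosen only
# so that it outranks the 0.0.0.0/0 tunnel policy (lower value wins in xfrm).
LAN_PASSTHROUGH = """\
src 172.31.25.1/32 dst 192.168.2.0/24
    dir out priority 1000
"""


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str                     # "in", "out", "fwd"; a number for socket policies
    priority: int
    tmpl: Optional[tuple] = None       # (outer src, outer dst) of the ESP template


_SEL = re.compile(r"^src (\S+) dst (\S+)$")
_DIR = re.compile(r"^dir (\S+) priority (\d+)$")
_TMPL = re.compile(r"^tmpl src (\S+) dst (\S+)$")


def parse_policies(dump: str) -> list:
    """Parse the indented `ip xfrm policy` format into Policy records."""
    policies = []
    for raw in dump.splitlines():
        line = raw.strip()
        if m := _SEL.match(line):          # a selector line opens a new policy
            policies.append(Policy(ipaddress.ip_network(m[1]),
                                   ipaddress.ip_network(m[2]), "", 0))
        elif m := _DIR.match(line):        # direction and priority of that policy
            policies[-1].direction, policies[-1].priority = m[1], int(m[2])
        elif m := _TMPL.match(line):       # ESP template: traffic goes into a tunnel
            policies[-1].tmpl = (m[1], m[2])
        # "proto esp reqid ... mode tunnel" carries nothing the lookup needs
    return policies


def lookup(policies, direction: str, src: str, dst: str) -> Optional[Policy]:
    """Pick the policy governing a packet the way xfrm does: same direction,
    selectors covering both addresses, lowest priority value wins. Socket
    policies (numeric dir) bind to a single socket and are never candidates.
    Ties go to the earlier policy in the dump (an assumption; the kernel
    orders equal priorities by its own insertion logic)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    candidates = [p for p in policies
                  if p.direction == direction and s in p.src and d in p.dst]
    return min(candidates, key=lambda p: p.priority, default=None)


def describe(policies, direction: str, src: str, dst: str) -> str:
    """'plaintext' when no policy or a template-less policy matches, else the
    outer ESP endpoints the packet would be tunnelled between."""
    p = lookup(policies, direction, src, dst)
    if p is None or p.tmpl is None:
        return "plaintext"
    return f"esp tunnel {p.tmpl[0]} -> {p.tmpl[1]}"


if __name__ == "__main__":
    for label, dump in (("as posted", CLIENT_DUMP),
                        ("with LAN passthrough", CLIENT_DUMP + LAN_PASSTHROUGH)):
        pols = parse_policies(dump)
        print(label)
        for dst in ("192.168.2.1", "198.51.100.7"):   # LAN host, Internet host
            print(f"  out 172.31.25.1 -> {dst}: {describe(pols, 'out', '172.31.25.1', dst)}")
```

Running it shows the LAN destination and the Internet destination both matching the 0.0.0.0/0 out policy in the posted dump, and the LAN destination dropping to plaintext once the more specific passthrough policy is present. The same lookup also shows that a packet sourced from the interface address 192.168.2.132 rather than the virtual IP matches no out policy at all, which is why the contents of routing table 220 matter for which source address local traffic gets.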