[strongSwan] strongswan subnet routing
Andris Lismanis
andris at lismanis.co.uk
Thu Nov  4 22:50:29 CET 2010

Hi Andreas
Thanks for your reply. Here are the details below:
Diagram:
rw----router1----internet----router2----server----subnet----hosts
rw - a virtual machine with IP of 10.0.2.15 running strongswan on Ubuntu 10.10
router1 - simple home adsl router with no inbound ports open
router2 - simple home adsl router with inbound ports 500 and 4500 (both UDP) open to server (192.168.1.3). Router had static public IP and static internal IP.
server - physical machine with one network card with ip of 192.168.1.3
hosts - other machines connected to router2 via 192.168.1.0/24 subnet
ipsec.conf - server
config setup
        plutodebug=control
        charonstart=no
        nat_traversal=yes
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret
conn net-net
        left=192.168.1.3
        leftsubnet=192.168.1.0/24
        leftnexthop=192.168.1.1
        leftfirewall=yes
        leftid=@server
        right=%any
        rightsubnetwithin=10.0.2.0/24
        rightid=@rw
        auto=add
ipsec.conf - rw
config setup
        plutodebug=control
        charonstart=no
        nat_traversal=yes
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret
conn net-net
        left=10.0.2.15
        leftsubnet=10.0.2.0/24
        leftfirewall=yes
        leftid=@rw
        right=62.123.123.123  # public IP of router2
        rightsubnetwithin=192.168.1.0/24
        rightid=@server
        auto=start
As I mentioned initially, I have successfully established the tunnel and can ping both ways - rw to server and vice versa.
Andris
-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org] 
Sent: 04 November 2010 21:18
To: Andris Lismanis
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] strongswan subnet routing
Hello Andris,
a network diagram and the ipsec.conf files on both sides would help!
Regards
Andreas
On 11/04/2010 06:23 PM, Andris Lismanis wrote:
> Hi,
>
> I have managed to set up a tunnel between two hosts which are behind 
> firewalls (adsl routers). E.g. rw--adsl---internet---adsl--server 
> (with one eth)----subnet. The problem is that I can ping and access 
> the 'server' but cannot access any other hosts in the subnet. I have 
> enabled ip forwarding in sysctl but with no luck. I can also see host 
> addresses appearing in ARP cache when I try to ping other hosts from rw.
>
> Is there an option that I have not enabled? Do I need to use iptables 
> to forward the packets forward and backward?
>
> Any help would be appreciated.
>
> Thanks,
>
> Andris Lismanis
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
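The ARP entries Andris mentions show the forward path reaching the LAN hosts after decapsulation on the server; the check a practitioner would want next in this single-NIC topology is where a LAN host sends its reply to 10.0.2.15. The following is an added example, not from the thread or from strongSwan: a toy longest-prefix-match lookup over constructed routing tables (the host 192.168.1.10 and the route for 10.0.2.0/24 via 192.168.1.3 are assumptions) that traces a ping from rw to a host and the host's reply, with and without such a route.

```python
import ipaddress

# Constructed values mirroring the thread's diagram (assumptions, not from the page).
GATEWAY = "192.168.1.3"      # server: the only LAN device holding the IPsec policy
ROUTER2 = "192.168.1.1"      # LAN default gateway, which has no IPsec policy
RW_SUBNET = "10.0.2.0/24"
RW_HOST = "10.0.2.15"
LAN_HOST = "192.168.1.10"    # assumed host in 192.168.1.0/24

def next_hop(routes, dst):
    """Longest-prefix-match lookup over (prefix, via) pairs.
    via=None means on-link, so the next hop is the destination itself (ARP)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    if best is None:
        return None
    return best[1] if best[1] is not None else str(dst)

# Constructed routing tables for the server and for a LAN host.
SERVER_ROUTES = [("192.168.1.0/24", None), ("0.0.0.0/0", ROUTER2)]
HOST_DEFAULT_ONLY = [("192.168.1.0/24", None), ("0.0.0.0/0", ROUTER2)]
HOST_WITH_TUNNEL_ROUTE = HOST_DEFAULT_ONLY + [(RW_SUBNET, GATEWAY)]

def trace_ping(host_routes, host=LAN_HOST, rw=RW_HOST):
    """Trace one ICMP echo from rw to a LAN host and the host's reply.
    The forward leg is decided on the server after IPsec decapsulation;
    the reply only re-enters the tunnel if the host hands it to GATEWAY."""
    forward = next_hop(SERVER_ROUTES, host)   # on-link -> ARP for the host
    back = next_hop(host_routes, rw)
    return {
        "forward_next_hop": forward,
        "reply_next_hop": back,
        "reply_enters_tunnel": back == GATEWAY,
    }

def reply_reaches_gateway(host_routes):
    """True when a LAN host's reply to rw is routed to the IPsec gateway."""
    return trace_ping(host_routes)["reply_enters_tunnel"]

if __name__ == "__main__":
    for name, table in (("default only", HOST_DEFAULT_ONLY),
                        ("with route via gateway", HOST_WITH_TUNNEL_ROUTE)):
        print(name, trace_ping(table))
```

If the reply's next hop is router2 rather than 192.168.1.3, the host (or router2) has no route for 10.0.2.0/24 via the server, so the reply never reaches the node that can encapsulate it.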