[strongSwan] net-to-net with one gateway behind NAT
Alexis Salinas
alexis.salinas at inmotiontechnology.com
Tue Nov 16 21:19:38 CET 2010
Hello Martin,
Sorry it took me so long to set this up. Here is the output with the patch. I think it makes sense, but it is no longer giving me the error. It may have had something to do with the fact that I loaded the patch in the newest version of strongSwan (4.5.0); maybe I should try again with the older version and see what is different:
01[KNL] getting a local address in traffic selector 0.0.0.0/0
01[KNL] using host %any
01[KNL] getting address to reach 174.90.237.73
01[KNL] getting interface name for 192.168.21.100
01[KNL] 192.168.21.100 is on interface eth0
01[KNL] installing route: 172.22.0.0/28 via 192.168.21.20 src %any dev eth0
01[KNL] getting iface index for eth0
01[KNL] getting interface name for 192.168.21.100
01[KNL] 192.168.21.100 is on interface eth0
01[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
01[NET] sending packet: from 192.168.21.100[4500] to 174.90.237.73[4500]
04[KNL] received a XFRM_MSG_MAPPING
Also, I can see table 220 created:
# ip route show table 220
172.22.0.0/28 via 192.168.21.20 dev eth0 proto static
# ip rule
0: from all lookup local
220: from all lookup 220
220: from all lookup 220
32766: from all lookup main
32767: from all lookup default
Cheers,
Alexis
-----Original Message-----
From: Martin Willi [mailto:martin at strongswan.org]
Sent: November-11-10 1:04 AM
To: Alexis Salinas
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] net-to-net with one gateway behind NAT
Hi Alexis,
> getting a local address in traffic selector 0.0.0.0/0
> using host %any
> getting address to reach 174.90.242.85
> getting interface name for 192.168.21.100
> 192.168.21.100 is on interface eth0
> getting iface index for eth0
> received netlink error: No such process (3)
> unable to install source route for %any
Yes, I have seen this error once. But I was unable to reproduce or fix it. The daemon tries to install a source route for this policy, like:
ip route add 172.22.0.0/28 via GATEWAY src 192.168.21.100 dev eth0
But the kernel does not like that route. Maybe the gateway lookup does not work correctly on your setup, hard to say.
Please apply the attached patch. It shows the complete route the daemon tries to install. Does that route make sense for your setup?
Regards
Martin
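
Added example, not part of the original thread and not strongSwan code: a small Python check that compares the "installing route" lines the patched daemon logs with the contents of table 220, and flags rule lines that appear more than once in the `ip rule` output. The sample input is constructed from the output quoted in this thread; the function names and the assumption that every route has a "via" gateway are this example's own.

```python
import re
from collections import Counter

# Constructed sample input, copied from the output quoted in this thread.
CHARON_LOG = """\
01[KNL] getting address to reach 174.90.237.73
01[KNL] installing route: 172.22.0.0/28 via 192.168.21.20 src %any dev eth0
01[KNL] getting iface index for eth0
"""
TABLE_220 = "172.22.0.0/28 via 192.168.21.20 dev eth0 proto static\n"
IP_RULE = """\
0:\tfrom all lookup local
220:\tfrom all lookup 220
220:\tfrom all lookup 220
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""

# Log format as printed with the debug patch (assumed stable for this example).
LOG_RE = re.compile(r"installing route: (\S+) via (\S+) src (\S+) dev (\S+)")
ROUTE_RE = re.compile(r"^(\S+) via (\S+) dev (\S+)")

def logged_routes(log):
    """Routes the daemon reported installing: (dest, gateway, src, dev)."""
    return [m.groups() for m in map(LOG_RE.search, log.splitlines()) if m]

def table_routes(table):
    """(dest, gateway, dev) tuples present in an 'ip route show table' dump."""
    return {m.groups() for m in map(ROUTE_RE.match, table.splitlines()) if m}

def missing_routes(log, table):
    """Logged routes that do not appear in the table dump."""
    present = table_routes(table)
    return [r for r in logged_routes(log) if (r[0], r[1], r[3]) not in present]

def duplicate_rules(rules):
    """Rule lines (priority and selector) that are listed more than once."""
    lines = (" ".join(l.split()) for l in rules.splitlines() if l.strip())
    return [rule for rule, n in Counter(lines).items() if n > 1]

if __name__ == "__main__":
    print("missing routes:", missing_routes(CHARON_LOG, TABLE_220))
    print("duplicate rules:", duplicate_rules(IP_RULE))
```
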