[strongSwan] Routing between Tunnels

Ingmar Rosenhagen IRosenhagen at gmx.net
Wed Jul 6 03:10:31 CEST 2011 

Hi,

after solving my problem with connection an android-device to strongswan (--enable-nat-transport was needed) I'm running in some trouble getting my routing straight.
   
My network looks like this:

      
 strongswan-gw1
  192.168.178.3
       |
       |
192.168.178.0/24
   homerouter
       dynamic ip
       |
       |
     static ip------------dynamic-ip/NAT--mobile-client
   strongswan-gw2

I've set up the tunnels between strongswan-gw1<-->strongswang-gw2 and strongswan-gw2<-->mobile-client. But I can't figure out how to get routing working so that the mobile-client can access the home-network.

I've tried to work with virtual-ips an assign ips in the same range to the mobile-client and strongswan-gw1. But packets which are send from the mobile client are not reaching strongswan-gw1. I can see them arriving on strongswan-gw2. But there they are not send via the next tunnel, even with ip_forwarding enabled. 

I think I've made a major mistake somewhere, but I couldn't find examples for a situation likes this. Any hints are appreciated.

strongswan-gw1:

conn gw1-gw2
      left=192.168.178.3
      leftsubnet=192.168.178.0/24
      leftcert=gw1.pem
      leftsendcert=never
      leftsourceip=10.0.0.1
      right=88.77.66.55
      rightsubnet=10.0.0.0/24
      rightcert=gw2.pem
      keyexchange=ikev2
      type=tunnel
      auto=start

strongswan-gw2:
conn gw1-gw2
      left=88.77.66.55
      leftsubnet=10.0.0.0/24
      leftcert=gw2.pem
      leftsendcert=never
      right=dyndns.ip
      rightsubnet=192.168.178.0/24
      rightcert=gw1.pem
      keyexchange=ikev2
      type=tunnel
      auto=add

conn rw
     left=88.77.66.55
     leftsubnet=192.168.178.0/24
     leftcert=gw2.pem
     leftsendcert=never
     right=%any
     rightcert=rw.pem
     rightsourceip=%config
     keyexchange=ikev2
     auto=add

mobile-client:
conn rw
      left=%defaultroute
      leftcert=rw.pem
      leftsendcert=never
      leftsourceip=10.0.0.2
      right=88.77.66.55
      rightsubnet=192.168.178.0/24
      rightcert=wiederkaeuer.pem
      keyexchange=ikev2
      auto=add

-- 
Empfehlen Sie GMX DSL Ihren Freunden und Bekannten und wir
belohnen Sie mit bis zu 50,- Euro! https://freundschaftswerbung.gmx.de

More information about the Users mailing list