[strongSwan] Strongswan 4.5.1 sqlite database passthrough
CETIAD - Fabrice Barconnière
fabrice.barconniere at ac-dijon.fr
Thu Jun 23 16:58:43 CEST 2011
Hello,
I've established tunnels between 2 gateways.
Gateway A has these subnets behind it: 10.0.0.0/8, 192.168.0.0/16,
172.16.0.0/12
Gateway B has these subnets behind it: 10.21.11.0/24, 172.16.0.0/24,
10.121.11.0/24
Each gateway B subnet must reach all of gateway A's subnets.
As you can see, some gateway B subnet addresses are included in gateway A's
subnets.
If all tunnels are up, a station on the 10.21.11.0/24 subnet can't ping
gateway B's interface (10.21.11.1).
Security Associations:
sphynx test ARV-amon test ARV[3]: ESTABLISHED 36 minutes ago,
192.168.10.10[C=fr, O=gouv, OU=education, OU=ac-dijon,
CN=0210066H-15]...192.168.10.5[C=fr, O=gouv, OU=education, OU=ac-dijon,
CN=AGRIATES-DIJON-10]
admin-reseau172{27}: INSTALLED, TUNNEL, ESP SPIs: c049306f_i c98a1913_o
admin-reseau172{27}: 10.21.11.0/24 === 172.16.0.0/12
pedago-reseau192{28}: INSTALLED, TUNNEL, ESP SPIs: cbdea841_i ca1a83c7_o
pedago-reseau192{28}: 172.16.0.0/24 === 192.168.0.0/16
dmz-reseau10{22}: INSTALLED, TUNNEL, ESP SPIs: c0a9d3f7_i c0f935f6_o
dmz-reseau10{22}: 10.121.11.0/24 === 10.0.0.0/8
pedago-reseau10{29}: INSTALLED, TUNNEL, ESP SPIs: c1ff691f_i ca05cc51_o
pedago-reseau10{29}: 172.16.0.0/24 === 10.0.0.0/8
dmz-reseau192{21}: INSTALLED, TUNNEL, ESP SPIs: c06446da_i c1759a05_o
dmz-reseau192{21}: 10.121.11.0/24 === 192.168.0.0/16
dmz-reseau172{23}: INSTALLED, TUNNEL, ESP SPIs: cc32c507_i c32a0db0_o
dmz-reseau172{23}: 10.121.11.0/24 === 172.16.0.0/12
admin-reseau192{25}: INSTALLED, TUNNEL, ESP SPIs: cf791d67_i ca4fe64e_o
admin-reseau192{25}: 10.21.11.0/24 === 192.168.0.0/16
admin-reseau10{26}: INSTALLED, TUNNEL, ESP SPIs: c35751dd_i c99ff1c8_o
admin-reseau10{26}: 10.21.11.0/24 === 10.0.0.0/8
pedago-reseau172{30}: INSTALLED, TUNNEL, ESP SPIs: c7c5c075_i cf9f62a0_o
pedago-reseau172{30}: 172.16.0.0/24 === 172.16.0.0/12
If I set the admin-reseau10{26} tunnel down, the station can ping 10.21.11.1.
I've configured exceptions like this:
#!/usr/sbin/setkey -f
# execute the operations given below up to EOF
spdadd 192.168.10.0/25 192.168.10.0/25 any -P in none;
spdadd 192.168.10.0/25 192.168.10.0/25 any -P out none;
spdadd 192.168.10.0/25 192.168.10.0/25 any -P fwd none;
spdadd 192.168.10.0/25 10.21.11.0/24 any -P in none;
spdadd 192.168.10.0/25 10.21.11.0/24 any -P out none;
spdadd 192.168.10.0/25 10.21.11.0/24 any -P fwd none;
spdadd 192.168.10.0/25 172.16.0.0/24 any -P in none;
spdadd 192.168.10.0/25 172.16.0.0/24 any -P out none;
spdadd 192.168.10.0/25 172.16.0.0/24 any -P fwd none;
spdadd 192.168.10.0/25 10.121.11.0/24 any -P in none;
spdadd 192.168.10.0/25 10.121.11.0/24 any -P out none;
spdadd 192.168.10.0/25 10.121.11.0/24 any -P fwd none;
spdadd 10.21.11.0/24 192.168.10.0/25 any -P in none;
spdadd 10.21.11.0/24 192.168.10.0/25 any -P out none;
spdadd 10.21.11.0/24 192.168.10.0/25 any -P fwd none;
spdadd 10.21.11.0/24 10.21.11.0/24 any -P in none;
spdadd 10.21.11.0/24 10.21.11.0/24 any -P out none;
spdadd 10.21.11.0/24 10.21.11.0/24 any -P fwd none;
spdadd 10.21.11.0/24 172.16.0.0/24 any -P in none;
spdadd 10.21.11.0/24 172.16.0.0/24 any -P out none;
spdadd 10.21.11.0/24 172.16.0.0/24 any -P fwd none;
spdadd 10.21.11.0/24 10.121.11.0/24 any -P in none;
spdadd 10.21.11.0/24 10.121.11.0/24 any -P out none;
spdadd 10.21.11.0/24 10.121.11.0/24 any -P fwd none;
spdadd 172.16.0.0/24 192.168.10.0/25 any -P in none;
spdadd 172.16.0.0/24 192.168.10.0/25 any -P out none;
spdadd 172.16.0.0/24 192.168.10.0/25 any -P fwd none;
spdadd 172.16.0.0/24 10.21.11.0/24 any -P in none;
spdadd 172.16.0.0/24 10.21.11.0/24 any -P out none;
spdadd 172.16.0.0/24 10.21.11.0/24 any -P fwd none;
spdadd 172.16.0.0/24 172.16.0.0/24 any -P in none;
spdadd 172.16.0.0/24 172.16.0.0/24 any -P out none;
spdadd 172.16.0.0/24 172.16.0.0/24 any -P fwd none;
spdadd 172.16.0.0/24 10.121.11.0/24 any -P in none;
spdadd 172.16.0.0/24 10.121.11.0/24 any -P out none;
spdadd 172.16.0.0/24 10.121.11.0/24 any -P fwd none;
spdadd 10.121.11.0/24 192.168.10.0/25 any -P in none;
spdadd 10.121.11.0/24 192.168.10.0/25 any -P out none;
spdadd 10.121.11.0/24 192.168.10.0/25 any -P fwd none;
spdadd 10.121.11.0/24 10.21.11.0/24 any -P in none;
spdadd 10.121.11.0/24 10.21.11.0/24 any -P out none;
spdadd 10.121.11.0/24 10.21.11.0/24 any -P fwd none;
spdadd 10.121.11.0/24 172.16.0.0/24 any -P in none;
spdadd 10.121.11.0/24 172.16.0.0/24 any -P out none;
spdadd 10.121.11.0/24 172.16.0.0/24 any -P fwd none;
spdadd 10.121.11.0/24 10.121.11.0/24 any -P in none;
spdadd 10.121.11.0/24 10.121.11.0/24 any -P out none;
spdadd 10.121.11.0/24 10.121.11.0/24 any -P fwd none;
It doesn't work any better, even with a high priority.
Is there another solution or syntax?
Thanks
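The situation described in this post, as an added example that is not part of the original message or of strongSwan: the tunnel selectors from the status listing and the local networks from the setkey script are used to show which tunnel policy captures the station's ping to 10.21.11.1, which local subnets are shadowed by a remote selector, and how the same bypass could be expressed as charon shunt connections (type=passthrough with auto=route). The connection names in the rendered configuration are invented here.

```python
import ipaddress

# Traffic selectors of gateway B's nine tunnels, copied from the status
# listing in the post: (connection name, local subnet, remote subnet).
TUNNELS = [
    ("admin-reseau172", "10.21.11.0/24", "172.16.0.0/12"),
    ("pedago-reseau192", "172.16.0.0/24", "192.168.0.0/16"),
    ("dmz-reseau10", "10.121.11.0/24", "10.0.0.0/8"),
    ("pedago-reseau10", "172.16.0.0/24", "10.0.0.0/8"),
    ("dmz-reseau192", "10.121.11.0/24", "192.168.0.0/16"),
    ("dmz-reseau172", "10.121.11.0/24", "172.16.0.0/12"),
    ("admin-reseau192", "10.21.11.0/24", "192.168.0.0/16"),
    ("admin-reseau10", "10.21.11.0/24", "10.0.0.0/8"),
    ("pedago-reseau172", "172.16.0.0/24", "172.16.0.0/12"),
]
# Networks on gateway B's side, as listed in the poster's setkey script.
LOCAL_SUBNETS = ["192.168.10.0/25", "10.21.11.0/24",
                 "172.16.0.0/24", "10.121.11.0/24"]


def capturing_tunnels(src, dst, tunnels=TUNNELS):
    """Names of tunnels whose outbound policy (local TS -> remote TS) matches
    a src->dst flow. A non-empty list for a flow that should stay local means
    the kernel hands the packet to ESP instead of delivering it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [name for name, loc, rem in tunnels
            if s in ipaddress.ip_network(loc) and d in ipaddress.ip_network(rem)]


def shadowed_local_subnets(local=LOCAL_SUBNETS, tunnels=TUNNELS):
    """Local subnets that some remote selector overlaps: local-to-local
    traffic involving them is at risk of being swallowed by a tunnel."""
    return sorted({loc for loc in local for _, _, rem in tunnels
                   if ipaddress.ip_network(loc).overlaps(ipaddress.ip_network(rem))})


def passthrough_conf(local=LOCAL_SUBNETS):
    """Render ipsec.conf shunt connections (type=passthrough, auto=route) for
    every ordered pair of local subnets, so charon installs the bypass
    policies itself. Connection names are invented for this example."""
    out = []
    for i, a in enumerate(local):
        for j, b in enumerate(local):
            out += [f"conn pass{i}{j}", f"\tleftsubnet={a}", f"\trightsubnet={b}",
                    "\ttype=passthrough", "\tauto=route", ""]
    return "\n".join(out)


if __name__ == "__main__":
    print(capturing_tunnels("10.21.11.50", "10.21.11.1"), passthrough_conf())
```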