[strongSwan] Strongswan 4.5.1 sqlite database passthrough

CETIAD - Fabrice Barconnière fabrice.barconniere at ac-dijon.fr
Fri Jun 24 10:24:10 CEST 2011


Hello,

I am posting the message again, as I wasn't on the users list.

I've established tunnels between 2 gateways.
Gateway A has these subnets behind it: 10.0.0.0/8, 192.168.0.0/16,
172.16.0.0/12
Gateway B has these subnets behind it: 10.21.11.0/24, 172.16.0.0/24,
10.121.11.0/24

Each gateway B subnet must reach all of gateway A's subnets.

As you can see, some gateway B subnet addresses are included in gateway A
subnets.

If all tunnels are up, a station on the 10.21.11.0/24 subnet can't ping
gateway B's interface (10.21.11.1).
Security Associations:
sphynx test ARV-amon test ARV[3]: ESTABLISHED 36 minutes ago, 
192.168.10.10[C=fr, O=gouv, OU=education, OU=ac-dijon, 
CN=0210066H-15]...192.168.10.5[C=fr, O=gouv, OU=education, OU=ac-dijon, 
CN=AGRIATES-DIJON-10]
admin-reseau172{27}:  INSTALLED, TUNNEL, ESP SPIs: c049306f_i c98a1913_o
admin-reseau172{27}:   10.21.11.0/24 === 172.16.0.0/12
pedago-reseau192{28}:  INSTALLED, TUNNEL, ESP SPIs: cbdea841_i ca1a83c7_o
pedago-reseau192{28}:   172.16.0.0/24 === 192.168.0.0/16
dmz-reseau10{22}:  INSTALLED, TUNNEL, ESP SPIs: c0a9d3f7_i c0f935f6_o
dmz-reseau10{22}:   10.121.11.0/24 === 10.0.0.0/8
pedago-reseau10{29}:  INSTALLED, TUNNEL, ESP SPIs: c1ff691f_i ca05cc51_o
pedago-reseau10{29}:   172.16.0.0/24 === 10.0.0.0/8
dmz-reseau192{21}:  INSTALLED, TUNNEL, ESP SPIs: c06446da_i c1759a05_o
dmz-reseau192{21}:   10.121.11.0/24 === 192.168.0.0/16
dmz-reseau172{23}:  INSTALLED, TUNNEL, ESP SPIs: cc32c507_i c32a0db0_o
dmz-reseau172{23}:   10.121.11.0/24 === 172.16.0.0/12
admin-reseau192{25}:  INSTALLED, TUNNEL, ESP SPIs: cf791d67_i ca4fe64e_o
admin-reseau192{25}:   10.21.11.0/24 === 192.168.0.0/16
admin-reseau10{26}:  INSTALLED, TUNNEL, ESP SPIs: c35751dd_i c99ff1c8_o
admin-reseau10{26}:   10.21.11.0/24 === 10.0.0.0/8
pedago-reseau172{30}:  INSTALLED, TUNNEL, ESP SPIs: c7c5c075_i cf9f62a0_o
pedago-reseau172{30}:   172.16.0.0/24 === 172.16.0.0/12

If I take down the admin-reseau10{26} tunnel, the station can ping 10.21.11.1.

I've configured exceptions like this:
#!/usr/sbin/setkey -f

# Execute the operations listed up to EOF.
# Passthrough ("none") SPD entries for every pair of gateway B's local
# networks (the gateway's own 192.168.10.0/25 link plus its three subnets),
# in all three directions (in, out, fwd), so that local traffic is not
# matched by the wider 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16
# tunnel policies.

# Traffic from the gateway's own network 192.168.10.0/25
spdadd 192.168.10.0/25 192.168.10.0/25 any -P in none;
spdadd 192.168.10.0/25 192.168.10.0/25 any -P out none;
spdadd 192.168.10.0/25 192.168.10.0/25 any -P fwd none;
spdadd 192.168.10.0/25 10.21.11.0/24 any -P in none;
spdadd 192.168.10.0/25 10.21.11.0/24 any -P out none;
spdadd 192.168.10.0/25 10.21.11.0/24 any -P fwd none;
spdadd 192.168.10.0/25 172.16.0.0/24 any -P in none;
spdadd 192.168.10.0/25 172.16.0.0/24 any -P out none;
spdadd 192.168.10.0/25 172.16.0.0/24 any -P fwd none;
spdadd 192.168.10.0/25 10.121.11.0/24 any -P in none;
spdadd 192.168.10.0/25 10.121.11.0/24 any -P out none;
spdadd 192.168.10.0/25 10.121.11.0/24 any -P fwd none;

# Traffic from the admin subnet 10.21.11.0/24
spdadd 10.21.11.0/24 192.168.10.0/25 any -P in none;
spdadd 10.21.11.0/24 192.168.10.0/25 any -P out none;
spdadd 10.21.11.0/24 192.168.10.0/25 any -P fwd none;
spdadd 10.21.11.0/24 10.21.11.0/24 any -P in none;
spdadd 10.21.11.0/24 10.21.11.0/24 any -P out none;
spdadd 10.21.11.0/24 10.21.11.0/24 any -P fwd none;
spdadd 10.21.11.0/24 172.16.0.0/24 any -P in none;
spdadd 10.21.11.0/24 172.16.0.0/24 any -P out none;
spdadd 10.21.11.0/24 172.16.0.0/24 any -P fwd none;
spdadd 10.21.11.0/24 10.121.11.0/24 any -P in none;
spdadd 10.21.11.0/24 10.121.11.0/24 any -P out none;
spdadd 10.21.11.0/24 10.121.11.0/24 any -P fwd none;

# Traffic from the pedago subnet 172.16.0.0/24
spdadd 172.16.0.0/24 192.168.10.0/25 any -P in none;
spdadd 172.16.0.0/24 192.168.10.0/25 any -P out none;
spdadd 172.16.0.0/24 192.168.10.0/25 any -P fwd none;
spdadd 172.16.0.0/24 10.21.11.0/24 any -P in none;
spdadd 172.16.0.0/24 10.21.11.0/24 any -P out none;
spdadd 172.16.0.0/24 10.21.11.0/24 any -P fwd none;
spdadd 172.16.0.0/24 172.16.0.0/24 any -P in none;
spdadd 172.16.0.0/24 172.16.0.0/24 any -P out none;
spdadd 172.16.0.0/24 172.16.0.0/24 any -P fwd none;
spdadd 172.16.0.0/24 10.121.11.0/24 any -P in none;
spdadd 172.16.0.0/24 10.121.11.0/24 any -P out none;
spdadd 172.16.0.0/24 10.121.11.0/24 any -P fwd none;

# Traffic from the dmz subnet 10.121.11.0/24
spdadd 10.121.11.0/24 192.168.10.0/25 any -P in none;
spdadd 10.121.11.0/24 192.168.10.0/25 any -P out none;
spdadd 10.121.11.0/24 192.168.10.0/25 any -P fwd none;
spdadd 10.121.11.0/24 10.21.11.0/24 any -P in none;
spdadd 10.121.11.0/24 10.21.11.0/24 any -P out none;
spdadd 10.121.11.0/24 10.21.11.0/24 any -P fwd none;
spdadd 10.121.11.0/24 172.16.0.0/24 any -P in none;
spdadd 10.121.11.0/24 172.16.0.0/24 any -P out none;
spdadd 10.121.11.0/24 172.16.0.0/24 any -P fwd none;
spdadd 10.121.11.0/24 10.121.11.0/24 any -P in none;
spdadd 10.121.11.0/24 10.121.11.0/24 any -P out none;
spdadd 10.121.11.0/24 10.121.11.0/24 any -P fwd none;

It doesn't work any better, even with a high priority.

Is there another solution or syntax?

Thanks

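The setkey script in the post installs passthrough (shunt) SPD entries by hand, outside of strongSwan. The following is an added example, not part of the original post and not a reply from the list, that expresses the same kind of exception in strongSwan's own ipsec.conf syntax, where charon installs the shunt policies itself next to its tunnel policies. Connection names are assumed; the subnets are the ones from the post, and only the two pairs needed for the reported symptom (station to gateway B within 10.21.11.0/24, and the gateway's own 192.168.10.0/25 link to that subnet) are shown, with the remaining pairs from the setkey script following the same pattern.

```ini
# Added example (not from the original post): strongSwan shunt policies
# on gateway B for traffic that must stay out of the tunnels.
# Connection names are assumed; subnets are those given in the post.
conn %default
        keyexchange=ikev2

# Traffic that stays inside 10.21.11.0/24 (e.g. a station pinging
# 10.21.11.1) must not be caught by the 10.21.11.0/24 === 10.0.0.0/8
# tunnel policy of admin-reseau10.  Same subnet on both sides covers
# the out, in and fwd directions with one connection.
conn pass-admin-local
        type=passthrough
        authby=never
        auto=route
        leftsubnet=10.21.11.0/24
        rightsubnet=10.21.11.0/24

# Gateway B's own link network talking to the admin subnet.  A second
# connection with the subnets swapped is needed for the reverse pairing.
conn pass-gw-to-admin
        type=passthrough
        authby=never
        auto=route
        leftsubnet=192.168.10.0/25
        rightsubnet=10.21.11.0/24

conn pass-admin-to-gw
        type=passthrough
        authby=never
        auto=route
        leftsubnet=10.21.11.0/24
        rightsubnet=192.168.10.0/25
```

After `ipsec reload` (or `ipsec update`), `ip xfrm policy` on gateway B lists every installed policy with its `priority`; in the Linux xfrm framework a lower number means higher precedence, so the check is that the 10.21.11.0/24 to 10.21.11.0/24 entry shows a lower priority value than the 10.21.11.0/24 to 10.0.0.0/8 entry of the tunnel. If it does not, the narrower shunt will never be consulted before the tunnel policy, regardless of how it was installed.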