[strongSwan] Strongswan 4.5.1 sqlite database passthrough

CETIAD - Fabrice Barconnière fabrice.barconniere at ac-dijon.fr
Fri Jun 24 16:00:27 CEST 2011


Hi,

On 24/06/2011 11:00, Martin Willi wrote:
> Hi,
>
>> Each gateway B subnets must reach all of gateway A subnets.
> Using IKEv2, you can simplify all-to-all subnets and use just a single
> connection:
>
>     leftsubnet=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
>     rightsubnet=10.21.11.0/24,172.16.0.0/24,10.121.11.0/24
>
I use strongSwan 4.5.1 with an SQLite database.
Is it possible to do that with the traffic_selectors and peer_configs tables?
>> As you can see, some gateway B subnets address are included in gateway
>> A subnets.
>
> Unfortunately, we currently don't support IP ranges.
In the traffic_selectors table, the fields to be filled are start_address and
end_address, but do you mean they must be the network and broadcast addresses?
> Splitting this configuration into the correct subnets should be possible, but would require some dozen subnets.
Yes, it's a possibility. I hope it is not the only one.
>> It doesn't work better even with high priority.
> Please keep in mind that lower priority numbers actually have a higher
> priority. Have you tried a low priority number (1)?
I have tried with spdadd ..... prio high + 1, low + 1, high - 1, low - 1.
I have also tried with ip xfrm policy add src 10.21.11.0/24 dst
10.21.11.0/24 priority 1 and 0 dir in (out and fwd).

ip xfrm policy returns:
src 10.21.11.0/24 dst 10.21.11.0/24
     dir fwd priority 0
src 10.21.11.0/24 dst 10.21.11.0/24
     dir out priority 0
src 10.21.11.0/24 dst 10.21.11.0/24
     dir in priority 0
......
......
src 10.0.0.0/8 dst 10.21.11.0/24
     dir fwd priority 1923
     tmpl src 192.168.10.5 dst 192.168.10.10
         proto esp reqid 6 mode tunnel
src 10.0.0.0/8 dst 10.21.11.0/24
     dir in priority 1923
     tmpl src 192.168.10.5 dst 192.168.10.10
         proto esp reqid 6 mode tunnel
src 10.21.11.0/24 dst 10.0.0.0/8
     dir out priority 1923
     tmpl src 192.168.10.10 dst 192.168.10.5
         proto esp reqid 6 mode tunnel

ip route list table 220 returns:
192.168.0.0/16 via 192.168.10.5 dev eth0  proto static  src 10.121.11.1
172.16.0.0/12 via 192.168.10.5 dev eth0  proto static  src 10.121.11.1
10.0.0.0/8 via 192.168.10.5 dev eth0  proto static  src 10.121.11.1

After ip route del table 220 10.0.0.0/8 via 192.168.10.5, ping on
10.21.11.1 is possible from a station 10.21.11.5, but it's not the solution.
How can we have a route exception?
> Regards
> Martin
>
Best regards
Fabrice
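An added helper, not part of the thread, that parses the ip xfrm policy dump quoted above and reports which policy a given packet would match (lower priority number wins, as Martin notes), plus the network/broadcast pair the message asks about for a subnet. The sample dump is reconstructed from the message; only src/dst/dir/priority/tmpl fields are parsed, and ties at equal priority are resolved by dump order, which is a simplification.

```python
import ipaddress
import re

# Constructed from the `ip xfrm policy` output quoted in the message above.
XFRM_POLICY_DUMP = """\
src 10.21.11.0/24 dst 10.21.11.0/24
    dir fwd priority 0
src 10.21.11.0/24 dst 10.21.11.0/24
    dir out priority 0
src 10.21.11.0/24 dst 10.21.11.0/24
    dir in priority 0
src 10.0.0.0/8 dst 10.21.11.0/24
    dir fwd priority 1923
    tmpl src 192.168.10.5 dst 192.168.10.10
        proto esp reqid 6 mode tunnel
src 10.0.0.0/8 dst 10.21.11.0/24
    dir in priority 1923
    tmpl src 192.168.10.5 dst 192.168.10.10
        proto esp reqid 6 mode tunnel
src 10.21.11.0/24 dst 10.0.0.0/8
    dir out priority 1923
    tmpl src 192.168.10.10 dst 192.168.10.5
        proto esp reqid 6 mode tunnel
"""

def parse_xfrm_policies(dump):
    """Turn the dump into a list of dicts: src, dst, dir, priority, tmpl (None = bypass)."""
    policies, cur = [], None
    for line in dump.splitlines():
        line = line.strip()
        if m := re.match(r"src (\S+) dst (\S+)$", line):
            cur = {"src": ipaddress.ip_network(m[1]), "dst": ipaddress.ip_network(m[2]), "tmpl": None}
            policies.append(cur)
        elif m := re.match(r"dir (\w+) priority (\d+)", line):
            cur["dir"], cur["priority"] = m[1], int(m[2])
        elif m := re.match(r"tmpl src (\S+) dst (\S+)", line):
            cur["tmpl"] = (m[1], m[2])  # tunnel endpoints for an ESP policy
    return policies

def select_policy(policies, src_ip, dst_ip, direction):
    """Policy a src->dst packet matches in `direction`; lowest priority number wins (min keeps dump order on ties)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    matches = [p for p in policies if p["dir"] == direction and src in p["src"] and dst in p["dst"]]
    return min(matches, key=lambda p: p["priority"]) if matches else None

def selector_range(cidr):
    """Network and broadcast address of a subnet, i.e. the start/end pair a range-style selector needs."""
    net = ipaddress.ip_network(cidr)
    return str(net.network_address), str(net.broadcast_address)
```

For 10.21.11.5 to 10.21.11.1 the lookup already picks the priority 0 bypass entry over the 10.0.0.0/8 tunnel policy, which is consistent with the route in table 220, a separate lookup, being what still diverts that traffic.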