[strongSwan] Ping is not working after establishing a tunnel in strongswan

SaRaVanAn saravanan.nagarajan87 at gmail.com
Mon Apr 16 15:25:23 CEST 2012


Hi Tobias,
  Thanks for your nice reply. I'll get back to you with further doubts on this.

  Regards,
  Saravanan N

On Mon, Apr 16, 2012 at 2:50 PM, Tobias Brunner <tobias at strongswan.org> wrote:

> Hi Saravanan,
>
> > I have established a VPN tunnel between GW and VPN server using
> > Strongswan.
>
> Is the tunnel between those two hosts intended as host-host tunnel or as
> host-net tunnel?  What did you configure for left|rightsubnet?
>
> If your SPD entries are any indication it seems you configured
> rightsubnet=0.0.0.0/0 on GW.  That is, you end up with this outbound
> IPsec policy:
>
> > 50.1.1.239[any] 0.0.0.0/0[any] any
> >    out prio high + 1073739901 ipsec
> >    ...
>
> This means that any packet leaving the host with a source address of
> 50.1.1.239 will be sent into this tunnel.
> Now you'd assume that this won't apply for a ping sent from
> 172.31.114.230 to 172.31.114.231, but if you are using IKEv2 a source
> route is installed which will force 50.1.1.239 as source for any packets
> sent from GW (i.e. also for the ICMP replies).  This route is installed
> in routing table 220 by default (which is created with a priority of
> 220).  The table and/or priority can be changed with the
> charon.routing_table and charon.routing_table_prio strongswan.conf
> options, respectively (or with the respective ./configure arguments).
> To prevent the daemon from installing these routes altogether you can
> set charon.install_routes=no in strongswan.conf.
>
> Regards,
> Tobias
>
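The source-route effect Tobias describes, as an added example that is not code from the thread or from strongSwan: a POSIX sh helper that takes the contents of the routing table charon populates (table 220 by default) and reports which source address the kernel will force on packets to a given destination, so you can see whether an ICMP reply to 172.31.114.230 ends up sourced from 50.1.1.239 and therefore matched by the 0.0.0.0/0 outbound policy. The table contents, the function names and the gateway 172.31.114.1 are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): from the routes strongSwan installs in
# routing table 220, find the source address forced on packets to DST, i.e.
# whether they fall under the 0.0.0.0/0 outbound IPsec policy. On a live GW
# the input is "ip route show table 220"; "ip rule show" lists the lookup rule.

# Constructed sample of table 220 on GW, matching the thread's
# rightsubnet=0.0.0.0/0 with local address 50.1.1.239 as forced source.
TABLE_220='0.0.0.0/0 via 172.31.114.1 dev eth0 proto static src 50.1.1.239'
# dotted quad -> integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_prefix ADDR CIDR: succeed if ADDR lies inside CIDR
in_prefix() {
    net=${2%/*}
    pbits=${2#*/}
    [ "$pbits" -eq 0 ] && return 0
    mask=$(( (0xFFFFFFFF << (32 - pbits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# forced_src DST [TABLE]: print the src of the most specific route in TABLE
# covering DST; prints nothing if no covering route carries a src.
forced_src() {
    dst=$1
    table=${2:-$TABLE_220}
    best_bits=-1
    best_src=''
    while read -r prefix rest; do
        [ -z "$prefix" ] && continue
        [ "$prefix" = default ] && prefix=0.0.0.0/0
        case $prefix in */*) ;; *) prefix=$prefix/32 ;; esac
        in_prefix "$dst" "$prefix" || continue
        bits=${prefix#*/}
        [ "$bits" -gt "$best_bits" ] || continue
        src=''
        set -- $rest
        while [ $# -gt 1 ]; do [ "$1" = src ] && src=$2; shift; done
        best_bits=$bits; best_src=$src
    done <<EOF
$table
EOF
    printf '%s\n' "$best_src"
}
```

Running `forced_src 172.31.114.231` against the sample table prints 50.1.1.239, which is exactly the reply source that drags the LAN ping into the tunnel; a more specific route for 172.31.114.0/24 without a src, or the charon.install_routes=no setting, leaves it empty.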

