[strongSwan] site 2 site does not work ...

Andreas Steffen andreas.steffen at strongswan.org
Wed Jun 6 17:37:06 CEST 2012 

Hi,

a normal net2net connection should do the trick:

http://www.strongswan.org/uml/testresults/ikev2/net2net-cert/

with

  left=3.3.3.123
  leftsubnet=3.3.3.0/22
  right=2.2.2.2
  rightsubnet=10.0.1.0/24

Just make sure that in the 10.0.1.0/24 network there is
a route to the 3.3.3.0/22 net via the [default] gateway
10.0.1.1 and in the 3.3.3.0/22 network a route exists
which directs traffic for the 10.0.1.0/24 network to
3.3.3.123.

If gateway 2.2.2.2 is NAT-ing traffic from the 10.10.1.0/24
network towards the Internet then you must exempt the traffic
to be tunneled from the NAT rule by inserting an IPsec
policy rule into your firewall:

iptables -A POSTROUTING -s 10.0.1.0/22 -o eth0 -m policy \
            --dir out --pol ipsec --proto esp -j ACCEPT

iptables -A POSTROUTING -s 10.0.1.0/22 -o eth0 -j MASQUERADE

assuming the 2.2.2.2 is eth0.

Best regards

Andreas

On 06/06/2012 02:41 PM, Dr.Peer-Joachim Koch wrote:
> Hi,
> 
> I'm trying to find out how build something like a
> side2side connection using strongswan.
> We have an external host with a private subnet (10.0.1.0/24).
> This subnet should be visible from the gw host and all
> hosts within the subnet of gw host.
> Here is an overview
> 
> 
>            external host
> 10.0.1.0/24 - 10.01.1     2.2.2.2
> 
> 
> 
>            gw host
>         3.3.3.0/22 - 3.3.3.123
> 
> 
> 
> So how can I make the external network accessaible
> from our network ?
> I did not find any example (or did not look at the right place ..).
> The host-host connection is working fine, but a ping into the external
> network does not reach the destination, but can be seen in the log of
> the external host. Therefore the routing (in both directions) seems to
> be the problem.
> 
> Any help would be welcome!

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

More information about the Users mailing list