[strongSwan] site 2 site does not work ...

Dr.Peer-Joachim Koch pkoch at bgc-jena.mpg.de
Thu Jun 7 15:01:57 CEST 2012


Hi,

many thanks for the help.
From 3.3.3.123 I can now ping into the subnet.
What has to be done to connect all hosts
from 3.3.3.0/24 <-> 10.0.1.0/24 ?
I've enabled ip forwarding at 3.3.3.123
and tried it on another host setting a static route
for the network 10.0.1.0 pointing to 3.3.3.123.
traceroute shows that all packets are reaching
the "router", but they seem not to be routed ...

Any idea?

Bye, Peer


Am 06.06.2012 17:53, schrieb Andreas Steffen:
> Oops, I forgot to add the nat table:
>
> iptables -t nat -A POSTROUTING -s 10.0.1.0/22 -o eth0 -m policy \
>                  --dir out --pol ipsec --proto esp -j ACCEPT
>
> iptables -t nat -A POSTROUTING -s 10.0.1.0/22 -o eth0 -j MASQUERADE
>
> Andreas
>
> On 06/06/2012 05:37 PM, Andreas Steffen wrote:
>> Hi,
>>
>> a normal net2net connection should do the trick:
>>
>> http://www.strongswan.org/uml/testresults/ikev2/net2net-cert/
>>
>> with
>>
>>    left=3.3.3.123
>>    leftsubnet=3.3.3.0/22
>>    right=2.2.2.2
>>    rightsubnet=10.0.1.0/24
>>
>> Just make sure that in the 10.0.1.0/24 network there is
>> a route to the 3.3.3.0/22 net via the [default] gateway
>> 10.0.1.1 and in the 3.3.3.0/22 network a route exists
>> which directs traffic for the 10.0.1.0/24 network to
>> 3.3.3.123.
>>
>> If gateway 2.2.2.2 is NAT-ing traffic from the 10.0.1.0/24
>> network towards the Internet then you must exempt the traffic
>> to be tunneled from the NAT rule by inserting an IPsec
>> policy rule into your firewall:
>>
>> iptables -A POSTROUTING -s 10.0.1.0/22 -o eth0 -m policy \
>>              --dir out --pol ipsec --proto esp -j ACCEPT
>>
>> iptables -A POSTROUTING -s 10.0.1.0/22 -o eth0 -j MASQUERADE
>>
>> assuming the 2.2.2.2 is eth0.
>>
>> Best regards
>>
>> Andreas
>>
>> On 06/06/2012 02:41 PM, Dr.Peer-Joachim Koch wrote:
>>> Hi,
>>>
>>> I'm trying to find out how to build something like a
>>> site2site connection using strongswan.
>>> We have an external host with a private subnet (10.0.1.0/24).
>>> This subnet should be visible from the gw host and all
>>> hosts within the subnet of gw host.
>>> Here is an overview
>>>
>>>
>>>             external host
>>> 10.0.1.0/24 - 10.0.1.1     2.2.2.2
>>>
>>>
>>>
>>>             gw host
>>>          3.3.3.0/22 - 3.3.3.123
>>>
>>>
>>>
>>> So how can I make the external network accessible
>>> from our network?
>>> I did not find any example (or did not look at the right place ..).
>>> The host-host connection is working fine, but a ping into the external
>>> network does not reach the destination, but can be seen in the log of
>>> the external host. Therefore the routing (in both directions) seems to
>>> be the problem.
>>>
>>> Any help would be welcome!
>>
>> ======================================================================
>> Andreas Steffen                         andreas.steffen at strongswan.org
>> strongSwan - the Linux VPN Solution!                www.strongswan.org
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>> ===========================================================[ITA-HSR]==
>
>


-- 
Kind regards
     Peer-Joachim Koch
_________________________________________________________
Max-Planck-Institut fuer Biogeochemie
Dr. Peer-Joachim Koch
Hans-Knöll Str.10            Phone: ++49 3641 57-6705
D-07745 Jena                 Fax:   ++49 3641 57-7705
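The thread names three things that must all hold before hosts behind 3.3.3.123 can reach 10.0.1.0/24: the LAN hosts need a route for the remote subnet via the gateway, the conn's leftsubnet/rightsubnet must cover the actual source and destination (a host-to-host conn only covers the two gateways, which is why the ping from 3.3.3.123 works but nothing else does), and on the NAT-ing side the tunnelled traffic has to be exempted from MASQUERADE before the MASQUERADE rule is reached. The following is an added example written for this page, not code from the thread or from strongSwan, that models those three checks so a reader can test a planned configuration offline. The LAN hosts 3.3.3.50 and 10.0.1.7 are invented; the NAT/IPsec interplay is simplified to "a source address rewritten by MASQUERADE no longer falls inside the tunnel selectors". One caveat the model surfaces: "3.3.3.0/22" as written in the thread has host bits set and is really the network 3.3.0.0/22, which is a good deal wider than the 3.3.3.0/24 the question mentions; whether /22 or /24 was intended is worth checking before deploying.

```python
"""Checks for the three prerequisites the thread names for a working
net2net connection: the hosts' routes, the conn's traffic selectors and
the order of the nat POSTROUTING rules.  Added illustration, not code
from the thread or from strongSwan.  Addresses follow the thread; the
LAN hosts 3.3.3.50 and 10.0.1.7 are invented for the example."""
from ipaddress import ip_address, ip_network


def net(prefix):
    # strict=False: "3.3.3.0/22" from the thread has host bits set; the
    # network it denotes is 3.3.0.0/22, which covers far more than 3.3.3.0/24.
    return ip_network(prefix, strict=False)


# Traffic selectors of a conn, as (leftsubnet, rightsubnet).
HOST_TO_HOST = {"site2site": ("3.3.3.123/32", "10.0.1.1/32")}  # the OP's working host-host conn
NET_TO_NET = {"site2site": ("3.3.3.0/22", "10.0.1.0/24")}      # the net2net conn suggested in the thread


def tunnel_for(src, dst, conns):
    """Name of the conn whose selectors cover src -> dst (in either direction), else None."""
    s, d = ip_address(src), ip_address(dst)
    for name, (left, right) in conns.items():
        l, r = net(left), net(right)
        if (s in l and d in r) or (s in r and d in l):
            return name
    return None


def next_hop(routes, dst):
    """routes: list of (prefix, gateway).  Longest-prefix match, as a host's kernel would do it."""
    d = ip_address(dst)
    best = None
    for prefix, gw in routes:
        n = net(prefix)
        if d in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw)
    return best[1] if best else None


def postrouting_source(rules, src, dst, conns, masq_addr):
    """Source address after the nat POSTROUTING chain.

    rules: list of (source_prefix, policy_match, target), evaluated in order,
    first match wins.  policy_match=True stands for
    '-m policy --dir out --pol ipsec --proto esp', which only matches packets
    that an IPsec policy will tunnel.  MASQUERADE rewrites the source to the
    gateway's public address.
    """
    tunnelled = tunnel_for(src, dst, conns) is not None
    s = ip_address(src)
    for source_prefix, policy_match, target in rules:
        if s not in net(source_prefix):
            continue
        if policy_match and not tunnelled:
            continue
        if target == "ACCEPT":
            return src
        if target == "MASQUERADE":
            return masq_addr
    return src


def diagnose(src, dst, conns, src_routes, gw_addr, nat_rules, masq_addr):
    """List of reasons why src -> dst would not travel through the tunnel (empty when it would).

    src_routes: the sending host's routing table; gw_addr: the IPsec gateway
    it must forward to; nat_rules/masq_addr: that gateway's nat POSTROUTING.
    """
    problems = []
    if next_hop(src_routes, dst) != gw_addr:
        problems.append(f"{src} has no route for {dst} via {gw_addr}")
    if tunnel_for(src, dst, conns) is None:
        problems.append(f"no conn selector covers {src} -> {dst}")
    new_src = postrouting_source(nat_rules, src, dst, conns, masq_addr)
    if new_src != src and tunnel_for(new_src, dst, conns) is None:
        problems.append(f"{src} is masqueraded to {new_src}, which lies outside the tunnel selectors")
    return problems


# The nat POSTROUTING chain on 2.2.2.2, with and without the exemption from the thread.
MASQ_ONLY = [("10.0.1.0/24", False, "MASQUERADE")]
EXEMPTED = [("10.0.1.0/24", True, "ACCEPT"), ("10.0.1.0/24", False, "MASQUERADE")]


if __name__ == "__main__":
    lan_routes = [("0.0.0.0/0", "3.3.3.1"), ("10.0.1.0/24", "3.3.3.123")]
    print(diagnose("3.3.3.50", "10.0.1.7", HOST_TO_HOST, lan_routes, "3.3.3.123", [], "3.3.3.123"))
    print(diagnose("10.0.1.7", "3.3.3.50", NET_TO_NET, [("0.0.0.0/0", "10.0.1.1")], "10.0.1.1", MASQ_ONLY, "2.2.2.2"))
    print(diagnose("10.0.1.7", "3.3.3.50", NET_TO_NET, [("0.0.0.0/0", "10.0.1.1")], "10.0.1.1", EXEMPTED, "2.2.2.2"))
```

Running the script reports the selector gap for the host-to-host conn, then the masquerading problem when the MASQUERADE rule stands alone, and an empty list once the policy-match ACCEPT rule precedes it. On a real gateway the equivalent checks are `ip route get <dst>` on a LAN host, `ipsec statusall` (or `ip xfrm policy`) for the installed selectors, and `iptables -t nat -L POSTROUTING -v` to confirm the rule order and that the ACCEPT counters increase for tunnelled traffic.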