[strongSwan] site 2 site does not work ...

Dr.Peer-Joachim Koch pkoch at bgc-jena.mpg.de
Tue Jun 12 14:52:48 CEST 2012


Hi,

everything is working now. But there are two problems
I do not understand:

1) I have to ping once from 10.0.1.X into the other
official net to start the tunnel. If I ping in the other direction
nothing happens ....

2) After the tunnel is up I can ping (ssh, ...) into the 10.0.1 net
from all other computers (routing is working fine) - but only for 60 sec!

Then it stops: "destination unreachable ..."

Any idea ?

Bye, Peer

On 06.06.2012 17:37, Andreas Steffen wrote:
> Hi,
>
> a normal net2net connection should do the trick:
>
> http://www.strongswan.org/uml/testresults/ikev2/net2net-cert/
>
> with
>
>    left=3.3.3.123
>    leftsubnet=3.3.3.0/22
>    right=2.2.2.2
>    rightsubnet=10.0.1.0/24
>
> Just make sure that in the 10.0.1.0/24 network there is
> a route to the 3.3.3.0/22 net via the [default] gateway
> 10.0.1.1 and in the 3.3.3.0/22 network a route exists
> which directs traffic for the 10.0.1.0/24 network to
> 3.3.3.123.
>
> If gateway 2.2.2.2 is NAT-ing traffic from the 10.0.1.0/24
> network towards the Internet then you must exempt the traffic
> to be tunneled from the NAT rule by inserting an IPsec
> policy rule into your firewall (both rules live in the nat
> table, and the exemption must come before the MASQUERADE rule):
>
> iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -o eth0 -m policy \
>              --dir out --pol ipsec --proto esp -j ACCEPT
>
> iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -o eth0 -j MASQUERADE
>
> assuming that 2.2.2.2 is on eth0.
>
> Best regards
>
> Andreas
>
> On 06/06/2012 02:41 PM, Dr.Peer-Joachim Koch wrote:
>> Hi,
>>
>> I'm trying to find out how to build something like a
>> site-to-site connection using strongSwan.
>> We have an external host with a private subnet (10.0.1.0/24).
>> This subnet should be visible from the gw host and all
>> hosts within the subnet of gw host.
>> Here is an overview
>>
>>
>>             external host
>> 10.0.1.0/24 - 10.0.1.1     2.2.2.2
>>
>>
>>
>>             gw host
>>          3.3.3.0/22 - 3.3.3.123
>>
>>
>>
>> So how can I make the external network accessible
>> from our network?
>> I did not find any example (or did not look in the right place ...).
>> The host-host connection is working fine, but a ping into the external
>> network does not reach the destination, but can be seen in the log of
>> the external host. Therefore the routing (in both directions) seems to
>> be the problem.
>>
>> Any help would be welcome!
>
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==


-- 
Kind regards
     Peer-Joachim Koch
_________________________________________________________
Max-Planck-Institut fuer Biogeochemie
Dr. Peer-Joachim Koch
Hans-Knöll Str.10            Phone: ++49 3641 57-6705
D-07745 Jena                 Fax:   ++49 3641 57-7705
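The four lines quoted above (left/leftsubnet/right/rightsubnet) are the heart of the net2net setup; for reference, here is a complete pair of ipsec.conf files for the two gateways in this thread. This is an added example and not taken from Andreas' reply or from the strongSwan net2net-cert test case. The addresses and subnets are the ones from the thread; the certificate file names, the identities (@gw.example.org, @external.example.org) and the lifetimes are assumptions. auto=start on the gw host brings the tunnel up when the daemon starts instead of waiting for the first ping; auto=route on both ends would instead install trap policies so that traffic from either side triggers the IKE exchange.

```conf
# --- /etc/ipsec.conf on the gw host (3.3.3.123, in front of 3.3.3.0/22) ---
# Added example. Cert file names, identities and lifetimes are assumptions.

conn %default
        keyexchange=ikev2
        ikelifetime=60m
        lifetime=20m
        margintime=3m
        keyingtries=1

conn net-net
        left=3.3.3.123
        # assumed certificate in /etc/ipsec.d/certs; the private key goes in ipsec.secrets
        leftcert=gwCert.pem
        # assumed identity; must match a subjectAltName in gwCert.pem
        leftid=@gw.example.org
        leftsubnet=3.3.3.0/22
        # let the _updown script add FORWARD rules for the tunnel traffic;
        # it does NOT add the NAT exemption, that rule is still yours to write
        leftfirewall=yes
        right=2.2.2.2
        # assumed identity of the external host
        rightid=@external.example.org
        rightsubnet=10.0.1.0/24
        # initiate as soon as the daemon starts; auto=route would instead
        # trap on the first packet from either side
        auto=start

# --- /etc/ipsec.conf on the external host (2.2.2.2, in front of 10.0.1.0/24) ---

conn %default
        keyexchange=ikev2
        ikelifetime=60m
        lifetime=20m
        margintime=3m
        keyingtries=1

conn net-net
        left=2.2.2.2
        leftcert=externalCert.pem
        leftid=@external.example.org
        leftsubnet=10.0.1.0/24
        leftfirewall=yes
        right=3.3.3.123
        rightid=@gw.example.org
        rightsubnet=3.3.3.0/22
        # accept the connection initiated by the gw host
        auto=add
```

Routes: charon installs a route to the remote subnet on each gateway itself (routing table 220 by default), but the other hosts in 3.3.3.0/22 still need a route for 10.0.1.0/24 via 3.3.3.123, and the hosts in 10.0.1.0/24 a route for 3.3.3.0/22 via 10.0.1.1. After `ipsec up net-net`, `ipsec statusall` should list the CHILD_SA as 3.3.3.0/22 === 10.0.1.0/24; if it does and pings from the 3.3.3.0/22 side still fail, run `iptables -t nat -L POSTROUTING -nv` on 2.2.2.2 and confirm that the `policy` ACCEPT rule sits above the MASQUERADE rule, since nat rules are evaluated in order and a masqueraded packet no longer matches the IPsec policy.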