[strongSwan] packet forwarding between two strongSwan IPSEC tunnels

Frédéric Demers frederic.demers at ieee.org
Fri Oct 12 02:17:12 CEST 2012


Hello all!

I am a bit of a newcomer when it comes to IPSEC and strongSwan.
After a few days of work, I have achieved great results in setting up IPSEC
tunnels but I am stalled lately trying to packet forward between the two
tunnels.

Here is my setup:

Network A: 192.168.1.0/29
contains a few hosts, a gateway 192.168.1.1 (Cisco RV0x2 router)
WAN interface of the gateway is 5.5.5.5. Its default gateway is a
non-existent 5.5.5.1 (I wish to configure static routes)


Network B: 192.168.1.8/29
contains a few hosts, a gateway 192.168.1.9 (Cisco RV0x2 router)
WAN interface of the gateway is 5.5.5.6. Its default gateway is a
non-existent 5.5.5.1 (I wish to configure static routes)

I have a RHEL server on the WAN at 5.5.5.3. Its default gateway is also a
non-existent 5.5.5.1 (I wish to configure static routes). WAN's network is
5.5.5.0/29.

This server has successfully established two IPSEC tunnels, one each to
5.5.5.5, and 5.5.5.6. The tunnels work great, traffic is decidedly
encrypted in either direction from/to 5.5.5.3 to/from hosts within
192.168.1.0/29 or hosts within 192.168.1.8/29.
First observation: IPSEC tunnels do not obtain a virtual IP address within
the local subnets (which I call left subnets for both of my connections).

Second observation: strongSwan seems to take care of routing, as my RHEL
server knows how to get to my left subnets without any entries in the route
table. This is great!

Third observation: iptables -L -n -v shows all chains empty of rules. Where
would the strongSwan iptables rules be kept?

I have turned on packet forwarding on the RHEL server at 5.5.5.3, and that
works well, but not through the tunnels.

Without any further config, left subnet A hosts cannot reach left subnet B
hosts through the 5.5.5.3 server, and vice versa.

When I set up a static route on A's gateway for 192.168.1.8/29 to 5.5.5.3
and a static route on B's gateway for 192.168.1.0/29 to 5.5.5.3, as well as
two routes on 5.5.5.3 (192.168.1.0/29 to 5.5.5.5 and 192.168.1.8/29 to
5.5.5.6), then the two left subnets can see each other, and packets are
aptly forwarded by 5.5.5.3; however, this setup bypasses my tunnels!
(confirmed with tcpdump on the WAN)

I have not found a way to force packet forwarding through the IPSEC
tunnels. I feel like the packet forwarding routes are not considering the
strongSwan established routes. I feel like there is a segregation between
the host's normal functions, which know how to get to either subnet
through the tunnels, and the host's packet forwarding features, which do not
know how to forward packets through the tunnels. Without the 5.5.5.3's
static routes, the traffic across one left subnet to another gets rejected
by 5.5.5.3 as destination unreachable, even though clearly from 5.5.5.3, I
can reach in to either left subnet.

Would anyone have any idea?
Thank you kindly,

Frederic Demers
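As an added illustration (not part of the original post, and not strongSwan's own code): the behaviour described above follows from how the kernel's IPsec security policy database (SPD) is consulted, independently of the routing table. strongSwan installs "out", "in" and "fwd" XFRM policies whose selectors are the tunnel's local and remote subnets; a packet is only encrypted if an "out" policy selector matches its source and destination. The script below models the SPD the two host-to-subnet tunnels in the post would produce (gateway 5.5.5.3 to 192.168.1.0/29 via 5.5.5.5, and to 192.168.1.8/29 via 5.5.5.6) and shows why a packet forwarded from one subnet to the other matches nothing and leaves in cleartext. The second SPD, with subnet-to-subnet selectors added, is an assumption used to show what a matching policy pair would do; the policy lists and the packet addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    """One XFRM policy entry: selector (src/dst) plus direction and tunnel peer."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str  # "in", "out" or "fwd", the three directions `ip xfrm policy` shows
    peer: str       # remote tunnel endpoint the policy's template points at


def policy(src: str, dst: str, direction: str, peer: str) -> Policy:
    return Policy(ipaddress.ip_network(src), ipaddress.ip_network(dst), direction, peer)


def tunnel_policies(local: str, remote: str, peer: str) -> List[Policy]:
    """The three policies one tunnel (local subnet <-> remote subnet) installs."""
    return [
        policy(local, remote, "out", peer),  # our traffic towards the remote subnet
        policy(remote, local, "in", peer),   # decrypted traffic addressed to us
        policy(remote, local, "fwd", peer),  # decrypted traffic we must forward
    ]


GATEWAY = "5.5.5.3/32"
SUBNET_A = "192.168.1.0/29"
SUBNET_B = "192.168.1.8/29"

# Constructed SPD for the setup in the post: two host-to-subnet tunnels from 5.5.5.3.
PAGE_SPD = (tunnel_policies(GATEWAY, SUBNET_A, "5.5.5.5")
            + tunnel_policies(GATEWAY, SUBNET_B, "5.5.5.6"))

# Assumed SPD (hypothetical, not on the page): the same plus subnet-to-subnet
# selectors, i.e. each tunnel also covers the other tunnel's subnet.
SUBNET_SPD = (PAGE_SPD
              + tunnel_policies(SUBNET_B, SUBNET_A, "5.5.5.5")
              + tunnel_policies(SUBNET_A, SUBNET_B, "5.5.5.6"))


def lookup(spd: List[Policy], src_ip: str, dst_ip: str, direction: str) -> Optional[Policy]:
    """First policy of the given direction whose selector contains src and dst."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for p in spd:
        if p.direction == direction and src in p.src and dst in p.dst:
            return p
    return None


def forward(spd: List[Policy], src_ip: str, dst_ip: str, via_tunnel: bool) -> str:
    """Fate of a packet src->dst that reaches the gateway and must be forwarded.

    via_tunnel says whether it arrived encrypted. A decrypted packet with no
    matching "fwd" policy is discarded by the kernel (policy mismatch); a packet
    with no matching "out" policy is forwarded, but unencrypted on the WAN.
    """
    if via_tunnel and lookup(spd, src_ip, dst_ip, "fwd") is None:
        return "dropped: no fwd policy"
    out = lookup(spd, src_ip, dst_ip, "out")
    if out is None:
        return "cleartext"
    return f"encrypted to {out.peer}"


def send_local(spd: List[Policy], dst_ip: str) -> str:
    """Fate of a packet the gateway itself sends from 5.5.5.3."""
    out = lookup(spd, "5.5.5.3", dst_ip, "out")
    return "cleartext" if out is None else f"encrypted to {out.peer}"


if __name__ == "__main__":
    # The gateway's own traffic is covered by an "out" policy (second observation).
    print("5.5.5.3 -> 192.168.1.10:", send_local(PAGE_SPD, "192.168.1.10"))
    # Subnet-to-subnet traffic arriving in clear over the static routes matches
    # no "out" policy, so it is forwarded unencrypted (the tcpdump finding).
    print("A -> B, page SPD:", forward(PAGE_SPD, "192.168.1.2", "192.168.1.10", via_tunnel=False))
    # The same packet arriving inside a tunnel has no "fwd" policy and is dropped.
    print("A -> B via tunnel, page SPD:", forward(PAGE_SPD, "192.168.1.2", "192.168.1.10", via_tunnel=True))
    # With subnet-to-subnet selectors it is re-encrypted towards the other peer.
    print("A -> B via tunnel, subnet SPD:", forward(SUBNET_SPD, "192.168.1.2", "192.168.1.10", via_tunnel=True))
```

On a real gateway the policies this script models are listed with `ip xfrm policy`, and the routes strongSwan adds for its tunnels live in routing table 220 (`ip route show table 220`) rather than in the main table, which is why the main table looks empty while the gateway can still reach the left subnets; the empty iptables chains are expected, since the SPD is consulted by the kernel's XFRM code and not by netfilter.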