[strongSwan] Issue configuring IPSec routes
edk
edk at cendatsys.com
Thu Sep 27 17:53:21 CEST 2012
We have an issue configuring strongSwan to connect to a Cisco router.
The connection is made, but I'm not getting the routing correct. There
are multiple networks behind the router on the remote side (operated by
a vendor) and we need to SNAT the IPs we come from to match their
assigned range (so it routes back to us).
ipsec status shows the connection:
000 "vpn": 10.10.0.42/32===12.34.56.78[12.34.56.78]:47/0---12.34.56.80...78.56.34.12[78.56.34.12]:47/0===10.10.254.1/32; erouted; eroute owner: #31
000 "vpn": newest ISAKMP SA: #29; newest IPsec SA: #31;
000
000 #31: "vpn" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2886s; newest IPSEC; eroute owner
000 #31: "vpn" esp.b3a4e070@78.56.34.12 (0 bytes) esp.6405defd@12.34.56.78 (1872 bytes, 1s ago); tunnel
000 #29: "vpn" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 81890s; newest ISAKMP
000
ip route show table 220
10.10.254.1 via 12.34.56.80 dev eth1 src 10.10.0.42
We need to get to segments 10.20.1.0, 10.20.5.0 and 10.20.6.0 and appear
to come from 10.10.2.2-254.
The internal range we have is 10.1.0.0/32 (iptables SNAT?).
Here's the ipsec.conf. I did try multiple segments on the rightsubnet
line, but they never ended up in table 220. I'm not sure I understand
how that route interacts with the normal routes.
config setup
    # pluto handles IKEv1; control-level debug only
    plutodebug=control
    # plutodebug=all
    plutostart=yes
    # charon (IKEv2) is not used for this connection
    charondebug=none
    charonstart=no

conn vpn
    # ISAKMP SA lifetime (24h) and IPsec SA lifetime (1h);
    # rekey 3 minutes before expiry, give up after one attempt
    ikelifetime=86400s
    keylife=3600s
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    # pre-shared key from ipsec.secrets
    authby=secret
    # phase 1 and phase 2 (ESP) proposals
    ike=3des-md5-modp1024
    esp=3des-md5
    # remote gateway (the Cisco router) and its traffic selector: one host
    right=78.56.34.12
    rightsubnet=10.10.254.1/32
    # selector restricted to IP protocol 47 (GRE), any port
    rightprotoport=47/0
    # local address taken from the default route (12.34.56.78 in the status above);
    # leftsourceip is the tunnel source address and the 'src' of the table-220 route
    left=%defaultroute
    leftsourceip=10.10.0.42
    leftprotoport=47/0
    # let the _updown script insert iptables rules for the tunnel
    leftfirewall=yes
    # load the conn at startup but do not initiate it
    auto=add
    # no PFS in quick mode
    pfs=no
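A check to go with the question above, added here; it is not part of the original post and not strongSwan's own code. For each rightsubnet entry strongSwan's _updown script installs one route in table 220 of the same form as the single 10.10.254.1 route shown above, so the script prints the routes and SNAT rules that should exist for the three segments and reports which prefixes are absent from a pasted `ip route show table 220`. Assumptions the post does not state: the uplink is eth1 with next hop 12.34.56.80 (read from the posted table-220 line), the internal LAN is 10.1.0.0/16, the segments are /24s, and the conn has leftsubnet=10.10.2.0/24 with leftsourceip=10.10.2.1. Two caveats behind those assumptions: nat/POSTROUTING runs before the kernel's outbound IPsec policy lookup, so a packet rewritten to 10.10.2.x only matches the SA if the local selector covers it, which the 10.10.0.42/32 that leftsourceip alone produces does not; and the protoport=47/0 settings restrict the policy to IP protocol 47 (GRE), so ordinary TCP/UDP would not match it even with the routes in place. The example assumes those lines are removed; if GRE-over-IPsec to the Cisco is the intent, the remote segments are reached through the GRE tunnel instead and this layout does not apply.

```shell
#!/bin/sh
# Added example, not from the original post or from strongSwan.
# Assumed, because the post does not say: uplink eth1 with next hop
# 12.34.56.80 (both read from the posted table-220 line), internal LAN
# 10.1.0.0/16, the three remote segments as /24s, leftsubnet=10.10.2.0/24
# with leftsourceip=10.10.2.1, and the protoport=47/0 lines removed.

IFACE=eth1
NEXTHOP=12.34.56.80
TABLE=220
LEFTSRC=10.10.2.1                 # leftsourceip, must lie inside leftsubnet
LAN=10.1.0.0/16                   # real internal addresses to be hidden
SNAT_POOL=10.10.2.2-10.10.2.254   # the range the vendor expects to see
REMOTE_SUBNETS="10.20.1.0/24 10.20.5.0/24 10.20.6.0/24"

# The route the _updown script adds to table 220 for one rightsubnet
# entry, in the same form as the 10.10.254.1 route already shown in the post.
route_cmd() {
    printf 'ip route add %s via %s dev %s src %s table %s\n' \
        "$1" "$NEXTHOP" "$IFACE" "$LEFTSRC" "$TABLE"
}

# SNAT rule for one remote subnet. nat/POSTROUTING runs before the
# outbound IPsec policy lookup, so the translated source (10.10.2.x)
# must be inside leftsubnet or the packet never matches the SA.
snat_cmd() {
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -j SNAT --to-source %s\n' \
        "$LAN" "$1" "$SNAT_POOL"
}

expected_routes() { for net in $REMOTE_SUBNETS; do route_cmd "$net"; done; }
expected_snat()   { for net in $REMOTE_SUBNETS; do snat_cmd "$net"; done; }

# Read `ip route show table 220` on stdin and print every remote subnet
# whose prefix is not the first field of some line. ip prints a /32 as
# a bare address, so strip that suffix before comparing.
missing_routes() {
    actual=$(cat)
    for net in $REMOTE_SUBNETS; do
        key=$net
        case "$net" in */32) key=${net%/32} ;; esac
        if ! printf '%s\n' "$actual" | awk -v k="$key" '$1 == k { f = 1 } END { exit !f }'; then
            printf '%s\n' "$net"
        fi
    done
    return 0
}

# Constructed sample of table 220: the post's existing route plus only
# the first of the three segments, so two prefixes should be reported.
SAMPLE_TABLE_220='10.10.254.1 via 12.34.56.80 dev eth1 src 10.10.0.42
10.20.1.0/24 via 12.34.56.80 dev eth1 src 10.10.2.1'

expected_routes
expected_snat
echo '# missing from the sample table 220:'
printf '%s\n' "$SAMPLE_TABLE_220" | missing_routes
```

The script only prints commands; to check a live host, replace the constructed sample with `ip route show table 220 | missing_routes`, and compare the printed `ip route add` lines against what the updown script actually installed after `ipsec up vpn`.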