[strongSwan] Question about source route

S MK sacho.polo at gmail.com
Wed Aug 21 00:28:43 CEST 2013


I am testing the strongswan android app with a strongswan gateway and see a
problem with the connection dropping after 3 minutes.
My setup is as follows:

android-phone----WIFI========================LOAD-BALANCER------------------GATEWAY---------------
10.184.10.1(vip)           10.8.14.111               10.66.9.101
                 192.168.10.8       192.168.1.1

The Android phone connects via WIFI and creates an IPSEC tunnel to the
LOAD-BALANCER's IP (10.66.9.101). This tunnel is forwarded to the
GATEWAY behind it. The GATEWAY is connected to the LB on the interface
192.168.10.8 and to the subnet behind it on the 192.168.1.1
interface.

The ipsec tunnel gets established fine and I am able to reach the subnet
behind the gateway. The connection however drops after 3 minutes or so.
The connection is using IKEv2 using certs.

On debugging, I noticed that Strongswan on the gateway detects that there is
a NAT and tries to detect NAT mapping changes via DPD. The packet that it
sends out, however, has a source address of 192.168.1.1, which cannot reach
the 10.8.14.111 address. It should have used the 192.168.10.8 address instead.
Due to this, the transfer times out after 5 retransmits and the connection
is torn down, after about 3 minutes.

I would expect the strongswan on the gateway to use the 192.168.10.8 address as
the source to the right address of the tunnel and not 192.168.1.1.
I checked the routing table 220 and it was empty.

This condition gets fixed if I explicitly add a route on the gateway to use
192.168.10.8.
I read that this was not required if I am using charon, which manages the
routes using NETKEY.

Another thing to mention is that I have replaced the updown script with my
own. Should the route management be done via the updown script?

The gateway is running a 4.6.x version of strongswan.

Any help in resolving this issue would be appreciated.

regards,
smk