[strongSwan] Inter-tunnel routing

Jeroen J.A.W. Hermans j.hermans at epsys.nl
Wed Jun 26 11:31:01 CEST 2013


Dear all,

I have a question about a test scenario I am setting up.
I have two tunnels:
"rw" - laptop with Shrewsoft VPN client
ip: 192.168.2.1/32
external-ip: yyy.yyy.yyy.yyy (behind NAT, internal ip: 10.1.2.39)

"51" - Draytek Vigor 2910 (no PCs connected to the Vigor yet)
ip-range: 192.168.51.1/24
external-ip: yyy.yyy.yyy.yyy (behind NAT, internal ip: 10.1.2.38)

The central location is a linux server running Strongswan 5.0.0:
ip-range: 192.168.0.1/24
external ip: xxx.xxx.xxx.xxx

When I ping from the "51" Draytek (itself) to 192.168.0.1 (Strongswan) it works.
When I ping from the "rw" laptop to 192.168.0.1 (Strongswan) it works.
When I ping from the "rw" laptop to 192.168.51.1 (tunnel "51") I get no reply.
When I ping from the "51" Draytek to 192.168.2.1 (tunnel "rw") I get no reply.

I have policies in the Draytek and the Shrewsoft laptop for all subnets. This can be seen in the tcpdump, where the packets for the remote subnet of the other tunnel arrive at the Strongswan, but are not forwarded.
I have included as much information as possible. I hope someone can help me with this problem.
Thank you very much.
Kind regards,

Jeroen Hermans


$ sudo ip route list table 220
192.168.2.1 via <first-hop-router> dev eth0  proto static src 192.168.0.1
192.168.51.0/24 via <first-hop-router> dev eth0  proto static src 192.168.0.1

$ sudo tcpdump -i eth0 not ip6 and not port 22 and not port domain
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
("rw" pings one time to 192.168.0.1)
11:11:40.410505 IP yyy.yyy.yyy.yyy.ipsec-nat-t > xxx.xxx.xxx.xxx.ipsec-nat-t: UDP-encap: ESP(spi=0xc8587ff2,seq=0x3), length 100
11:11:40.410572 IP 192.168.2.1 > 192.168.0.1: ICMP echo request, id 1, seq 234, length 40
11:11:40.410655 IP xxx.xxx.xxx.xxx.ipsec-nat-t > yyy.yyy.yyy.yyy.ipsec-nat-t: UDP-encap: ESP(spi=0xba5fa761,seq=0x3), length 100
("rw" pings one time to 192.168.51.1)
11:11:43.377246 IP yyy.yyy.yyy.yyy.ipsec-nat-t > xxx.xxx.xxx.xxx.ipsec-nat-t: UDP-encap: ESP(spi=0xc04f2330,seq=0x2), length 100
11:11:43.377331 IP 192.168.2.1 > 192.168.51.1: ICMP echo request, id 1, seq 236, length 40
11:11:43.377367 IP 192.168.2.1 > 192.168.51.1: ICMP echo request, id 1, seq 236, length 40


$ sudo ip xfrm policy
src 192.168.51.0/24 dst 192.168.0.0/24
         dir fwd priority 1859 ptype main
         tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx
                 proto esp reqid 393 mode tunnel
src 192.168.51.0/24 dst 192.168.0.0/24
         dir in priority 1859 ptype main
         tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx
                 proto esp reqid 393 mode tunnel
src 192.168.0.0/24 dst 192.168.51.0/24
         dir out priority 1859 ptype main
         tmpl src xxx.xxx.xxx.xxx dst yyy.yyy.yyy.yyy
                 proto esp reqid 393 mode tunnel
src 192.168.2.1/32 dst 192.168.51.0/24
         dir fwd priority 1827 ptype main
         tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx
                 proto esp reqid 391 mode tunnel
src 192.168.2.1/32 dst 192.168.51.0/24
         dir in priority 1827 ptype main
         tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx
                 proto esp reqid 391 mode tunnel
src 192.168.51.0/24 dst 192.168.2.1/32
         dir out priority 1827 ptype main
         tmpl src xxx.xxx.xxx.xxx dst yyy.yyy.yyy.yyy
                 proto esp reqid 391 mode tunnel
src 192.168.2.1/32 dst 192.168.0.0/24
         dir fwd priority 1827 ptype main
         tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx
                 proto esp reqid 390 mode tunnel
src 192.168.2.1/32 dst 192.168.0.0/24
         dir in priority 1827 ptype main
         tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx
                 proto esp reqid 390 mode tunnel
src 192.168.0.0/24 dst 192.168.2.1/32
         dir out priority 1827 ptype main
         tmpl src xxx.xxx.xxx.xxx dst yyy.yyy.yyy.yyy
                 proto esp reqid 390 mode tunnel


$ sudo iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [518:38392]
:OUTPUT ACCEPT [39692:7545269]
-A INPUT -p tcp -m tcp --dport 443:453 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i eth0 -p esp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o eth0 -p esp -j ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT [34286:3954457]
:INPUT ACCEPT [33100:3886019]
:FORWARD ACCEPT [518:38392]
:OUTPUT ACCEPT [39696:7546309]
:POSTROUTING ACCEPT [40214:7584701]
COMMIT
*nat
:PREROUTING ACCEPT [1646:110154]
:POSTROUTING ACCEPT [2019:153411]
:OUTPUT ACCEPT [1961:146461]
COMMIT
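Added example (not from the post or from strongSwan): a small Python checker that parses `ip xfrm policy` output in the format pasted above and, for a flow that has to leave the gateway toward the other tunnel, reports whether a `fwd` policy (decryption accepted) and an `out` policy (re-encryption into the second tunnel) both cover it. The gateway addresses 203.0.113.1 and 198.51.100.x are placeholders for xxx/yyy; the selectors and reqids follow the post. A flow with a `fwd` match but no `out` match is handed to plain routing and leaves eth0 unencrypted, which is consistent with the plaintext echo request appearing twice in the tcpdump above.

```python
import ipaddress
import re

# Constructed sample in the format of `ip xfrm policy` as pasted in the post
# (placeholder gateway addresses; selectors and reqids follow the post).
SAMPLE_XFRM = """\
src 192.168.0.0/24 dst 192.168.51.0/24
         dir out priority 1859 ptype main
         tmpl src 203.0.113.1 dst 198.51.100.2
                 proto esp reqid 393 mode tunnel
src 192.168.2.1/32 dst 192.168.51.0/24
         dir fwd priority 1827 ptype main
         tmpl src 198.51.100.1 dst 203.0.113.1
                 proto esp reqid 391 mode tunnel
src 192.168.51.0/24 dst 192.168.2.1/32
         dir out priority 1827 ptype main
         tmpl src 203.0.113.1 dst 198.51.100.1
                 proto esp reqid 391 mode tunnel
"""

# selector line, the "dir ... priority ..." line, then the template line with the reqid
POLICY_RE = re.compile(
    r"^src (\S+) dst (\S+)\s+dir (\w+) priority (\d+).*?reqid (\d+)", re.S | re.M)

def parse_policies(text):
    """Return a list of (src_net, dst_net, direction, priority, reqid)."""
    return [(ipaddress.ip_network(s), ipaddress.ip_network(d), dr, int(p), int(r))
            for s, d, dr, p, r in POLICY_RE.findall(text)]

def match_policy(policies, src, dst, direction):
    """reqid of the best matching policy (lowest priority value), or None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [(prio, reqid) for s, d, dr, prio, reqid in policies
            if dr == direction and src in s and dst in d]
    return min(hits)[1] if hits else None

def classify_inter_tunnel(policies, src, dst):
    """Fate of a packet decrypted from one tunnel that must leave via another."""
    fwd = match_policy(policies, src, dst, "fwd")
    if fwd is None:
        return ("no-fwd-policy", None)     # no inbound SA selector covers it
    out = match_policy(policies, src, dst, "out")
    if out is None:
        return ("cleartext-forward", fwd)  # plain routing sends it unencrypted
    return ("encrypted", out)              # re-encrypted into that tunnel's SA
```

Running `classify_inter_tunnel(parse_policies(SAMPLE_XFRM), "192.168.2.1", "192.168.51.1")` on the post's policies yields `cleartext-forward`, because the "51" tunnel only carries selectors 192.168.51.0/24 <-> 192.168.0.0/24 and nothing covers 192.168.2.1 as a source toward it.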
