[strongSwan] Please help: Cannot route (statically) through the Strongswan tunnel

Răzvan Sandu razvan.sandu at mobexpert.ro
Fri Oct 4 15:37:05 CEST 2013 

Pe 04.10.2013 13:04, Martin Willi a scris:

> If you want to tunnel all the subnets, use something like:
>
>     leftsubnet=192.168.1.0/24,10.2.1.0/24,10.3.1.0/24
>     rightsubnet=10.1.0.0/24,192.168.23.0/24,192.168.24.0/24
>

Thanks, the first part seems solved.  :)

The internal routers don't do NAT. By including the other LANs in 
leftsubnet= and rightsubnet=, I've managed to ping each other 
(10.2.1.0/24 and 10.3.1.0/24 to 192.168.23.0/24 and 192.168.24.0/24 and 
reverse).


> Also, what's the reason to include the gateways external address in the
> IPsec policy? This is usually not needed, unless the clients/gateways
> use IPsec secured services reachable on the external gateway interface.


If I *take out* the external gateway addresses from leftsubnet= and 
rightsubnet= and then restart strongswan, the tunnel goes to ESTABLISHED 
state, but I can't ping over it (not even using ping -I)

Now ipsec.conf on left looks like:

conn whatever
         left=82.73.46.12
         leftsubnet=192.168.1.0/24,10.2.1.0/24,10.3.1.0/24
         leftid=@left.example.com
         leftfirewall=yes
         right=140.5.12.76
         rightsubnet=10.1.1.0/24,192.168.23.0/24,192.168.24.0/24
         rightid=@right.example.com
         auto=start

and strongswan status says:

[root at left ~]# strongswan status
Security Associations (1 up, 0 connecting):
  whatever[1]: ESTABLISHED 15 minutes ago, 
82.73.46.12[left.example.com]...140.5.12.76[right.example.com]
  whatever{1}:  INSTALLED, TUNNEL, ESP SPIs: ce0dd024_i c81d5dc7_o
  whatever{1}:  192.168.1.0/24,10.2.1.0/24,10.3.1.0/24
=== 10.1.1.0/24,192.168.23.0/24,192.168.24.0/24


But:

[root at backbone1 ~]# ping -I 192.168.1.1 10.1.1.1

gives no response.

Maybe is a firewall problem. As the firewall is Shorewall 
(http://www.shorewall.net) and I have a line:

ipsec   net     140.5.12.76

in the /etc/shorewall/tunnels file on left.example.com and the 
corresponding one on right.example.com


Any idea ?


Thanks,
Răzvan


-------------- next part --------------
A non-text attachment was scrubbed...
Name: razvan_sandu.vcf
Type: text/x-vcard
Size: 425 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20131004/9999eadc/attachment.vcf>

More information about the Users mailing list