[strongSwan] Routing problems with IPsec but not L2TP/IPsec
pshyvers at amitto.com
Thu Apr 17 07:20:44 CEST 2014
I'm trying to migrate from L2TP/IPsec to IPsec & IKE. L2TP/IPsec is working
with strongswan, and I can access both my private subnet & the public
internet through the VPN server. However, with IPsec & IKE I can only access
my private subnet. My client is usually behind NAT, but from the strongswan
documentation that should not be an issue.
When testing IPsec, I flush my firewall and set everything to ACCEPT. Then I
add the necessary POSTROUTING SNAT rule, which works fine with L2TP/IPsec.
So I am fairly confident it is not an iptables problem.
Establishing VPN connection is also not a problem, that goes over without a
hitch. So I am suspecting there is a routing problem, but the routing tables
are my biggest weakness on Linux, so I'm hoping I could get some thoughts
from the strongswan community. It might also have to do with routing that
happens inside strongswan- I'm still fuzzy on how much packet handling
My interfaces are perhaps laid out unusually?
venet0 - 127.0.0.1
venet0:0 - <PUBLIC SERVER IP>
venet0:1 - <PRIVATE VLAN>
left=<PUBLIC SERVER IP>
-A POSTROUTING -s 10.0.0.0/8 -o venet0 -m policy --dir out --pol ipsec -j
-A POSTROUTING -s 10.0.0.0/8 -o venet0 -j SNAT --to-source <PUBLIC SERVER
# ip route list
<VLAN SUBNET> dev venet0 proto kernel scope link src <VLAN IP>
<ANOTHER VLAN> dev venet0 scope link metric 1002
default dev venet0 scope link
# ip route list table 220
10.1.0.2 via <CLIENT IP> dev venet0 proto static
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Users