[strongSwan] Routing problems with IPsec but not L2TP/IPsec

Patrick Shyvers pshyvers at amitto.com
Thu Apr 17 07:20:44 CEST 2014


I'm trying to migrate from L2TP/IPsec to IPsec & IKE. L2TP/IPsec is working
with strongswan, and I can access both my private subnet & the public
internet through the VPN server. However, with IPsec & IKE I can only access
my private subnet. My client is usually behind NAT, but from the strongswan
documentation that should not be an issue.

When testing IPsec, I flush my firewall and set everything to ACCEPT. Then I
add the necessary POSTROUTING SNAT rule, which works fine with L2TP/IPsec.
So I am fairly confident it is not an iptables problem.

Establishing the VPN connection is also not a problem, that goes over without a
hitch. So I am suspecting there is a routing problem, but the routing tables
are my biggest weakness on Linux, so I'm hoping I could get some thoughts
from the strongswan community. It might also have to do with routing that
happens inside strongswan - I'm still fuzzy on how much packet handling
strongswan does.

My interfaces are perhaps laid out unusually?

venet0 - 127.0.0.1
venet0:0 - <PUBLIC SERVER IP>
venet0:1 - <PRIVATE VLAN>

ipsec.conf:

conn IKEv1-PSK-NAT
        auto=add
        left=<PUBLIC SERVER IP>
        rightsourceip=10.1.0.1/23
        rightsubnet=10.1.0.0/23
        authby=xauthpsk
        keyexchange=ikev1
        leftcert=server.crt
        leftsubnet=0.0.0.0/0
        xauth=server

iptables:

-A POSTROUTING -s 10.0.0.0/8 -o venet0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.0.0.0/8 -o venet0 -j SNAT --to-source <PUBLIC SERVER IP>

# ip route list
<VLAN SUBNET> dev venet0  proto kernel  scope link  src <VLAN IP>
<ANOTHER VLAN> dev venet0  scope link  metric 1002
default dev venet0  scope link

# ip route list table 220
10.1.0.2 via <CLIENT IP> dev venet0  proto static

-Patrick
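To make the interplay between the two POSTROUTING rules and the IPsec policy explicit, here is a small Python model written for this page (it is not part of the post and not strongSwan code). It assumes that with leftsubnet=0.0.0.0/0 the server's outbound xfrm policy covers 0.0.0.0/0 towards the client's single virtual IP, and it uses constructed documentation addresses in place of the placeholders above.

```python
import ipaddress

# Constructed stand-ins for the placeholders in the post (documentation ranges).
PUBLIC_SERVER_IP = "203.0.113.10"   # <PUBLIC SERVER IP>
CLIENT_VIP = "10.1.0.2"             # virtual IP handed out from rightsourceip
PRIVATE_VLAN_HOST = "10.2.0.5"      # a host on <PRIVATE VLAN> (assumed address)

# Outbound xfrm policy the server ends up with for this client (assumption:
# leftsubnet=0.0.0.0/0 on the server side, the client's single virtual IP on
# the remote side, which is how a virtual-IP tunnel narrows rightsubnet).
XFRM_OUT_POLICIES = [
    (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network(CLIENT_VIP + "/32")),
]

def matches_ipsec_out_policy(src, dst):
    """Model of `-m policy --dir out --pol ipsec`: True if an outbound packet
    is covered by an IPsec policy and will therefore be encapsulated."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in p_src and d in p_dst for p_src, p_dst in XFRM_OUT_POLICIES)

def postrouting(src, dst, oif="venet0"):
    """Walk the two POSTROUTING rules from the post in order and return the
    source address the packet leaves venet0 with."""
    ten_slash_8 = ipaddress.ip_network("10.0.0.0/8")
    if oif != "venet0" or ipaddress.ip_address(src) not in ten_slash_8:
        return src                        # neither rule matches: no NAT
    # Rule 1: -m policy --dir out --pol ipsec -j ACCEPT
    # Packets about to enter the tunnel keep their inner source address.
    if matches_ipsec_out_policy(src, dst):
        return src
    # Rule 2: -j SNAT --to-source <PUBLIC SERVER IP>
    return PUBLIC_SERVER_IP

def nat_table():
    """Summarise the three flows that matter for the question in the post."""
    return {
        # client -> internet, forwarded in the clear: must be SNATed
        "client_to_internet": postrouting(CLIENT_VIP, "198.51.100.7"),
        # private VLAN host replying to the client: enters the tunnel, no SNAT
        "vlan_to_client": postrouting(PRIVATE_VLAN_HOST, CLIENT_VIP),
        # client -> private VLAN host: forwarded locally, still SNATed by rule 2
        "client_to_vlan": postrouting(CLIENT_VIP, PRIVATE_VLAN_HOST),
    }

if __name__ == "__main__":
    for flow, src in nat_table().items():
        print(f"{flow:20s} leaves with source {src}")
```

The model shows why rule 1 has to come first: without it, a private VLAN host's reply to the client would be SNATed to the public IP before encapsulation and never match the tunnel's selector.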
