[strongSwan] Moon Routing --- Net-Net Tunnel

Matthew Ferry [PITSDC] matthew.ferry at pitsdc.com
Wed Dec 3 18:00:10 CET 2014 

Folks,

I can't get a routing issue fixed on moon.
MOON has 2 NICs.
     ETH0 -- DHCP Client
     ETH1 -- Static (10.0.0.1/24)


The tunnel between SUN and MOON is up and working.
The issue is routing on MOON.

 From the SUN network I can access any server fine over the tunnel on 
the 10.0.0.0 network.
The servers on the 10.0.0.0 network can't access the 192.168.200.0 
network back here at SUN.

This was working in both directions TO I enabled IPTABLES FORWARDING on 
moon.
ETH0 on MOON is a path directly to the internet.

Servers on the 10.0.0.0 network behind MOON can surf the internet fine 
and MOON acts as default gateway.

THE PROBLEM --- When the traffic destination is for 192.168.200.0 it 
should route to the tunnel and NOT eth0.
All other outbound traffic should use the local ISP connection ETH0.

Has anyone setup this before???
Any ideas?

In the routing table below --- there is no ROUTE to the 192.168.200.0 
network ---- How can i add route, but say use TUNNEL not interface????


_*MOON IPTABLES*_

    [root at localhost ~]# iptables -L

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    [root at localhost ~]#



_*MOON IPSEC.CONF*_

    [root at localhost ~]# cat /etc/strongswan/ipsec.conf

    config setup

    conn %default
             ikelifetime=60m
             keylife=20m
             rekeymargin=3m
             keyingtries=1
             authby=secret
             keyexchange=ikev2
             mobike=no


    conn net-net
             leftsubnet=10.0.0.0/24
             leftid=@Site1
             leftfirewall=yes
             right=sun.domain.com
             rightsubnet=192.168.200.0/24
             rightid=@NOC
             auto=start

    [root at localhost ~]#


_*Moon Route Table*_

[root at localhost ~]# route

Kernel IP routing table
Destination                         Gateway Genmask                     
         Flags           Metric Ref    Use         Iface
192.168.201.128               * 255.255.255.128              U         
         0 0        0             eth0
10.0.0.0                               *       255.255.255.0           
        U                 0         0        0             eth1
link-local                              *         255.255.0.0         
               U                1002          0        0             eth0
link-local * 255.255.0.0                       U                1003 
0        0              eth1
default                                 192.168.201.254 0.0.0.0         
                        UG              0       0        0              eth0





-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20141203/b1f4323b/attachment.html>

More information about the Users mailing list