[strongSwan] Strongswan routing
Martin Willi
martin at strongswan.org
Wed Nov 26 14:15:57 CET 2014
Hi,
> conn host_alice
>     left=192.168.0.2
>     right=10.1.0.10
>     rightsubnet=10.1.0.10/32
>
> conn s2s_sun_moon
>     left=192.168.0.2
>     leftsubnet=10.2.0.0/16
>     right=192.168.0.1
>     rightsubnet=10.1.0.0/16
So if I understand correctly, you are trying to establish an IPsec
tunnel over an existing IPsec tunnel? Should host_alice create another
inner tunnel over s2s_sun_moon?
I don't think that will work. strongSwan installs bypass policies for
IKE traffic, as it never should be sent over the tunnel it manages. But
this also implies that your IKE traffic can't use a different tunnel.
Besides other difficulties, you'd need another mechanism to bypass IKE
policies, specific for a tunnel. Probably not that trivial, and not
supported by strongSwan. You currently can't terminate an inner and an
outer tunnel on the same box (kernel) with strongSwan.
> What we then noticed is that if Alice now tries to establish an IKE
> connection to sun, alice receives no response from sun. On further
> investigation we noticed that sun is sending ARP requests requesting
> the MAC address for IP 10.1.0.10.
Most likely because the IPsec policy is bypassed, because it is IKE
traffic. The kernel then thinks the network is local, which it is not.
> 2. For what use cases do routes need to be installed, considering the
> fact that the security policies in the kernel already "route" traffic
> destined for the peer's network to the peer's IPsec gateway? (In the
> case of site-to-site setups)
Please refer to my last reply regarding this topic [1].
> 3. strongSwan 5.0.4 did not install any routes but 5.2.0 does. Is there
> a difference in default behaviour or implementation between these two
> versions that would make the latter install routes and the former not?
Route installation with kernel-pfroute was implemented for 5.1.0 to
support scenarios using virtual IPs. It was not supported in 5.0.4; you
may disable the installation of routes with the install_routes option,
though.
Regards
Martin
[1]https://lists.strongswan.org/pipermail/users/2014-November/006948.html
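As an added illustration (not code from this thread or from the strongSwan project), the following Python check parses conn definitions like the ones quoted above and flags any conn whose IKE peer address (right=) falls inside another conn's rightsubnet on the same host, which is exactly the nested-tunnel layout Martin says strongSwan cannot terminate on one box: the IKE bypass policy keeps those IKE packets out of the outer tunnel. The embedded sample configuration is constructed from the quoted conns, and the parser covers only the subset of ipsec.conf syntax needed here.

```python
import ipaddress
import re
# Constructed sample reproducing the two conns quoted in the thread.
SAMPLE_CONF = """\
conn host_alice
    left=192.168.0.2
    right=10.1.0.10
    rightsubnet=10.1.0.10/32
conn s2s_sun_moon
    left=192.168.0.2
    leftsubnet=10.2.0.0/16
    right=192.168.0.1
    rightsubnet=10.1.0.0/16
"""

def parse_conns(text):
    """Return {conn_name: {key: value}}; only 'conn' sections are kept."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indent
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return conns

def nested_tunnel_conflicts(conns):
    """Return (inner, outer) pairs where inner's IKE peer ('right') sits in
    outer's rightsubnet, i.e. the nested-tunnel layout discussed above."""
    conflicts = []
    for inner, icfg in conns.items():
        try:
            peer_ip = ipaddress.ip_address(icfg.get("right", ""))
        except ValueError:
            continue  # %any, a hostname, or no right= at all: nothing to check
        for outer, ocfg in conns.items():
            if outer == inner:
                continue
            # drop an optional proto/port selector, e.g. 10.1.0.0/16[tcp/80]
            for ts in ocfg.get("rightsubnet", "").split(","):
                ts = ts.split("[")[0].strip()
                if not ts or ts.startswith("%"):
                    continue  # empty or %dynamic-style selector
                if peer_ip in ipaddress.ip_network(ts, strict=False):
                    conflicts.append((inner, outer))
                    break
    return conflicts
```

Running `nested_tunnel_conflicts(parse_conns(SAMPLE_CONF))` reports host_alice as reachable only through s2s_sun_moon, the situation that produced the ARP requests for 10.1.0.10 described in the thread.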