[strongSwan] Tunnel issues

Zhuyj mounter625 at 163.com
Tue Jul 7 03:43:32 CEST 2015


Do you remove this default route and add several specific routes?

Sent from my iPhone

> On Jul 7, 2015, at 9:17, Philip L Hutson <philip at plh9.com> wrote:
> 
> I tried 220 and 0 (for the primary table). Neither overwrote or had a higher priority than the default route that was in the table already.
> -Philip
> 
>> On Jul 6, 2015, at 6:01 PM, Zhuyj <mounter625 at 163.com> wrote:
>> 
>> table 220 works
>> 
>> 
>> Sent from my iPhone
>> 
>>> On Jul 7, 2015, at 8:36, Philip L Hutson <philip at plh9.com> wrote:
>>> 
>>> I am trying to set up a VPN tunnel from an embedded Linux system (Linux system-0004338 2.6.37 #7 Mon Jun 22 14:45:53 PDT 2015 armv7l GNU/Linux) to a Cisco ASA. I have a working solution but not the preferred one.
>>> One of my first problems was that when I let strongSwan add the routes, it didn't overwrite the default route, so no traffic would go through. I was able to solve this by using an up/down script, but I would prefer that strongSwan added/removed the routes.
>>> The routes it added looked like this:
>>>  ip route
>>> 10.255.254.180/30 dev usb1  src 10.255.254.180 
>>> 0.0.0.0/1 via 10.255.254.181 dev usb1  src 10.3.10.18 
>>> 128.0.0.0/1 via 10.255.254.181 dev usb1  src 10.3.10.18 
>>> default via 10.255.254.181 dev usb1 
>>> 
>>> where the default route at the bottom was there already.
>>> The route table before was
>>>  ip route
>>> 10.255.254.180/30 dev usb1  src 10.255.254.180 
>>> default via 10.255.254.181 dev usb1 
>>> 
>>> The second issue is with the system time fix plugin. After the device gets a valid time from NTP over the tunnel, it invalidates the client SA.
>>> time fix config
>>> system time fix
>>> LOGFILE showing the SA being invalidated
>>> 
>>> 
>>> The configuration I would like is one where, if usb1 goes up (after having been up before), strongSwan reconnects the tunnel. Currently, if usb1 goes down (for longer than DPD) and then comes up again and the DHCP client gets/assigns an address to usb1, strongSwan does not reconnect the tunnel. If I use `ipsec up home` it comes back up.
>>> My current working ipsec.conf
>>> charon.conf
>>> updown script
>>> 
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.strongswan.org
>>> https://lists.strongswan.org/mailman/listinfo/users
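The routing part of the thread turns on one kernel rule: within a single routing table the most specific matching prefix wins, so the 0.0.0.0/1 and 128.0.0.0/1 pair strongSwan installs covers all of IPv4 and beats the existing /0 default route without anyone having to delete it, and the `src` hint on those routes is what makes outgoing packets carry the virtual IP (10.3.10.18 here) so they match the IPsec policy's local traffic selector. The script below is an added example, not strongSwan code and not something posted in the thread; it models that longest-prefix match in plain POSIX sh over the two route tables Philip posted (copied into the script as constructed input) and reports which route and which source address each destination would get before and after the split-default pair exists. It only models lookup inside one table; on a real box charon puts its routes in table 220 by default (`charon.routing_table`) and reaches it through an `ip rule` entry of priority 220 (`charon.routing_table_prio`), so the practitioner's check is `ip rule show`, `ip route show table 220`, and `ip route get 8.8.8.8`, which prints the kernel's actual decision across all tables including the source address it chose.

```shell
#!/bin/sh
# Added example (not strongSwan code): longest-prefix-match route selection
# inside one routing table, modelled on the two `ip route` listings from the
# thread. Both tables below are constructed input copied from the thread.

ROUTES_BEFORE='10.255.254.180/30 dev usb1 src 10.255.254.180
default via 10.255.254.181 dev usb1'

ROUTES_WITH_SPLIT='10.255.254.180/30 dev usb1 src 10.255.254.180
0.0.0.0/1 via 10.255.254.181 dev usb1 src 10.3.10.18
128.0.0.0/1 via 10.255.254.181 dev usb1 src 10.3.10.18
default via 10.255.254.181 dev usb1'

# Dotted quad -> unsigned 32-bit integer.
ip2int() {
    _oldifs=$IFS; IFS=.; set -- $1; IFS=$_oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length -> netmask as an integer; /0 ("default") is mask 0.
prefix2mask() {
    [ "$1" -eq 0 ] && { echo 0; return; }
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# Prefix length of a route destination: "default", "a.b.c.d/len" or "a.b.c.d".
prefix_len() {
    case $1 in
        default) echo 0 ;;
        */*)     echo "${1#*/}" ;;
        *)       echo 32 ;;
    esac
}

# True if address $1 lies inside destination $2.
in_prefix() {
    [ "$2" = default ] && return 0
    _plen=$(prefix_len "$2"); _mask=$(prefix2mask "$_plen")
    [ $(( $(ip2int "$1") & $_mask )) -eq $(( $(ip2int "${2%/*}") & $_mask )) ]
}

# Longest prefix match: print the winning route line for destination $1 in
# table $2 (one `ip route` line per entry). This is the rule that lets a /1
# beat a /0 while the /0 stays in the table untouched.
best_route() {
    _best=""; _bestlen=-1
    while IFS= read -r _line; do
        [ -z "$_line" ] && continue
        _dst=${_line%% *}
        _len=$(prefix_len "$_dst")
        if in_prefix "$1" "$_dst" && [ "$_len" -gt "$_bestlen" ]; then
            _best=$_line; _bestlen=$_len
        fi
    done <<EOF
$2
EOF
    printf '%s\n' "$_best"
}

# The `src` hint of a route line, or "none" if the route carries no hint.
# With the split-default routes this is the virtual IP, which is what has to
# appear as the packet's source for it to match the IPsec policy.
src_of() {
    set -- $1
    while [ $# -gt 1 ]; do
        [ "$1" = src ] && { echo "$2"; return; }
        shift
    done
    echo none
}

# Demonstration over an Internet host, a host in the upper half of the address
# space, and an on-link neighbour of usb1.
for dst in 8.8.8.8 192.0.2.10 10.255.254.182; do
    printf '%-16s before: %s\n' "$dst" "$(best_route "$dst" "$ROUTES_BEFORE")"
    printf '%-16s after:  %s\n' "$dst" "$(best_route "$dst" "$ROUTES_WITH_SPLIT")"
done
```

Run it with `sh route_lpm.sh` (the file name is an assumption). Before the split-default pair, 8.8.8.8 falls through to the original default route with no `src` hint, so the kernel would pick the interface address and the packet would not match a policy whose local selector is the virtual IP; after it, the same destination hits 0.0.0.0/1 with src 10.3.10.18, 192.0.2.10 hits 128.0.0.0/1, and the on-link /30 still wins for 10.255.254.182 because 30 bits beat 1 bit.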