[strongSwan] Ping Multicast over IPSec

Joyce LAMBERT joyce.lambert at netapsys.fr
Wed Jul 15 16:36:28 CEST 2015


Thanks

I added
reinject=ipsec1-ipsec2 (in forecast.conf on ipsec1)
reinject=ipsec2-ipsec1 (in forecast.conf on ipsec2)

And get the same result. Can't see multicast over the ipsec tunnel.

On 15/07/2015 15:13, Noel Kuntze wrote:
> Hello,
>
> You need to set charon.plugins.forecast.reinject to the conn name that you want to inject the packets into.
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 15.07.2015 at 14:42, Joyce LAMBERT wrote:
>> Hi all,
>>
>> I am trying to get multicast working over IPsec.
>>
>> For this I have created a test environment with 3 virtual machines
>>
>> ipsec1 (10.0.1.2/24) <=> (10.0.1.1/24) Router (10.0.2.1) <=>  ipsec2 (10.0.2.2)
>>
>> The router is also connected to the internet
>>
>> An IPsec tunnel is up between ipsec1 and ipsec2
>>
>> I used a home-compiled 5.3 version of strongSwan with the forecast module enabled on Debian 8.
>>
>> ipsec1 and ipsec2 can ping each other. With tcpdump on the router I see that the traffic is ESP UDP-encap
>>
>> Multicast IPs are configured on right and left for both IPsec servers and the forecast module is loaded. But if I try to ping 224.0.0.5, the packets go outside the tunnel without being encapsulated.
>> Do you see something wrong in my configuration files? Or something I forgot to configure on the IPsec virtual machines?
>>
>> Thank you
>>
>> Configuration IPsec1:
>> ----------------------------
>> ipsec.conf:
>> config setup
>> conn %default
>>        ikelifetime=60m
>>        keylife=20m
>>        rekeymargin=3m
>>        keyingtries=1
>>        authby=secret
>>        keyexchange=ikev2
>>        mobike=yes
>> conn ipsec1-ipsec2
>>        left=10.0.1.2
>>        leftsubnet=224.0.0.0/4,10.0.1.2/32
>>        leftid=@ipsec1
>>        leftfirewall=yes
>>        right=10.0.2.2
>>        rightfirewall=yes
>>        rightsubnet=%dynamic,224.0.0.0/4,10.0.2.2/32
>>        rightid=@ipsec2
>>        auto=start
>>        rightfirewall=yes
>>        type=tunnel
>>        mark=%unique
>>        forceencaps=yes
>>
>> /etc/strongswan.d/charon/forecast.conf
>> forecast {
>>       groups=224.0.0.1,224.0.0.5,224.0.0.6
>>       interface=eth0
>>       load = yes
>> }
>>
>> Configuration IPsec2:
>> ----------------------------
>> ipsec.conf:
>> config setup
>> conn %default
>>        ikelifetime=60m
>>        keylife=20m
>>        rekeymargin=3m
>>        keyingtries=1
>>        authby=secret
>>        keyexchange=ikev2
>>        mobike=yes
>> conn ipsec2-ipsec1
>>        left=10.0.2.2
>>        leftsubnet=224.0.0.0/4,10.0.2.2/32
>>        leftid=@ipsec1
>>        leftfirewall=yes
>>        right=10.0.1.2
>>        rightfirewall=yes
>>        rightsubnet=%dynamic,224.0.0.0/4,10.0.1.2/32
>>        rightid=@ipsec2
>>        auto=start
>>        rightfirewall=yes
>>        type=tunnel
>>        mark=%unique
>>        forceencaps=yes
>>
>> /etc/strongswan.d/charon/forecast.conf
>> forecast {
>>       groups=224.0.0.1,224.0.0.5,224.0.0.6
>>       interface=eth0
>>       load = yes
>> }

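One way to check the advice in the quoted reply, as an added example that is not part of the original thread and is not strongSwan's own parser: it verifies that every name in the forecast plugin's reinject option matches a conn section in ipsec.conf. The function names, the abbreviated sample files and the comma-separated list format are assumptions.

```python
import re

# Constructed sample: ipsec1's files from the thread, abbreviated.
IPSEC_CONF = """\
conn %default
       keyexchange=ikev2
conn ipsec1-ipsec2
       left=10.0.1.2
       leftsubnet=224.0.0.0/4,10.0.1.2/32
       right=10.0.2.2
       rightsubnet=%dynamic,224.0.0.0/4,10.0.2.2/32
"""
FORECAST_CONF = """\
forecast {
      groups=224.0.0.1,224.0.0.5,224.0.0.6
      reinject=ipsec1-ipsec2
      load = yes
}
"""

def conn_names(ipsec_conf):
    """Names of the conn sections in an ipsec.conf, excluding %default."""
    names = re.findall(r"^conn[ \t]+(\S+)", ipsec_conf, flags=re.M)
    return [n for n in names if n != "%default"]

def forecast_options(forecast_conf):
    """key -> value for the options inside the forecast { } block."""
    block = re.search(r"forecast\s*\{(.*?)\}", forecast_conf, flags=re.S)
    opts = {}
    for line in (block.group(1) if block else "").splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def check_reinject(ipsec_conf, forecast_conf):
    """Return findings; an empty list means every reinject name is a conn."""
    conns = conn_names(ipsec_conf)
    raw = forecast_options(forecast_conf).get("reinject", "")
    # Assumption: several conn names are separated by commas.
    wanted = [n.strip() for n in raw.split(",") if n.strip()]
    if not wanted:
        return ["reinject is not set in the forecast block"]
    return [f"reinject names {n!r}, which is not a conn in ipsec.conf {conns}"
            for n in wanted if n not in conns]

if __name__ == "__main__":
    print(check_reinject(IPSEC_CONF, FORECAST_CONF) or "reinject matches a conn")
```

An empty result only confirms that the names line up on that host; it says nothing about whether multicast is actually being encapsulated.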