[strongSwan] Problem with tunnel from a /24 to a /32 network
Tobias Brunner
tobias at strongswan.org
Fri Oct 16 15:45:53 CEST 2015
Hi Steffen,
> ------------------------------------
> NET/24-TO-NET/32 PC01 <--> PC02 ping
> ------------------------------------
> ping 10.20.10.2
> PING 10.20.10.2 (10.20.10.2) 56(84) bytes of data.
> From 10.10.10.1 icmp_seq=1 Destination Net Unreachable
> From 10.10.10.1 icmp_seq=2 Destination Net Unreachable
>
> We are trying for days now with no success.
>
> Is there something we are missing or something we messed up?
strongSwan will install a route in routing table 220 for each IPsec SA,
but only if it finds a local address that's part of the local traffic
selector. So if you have leftsubnet=10.10.10.0/24 in your config the
daemon finds 10.10.10.1 and installs a route to 10.20.10.0/24 with that
IP address set as source address. However, if you configure
leftsubnet=10.10.10.2/32 then 10.10.10.1 is not contained in the traffic
selector and no route will be installed. So if the host does not
already have a route to 10.20.10.0/24 (or a default route) it won't
forward the packets to 10.20.10.2.
Regards,
Tobias
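The rule Tobias describes (a route in table 220 is only installed when one of the host's own addresses falls inside the local traffic selector, and that address becomes the route's source) can be modelled in a few lines of shell. This is an added example, not strongSwan's code or anything from the original thread; it only reuses the addresses Steffen posted (10.10.10.1 on PC01, the two candidate leftsubnet values, and 10.20.10.0/24 as the remote network), and the loopback address is assumed to be present as well:

```sh
# Added example, not strongSwan code: model the route-installation rule from the
# reply above. strongSwan adds a route to the remote subnet in table 220 only if
# one of the host's own addresses falls inside the local traffic selector
# (leftsubnet); that local address becomes the source address of the route.
# The host addresses and subnets below are taken from the thread.

# Convert a dotted-quad IPv4 address to an integer.
ip4_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr ADDR NET/BITS: succeed if ADDR lies inside NET/BITS.
in_cidr() {
    addr=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    bits=${2#*/}
    [ "$bits" -eq 0 ] && return 0
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# route_src LEFTSUBNET LOCAL_ADDR...: print the local address strongSwan would
# use as the source of the table-220 route, or print nothing and return 1 when
# no local address is inside the selector, i.e. no route gets installed.
route_src() {
    ts=$1; shift
    for ip in "$@"; do
        if in_cidr "$ip" "$ts"; then
            printf '%s\n' "$ip"
            return 0
        fi
    done
    return 1
}

# PC01 owns 10.10.10.1 (plus loopback). Compare the two leftsubnet settings.
for ts in 10.10.10.0/24 10.10.10.2/32; do
    if src=$(route_src "$ts" 127.0.0.1 10.10.10.1); then
        echo "leftsubnet=$ts: route to 10.20.10.0/24 installed in table 220, src $src"
    else
        echo "leftsubnet=$ts: no route installed; host needs its own route to 10.20.10.0/24"
    fi
done
```

On a real host the same two cases can be told apart with `ip route show table 220` (empty in the /32 case) and `ip rule show` (the rule that sends lookups to table 220). Consistent with the reply, the two ways out are to use a leftsubnet that contains a local address, or to add a route to the remote network yourself, for example `ip route add 10.20.10.0/24 dev eth0` (interface name assumed here).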