[strongSwan] Passthrough Connection
Christian Hanster
christian-hanster at gmx.de
Wed Sep 2 22:34:25 CEST 2015
Hi all :)
I'm having trouble setting up a simple IPsec connection with overlapping networks and a passthrough connection. Therefore my question is whether there is some open bug at the moment that prevents this from working.
My configuration:
ipsec.conf (Client):
config setup
    charonstart=yes

conn Router3
    keyexchange=ikev2
    right=185.48.118.115
    rightid=@serverside
    rightsubnet=10.1.0.0/16
    left=%any
    leftsubnet=10.1.13.0/24
    leftid=@router
    auto=start
    authby=secret
    ikelifetime=323s
    keylife=771s
    rekeymargin=151s
    keyingtries=1
    leftfirewall=yes
    mobike=no

conn passthrough
    rightsubnet=10.1.13.0/24
    leftsubnet=10.1.13.0/24
    type=pass
    auto=route
    authby=never

(There is no difference whether I write the authby=never line or not.)
ipsec.conf (Server side):
config setup
    # strictcrlpolicy=yes
    # uniqueids = no
    charonstart=yes
    plutostart=no

conn %default
    keyexchange=ikev2
    left=185.48.118.115
    leftid=@serverside
    leftsubnet=10.1.0.0/16
    right=%any
    auto=add
    authby=secret
    ikelifetime=41s
    keylife=89s
    rekeymargin=21s
    mobike=no
    esp=aes128-sha1-modp2048

conn Router3
    rightsubnet=10.1.13.0/24
    rightid=@router
    ikelifetime=323s
    keylife=771s
    rekeymargin=151s
    leftfirewall=yes
The connection will be set up, but the clients behind the router in the subnet 10.1.13.0/24 cannot connect to the router and therefore also cannot reach the other network. I also played around with leftsourceip for the client and lefthostaccess, but neither changed the situation.
Here is the output of ipsec statusall:
Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-39-generic, x86_64):
uptime: 22 minutes, since Sep 02 22:08:00 2015
malloc: sbrk 2433024, mmap 0, used 418432, free 2014592
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 242
loaded plugins: charon addrblock aes attr ccm cmac constraints ctr eap-identity gcm md4 openssl pkcs12 pkcs7 pkcs8 rc2 resolve test-vectors xcbc sha1 sha2 md5 pem pkcs1 random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
Listening IP addresses:
192.168.1.162
10.1.13.1
192.168.3.1
Connections:
Router3: %any...185.48.118.115 IKEv2
Router3: local: [router] uses pre-shared key authentication
Router3: remote: [serverside] uses pre-shared key authentication
Router3: child: 10.1.13.0/24 === 10.1.0.0/16 TUNNEL
passthrough: %any...%any IKEv2
passthrough: local: uses public key authentication
passthrough: remote: uses public key authentication
passthrough: child: 10.1.13.0/24 === 10.1.13.0/24 PASS
Shunted Connections:
passthrough: 10.1.13.0/24 === 10.1.13.0/24 PASS
Security Associations (1 up, 0 connecting):
Router3[733]: ESTABLISHED 9 seconds ago, 192.168.1.162[router]...185.48.118.115[serverside]
Router3[733]: IKEv2 SPIs: 05ffa0afc04432df_i* 5d4055a12121b030_r, pre-shared key reauthentication in 7 seconds
Router3[733]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Router3{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: c9b05f98_i c1028cf3_o
Router3{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 8 minutes
Router3{1}: 10.1.13.0/24 === 10.1.0.0/16
If I compare that to the output from the test examples (https://www.strongswan.org/uml/testresults4/ikev2/shunt-policies/index.html and https://www.strongswan.org/uml/testresults5/ikev2/shunt-policies-nat-rw/index.html), they look nearly the same. But I actually cannot figure out why I cannot connect to 10.1.13.1.
So is there a bug around, or am I overlooking something in my configuration?
Thanks in advance!
Kind regards
Christian
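An added diagnostic, not part of the original post: it parses the two child selectors from the `ipsec statusall` output above and reports which policy covers a given flow. It assumes the rule that the narrower selector pair takes precedence (strongSwan derives policy priority from selector size) and that a PASS/DROP shunt beats a tunnel of equal size, which is exactly why the client-to-router traffic must land on the passthrough policy rather than the overlapping tunnel.

```python
import ipaddress
import re

# Constructed sample: the two child selectors as printed by `ipsec statusall`
# in the post (the Router3 tunnel and the passthrough shunt).
STATUSALL_SAMPLE = """\
Router3: child: 10.1.13.0/24 === 10.1.0.0/16 TUNNEL
passthrough: 10.1.13.0/24 === 10.1.13.0/24 PASS
"""

# name, optional "child:" tag, local selector, remote selector, policy mode
POLICY_RE = re.compile(
    r"^(\S+?): (?:child: )?(\S+) === (\S+) (TUNNEL|TRANSPORT|PASS|DROP)$")


def parse_policies(text):
    """Return (name, local_net, remote_net, mode) tuples for each policy line."""
    policies = []
    for line in text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            name, local, remote, mode = m.groups()
            policies.append((name, ipaddress.ip_network(local),
                             ipaddress.ip_network(remote), mode))
    return policies


def matching_policies(policies, src, dst):
    """Every policy whose local/remote selectors cover an outbound src -> dst flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [p for p in policies if s in p[1] and d in p[2]]


def winning_policy(policies, src, dst):
    """Pick the policy that should apply: the narrower selector pair wins
    (assumption: priority follows selector size), and a PASS/DROP shunt beats
    a tunnel of equal size. Returns None when no policy covers the flow."""
    matches = matching_policies(policies, src, dst)
    if not matches:
        return None
    return max(matches, key=lambda p: (p[1].prefixlen + p[2].prefixlen,
                                       p[3] in ("PASS", "DROP")))


if __name__ == "__main__":
    pols = parse_policies(STATUSALL_SAMPLE)
    for dst in ("10.1.13.1", "10.1.5.7", "8.8.8.8"):
        hits = [p[0] for p in matching_policies(pols, "10.1.13.5", dst)]
        win = winning_policy(pols, "10.1.13.5", dst)
        print(f"10.1.13.5 -> {dst}: matches {hits}, applies: {win[0] if win else 'none'}")
```

Comparing its verdict with `ip xfrm policy` on the router shows whether the kernel actually installed the shunt with the precedence this model expects.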