[strongSwan] Passthrough Connection

Christian Hanster christian-hanster at gmx.de
Wed Sep 2 22:34:25 CEST 2015


Hi all :) 

I'm having trouble setting up a simple IPsec connection with overlapping networks and a passthrough connection. Therefore my question is whether there is some open bug at the moment that prevents it from working.

My configuration: 
ipsec.conf (Client):

config setup
	charonstart=yes

conn Router3
	keyexchange=ikev2
	right=185.48.118.115
	rightid=@serverside
	rightsubnet=10.1.0.0/16
	left=%any
	leftsubnet=10.1.13.0/24
	leftid=@router
	auto=start
	authby=secret
	ikelifetime=323s
	keylife=771s
	rekeymargin=151s
	keyingtries=1
	leftfirewall=yes
	mobike=no

conn passthrough
	rightsubnet=10.1.13.0/24
	leftsubnet=10.1.13.0/24
	type=pass
	auto=route
	authby=never   # (there is no difference whether I write this line or not)

ipsec.conf (Server side):

config setup
	# strictcrlpolicy=yes
	# uniqueids = no
	charonstart=yes
	plutostart=no

conn %default
	keyexchange=ikev2
	left=185.48.118.115
	leftid=@serverside
	leftsubnet=10.1.0.0/16
	right=%any
	auto=add
	authby=secret
	ikelifetime=41s
	keylife=89s
	rekeymargin=21s
	mobike=no
	esp=aes128-sha1-modp2048

conn Router3
	rightsubnet=10.1.13.0/24
	rightid=@router
	ikelifetime=323s
	keylife=771s
	rekeymargin=151s
	leftfirewall=yes

The connection will be set up, but the clients behind the router in the subnet 10.1.13.0/24 cannot connect to the router and therefore also cannot connect to the other network. I also played around with leftsourceip for the client and with lefthostaccess, but neither changed the situation.

Here is the output of ipsec statusall: 
Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-39-generic, x86_64):
  uptime: 22 minutes, since Sep 02 22:08:00 2015
  malloc: sbrk 2433024, mmap 0, used 418432, free 2014592
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 242
  loaded plugins: charon addrblock aes attr ccm cmac constraints ctr eap-identity gcm md4 openssl pkcs12 pkcs7 pkcs8 rc2 resolve test-vectors xcbc sha1 sha2 md5 pem pkcs1 random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
Listening IP addresses:
  192.168.1.162
  10.1.13.1
  192.168.3.1
Connections:
     Router3:  %any...185.48.118.115  IKEv2
     Router3:   local:  [router] uses pre-shared key authentication
     Router3:   remote: [serverside] uses pre-shared key authentication
     Router3:   child:  10.1.13.0/24 === 10.1.0.0/16 TUNNEL
 passthrough:  %any...%any  IKEv2
 passthrough:   local:  uses public key authentication
 passthrough:   remote: uses public key authentication
 passthrough:   child:  10.1.13.0/24 === 10.1.13.0/24 PASS
Shunted Connections:
 passthrough:  10.1.13.0/24 === 10.1.13.0/24 PASS
Security Associations (1 up, 0 connecting):
     Router3[733]: ESTABLISHED 9 seconds ago, 192.168.1.162[router]...185.48.118.115[serverside]
     Router3[733]: IKEv2 SPIs: 05ffa0afc04432df_i* 5d4055a12121b030_r, pre-shared key reauthentication in 7 seconds
     Router3[733]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
     Router3{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c9b05f98_i c1028cf3_o
     Router3{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 8 minutes
     Router3{1}:   10.1.13.0/24 === 10.1.0.0/16 


If I compare that to the output from the test examples (https://www.strongswan.org/uml/testresults4/ikev2/shunt-policies/index.html and https://www.strongswan.org/uml/testresults5/ikev2/shunt-policies-nat-rw/index.html) they look nearly the same. But I actually cannot figure out why I cannot connect to 10.1.13.1.

So is there a bug around, or am I overlooking something in my configuration?

Thanks in advance! 

Kind regards
Christian 
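As an added example (not part of Christian's post and not strongSwan's own code), a small Python check over the policy lines of the ipsec statusall output quoted above: it shows which LAN-to-router traffic in the overlapping 10.1.13.0/24 range is caught by the tunnel policy, and whether the PASS shunt covers that overlap in both directions. It assumes, as the shunt-policies test scenario relies on, that an installed PASS policy takes precedence over a TUNNEL policy for the same traffic.

```python
import ipaddress
import re

# Constructed sample: the policy lines from the ipsec statusall output in the
# post above, with a tunnel whose local subnet lies inside the remote subnet.
STATUSALL = """\
     Router3:   child:  10.1.13.0/24 === 10.1.0.0/16 TUNNEL
 passthrough:   child:  10.1.13.0/24 === 10.1.13.0/24 PASS
Shunted Connections:
 passthrough:  10.1.13.0/24 === 10.1.13.0/24 PASS
"""
# Same setup without the passthrough connection (first line only).
WITHOUT_SHUNT = STATUSALL.splitlines()[0]

POLICY_RE = re.compile(
    r"^\s*(?P<name>\S+):\s+(?:child:\s+)?(?P<local>\S+) === (?P<remote>\S+) "
    r"(?P<mode>TUNNEL|TRANSPORT|PASS|DROP)\s*$"
)

def parse_policies(text):
    """Map connection name -> (local_net, remote_net, mode) from statusall text."""
    policies = {}
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policies[m["name"]] = (ipaddress.ip_network(m["local"]),
                                   ipaddress.ip_network(m["remote"]), m["mode"])
    return policies

def classify(src, dst, policies):
    """Mode a packet src->dst gets; PASS/DROP shunts win over TUNNEL/TRANSPORT."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = {mode for local, remote, mode in policies.values()
            if src in local and dst in remote}
    for mode in ("PASS", "DROP", "TUNNEL", "TRANSPORT"):
        if mode in hits:
            return mode
    return "CLEARTEXT"  # no policy matches, so the packet is routed normally

def uncovered_local_traffic(policies):
    """List (tunnel, range) where local and remote selectors overlap and no PASS
    policy covers the overlap in both directions (e.g. LAN hosts -> 10.1.13.1)."""
    report = []
    for name, (local, remote, mode) in policies.items():
        if mode != "TUNNEL" or not local.overlaps(remote):
            continue
        overlap = local if local.subnet_of(remote) else remote
        covered = any(m == "PASS" and overlap.subnet_of(l) and overlap.subnet_of(r)
                      for l, r, m in policies.values())
        if not covered:
            report.append((name, str(overlap)))
    return report
```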
