[strongSwan] Problem when forwarding all traffic to tunnel (site-to-site VPN)

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Sun Sep 20 17:39:43 CEST 2015


Hi

One workaround method I have been using in this scenario is to put the
route you have added into table 220 - the routing table referenced by
strongswan.
e.g.:

ip route add 10.10.0.0/16 dev lan table 220

- I guess it should start working with the above route in table 220
- the route you have added (without table 220) is included in the main
routing table, which is correct, but is not referenced by strongswan
- this is an issue on a GW/peer, especially and only, when you have the
policy "leftsubnet=your-lan" and "rightsubnet=0.0.0.0/0"

But then again, I am no expert in strongswan... so would you please ask for
advice and the correct solution from the strongswan team itself

thanks
rajiv



On Sun, Sep 20, 2015 at 8:08 PM, Rayson Zhu <vfreex at gmail.com> wrote:

> Hello all,
> The gateway of my local site has a site-to-site VPN to my remote site. I
> want to forward all traffic (including internet traffic) from my local site
> to the remote site.
>
> The ipsec.conf in local gateway:
>
> conn %default
>         left=%any
>         leftcert=<>
>         leftid=<>
>         leftauth=pubkey
>         keyexchange=ikev2
>
> conn site-to-site
>         right=<remote_ip>
>         rightid=<>
>         rightauth=pubkey
>         leftsubnet=10.10.0.0/23
>         rightsubnet=0.0.0.0/0
>         auto=add
>
> After establishing the IPSec connection, the gateway can access the
> internet through the tunnel, but at the same time all hosts behind the
> gateway lose connectivity to the gateway.
>
> That makes sense, because the config rule 'rightsubnet=0.0.0.0/0' tells
> IPSec to forward all traffic into the tunnel, including the traffic to the
> LAN. I added a passthrough policy like this:
>
> conn bypasslan
>         leftsubnet=10.10.0.0/23
>         rightsubnet=10.10.0.0/23
>         type=passthrough
>         auto=route
>
> But this policy does not work. Hosts in the LAN still cannot ping the gateway.
>
> I decided to use traceroute to see what is going on. The result shows that
> the traffic to the LAN goes out the WAN interface without IPSec protection. I
> checked the route table and everything looks normal. I tried adding a
> route rule 'ip route add 10.10.0.0/16 dev lan' but this didn't work.
>
> When I stop the IPSec tunnel, the connection between the LAN hosts and the
> gateway comes back.
>
> I would very much appreciate it if you can help me solve this problem.
>
>
> Thanks & Regards,
>
> Rayson
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>
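The situation discussed above (a tunnel conn with rightsubnet=0.0.0.0/0 whose policy also covers the local LAN) and Rajiv's table-220 workaround, as an added example that is not code from either post: a small lint that parses a minimal ipsec.conf, reports every tunnel-type conn whose rightsubnet contains its own leftsubnet, and prints the corresponding table-220 route built from that leftsubnet. The LAN interface name "lan" and the sample config are assumptions; the route still has to be installed and checked by hand.

```python
# Added example (not code from the thread): lint a minimal ipsec.conf for
# tunnel conns whose rightsubnet covers their own leftsubnet and emit the
# table-220 route Rajiv suggests. The sample config below is constructed.
import ipaddress
import re

SAMPLE_CONF = """\
conn %default
        keyexchange=ikev2
conn site-to-site
        leftsubnet=10.10.0.0/23
        rightsubnet=0.0.0.0/0
        auto=add
conn bypasslan
        leftsubnet=10.10.0.0/23
        rightsubnet=10.10.0.0/23
        type=passthrough
        auto=route
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with conn %default settings merged in."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    default = conns.pop("%default", {})
    return {name: {**default, **opts} for name, opts in conns.items()}


def find_lan_swallowing_conns(conns, lan_dev):
    """Return [(conn, leftsubnet, route_cmd)] for tunnel conns that cover their own LAN."""
    findings = []
    for name, opts in conns.items():
        # passthrough/drop policies do not encapsulate, so only tunnels matter
        if opts.get("type", "tunnel") != "tunnel" or "leftsubnet" not in opts:
            continue
        left = ipaddress.ip_network(opts["leftsubnet"], strict=False)
        rights = [ipaddress.ip_network(r.strip(), strict=False)
                  for r in opts.get("rightsubnet", "").split(",") if r.strip()]
        if any(left.version == r.version and left.subnet_of(r) for r in rights):
            findings.append((name, str(left), f"ip route add {left} dev {lan_dev} table 220"))
    return findings
```

Running `find_lan_swallowing_conns(parse_ipsec_conf(SAMPLE_CONF), "lan")` flags only site-to-site, since bypasslan is a passthrough policy.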