[strongSwan] EAP-Radius setup not getting routes or passing traffic

Noel Kuntze noel at familie-kuntze.de
Mon Dec 5 12:46:06 CET 2016


Hello Chris,

On 05.12.2016 05:23, C Babcock wrote:
> however I can't pass traffic to the server from the client and vice versa.
That is because nearly every single setting in your configuration related to the TS is invalid.

>        leftsubnet=172.21.0.0/23
>        leftsourceip=172.21.0.

First of all, you're assigning virtual IPs to the wrong side.

Then the value of leftsourceip is invalid. It must be the subnet that you want to assign virtual IPs from.
Do not set leftsubnet, if you already set leftsourceip. Vice versa for rightsubnet and rightsourceip.

>         rightsubnet=%any
That's invalid, too.

> ip xfrm policy
> src 0.0.0.0/32 dst 172.21.0.0/23
>         dir fwd priority 2855 ptype main
>         tmpl src 24.11.199.101 dst 172.30.5.161
>                 proto esp reqid 2 mode tunnel
> src 0.0.0.0/32 dst 172.21.0.0/23
>         dir in priority 2855 ptype main
>         tmpl src 24.11.199.101 dst 172.30.5.161
>                 proto esp reqid 2 mode tunnel
> src 172.21.0.0/23 dst 0.0.0.0/32
>         dir out priority 2855 ptype main
>         tmpl src 172.30.5.161 dst 24.11.199.101
>                 proto esp reqid 2 mode tunnel

Those nonsensical policies are the result of your invalid configuration.

> 
> ip route show table 220
> 0.0.0.0 via 172.30.5.1 dev eth0  proto static  src 172.21.0.2

Result of the nonsensical policies.

> conn AWS-EAST-NAT1-IKE2-TUN
>         leftsubnet=%any

Invalid setting. Don't set it when using leftsourceip (Unless you know what you're doing, which you obviously don't).



-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
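Worked example, added here and not part of Noel's reply or the original poster's configuration: a minimal ipsec.conf pair that applies the three points above (virtual IPs are assigned to the remote peer with rightsourceip on the server, the client requests one with leftsourceip=%config, and leftsubnet/rightsubnet are not set on the same side as a sourceip option). All addresses, hostnames, identities and conn names are placeholders; the pool and subnet values are assumed, not taken from the thread.

```ini
# Added example (strongSwan 5.x ipsec.conf syntax). Values are placeholders.

# --- Responder (VPN server). "left" is this host, "right" is the road warrior. ---
conn rw-server-example
        keyexchange=ikev2
        left=%any
        leftauth=pubkey
        leftcert=serverCert.pem
        # Networks behind the server that clients may reach.
        leftsubnet=10.0.0.0/16           # placeholder
        right=%any
        rightauth=eap-radius
        eap_identity=%identity
        # Hand out virtual IPs to the REMOTE side from this pool.
        # Do not set rightsubnet as well: the assigned virtual IP becomes right's TS.
        rightsourceip=172.21.0.0/23      # placeholder pool
        auto=add

# --- Initiator (client). "left" is this host, "right" is the server. ---
conn rw-client-example
        keyexchange=ikev2
        left=%defaultroute
        leftauth=eap
        eap_identity=alice               # placeholder
        # Request a virtual IP from the server; do not set leftsubnet alongside it.
        leftsourceip=%config
        right=vpn.example.org            # placeholder
        rightid=@vpn.example.org         # placeholder
        rightauth=pubkey
        # Traffic to the server's protected network goes through the tunnel.
        rightsubnet=10.0.0.0/16          # placeholder, matches the server's leftsubnet
        auto=start
```

With this layout the kernel policies on the client become "<virtual IP>/32 <-> 10.0.0.0/16" rather than the 0.0.0.0/32 entries shown in the quoted `ip xfrm policy` output, and the route in table 220 points at the server's subnet with the virtual IP as source.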

