[strongSwan] EAP-Radius setup not getting routes or passing traffic

C Babcock qoyagoogs at gmail.com
Mon Dec 5 18:30:14 CET 2016


Hi Noel,

Thanks for the kind response.  Something happened when I copy/pasted.

This:

>        leftsubnet=172.21.0.0/23
>        leftsourceip=172.21.0.

Actually looks like this:

>        leftsubnet=172.21.0.0/23
>        leftsourceip=172.21.0.2

I don't know why the 2 got cut off.

I added this when I could get TS to accept.

> conn AWS-EAST-NAT1-IKE2-TUN
>         leftsubnet=%any

I will make the other changes you suggested.  Thanks.

CB

On Mon, Dec 5, 2016 at 5:46 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:

> Hello Chris,
>
> On 05.12.2016 05:23, C Babcock wrote:
> > however I can't pass traffic to the server from the client and vice versa.
> That is because nearly every single setting in your configuration related
> to the TS is invalid.
>
> >        leftsubnet=172.21.0.0/23
> >        leftsourceip=172.21.0.
>
> First of all, you're assigning virtual IPs to the wrong side.
>
> Then the value of leftsourceip is invalid. It must be the subnet that you
> want to assign virtual IPs from.
> Do not set leftsubnet, if you already set leftsourceip. Vice versa for
> rightsubnet and rightsourceip.
>
> >         rightsubnet=%any
> That's invalid, too.
>
> > ip xfrm policy
> > src 0.0.0.0/32 dst 172.21.0.0/23
> >         dir fwd priority 2855 ptype main
> >         tmpl src 24.11.199.101 dst 172.30.5.161
> >                 proto esp reqid 2 mode tunnel
> > src 0.0.0.0/32 dst 172.21.0.0/23
> >         dir in priority 2855 ptype main
> >         tmpl src 24.11.199.101 dst 172.30.5.161
> >                 proto esp reqid 2 mode tunnel
> > src 172.21.0.0/23 dst 0.0.0.0/32
> >         dir out priority 2855 ptype main
> >         tmpl src 172.30.5.161 dst 24.11.199.101
> >                 proto esp reqid 2 mode tunnel
>
> Those nonsensical policies are the result of your invalid configuration.
>
> >
> > ip route show table 220
> > 0.0.0.0 via 172.30.5.1 dev eth0  proto static  src 172.21.0.2
>
> Result of the nonsensical policies.
>
> > conn AWS-EAST-NAT1-IKE2-TUN
> >         leftsubnet=%any
>
> Invalid setting. Don't set it when using leftsourceip (Unless you know
> what you're doing, which you obviously don't).
>
>
>
> --
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
>
>
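Added example, not code from the thread or from the strongSwan project: a small Python lint over ipsec.conf-style conn sections that flags the three selector mistakes Noel points out (subnet and sourceip on the same side, a single host address as the pool, and subnet=%any). The invalid sample is the thread's own conn; the "fixed" responder-side layout and its pool 10.10.10.0/24 are assumptions for illustration.

```python
import ipaddress
import re

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text (comments stripped)."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"conn\s+(\S+)", line)
        if m and not line[0].isspace():
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def lint_conn(cfg):
    """Return the list of selector problems in one conn, per the advice in the thread."""
    problems = []
    for side in ("left", "right"):
        subnet, pool = cfg.get(f"{side}subnet"), cfg.get(f"{side}sourceip")
        if subnet == "%any":
            problems.append(f"{side}subnet=%any is not a valid traffic selector")
        if pool is not None:
            if subnet is not None:
                problems.append(f"{side}subnet and {side}sourceip set on the same side")
            try:
                ipaddress.ip_address(pool)  # a bare host address, not a pool
                problems.append(f"{side}sourceip={pool} is a single host address, not a pool")
            except ValueError:
                pass  # CIDR pool, %config request, or a named pool: accepted
    return problems

# Constructed sample: the conn as posted in the thread.
INVALID = """
conn AWS-EAST-NAT1-IKE2-TUN
        leftsubnet=172.21.0.0/23
        leftsourceip=172.21.0.2
        rightsubnet=%any
"""

# Assumed corrected responder side: the server offers 172.21.0.0/23 and assigns
# the EAP client a virtual IP from a pool (placeholder pool, no rightsubnet).
FIXED = """
conn AWS-EAST-NAT1-IKE2-TUN
        leftsubnet=172.21.0.0/23
        rightsourceip=10.10.10.0/24
"""

if __name__ == "__main__":
    for label, text in (("invalid", INVALID), ("fixed", FIXED)):
        for name, cfg in parse_conns(text).items():
            print(label, name, lint_conn(cfg))
```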