[strongSwan] gre over ipsec with double nat, default route for other side not going over tunnel
Davide Gianino
giandvd at gmail.com
Thu Feb 25 12:41:47 CET 2016
I've got 2 hosts both behind NAT talking with GRE over IPsec. This
works fine, but the default route added by strongSwan is wrong. Why
could this be?
eth0 192.168.255.196/28  tun0 10.3.3.1 <===============> 10.3.3.2 tun0  eth0 192.168.255.229/28
Behind NAT, public IP 1.1.1.1                                Behind NAT, public IP 2.2.2.2
strongSwan is adding this route on the left host:
192.168.255.224 *        255.255.255.240 U  0 0 0 eth0
which is wrong; it should be using
192.168.255.224 10.3.3.2 255.255.255.240 UG 0 0 0 tun0
so that left can reach right through the far end of the tunnel.
If I remove the route added by strongSwan and add the second route, it works.
Config on the left host:
conn tunnel-1
    left=192.168.255.196
    leftid=1.1.1.1
    right=2.2.2.2
    leftsubnet=192.168.255.192/28
    rightsubnet=192.168.255.224/28
    leftsourceip=192.168.255.196
    leftprotoport=gre
    rightprotoport=gre
    ike=aes128-sha1!
    keyexchange=ikev1
    ikelifetime=28800s
    esp=aes128-sha1!
    keylife=3600s
    rekeymargin=540s
    type=tunnel
    pfs=yes
    compress=no
    authby=secret
    auto=start
    keyingtries=%forever
Config on the right host:
conn tunnel-2
    left=192.168.255.229
    leftid=2.2.2.2
    right=1.1.1.1
    leftsubnet=192.168.255.224/28
    rightsubnet=192.168.255.192/28
    leftsourceip=192.168.255.229
    leftprotoport=gre
    rightprotoport=gre
    ike=aes128-sha1!
    keyexchange=ikev1
    ikelifetime=28800s
    esp=aes128-sha1!
    keylife=3600s
    rekeymargin=540s
    type=tunnel
    pfs=yes
    compress=no
    authby=secret
    auto=start
    keyingtries=%forever
I added nat_traversal=yes in config setup, but no difference.
Also, why does it even work at all? I thought that to use GRE over IPsec
you had to use transport mode. Yet using tunnel mode I can see GRE
packets on both sides, and multicast works.
Thanks.
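The following is an added diagnostic example, not code from the original post or from the strongSwan project. It shows how to check, from `route -n`-style output, whether the route toward the remote subnet really goes via the GRE peer on tun0 or has been installed directly on eth0, which is the symptom described above. The function names (`route_field`, `route_gw`, `route_iface`, `check_remote_route`) and the `SAMPLE_ROUTES` table are assumptions made for this example; the addresses are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the post or from strongSwan). Parses `route -n`
# style lines (Destination Gateway Genmask Flags Metric Ref Use Iface) and
# reports which gateway/interface carries the route toward the remote
# subnet, so a route that bypasses the GRE tunnel can be spotted.

# Constructed sample of the left host's table, reproducing the route the
# post describes as wrong: the remote /28 is reachable directly on eth0.
SAMPLE_ROUTES='192.168.255.224 0.0.0.0         255.255.255.240 U  0 0 0 eth0
10.3.3.0        0.0.0.0         255.255.255.0   U  0 0 0 tun0
0.0.0.0         192.168.255.193 0.0.0.0         UG 0 0 0 eth0'

# route_field DEST GENMASK FIELD [ROUTES]
#   Print column FIELD (2 = gateway, 8 = iface) of the first line whose
#   destination and genmask match; print nothing if there is no such route.
route_field() {
    rf_dest=$1; rf_mask=$2; rf_field=$3; rf_routes=${4:-$SAMPLE_ROUTES}
    printf '%s\n' "$rf_routes" |
        awk -v d="$rf_dest" -v m="$rf_mask" -v f="$rf_field" \
            '$1 == d && $3 == m { print $f; exit }'
}

route_gw()    { route_field "$1" "$2" 2 "${3:-$SAMPLE_ROUTES}"; }
route_iface() { route_field "$1" "$2" 8 "${3:-$SAMPLE_ROUTES}"; }

# check_remote_route DEST GENMASK WANT_GW WANT_IFACE [ROUTES]
#   Return 0 when the route to DEST/GENMASK uses WANT_GW and WANT_IFACE,
#   1 otherwise (including when no route exists); prints a one-line verdict.
check_remote_route() {
    cr_dest=$1; cr_mask=$2; cr_want_gw=$3; cr_want_if=$4
    cr_routes=${5:-$SAMPLE_ROUTES}
    cr_gw=$(route_gw "$cr_dest" "$cr_mask" "$cr_routes")
    cr_if=$(route_iface "$cr_dest" "$cr_mask" "$cr_routes")
    if [ -z "$cr_if" ]; then
        echo "no route for $cr_dest/$cr_mask"
        return 1
    fi
    if [ "$cr_gw" = "$cr_want_gw" ] && [ "$cr_if" = "$cr_want_if" ]; then
        echo "ok: $cr_dest/$cr_mask via $cr_gw dev $cr_if"
        return 0
    fi
    echo "mismatch: $cr_dest/$cr_mask via $cr_gw dev $cr_if (expected via $cr_want_gw dev $cr_want_if)"
    return 1
}

# Live use on the left host (remote subnet and tunnel peer from the post);
# `tail -n +3` skips the two header lines that `route -n` prints:
#   check_remote_route 192.168.255.224 255.255.255.240 10.3.3.2 tun0 "$(route -n | tail -n +3)"
```

Against the constructed sample the check reports a mismatch (the remote /28 via eth0 with no gateway); against a table containing the `UG ... tun0` route from the post it reports ok. On a live system also look at `ip route show table 220`, since strongSwan installs the routes it manages in that table rather than in the main one, and if those routes are to be managed elsewhere their installation can be disabled with `charon.install_routes = no` in strongswan.conf.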