[strongSwan] gre over ipsec with double nat, default route for other side not going over tunnel
giandvd at gmail.com
Thu Feb 25 12:41:47 CET 2016
I've got 2 hosts both behind nat talking with gre over ipsec. This
works fine but the default route added by strongswan is wrong. Why
could this be?
eth0 10.3.3.1 tun0
192.168.255.196/28 <===============================> 192.168.255.229/28
Behind NAT, public IP 188.8.131.52 Behind NAT, public IP 184.108.40.206
strongswan is adding this route on the left host:
192.168.255.224 * 255.255.255.240 U 0 0 0 eth0
which is wrong; it should be using
192.168.255.224 10.3.3.2 255.255.255.240 UG 0 0 0 tun0
so that left can reach right through the far end of the tunnel.
If I remove the route added by strongswan and add the second route, it works.
Config on the left host:
I added nat_traversal=yes in config setup, but no difference.
Also, why does it even work at all? I thought to use gre over ipsec
you had to use transport mode? Yet using tunnel mode I can see gre
packets on both sides, and multicast works.