[strongSwan] How to protect all traffic using strongswan?
Sarat Vajrapu
saratvajrapu1 at gmail.com
Mon Jul 25 11:55:24 CEST 2016
Hi Mirko,
Thanks for the reply.
I created loopback interface on each gateway and below is the required info:
GW_A:
Config:
conn ipsec-local
    left=10.1.1.216
    esp=aes128-sha256
conn ipsec-10.1.1.218
    also=ipsec-local
    leftauth=psk
    right=10.1.1.218
    rightauth=psk
    keyexchange=ikev2
    type=tunnel
    auto=start
ifconfig lo:1:
lo:1 Link encap:Local Loopback
inet addr:1.1.1.1 Mask:255.255.255.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
route -n:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.1.1.1 0.0.0.0 UG 0 0 0 br_if
2.2.2.2 10.1.1.218 255.255.255.255 UGH 0 0 0 br_if
10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br_if
10.1.1.218 10.1.1.218 255.255.255.255 UGH 0 0 0 br_if
GW_B:
Config:
conn ipsec-local
    left=10.1.1.218
    esp=aes128-sha256
conn ipsec-10.1.1.216
    also=ipsec-local
    leftauth=psk
    right=10.1.1.216
    rightauth=psk
    keyexchange=ikev2
    type=tunnel
    auto=start
ifconfig lo:1:
lo:1 Link encap:Local Loopback
inet addr:2.2.2.2 Mask:255.255.255.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
route -n:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.1.1.1 0.0.0.0 UG 0 0 0 br_if
1.1.1.1 10.1.1.216 255.255.255.255 UGH 0 0 0 br_if
10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br_if
10.1.1.216 10.1.1.216 255.255.255.255 UGH 0 0 0 br_if
Logs:
tcpdump -i br_if esp:
GW_A#ping 10.1.1.218
PING 10.1.1.218 (10.1.1.218) 56(84) bytes of data.
64 bytes from 10.1.1.218: icmp_seq=1 ttl=64 time=1.84 ms
64 bytes from 10.1.1.218: icmp_seq=2 ttl=64 time=0.629 ms
GW_B#tcpdump -i br_if esp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br_if, link-type EN10MB (Ethernet), capture size 65535 bytes
00:19:01.098941 IP test.local > test-2.local: ESP(spi=0xc2511019,seq=0x1), length 136
00:19:01.099243 IP test-2.local > test.local: ESP(spi=0xcd2a2bdb,seq=0x1), length 136
00:19:02.099627 IP test.local > test-2.local: ESP(spi=0xc2511019,seq=0x2), length 136
00:19:02.099888 IP test-2.local > test.local: ESP(spi=0xcd2a2bdb,seq=0x2), length 136
GW_A#ping -I 1.1.1.1 2.2.2.2
PING 2.2.2.2 (2.2.2.2) from 1.1.1.1 : 56(84) bytes of data.
64 bytes from 2.2.2.2: icmp_seq=1 ttl=64 time=1.42 ms
64 bytes from 2.2.2.2: icmp_seq=2 ttl=64 time=0.257 ms
64 bytes from 2.2.2.2: icmp_seq=3 ttl=64 time=0.271 ms
GW_B#tcpdump -i br_if esp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br_if, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
Regards,
Sarat
On Sat, Jul 23, 2016 at 4:11 PM, Mirko Parthey <mirko.parthey at web.de> wrote:
> On Tue, Jul 05, 2016 at 05:40:43PM +0530, Sarat Vajrapu wrote:
> > I am new to strongswan and trying to protect host-host traffic using ipsec
> > tunnel mode. However I observe that only the traffic between endpoints are
> > protected and not complete traffic.
> >
> > Topology:
> >
> > <<<<<LAN1>>>> ------- GW_A <---------- internet---------------> GW_B -------------------- <<<<<LAN2>>>>>>
> >
> > [...]
> > Can you please help me with this - any config addition/any change in routing
> > table?
>
> Hi Sarat,
>
> Please show us your strongSwan config and gateway routing tables,
> if possible.
>
> Regards,
> Mirko
>
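Editor's added example (not part of this thread and not strongSwan's own code): the captures above show ESP only for the gateway addresses 10.1.1.216 <-> 10.1.1.218 and nothing for 1.1.1.1 <-> 2.2.2.2. In ipsec.conf a conn with no leftsubnet/rightsubnet gets traffic selectors of left/32 and right/32, so the kernel has an IPsec policy only for the gateway-to-gateway flow and forwards every other flow in the clear. The script below parses the posted GW_A conn definitions, applies that default, and reports which conn (if any) covers a given src -> dst flow. FIXED_CONF is a hypothetical correction constructed here, adding leftsubnet=1.1.1.1/32 and rightsubnet=2.2.2.2/32; its name and the exact subnets chosen are assumptions, not something the thread states.

```python
"""Which flows would a strongSwan ipsec.conf actually protect?

Parses 'conn' sections, flattens 'also=' references and derives the
effective traffic selectors, using the ipsec.conf rule that a missing
leftsubnet/rightsubnet means left/32 and right/32.
"""
import ipaddress
import re

# Constructed sample: the GW_A conn definitions as posted in the thread.
POSTED_CONF = """
conn ipsec-local
    left=10.1.1.216
    esp=aes128-sha256

conn ipsec-10.1.1.218
    also=ipsec-local
    leftauth=psk
    right=10.1.1.218
    rightauth=psk
    keyexchange=ikev2
    type=tunnel
    auto=start
"""

# Hypothetical correction (assumption, not from the thread): name the loopback
# addresses as the subnets so the tunnel's selectors cover that traffic.
FIXED_CONF = POSTED_CONF.replace(
    "    right=10.1.1.218\n",
    "    right=10.1.1.218\n    leftsubnet=1.1.1.1/32\n    rightsubnet=2.2.2.2/32\n",
)


def parse_conns(text):
    """Parse 'conn NAME' sections into {name: {key: value}}; '#' starts a comment."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a conn section: {raw!r}")
        key, value = (s.strip() for s in line.split("=", 1))
        current[key] = value
    return conns


def resolve(conns, name, _seen=()):
    """Flatten an 'also=' chain; keys set directly on the conn win over the base."""
    if name in _seen:
        raise ValueError(f"also= loop through {name}")
    own = dict(conns[name])
    base = own.pop("also", None)
    merged = resolve(conns, base, _seen + (name,)) if base else {}
    merged.update(own)
    return merged


def selectors(conn):
    """Effective (left, right) selector lists; a missing subnet means the peer /32."""
    def side(s):
        subnet = conn.get(f"{s}subnet") or f"{conn[s]}/32"
        return [ipaddress.ip_network(n.strip(), strict=False)
                for n in subnet.split(",")]
    return side("left"), side("right")


def protecting_conns(conf_text, src, dst):
    """Names of conns whose selectors cover src -> dst as seen from 'left'.

    An empty list means no IPsec policy matches the flow, so the kernel sends
    it in plaintext; that is what the empty tcpdump for 1.1.1.1 -> 2.2.2.2 shows.
    """
    conns = parse_conns(conf_text)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = []
    for name in conns:
        c = resolve(conns, name)
        if "right" not in c:  # template sections such as ipsec-local have no peer
            continue
        lefts, rights = selectors(c)
        if any(src in n for n in lefts) and any(dst in n for n in rights):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        for flow in (("10.1.1.216", "10.1.1.218"), ("1.1.1.1", "2.2.2.2")):
            print(label, flow, protecting_conns(conf, *flow) or "PLAINTEXT")
```

With the posted config only the 10.1.1.216 -> 10.1.1.218 flow is matched; with the constructed FIXED_CONF the loopback flow is matched and the gateway-to-gateway flow no longer is, because explicit subnets replace the /32 defaults rather than adding to them. On a live gateway the authoritative check is `ip xfrm policy`, since an IKEv2 peer may narrow the selectors below what the local config asks for.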