[strongSwan] Traffic in a Hub and Spoke setup not forwarded

Martin Sand dborn at gmx.net
Fri Feb 24 23:49:31 CET 2017 

Hi all

After some time I began to investigate again.
I think the problem is that my strongSwan router is behind a modem 
(another router) which I cannot set to bridge modus.
The modem is NATing the traffic.

Routing table 220 shows the problem.
The traffic is sent to the modem (192.168.0.1), connected to the 
internet and my strongSwan vpn router (192.168.2.1).
The modem is also the default gateway.

root at OpenWrt:~# ip route show table 220
192.168.1.0/24 via 192.168.0.1 dev eth0  proto static  src 192.168.2.1
192.168.3.0/24 via 192.168.0.1 dev eth0  proto static  src 192.168.2.1

I tried to get around the problem by setting the via route to the 
external IP of my modem (134.100.110.120).
But this does not work:

root at OpenWrt:~# ip r c table 220 192.168.1.0/24 via 134.100.110.120 dev 
eth0 proto static src 192.168.2.1
RTNETLINK answers: Network is unreachable

Any ideas on how to solve the issue?

Best regards
Martin

On 11/08/2016 08:46 PM, Martin Sand wrote:
> Hi all
>
> I have a Hub and Spoke setup:
> * Central server 192.168.0.1
> * Router 1: 192.168.1.1
> * Router 2: 192.168.2.1
>
> I cannot reach the computers on the other side of the network although 
> tunnel is established.
> Do I miss an iptable or route information?
>
> Output from 192.168.1.100 when trying to reach a computer on the other 
> network (192.168.2.100):
> [user at workstation ~]$ tracepath 192.168.2.100
>  1?: [LOCALHOST]                                         pmtu 1500
>  1:  router-1                                     0.475ms
>  1:  router-1                                     0.445ms
>  2:  no reply
>
> Output of route on Router 1 (192.168.1.1):
> 192.168.2.0/24 via 80.10.10.1 dev eth0  proto static  src 192.168.1.1
>
> Output of route on Router 2 (192.168.2.1):
> 192.168.1.0/24 via 192.168.0.1 dev eth0  proto static  src 192.168.2.1
>
> Any ideas on what is going wrong? Maybe because one router shows the 
> external IP of the Hub instead of the internal one?
>
> Best regards
> Martin
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170224/88099cb6/attachment.html>

More information about the Users mailing list