[strongSwan] routing confusion / config check
Vincent Gatignol
vincent.gatignol at braincube.com
Wed Mar 15 11:34:09 CET 2017
Hi list,
I have a running config that must be updated because some of the routing is not working.
The remote site is not managed by us so we can't easily change its configuration (but it may not be necessary thought).
As of today, from the local server (10.15.130.5), we can ping the remote site, but we can't ping the local machines (10.15.130.254 for example).
>From the local network (say 10.15.130.2), we can ping the remote side when a gateway is set to the local vpn server (10.15.130.5).
>From another local network (10.20.0.0/24, out of the remote network range) I can ssh to the local vpn host (the gateway 10.15.130.254 is working fine)
Note that the remote use a 10.0.0.0/12 network that overlap our network side (10.15.130.0/24). I tried to set up an exclusion with "virtual_private".
This is driving me nut !
Could someone have a look at this configuration and spot the mistake we made ?
I can't understand how this could work now (can't ping the gateway but the traffic is going thru, can't ping same network hosts), also I don't know why the ip xfrm policy show 4 times the same 0.0.0.0 rules
Here are the details of the actual setup, and again any help appreciated !
---
Linux Openswan U2.6.49/K3.2.0-4-amd64 (netkey)
Debian 3.2.68-1+deb7u3 x86_64 GNU/Linux
---
config setup
nat_traversal=yes
protostack=netkey
interfaces=%defaultroute
oe=off
# we exclude our local network from being routed through the tunnel
virtual_private=%v4:10.0.0.0/12,%v4:!10.15.130.0/24
conn mypeer
type=tunnel
compress=yes
aggrmode=no
authby=secret
forceencaps=yes
ikev2=no
ike=aes256-sha1
ikelifetime=24h
keylife=1h
pfs=yes
dpddelay=0
dpdtimeout=0
auto=start
left=10.15.130.5
leftsourceip=10.15.130.5
leftsubnet=10.15.130.0/24
right=<remote_public_ip>
rightsourceip=<remote_public_ip>
rightsubnet=10.0.0.0/12
---
ip route show
default via 10.15.130.254 dev eth0
10.0.0.0/12 dev eth0 scope link src 10.15.130.5
10.15.130.0/24 dev eth0 proto kernel scope link src 10.15.130.5
---
ip xfrm policy
src 10.15.130.0/24 dst 10.0.0.0/12
dir out priority 2356 ptype main
tmpl src 10.15.130.5 dst <remote_public_ip>
proto esp reqid 16385 mode tunnel
src 10.0.0.0/12 dst 10.15.130.0/24
dir fwd priority 2356 ptype main
tmpl src <remote_public_ip> dst 10.15.130.5
proto esp reqid 16385 mode tunnel
src 10.0.0.0/12 dst 10.15.130.0/24
dir in priority 2356 ptype main
tmpl src <remote_public_ip> dst 10.15.130.5
proto esp reqid 16385 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
---
Vincent Gatignol
IT Infrastructure Manager
+33 (0)6 64 61 86 97
www.braincube.com <http://braincube.com?utm_source=signature&utm_medium=e-mail&utm_campaign=lien_site_braincube>
[https://cdn.mybraincube.com/mail/img.png]<http://braincube.com/magazine/?utm_source=signature&utm_medium=e-mail&utm_campaign=connected_factory_1>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170315/013333b3/attachment-0001.html>
More information about the Users
mailing list