[strongSwan] [strongSwan-dev] route a packet to a VTI device, it gets NoRoute error

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Fri May 19 16:27:18 CEST 2017


Hi,

I removed the garbage from your configurations and fixed them for you.
You have to disable the installation of routes into table 220 by disabling that in strongswan.conf.
Your routing rule gets all the traffic and puts it all into the vti,
the ESP packets, too. The kernel recognizes the routing loop, drops the
packet and increases the tx error count for the noroute field.

You need at least a unicast route to the other peer's IP address to prevent the routing loop.
An elegant solution to this is to insert a throw route into the table that the vti is in.

> pc2 configuration:
> 
> connections {
>     gw-gw {
>         version = 2
>         local_addrs = 192.168.2.11
>         remote_addrs = 192.168.2.22
>         local {
>             auth = psk
>             id = 192.168.2.11
>         }
>         remote {
>             id = %any
>             auth = psk
>         }
>         children {
>             net-net {
>                 local_ts = 0.0.0.0/0
>                 remote_ts = 0.0.0.0/0
>                 mode = tunnel
>                 start_action = route
>                 mark_in = 0x1
>                 mark_out = 0x1
>             }
>         }
>     }
> }
> 
> secrets {
>     ike-192.168.2.22 {
>         id = 192.168.2.22
>         secret = niceday
>     }
> }
> 
> ============================================
> 
> pc1 configuration:
> 
> connections {
>     gw-gw {
>         version = 2
>         local_addrs = 192.168.2.22
>         remote_addrs = 192.168.2.11
>         local {
>             auth = psk
>             id = 192.168.2.22
>         }
>         remote {
>             id = %any
>             auth = psk
>         }
>         children {
>             net-net {
>                 local_ts = 10.10.10.10/24
>                 remote_ts = 0.0.0.0/0
>                 policies = yes
>                 dpd_action = clear
>             }
>         }
>     }
> }
> 
> secrets {
>     ike-192.168.2.11 {
>         id = 192.168.2.11
>         secret = niceday
>     }
> }



On 19.05.2017 16:17, tszephay Field wrote:
> 
> Hi Noel, thanks for your reply. I do not know why it needs route here even though the flow has arrived at vti.
> 
> And how can I ping eth3 from eth0?
> 
> ps: I have realized my fault that this is dev mailing list =。= very sorry!
> 
> ======================================================> <SNIP>
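The setup described above (all traffic steered into the VTI's own table, a throw route for the peer so ESP falls back to the main table, charon's table 220 routes disabled), as an added example that is not part of this thread or of strongSwan's own tooling. Addresses and the mark come from the quoted pc2 config; the interface name vti0, table 100, rule priority 100 and the inner address 10.10.10.11/24 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: iproute2 side of pc2 for the quoted
# swanctl.conf (mark 0x1, peers 192.168.2.11 <-> 192.168.2.22).
# Assumptions: interface vti0, routing table 100, rule priority 100,
# inner address 10.10.10.11/24 (constructed).
LOCAL_IP=192.168.2.11
PEER_IP=192.168.2.22
MARK=1
VTI=vti0
TABLE=100
PRIO=100
INNER=10.10.10.11/24

# run: execute the command, or only print it when DRY_RUN=1 so the plan can be reviewed
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# strongswan.conf fragment: charon must not install its own routes into
# table 220, otherwise they compete with the VTI table below
strongswan_conf_snippet() {
    printf '%s\n' 'charon {' '    install_routes = no' '}'
}

vti_setup() {
    # the VTI key must match mark_in/mark_out of the child config
    run ip tunnel add "$VTI" mode vti local "$LOCAL_IP" remote "$PEER_IP" key "$MARK"
    run ip addr add "$INNER" dev "$VTI"
    run ip link set "$VTI" up
    # skip the second policy check on packets the VTI has already decrypted
    run sysctl -w "net.ipv4.conf.$VTI.disable_policy=1"
    # everything is routed into the VTI ...
    run ip route add default dev "$VTI" table "$TABLE"
    # ... except the peer itself: the throw route falls back to the main table,
    # whose unicast route sends the ESP packets out of the physical interface
    # instead of back into the VTI (the routing loop behind the NoRoute counter)
    run ip route add throw "$PEER_IP/32" table "$TABLE"
    run ip rule add priority "$PRIO" lookup "$TABLE"
}

# print the plan unless invoked as "apply"
[ "${1:-}" = apply ] || DRY_RUN=1
strongswan_conf_snippet
vti_setup
```

Run it without arguments to review the generated commands; `sh script.sh apply` executes them and needs root.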

