[strongSwan] Can't make routing work to pass Internet traffic
phil at postmates.com
Sat May 5 01:56:20 CEST 2018
On Fri, May 4, 2018 at 7:57 AM Arab Abdulla <arab666 at protonmail.com> wrote:
> Dear Admins!
> Please help. I can't make routing work. I have this network scheme:
> IPSEC Client 1 <--> IPSEC Server <--> IPSEC Client 2
> IPSEC IPs of computers:
> Server: 10.1.1.1
> Client 1: 10.1.2.1
> Client 2: 10.1.3.1
> I can ping 10.1.3.1 from 10.1.2.1, traffic goes through 10.1.1.1. It works.
> I need to make "Client 2" an Internet gateway to pass all Internet traffic
> from Client 1.
> But when I try to add route:
> ip route add 220.127.116.11/32 via 10.1.3.1
> it seems the route is not working, as if gateway 10.1.3.1 is just ignored. Traffic
> ends on 10.1.1.1 and does not pass to 10.1.3.1 at all. I check it with
Client 1 sends the packet addressed to 18.104.22.168, and the server receives it.
Now the server doesn't know about the routing tables on client 1: it only
knows it has this packet addressed to 22.214.171.124. How does the server know a
packet for 126.96.36.199 should go through client 2? You can check the server
routing tables with "ip route get 188.8.131.52", or perhaps "ip route get
184.108.40.206 from 10.1.2.1": what does it say? Does it show the server thinks the
next hop should be 10.1.3.1?
Reverse path filtering is another thing that can be a problem in scenarios
like this, especially if client 1 has some IP address other than 10.1.2.1,
and is not using 10.1.2.1 as the source address for the packets it sends
destined for the internet. The log_martians and rp_filter sysctls are
something to check. I've spent more than a few hours racking my brain as to
why packets are "just disappearing" before remembering reverse path
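The checks described in the reply above (looking up the forwarding route with `ip route get` and inspecting the rp_filter / log_martians sysctls), as an added diagnostic script that is not part of the original thread and was not posted by either participant. It assumes Linux with iproute2 and the /proc/sys sysctl tree; 203.0.113.10 stands in for the Internet address in the thread, the ingress interface name eth0 is an assumption, and the `ip route get` output used by the self-checks is constructed.

```shell
#!/bin/sh
# Added example for this thread, not code posted by either participant.
# Assumes Linux with iproute2 and the /proc/sys sysctl tree. 203.0.113.10 is
# a placeholder for the Internet destination; eth0 is an assumed ingress
# interface name.

# Print the next hop from the first line of `ip route get` output:
# the address after "via", or "direct" when the destination is on-link.
next_hop() {
    printf '%s\n' "$1" | awk 'NR == 1 {
        for (i = 1; i <= NF; i++) if ($i == "via") { print $(i + 1); exit }
        print "direct"
    }'
}

# Succeed only if the route output points at the gateway we expect.
expect_next_hop() {      # $1 = ip route get output, $2 = expected gateway
    [ "$(next_hop "$1")" = "$2" ]
}

# Map an rp_filter sysctl value to its meaning (0 off, 1 strict, 2 loose).
rp_filter_mode() {
    case "$1" in
        0) echo off ;;
        1) echo strict ;;
        2) echo loose ;;
        *) echo unknown ;;
    esac
}

# Live check on the IPsec server: does a packet from client 1 to $1 get
# forwarded toward $2?  Forwarded traffic must be looked up with the client's
# source address and the ingress interface, not as locally generated traffic.
check_forward_path() {   # $1 dst, $2 expected gw, $3 client src, $4 ingress iface
    out=$(ip route get "$1" from "$3" iif "$4" 2>&1) || {
        echo "lookup failed: $out"
        return 1
    }
    if expect_next_hop "$out" "$2"; then
        echo "OK: $1 from $3 -> via $2"
    else
        echo "MISMATCH: $1 from $3 -> $(next_hop "$out") (wanted $2)"
        echo "$out"
        return 1
    fi
}

# Report forwarding and reverse-path filtering state per interface: a strict
# rp_filter on the ingress interface silently drops packets whose source
# address would not be routed back out through that same interface.
rp_filter_report() {
    echo "ip_forward = $(cat /proc/sys/net/ipv4/ip_forward)"
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        ifc=$(basename "$(dirname "$f")")
        lm=$(cat "/proc/sys/net/ipv4/conf/$ifc/log_martians")
        echo "$ifc: rp_filter=$(rp_filter_mode "$(cat "$f")") log_martians=$lm"
    done
}

# Run on the server as:  sh thisfile.sh --live
if [ "${1-}" = "--live" ]; then
    check_forward_path 203.0.113.10 10.1.3.1 10.1.2.1 eth0
    rp_filter_report
fi
```

Without `iif`, `ip route get ... from <addr>` treats the source as local and will refuse an address the server does not own, so the lookup must name the interface the client's packets arrive on. A lookup error rather than a route (for example "Invalid cross-device link") is a sign that the reverse-path check itself rejected the source; setting `log_martians=1` on that interface makes the kernel log such drops so they stop "just disappearing".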