[strongSwan] Can't make routing work to pass Internet traffic

Phil Frost phil at postmates.com
Sat May 5 01:56:20 CEST 2018


On Fri, May 4, 2018 at 7:57 AM Arab Abdulla <arab666 at protonmail.com> wrote:

> Dear Admins!
>
> Please help. Can't make routing work. I have this network scheme:
> IPSEC Client 1 <--> IPSEC Server <--> IPSEC Client 2
>
> IPSEC IPs of computers:
> Server: 10.1.1.1
> Client 1: 10.1.2.1
> Client 2: 10.1.3.1
>
> I can ping 10.1.3.1 from 10.1.2.1, traffic goes through 10.1.1.1. It works.
>
> I need to make "Client 2" an Internet gateway to pass all Internet traffic
> from Client 1.
>
> But when I try to add route:
> ip route add 8.8.4.4/32 via 10.1.3.1
> it seems the route is not working, as if gateway 10.1.3.1 is just ignored. Traffic
> ends on 10.1.1.1 and does not pass to 10.1.3.1 at all. I checked it with
> tcpdump.
>

Client 1 sends the packet addressed to 8.8.4.4, and the server receives it.
Now the server doesn't know about the routing tables on client 1: it only
knows it has this packet addressed to 8.8.4.4. How does the server know a
packet for 8.8.4.4 should go through client 2? You can check the server
routing tables with "ip route get 8.8.4.4", or perhaps "ip route get
8.8.4.4 from 10.1.2.1": what does it say? Does it show the server thinks the
next hop should be 10.1.3.1?

Reverse path filtering is another thing that can be a problem in scenarios
like this, especially if client 1 has some IP address other than 10.1.2.1
and is not using 10.1.2.1 as the source address for the packets it sends
destined for the internet. The log_martians and rp_filter sysctls are
something to check. I've spent more than a few hours racking my brain as to
why packets are "just disappearing" before remembering reverse path
filtering.
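The two checks suggested in the reply above, written out as a small POSIX shell helper. This is an added example, not code from the thread or from strongSwan: it parses `ip route get` output to report which next hop the server's kernel actually picked for 8.8.4.4, and reads `sysctl net.ipv4.conf` output to list interfaces in strict rp_filter mode and whether log_martians is on. The sample outputs, the ISP gateway 192.0.2.1 and the interface name `eth0` (used as the assumed incoming interface for the `from ... iif` query in live mode) are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): checks the two things suggested above on
# the IPsec server, (1) which next hop the kernel chooses for the destination and
# (2) which interfaces have strict reverse-path filtering enabled.
# Addresses, interface names and the sample outputs below are constructed.

# next_hop_of LINE
#   LINE is one line of `ip route get` output. Prints the gateway named after
#   "via", or "direct" when the kernel would deliver without a gateway.
next_hop_of() {
    case "$1" in
        *" via "*) printf '%s\n' "$1" | sed -n 's/.* via \([^ ]*\).*/\1/p' ;;
        *)         echo direct ;;
    esac
}

# route_matches EXPECTED_GW LINE
#   Returns 0 when the kernel's next hop for LINE is EXPECTED_GW, 1 otherwise,
#   printing a one-line verdict either way.
route_matches() {
    hop=$(next_hop_of "$2")
    if [ "$hop" = "$1" ]; then
        echo "ok: next hop is $hop"
        return 0
    fi
    echo "mismatch: expected via $1, kernel says '$hop'"
    return 1
}

# strict_rpf_ifaces SYSCTL_OUTPUT
#   SYSCTL_OUTPUT is `sysctl net.ipv4.conf` text. Prints, space separated, the
#   conf entries (all/default/interfaces) whose rp_filter is 1 (strict). Strict
#   mode drops a packet whose source address would not be routed back out the
#   interface it arrived on, which is what bites asymmetric hub-and-spoke paths.
strict_rpf_ifaces() {
    printf '%s\n' "$1" |
        awk -F'[. =]+' '/\.rp_filter = 1$/ { printf "%s%s", sep, $4; sep = " " } END { print "" }'
}

# martians_logged SYSCTL_OUTPUT
#   Returns 0 if log_martians is on for "all", so rp_filter drops show up in
#   the kernel log instead of vanishing silently.
martians_logged() {
    printf '%s\n' "$1" | grep -q '^net\.ipv4\.conf\.all\.log_martians = 1$'
}

# --- constructed sample output, standing in for the server in the thread ---
# The route points at an (assumed) ISP gateway 192.0.2.1 rather than client 2,
# which is the symptom described: 8.8.4.4 never reaches 10.1.3.1.
SAMPLE_ROUTE='8.8.4.4 from 10.1.2.1 via 192.0.2.1 dev eth0 src 10.1.1.1 uid 0'
SAMPLE_SYSCTL='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 0'

# By default run against the constructed samples. With `--live [IFACE]` and
# iproute2 present, query the running kernel instead; `from` needs `iif`, and
# eth0 is only an assumed default for the interface the tunnel packets enter on.
if [ "${1:-}" = "--live" ] && command -v ip >/dev/null 2>&1; then
    SAMPLE_ROUTE=$(ip route get 8.8.4.4 from 10.1.2.1 iif "${2:-eth0}" | head -n 1)
    SAMPLE_SYSCTL=$(sysctl net.ipv4.conf 2>/dev/null)
fi

route_matches 10.1.3.1 "$SAMPLE_ROUTE" || true
echo "strict rp_filter on: $(strict_rpf_ifaces "$SAMPLE_SYSCTL")"
martians_logged "$SAMPLE_SYSCTL" || echo 'log_martians off: rp_filter drops will not be logged'
```

Run it as `sh check_path.sh` to see the verdict on the constructed samples, or `sh check_path.sh --live eth0` on the server itself. A "mismatch" means the forwarding decision is made by the server's own table, not by the route added on client 1; a non-empty strict rp_filter list together with log_martians off explains packets that disappear without a trace in the logs.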