[strongSwan] Can't make routing work to pass Internet traffic

Phil Frost phil at postmates.com
Sun May 6 19:52:59 CEST 2018


On Sat, May 5, 2018 at 2:58 AM Arab Abdulla <arab666 at protonmail.com> wrote:

> Client 1 sends the packet addressed for 8.8.4.4, and the server receives
> it. Now the server doesn't know about the routing tables on client 1: it
> only knows it has this packet addressed to 8.8.4.4. How does the server
> know a packet for 8.8.4.4 should go through client 2?
>
> It seems it's the root of the problem. Why does the server not know? Why
> is the gateway not used? My routing on client 1 is:
> root at ubuntu1604:~# ip r g 8.8.4.4
> 8.8.4.4 via 10.10.3.1 dev ipsec2  src 10.10.2.1
>     cache
>
> So, IPsec should encapsulate its destination and send traffic to
> 10.10.3.1, isn't it? But, instead, on the server I see (49 is client 1 and 47
> is the server):
>
> 19:38:57.180893 IP 10.2.0.49.4500 > 10.2.0.47.4500: UDP-encap:
> ESP(spi=0xc3d23f24,seq=0xc), length 120
> 19:38:57.180981 IP 10.10.2.1 > 8.8.4.4: ICMP echo request, id 13060, seq
> 12, length 64
>

That's simply not how IP works. Without any special options, the IP header
doesn't contain the path, but only the final destination. Nominally, the
path is determined independently by each router deciding what the next hop
is, and adjacent routers are on the same L2 network (which may be a
point-to-point ethernet link of only two hosts, or in your case, a virtual
one implemented as an IPsec tunnel.)

The canonical solution would be to have a route on the server (10.10.1.1, I
think it was?). Other ideas involve an ipip tunnel between the clients
(10.10.3.1 and 10.10.2.1), or possibly you can do something with IP source
routing options.
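The per-hop lookup described in the reply, as an added simulation that is not part of the thread: it uses the thread's addresses (client 1 = 10.10.2.1, client 2 = 10.10.3.1), but the interface names, the default routes and the hub-and-spoke link map (client 1's tunnel terminating at the server, as the tcpdump shows) are assumptions.

```python
import ipaddress

# Each hop decides the next hop from ITS OWN table; the IP header carries only
# the destination. Tables, interface names and links below are constructed.

def next_hop(table, dst):
    """Longest-prefix match over (prefix, via, dev) rows; returns (via, dev)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via, dev in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]

# Where each interface physically delivers a packet: client 1's "ipsec2" tunnel
# is terminated by the server (the hub), which is why the server sees the ESP.
LINKS = {
    "client1": {"ipsec2": "server"},
    "server": {"ipsec_c1": "client1", "ipsec_c2": "client2", "eth0": "internet"},
    "client2": {"eth0": "internet"},
}

CLIENT1 = [("8.8.4.4/32", "10.10.3.1", "ipsec2")]      # as in "ip r g 8.8.4.4"
CLIENT2 = [("0.0.0.0/0", "192.0.2.1", "eth0")]         # constructed default route
SERVER_BEFORE = [
    ("0.0.0.0/0", "10.2.0.1", "eth0"),                 # constructed default route
    ("10.10.2.1/32", None, "ipsec_c1"),
    ("10.10.3.1/32", None, "ipsec_c2"),
]
# The canonical fix from the reply: a route on the server for 8.8.4.4 via client 2.
SERVER_AFTER = SERVER_BEFORE + [("8.8.4.4/32", "10.10.3.1", "ipsec_c2")]

TABLES_BEFORE = {"client1": CLIENT1, "server": SERVER_BEFORE, "client2": CLIENT2}
TABLES_AFTER = {"client1": CLIENT1, "server": SERVER_AFTER, "client2": CLIENT2}

def forward(start, dst, tables, max_hops=8):
    """Walk the packet hop by hop; returns the list of hosts it traverses."""
    path, host = [start], start
    while host != "internet" and len(path) <= max_hops:
        _via, dev = next_hop(tables[host], dst)
        host = LINKS[host][dev]   # delivery is decided by the link, not by "via"
        path.append(host)
    return path

if __name__ == "__main__":
    print("before:", " -> ".join(forward("client1", "8.8.4.4", TABLES_BEFORE)))
    print("after: ", " -> ".join(forward("client1", "8.8.4.4", TABLES_AFTER)))
```

Without the server-side route the packet leaves the server by its default route and never reaches client 2; with it, the server forwards into client 2's tunnel.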