[strongSwan] remote peer IP falls into crypto domain right subnet

Phil Frost phil at postmates.com
Wed Sep 26 22:17:46 CEST 2018


There are other possible solutions, but my inclination would be to run
strongswan and any other VPN related services in a distinct network
namespace. This would not only address your issue, but it also prevents
accidentally "crossing the streams" between the VPN and other public
networks to which the host is attached. A common issue is the IKE daemon
fails to start or is misconfigured, and so the policies that normally
encrypt traffic on egress don't get installed, and traffic that should have
been encrypted is leaked on a public interface.

https://vincent.bernat.ch/en/blog/2017-route-based-vpn is a tutorial I've
found helpful in the past. It covers BGP and a lot of other things beyond
your particular problem, but if you ignore those parts you may still find
it useful.

On Wed, Sep 26, 2018 at 3:01 PM Doug Tucker <doug.tucker at newscycle.com>
wrote:

> I've done some searching and am not finding any info on this. We had a
> client who wanted to offer a /16 as his right subnet, and his outside peer
> IP of his ASA fell into the /16 they were offering. With a Cisco ASA this
> is a non-issue, as in this type of scenario Cisco exempts that single IP
> from the routing table, but with strongSwan 5.6.3 it appears not to do so by
> default and caused some odd routing anomalies to this IP. Does anyone know
> of a configuration directive for dealing with this?
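As an added example that is neither Phil's code nor part of strongSwan, the following audit script checks the installed kernel policies for the two conditions this thread raises: a configured traffic-selector pair with no outgoing xfrm policy (the "traffic leaks unencrypted" case Phil describes) and an outgoing policy whose remote selector contains the tunnel peer's own address (Doug's case). It assumes a constructed `ip xfrm policy` sample; the addresses are documentation ranges, not real hosts.

```python
import ipaddress
import re

# Constructed sample of `ip xfrm policy` output (not from a real host): one tunnel
# between our address 198.51.100.10 and peer 203.0.113.9, which lies inside the
# remote subnet 203.0.113.0/24 that the peer offers (the situation in the thread).
SAMPLE_XFRM_POLICY = """\
src 10.20.0.0/16 dst 203.0.113.0/24
    dir out priority 375423 ptype main
    tmpl src 198.51.100.10 dst 203.0.113.9
        proto esp reqid 1 mode tunnel
src 203.0.113.0/24 dst 10.20.0.0/16
    dir in priority 375423 ptype main
    tmpl src 203.0.113.9 dst 198.51.100.10
        proto esp reqid 1 mode tunnel
"""

def parse_xfrm_policies(text):
    """Parse `ip xfrm policy` output into dicts: src, dst, dir, tmpl=(local, peer)."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("src "):                     # a new policy entry
            m = re.match(r"src (\S+) dst (\S+)", line)
            cur = {"src": ipaddress.ip_network(m.group(1), strict=False),
                   "dst": ipaddress.ip_network(m.group(2), strict=False),
                   "dir": None, "tmpl": None}
            policies.append(cur)
        elif cur and line.startswith("dir "):           # in / out / fwd
            cur["dir"] = line.split()[1]
        elif cur and line.startswith("tmpl "):          # tunnel endpoints
            m = re.match(r"tmpl src (\S+) dst (\S+)", line)
            cur["tmpl"] = (m.group(1), m.group(2))
    return policies

def missing_out_policies(policies, expected):
    """Configured (local_ts, remote_ts) pairs lacking an 'out' policy: their
    traffic matches nothing in xfrm and leaves the host unencrypted."""
    installed = {(p["src"], p["dst"]) for p in policies
                 if p["dir"] == "out" and p["tmpl"]}
    return [(loc, rem) for loc, rem in expected
            if (ipaddress.ip_network(loc), ipaddress.ip_network(rem)) not in installed]

def peer_inside_remote_ts(policies):
    """'out' policies whose remote selector contains the tunnel peer's own address."""
    return [(str(p["dst"]), p["tmpl"][1]) for p in policies
            if p["dir"] == "out" and p["tmpl"]
            and ipaddress.ip_address(p["tmpl"][1]) in p["dst"]]

if __name__ == "__main__":
    print(peer_inside_remote_ts(parse_xfrm_policies(SAMPLE_XFRM_POLICY)))
```

On a live host, feed it the real output of `ip xfrm policy` and the traffic selectors from the connection's configuration instead of the sample.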