[strongSwan] remote peer IP falls into crypto domain right subnet

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Fri Sep 28 18:49:55 CEST 2018


Hello,

Just use a passthrough policy if you use a policy-based IPsec tunnel.

Kind regards

Noel
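An added ipsec.conf sketch of what the reply above describes (example configuration written for this page, not from the original thread or the strongSwan project): a policy-based site-to-site tunnel whose right subnet contains the peer's own address, plus a second conn of `type=passthrough` that exempts that address from the tunnel policy. All addresses, IDs and the /24 prefix are placeholders from documentation ranges; the thread's case used a /16, but the shape of the problem is the same.

```ini
# /etc/ipsec.conf -- example with placeholder addresses
#   this gateway:   198.51.100.1 (public), LAN 10.1.0.0/24
#   remote gateway: 203.0.113.1, which lies inside the offered 203.0.113.0/24

config setup

conn %default
    keyexchange=ikev2
    ikelifetime=60m
    lifetime=20m

# The policy-based tunnel. Its remote traffic selector covers the peer's own
# public address, so without a bypass the kernel policy for 203.0.113.0/24
# also applies to packets destined for 203.0.113.1 itself.
conn site-to-site
    left=198.51.100.1
    leftsubnet=10.1.0.0/24
    leftid=@gw-a.example
    right=203.0.113.1
    rightsubnet=203.0.113.0/24
    rightid=@gw-b.example
    leftauth=psk
    rightauth=psk
    type=tunnel
    auto=start

# Bypass policy for the peer address. type=passthrough installs kernel
# policies that let matching traffic pass in the clear instead of being
# caught by the tunnel policy above; auto=route installs them at startup
# without negotiating anything with the peer. The left selector covers both
# the gateway's own address (IKE on UDP/500 and 4500, ESP) and the LAN;
# narrow it to 198.51.100.1/32 if LAN hosts should still reach the peer
# address through the tunnel (assumption: mirror the ASA's exemption).
conn peer-bypass
    leftsubnet=198.51.100.1/32,10.1.0.0/24
    rightsubnet=203.0.113.1/32
    type=passthrough
    auto=route
```

After `ipsec reload`, `ip xfrm policy show` should list policies for 203.0.113.1/32 that carry no `tmpl` line, which is what marks them as bypass entries rather than ESP-protected ones.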

Am 26.09.18 um 22:17 schrieb Phil Frost:
> There are other possible solutions, but my inclination would be to run strongswan and any other VPN related services in a distinct network namespace. This would not only address your issue, but it also prevents accidentally "crossing the streams" between the VPN and other public networks to which the host is attached. A common issue is the IKE daemon fails to start or is misconfigured, and so the policies that normally encrypt traffic on egress don't get installed, and traffic that should have been encrypted is leaked on a public interface.
>
> https://vincent.bernat.ch/en/blog/2017-route-based-vpn is a tutorial I've found helpful in the past. It covers BGP and a lot of other things beyond your particular problem, but maybe ignoring those parts you may still find it useful.
>
> On Wed, Sep 26, 2018 at 3:01 PM Doug Tucker <doug.tucker at newscycle.com <mailto:doug.tucker at newscycle.com>> wrote:
>
>     I've done some searching and am not finding any info on this. We had a client who wanted to offer a /16 as his right subnet and his outside peer IP of his ASA fell into the /16 they were offering. With a Cisco ASA this is a non-issue as in this type of scenario Cisco exempts out that single IP from the routing table, but with strongSwan 5.6.3 it appears to not do so by default and caused some odd routing anomalies to this IP. Does anyone know of a configuration directive for dealing with this?
>
>     Doug Tucker
>     Sr. Network Administrator
