[strongSwan] [EDIT] Traffic selection problems
Felipe Arturo Polanco
felipeapolanco at gmail.com
Thu Feb 28 22:05:43 CET 2019
Hi Brian,
Your traffic selectors look strange, left implies the source IP XFRM will
see and right implies the destination IP XFRM will see in order to know if
it has to transform and encrypt that IP packet.
Can you tell us the existing subnets in both sites?
Site 1 with static IP has x.x.x.x subnet
Site 2 with dynamic IP has x.x.x.x subnet
Also, what are those two /30 networks for? is that needed to go inside the
tunnel as well?
On Thu, Feb 28, 2019 at 5:10 AM Brian Topping <brian.topping at gmail.com>
wrote:
> > VTI devices won't change anything. You can't use transport mode with
> > any IPs other than those of the endpoints (i.e. it doesn't work with
> > virtual IPs or arbitrary subnets - you have to use tunnel mode for that).
>
> Got it, thanks Tobias. But the logs say `06[IKE] not using transport mode,
> not host-to-host` and the SADB modes are all `tunnel`, so the stack appears
> to have made up for my error.
>
> Or has it?
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20190228/a265e5b0/attachment.html>
More information about the Users
mailing list