[strongSwan] [EDIT] Traffic selection problems

Felipe Arturo Polanco felipeapolanco at gmail.com
Fri Mar 1 15:04:15 CET 2019


Hi Brian,

Please try this configuration:
=============================
Dynamic:
conn site-2-dynamic-ip
left=%defaultroute
leftsubnet=10.10.0.0/22,10.9.255.252/30
leftfirewall=no
right=dy.na.mi.cip
rightsubnet=10.10.4.0/22,10.9.255.252/30
rightid=%specific.example.com
auto=add

Static:
conn site-1-static-ip
left=st.at.ic.ip
leftsubnet=10.10.4.0/22,10.9.255.252/30
leftid=%specific.example.com
leftfirewall=no
right=%any
rightsubnet=10.10.0.0/22,10.9.255.252/30
auto=add
===============================


Two things to observe:
In Initiator:
ip address add 10.9.255.253/30 dev vti
ip route add 10.10.4.0/22 dev vti src 10.9.255.253  # for locally generated packets sent to 10.10.4.0/22 to have source as 10.9.255.253
OR
ip route add 10.10.4.0/22 dev vti src 10.10.0.1  # for locally generated packets sent to 10.10.4.0/22 to have source as 10.10.0.1

Apply the same logic on the responder by replacing the destination network
and the source IP

Also

OSPF uses multicast for default operation in Ethernet, remember to change
this link to Point to Point so it uses unicast.

Let us know how it goes.

Thanks,

On Thu, Feb 28, 2019 at 7:51 PM Brian Topping <brian.topping at gmail.com>
wrote:

> Hi Felipe, thank you for your consideration of this. It took me a bit to
> create a diagram:
>
>
>      10.10.0.0/22                         10.10.4.0/22
>           ^                                     ^
>           v                                     v
>    +---------------+                    +---------------+
>    |  Initiator    |                    |   Responder   |
>    |---------------|                    |---------------|
>    |10.9.255.253/30|<- - - -VTI - - - ->|10.9.255.254/30|
>    +---------------+                    +---------------+
>          ^                                      ^
>          v                                      v
>     ini.tia.tor.ip  <---- Internet ---->  res.pon.der.ip
>
> From the bottom, the internet connection between the initiator and
> responder, a PtP VTI between the two nodes and in turn, the two /22
> networks that I want to connect through the VTI as native routing between
> networks (hence the VTI interfaces on each node). The initiator public IP
> is dynamic.
>
> The reason for not doing straight tunneling between the two /22 networks
> is OSPF discovery of interfaces, typical routing daemons can only see
> interfaces to add discovery over (i.e. “vti*”). As the network grows, the
> routing daemons will self-discover for optimal backbone routing.
>
> Apologies that I didn’t get deeper into that previously! Does it help?
>
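As an added example that is not part of this thread (my code, not Felipe's or the strongSwan project's), the following Python script checks that the two conn blocks proposed above mirror each other and classifies a few constructed packets against the traffic selectors they would negotiate. The public address 203.0.113.10, the sample packets and the `classify` helper are assumptions; the policy match is simplified to address ranges (no marks, ports or protocol selectors), which is enough to show why a locally generated packet needs the `src` route hint to fall inside the local selector.

```python
"""Added example, not from the list thread: sanity-check the two conn blocks
from the reply and classify sample packets against their traffic selectors.
Standard library only; the conn values are copied from the reply, the
sample packets and the public IP are constructed here."""
import ipaddress

# Copied from the proposed ipsec.conf blocks (leftsubnet is always the local
# side on the host that holds the conn).
INITIATOR_CONN = {
    "leftsubnet": "10.10.0.0/22,10.9.255.252/30",
    "rightsubnet": "10.10.4.0/22,10.9.255.252/30",
}
RESPONDER_CONN = {
    "leftsubnet": "10.10.4.0/22,10.9.255.252/30",
    "rightsubnet": "10.10.0.0/22,10.9.255.252/30",
}


def parse_subnets(value):
    """Turn a comma-separated leftsubnet/rightsubnet value into network objects."""
    return {ipaddress.ip_network(item.strip()) for item in value.split(",")}


def selectors_mirror(initiator, responder):
    """True when the initiator's local/remote selectors are exactly the
    responder's remote/local selectors.  A mismatch (for instance one side
    forgetting the VTI /30) narrows the negotiated TS, so traffic routed into
    the VTI may never match an IPsec policy."""
    return (parse_subnets(initiator["leftsubnet"]) == parse_subnets(responder["rightsubnet"])
            and parse_subnets(initiator["rightsubnet"]) == parse_subnets(responder["leftsubnet"]))


def packet_is_protected(conn, src, dst):
    """A packet is covered by the policy only when its source lies in a local
    selector AND its destination lies in a remote selector (simplified SPD
    lookup: addresses only, no marks, ports or protocols)."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    local_ok = any(src_ip in net for net in parse_subnets(conn["leftsubnet"]))
    remote_ok = any(dst_ip in net for net in parse_subnets(conn["rightsubnet"]))
    return local_ok and remote_ok


def classify(conn, packets):
    """Return {(src, dst): bool} for a list of (src, dst) pairs (assumed helper)."""
    return {(src, dst): packet_is_protected(conn, src, dst) for src, dst in packets}


# Constructed sample traffic as seen on the initiator.  203.0.113.10 is a
# documentation address standing in for the initiator's public IP.
SAMPLE_PACKETS = [
    ("10.10.0.1", "10.10.4.5"),     # LAN host behind the initiator -> remote LAN
    ("10.9.255.253", "10.10.4.5"),  # locally generated, source forced to the VTI address
    ("203.0.113.10", "10.10.4.5"),  # locally generated without the "src" route hint
    ("10.9.255.253", "224.0.0.5"),  # OSPF multicast hello: destination outside every selector
]

if __name__ == "__main__":
    print("selectors mirror:", selectors_mirror(INITIATOR_CONN, RESPONDER_CONN))
    for (src, dst), ok in classify(INITIATOR_CONN, SAMPLE_PACKETS).items():
        print(f"{src:>13} -> {dst:<11} {'protected' if ok else 'NOT in any TS'}")
```

Running it on the reply's configuration reports that the two conn blocks mirror each other, that the LAN and VTI-sourced packets are covered, and that a packet sourced from the public address or addressed to the OSPF multicast group matches no selector on either side.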