[strongSwan] transitive routing through strongSwan
Florin Andrei
florin at andrei.myip.org
Wed May 22 04:47:38 CEST 2019
My end goal is to do full mesh VPN between 4 or 5 sites, with private
BGP, so routing is possible from any site to any other site, and
continues to work even when random tunnels (or sites) go down.
But first I need to solve a simpler problem: transitive routing between
3 VPN nodes. See ASCII art below, which represents 3 sites, each in a
different geographic location, connected via VPN (but not full mesh,
only 2 tunnels are up). Each site has two instances: host and vpn. The
vpn instances all run strongSwan. All instances are Linux. No BGP for
now, just static routing.
site1       site2       site3
host1       host2       host3
  |           |           |
  |           |           |
vpn1--------vpn2--------vpn3
From vpn1 I can ping vpn2 just fine. More generally, with sysctl and
iptables configured correctly, from anywhere within site1 I can ping
anything within site2. Same between site2 and site3.
This works like magic as long as leftsubnet and rightsubnet are defined
properly for all tunnels. It looks like magic because those routes are
not visible at the OS level with the route or ip commands.
My question is: what needs to happen so I can ping host3 from host1?
Packets need to be routed through vpn2. I assume some routes need to be
added, possibly even policy routing or something like that.
I've tried adding what I thought were obvious static routes on vpn[1-3]
but it didn't work. Things are complicated by the "magic routing" done
by strongSwan (there's always a route to the neighbor VPN site but it's
not visible to the kernel and I can't rely on it when adding routes to
more distant hops). Ignoring the "magic" strongSwan routing and
replicating everything at the kernel level doesn't seem to work.
What am I missing?
--
Florin Andrei
http://florin.myip.org/
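The traffic-selector approach to the question above, as an added example that is not part of the original post or of strongSwan's own documentation. It assumes the ipsec.conf syntax the post uses (leftsubnet/rightsubnet), IKEv2 with a pre-shared key, site subnets 10.1.0.0/24, 10.2.0.0/24 and 10.3.0.0/24, and placeholder public addresses 198.51.100.1, .2 and .3 for vpn1, vpn2 and vpn3; all of these are assumptions. The point it illustrates: a policy-based IPsec tunnel only carries traffic that matches its selectors, so a kernel route on vpn1 for site3 "via the tunnel" changes nothing on its own. Each hop's tunnel must list every subnet reachable beyond it, the selectors must match on both ends of each tunnel, and vpn2 must forward between its two tunnels. Without the extra selectors, a host1-to-host3 packet on vpn1 matches no xfrm policy and follows the ordinary routing table toward the default gateway in the clear, unless the firewall drops it, which is the security-relevant failure mode here.

```ini
# --- vpn1: /etc/ipsec.conf (assumed addresses; example, not from the post) ---
conn site1-to-site2
        keyexchange=ikev2
        authby=secret
        auto=start
        left=198.51.100.1
        leftsubnet=10.1.0.0/24
        right=198.51.100.2
        # site3 is reached through site2, so it must be in this tunnel's
        # remote selectors or host1->host3 never enters the tunnel
        rightsubnet=10.2.0.0/24,10.3.0.0/24

# --- vpn2: /etc/ipsec.conf (transit node; needs net.ipv4.ip_forward=1) ---
conn site2-to-site1
        keyexchange=ikev2
        authby=secret
        auto=start
        left=198.51.100.2
        # site2 itself plus site3, the far side of the other tunnel;
        # this must mirror vpn1's rightsubnet exactly
        leftsubnet=10.2.0.0/24,10.3.0.0/24
        right=198.51.100.1
        rightsubnet=10.1.0.0/24

conn site2-to-site3
        keyexchange=ikev2
        authby=secret
        auto=start
        left=198.51.100.2
        # site2 itself plus site1, mirrored by vpn3's rightsubnet
        leftsubnet=10.2.0.0/24,10.1.0.0/24
        right=198.51.100.3
        rightsubnet=10.3.0.0/24

# --- vpn3: /etc/ipsec.conf ---
conn site3-to-site2
        keyexchange=ikev2
        authby=secret
        auto=start
        left=198.51.100.3
        leftsubnet=10.3.0.0/24
        right=198.51.100.2
        # site1 is reached through site2
        rightsubnet=10.2.0.0/24,10.1.0.0/24
```

Two checks worth running after `ipsec up`: the "magic" routes are not invisible, charon installs them in routing table 220 by default, so `ip route show table 220` on vpn1 should list 10.2.0.0/24 and 10.3.0.0/24, and `ip xfrm policy` on vpn1 should show an out policy with src 10.1.0.0/24 dst 10.3.0.0/24. On vpn2, the FORWARD chain has to permit 10.1.0.0/24 to and from 10.3.0.0/24 (matching with `-m policy --pol ipsec` keeps it restricted to traffic that arrived through IPsec). With IKEv2, strongSwan proposes the comma-separated subnets as multiple traffic selectors in one CHILD_SA; a peer that narrows them gets separate CHILD_SAs instead, which still works as long as the two sides' lists agree.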