[strongSwan] strongswan route base VPN to Cisco dynamic VTI: only vips address enters in the tunnel

Philippe JOUNIN philippe.jounin at orange.fr
Fri Feb 14 14:50:34 CET 2020


I am trying to connect a Linux/Strongswan box to a Cisco router using 
    - dynamic VTI with IKEv2 on the Cisco (aka flexVPN)
    - routed based VPN on the Linux on a tunnel interface named ipsec0 which receives a dynamic virtual address

The ipsec tunnel is correctly established and the vips address is correctly assigned by the Cisco, transferred by IKEv2 and assigned to the ipsec0 interface.
However only the traffic sourced by the ipsec0 address is routed through the tunnel. All other traffic is filtered out with a "NoRoute" error before entering in the tunnel.

As explained in the wiki page https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN, i have :
- enabled ip forwarding
- disabled the policy rules with sysctl -w net.ipv4.conf.ipsec0.disable_policy=1
- disabled the charon route processing.

If i use NAT to translate all outgoing traffic to the VIP address, everything is OK, but direct routing does not enter the tunnel.

I guess the trouble is that the local selector is the /32 vips address instead of 
I have tried to set local_ts to 0/0, but it is overriden by vips instruction.

Can you help me to understand what i have done wrong ?
Thanks !

configurations :
- Cisco configuration:             https://pastebin.com/z8rjJ1hq
- Strongswan configuration (charon.conf and swanctl.conf): https://pastebin.com/WwjYb1uP
- tunnel creation and establishment:    https://pastebin.com/GCgzzuXQ

- logs and debug info : https://pastebin.com/j1nFUDa8

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20200214/2753680e/attachment.html>

More information about the Users mailing list