[strongSwan] strongswan route base VPN to Cisco dynamic VTI: only vips address enters in the tunnel
Felipe Polanco
felipeapolanco at gmail.com
Fri Feb 14 15:14:30 CET 2020
Hi,
The only allowed source address in your tunnel is your VIP address received
from the Cisco device (172.30.0.16/32)
If you need to allow access from network 10.216.1.0/30 then SNAT it at
POSTROUTING chain to your VIP address.
iptables -t nat -I POSTROUTING -s 10.216.1.0/30 -j SNAT --to-source
172.30.0.16
On Fri, Feb 14, 2020 at 9:50 AM Philippe JOUNIN <philippe.jounin at orange.fr>
wrote:
> Hello,
>
> I am trying to connect a Linux/Strongswan box to a Cisco router using
> - dynamic VTI with IKEv2 on the Cisco (aka flexVPN)
> - routed based VPN on the Linux on a tunnel interface named ipsec0
> which receives a dynamic virtual address
>
> The ipsec tunnel is correctly established and the vips address is
> correctly assigned by the Cisco, transferred by IKEv2 and assigned to the
> ipsec0 interface.
> However only the traffic sourced by the ipsec0 address is routed through
> the tunnel. All other traffic is filtered out with a "NoRoute" error before
> entering in the tunnel.
>
> As explained in the wiki page
> https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN, i
> have :
> - enabled ip forwarding
> - disabled the policy rules with sysctl -w
> net.ipv4.conf.ipsec0.disable_policy=1
> - disabled the charon route processing.
>
> If i use NAT to translate all outgoing traffic to the VIP address,
> everything is OK, but direct routing does not enter the tunnel.
>
> I guess the trouble is that the local selector is the /32 vips address
> instead of 0.0.0.0/0.
> I have tried to set local_ts to 0/0, but it is overriden by vips
> instruction.
>
> Can you help me to understand what i have done wrong ?
> Thanks !
>
>
> ----
> configurations :
> - Cisco configuration: https://pastebin.com/z8rjJ1hq
> - Strongswan configuration (charon.conf and swanctl.conf):
> https://pastebin.com/WwjYb1uP
> - tunnel creation and establishment: https://pastebin.com/GCgzzuXQ
>
> troubleshooting:
> - logs and debug info : https://pastebin.com/j1nFUDa8
>
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20200214/55ac1258/attachment.html>
More information about the Users
mailing list