[strongSwan] strongswan route base VPN to Cisco dynamic VTI: only vips address enters in the tunnel
felipeapolanco at gmail.com
Fri Feb 14 15:14:30 CET 2020
The only allowed source address in your tunnel is your VIP address received
from the Cisco device (172.30.0.16/32).
If you need to allow access from the 10.216.1.0/30 network, then SNAT it in the
POSTROUTING chain to your VIP address:
iptables -t nat -I POSTROUTING -s 10.216.1.0/30 -j SNAT --to-source
On Fri, Feb 14, 2020 at 9:50 AM Philippe JOUNIN <philippe.jounin at orange.fr>
> I am trying to connect a Linux/strongSwan box to a Cisco router using
> - a dynamic VTI with IKEv2 on the Cisco (aka FlexVPN)
> - a route-based VPN on the Linux side, on a tunnel interface named ipsec0
> which receives a dynamic virtual address.
> The IPsec tunnel is correctly established and the VIP address is
> correctly assigned by the Cisco, transferred by IKEv2 and assigned to the
> ipsec0 interface.
> However, only the traffic sourced from the ipsec0 address is routed through
> the tunnel. All other traffic is filtered out with a "NoRoute" error before
> entering the tunnel.
> As explained in the wiki page
> https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN, I
> have:
> - enabled IP forwarding
> - disabled the policy rules with sysctl -w
> - disabled the charon route processing.
> If I use NAT to translate all outgoing traffic to the VIP address,
> everything is OK, but direct routing does not enter the tunnel.
> I guess the trouble is that the local selector is the /32 VIP address
> instead of 0.0.0.0/0.
> I have tried to set local_ts to 0/0, but it is overridden by vips.
> Can you help me to understand what I have done wrong?
> Thanks!
> Configurations:
> - Cisco configuration: https://pastebin.com/z8rjJ1hq
> - strongSwan configuration (charon.conf and swanctl.conf):
> - tunnel creation and establishment: https://pastebin.com/GCgzzuXQ
> - logs and debug info: https://pastebin.com/j1nFUDa8
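As an added illustration of the SNAT approach described in the reply above (not code from either poster): a small POSIX shell helper that reads the VIP off the tunnel interface and installs the SNAT rule idempotently, restricted to the 10.216.1.0/30 prefix and to packets actually leaving via ipsec0, so LAN traffic to other destinations is not rewritten. The interface name, the INSTALL switch and the `-o ipsec0` restriction are assumptions; the `ip addr` sample is constructed around the VIP quoted in the thread.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread.
# Assumptions: tunnel interface ipsec0 and LAN prefix 10.216.1.0/30 as in
# the thread; iptables is only executed when INSTALL=1, otherwise the
# command that would run is printed.

TUN_IF="${TUN_IF:-ipsec0}"
LAN_NET="${LAN_NET:-10.216.1.0/30}"

# Extract the first IPv4 address from the text of `ip -4 -o addr show <if>`.
# The output is passed in as an argument so the parser can be tested offline.
vip_from_ip_output() {
    printf '%s\n' "$1" | awk '$3 == "inet" { split($4, a, "/"); print a[1]; exit }'
}

# Rule body shared by -C (check), -I (insert) and -D (delete).
# Matching on -o "$TUN_IF" keeps the rewrite to packets routed into the tunnel.
snat_rule() {
    printf 'POSTROUTING -s %s -o %s -j SNAT --to-source %s' "$LAN_NET" "$TUN_IF" "$1"
}

# Install the rule only if it is not already present (safe to re-run, e.g.
# from an updown hook every time the tunnel comes up with a new VIP).
ensure_snat() {
    vip="$1"
    rule=$(snat_rule "$vip")
    if [ "${INSTALL:-0}" = 1 ]; then
        # shellcheck disable=SC2086
        iptables -t nat -C $rule 2>/dev/null || iptables -t nat -I $rule
    else
        printf 'iptables -t nat -C %s || iptables -t nat -I %s\n' "$rule" "$rule"
    fi
}

# Constructed sample of `ip -4 -o addr show ipsec0` output carrying the VIP
# from the thread. On a live box replace it with:
#   vip=$(vip_from_ip_output "$(ip -4 -o addr show "$TUN_IF")")
SAMPLE_IP_OUTPUT='7: ipsec0    inet 172.30.0.16/32 scope global ipsec0\       valid_lft forever preferred_lft forever'

vip=$(vip_from_ip_output "$SAMPLE_IP_OUTPUT")
ensure_snat "$vip"
```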