[strongSwan] strongSwan route-based VPN to Cisco dynamic VTI: only the vips address enters the tunnel

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Fri Feb 14 16:06:41 CET 2020


Hello Philippe,

I'm not using any Cisco gear or FlexVPN, but is it supposed to use bare IPsec, or rather a GRE tunnel wrapped in an IPsec tunnel?
If the latter is the case, just build a GRE tunnel with the local endpoint being the VIP; that should then work.
Otherwise (if it's supposed to be a bare IPsec tunnel), I propose asking the remote peer for logs and instructions on how exactly it is supposed to work.

Kind regards

Noel

On 14.02.20 at 14:50, Philippe JOUNIN wrote:
> Hello,
> 
> I am trying to connect a Linux/strongSwan box to a Cisco router using
>     - dynamic VTI with IKEv2 on the Cisco (aka FlexVPN)
>     - a route-based VPN on the Linux side, on a tunnel interface named ipsec0 which receives a dynamic virtual address
> 
> The IPsec tunnel is correctly established and the vips address is correctly assigned by the Cisco, transferred by IKEv2 and assigned to the ipsec0 interface.
> However, only the traffic sourced from the ipsec0 address is routed through the tunnel. All other traffic is filtered out with a "NoRoute" error before entering the tunnel.
> 
> As explained in the wiki page https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN, I have:
> - enabled IP forwarding
> - disabled the policy rules with sysctl -w net.ipv4.conf.ipsec0.disable_policy=1
> - disabled the charon route processing.
> 
> If I use NAT to translate all outgoing traffic to the VIP address, everything is OK, but directly routed traffic does not enter the tunnel.
> 
> I guess the trouble is that the local selector is the /32 vips address instead of 0.0.0.0/0.
> I have tried to set local_ts to 0/0, but it is overridden by the vips instruction.
> 
> Can you help me understand what I have done wrong?
> Thanks!
> 
> 
> ----
> Configurations:
> - Cisco configuration: https://pastebin.com/z8rjJ1hq
> - strongSwan configuration (charon.conf and swanctl.conf): https://pastebin.com/WwjYb1uP
> - tunnel creation and establishment: https://pastebin.com/GCgzzuXQ
> 
> Troubleshooting:
> - logs and debug info: https://pastebin.com/j1nFUDa8
> 
