[strongSwan] Mimic inner tunnel traffic
Roee Agami
ragami at bluecedar.com
Fri Jul 10 23:23:44 CEST 2020
Hi,
For reachability testing purposes I would like to mimic inner tunnel traffic toward resources beyond the terminating GW.
I read that I might be able to achieve that by setting some routing rules (table 220?).
When I establish an IPSec tunnel, on the GW I see the following (my VIP pool is 192.168.50.1 to .60 I believe):
192.168.50.9 via 192.168.1.164 dev eth1 table 220 proto static
eth1 is the side toward the initiator, eth0 is where the inner traffic usually flows to (behind the GW).
1. Do you think that I should create a virtual interface on top of eth0, then send the traffic from it? Or is there a way to set up routing rules to allow this? Obviously I would like to be able to get the responses back.
2. How does the GW today know how to route traffic coming from the tunnel into eth0?
Here is the rest of the table:
ip route show table all
default via 192.168.60.2 dev eth0 table 102
192.168.60.0/24 dev eth0 table 102 scope link
default via 192.168.1.1 dev eth1 table 103
192.168.1.0/24 dev eth1 table 103 scope link
192.168.50.9 via 192.168.1.164 dev eth1 table 220 proto static
default via 192.168.60.2 dev eth0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
192.168.1.0/24 dev eth1 scope link metric 6
192.168.60.0/24 dev eth0 scope link metric 3
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 172.17.0.0 dev docker0 table local proto kernel scope link src 172.17.0.1
local 172.17.0.1 dev docker0 table local proto kernel scope host src 172.17.0.1
broadcast 172.17.255.255 dev docker0 table local proto kernel scope link src 172.17.0.1
broadcast 192.168.1.0 dev eth1 table local proto kernel scope link src 192.168.1.237
local 192.168.1.237 dev eth1 table local proto kernel scope host src 192.168.1.237
broadcast 192.168.1.255 dev eth1 table local proto kernel scope link src 192.168.1.237
broadcast 192.168.60.0 dev eth0 table local proto kernel scope link src 192.168.60.201
local 192.168.60.201 dev eth0 table local proto kernel scope host src 192.168.60.201
broadcast 192.168.60.255 dev eth0 table local proto kernel scope link src 192.168.60.201
broadcast 192.168.122.0 dev virbr0 table local proto kernel scope link src 192.168.122.1
local 192.168.122.1 dev virbr0 table local proto kernel scope host src 192.168.122.1
broadcast 192.168.122.255 dev virbr0 table local proto kernel scope link src 192.168.122.1
Thanks!
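Added example, not part of the original post and not strongSwan code: a small shell script that replays the kernel's policy-routing decision against the route entries quoted above, so you can see which table and interface the gateway would pick for a given destination. It assumes strongSwan's default "ip rule" layout, where table 220 is consulted (priority 220) before the main table; tables 102 and 103 from the listing are left out because the post shows no rule that selects them. The route entries are copied from the post; the 0.0.0.0/0 line is the main-table default route, and the destination addresses used at the bottom are made up for illustration.

```shell
#!/bin/sh
# Added example (not strongSwan code): replay the kernel's policy-routing
# lookup against the routes quoted in the post.
#
# Assumption: strongSwan's default rule set, i.e. table 220 is checked at
# priority 220 before the main table. Tables 102/103 are omitted because no
# rule selecting them is shown. Entries below are copied from the post.
ROUTES='220 192.168.50.9/32 via 192.168.1.164 dev eth1
main 0.0.0.0/0 via 192.168.60.2 dev eth0
main 172.17.0.0/16 dev docker0
main 192.168.1.0/24 dev eth1
main 192.168.60.0/24 dev eth0
main 192.168.122.0/24 dev virbr0'

# Dotted-quad -> 32-bit integer (subshell so the IFS change does not leak).
ip2int() {
    ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

# Prefix length -> netmask as an integer (0 for /0).
prefix_mask() {
    if [ "$1" -eq 0 ]; then echo 0
    else echo $(( (4294967295 << (32 - $1)) & 4294967295 )); fi
}

# Longest-prefix match of address $2 inside table $1.
# Prints the "via ... dev ..." part of the winning route, or nothing.
lookup_in_table() {
    tbl=$1
    dst=$(ip2int "$2")
    printf '%s\n' "$ROUTES" | {
        best=-1; best_hop=
        while read -r t prefix hop; do
            [ "$t" = "$tbl" ] || continue
            net=$(ip2int "${prefix%/*}")
            len=${prefix#*/}
            mask=$(prefix_mask "$len")
            if [ $(( (dst & mask) == (net & mask) )) -eq 1 ] && [ "$len" -gt "$best" ]; then
                best=$len; best_hop=$hop
            fi
        done
        if [ -n "$best_hop" ]; then printf '%s\n' "$best_hop"; fi
    }
}

# Walk the tables in rule order (220, then main), like "ip route get" would.
route_get() {
    for tbl in 220 main; do
        hop=$(lookup_in_table "$tbl" "$1")
        if [ -n "$hop" ]; then
            printf 'table %s: %s\n' "$tbl" "$hop"
            return 0
        fi
    done
    echo "no route to $1" >&2
    return 1
}

route_get 192.168.50.9    # the assigned VIP: table 220, back out eth1 to the peer
route_get 192.168.50.10   # an unassigned pool address: main default, out eth0
route_get 10.1.2.3        # a made-up host behind the GW: main default via eth0
```

Only the VIP that strongSwan actually assigned (192.168.50.9) gets a table-220 entry; every other destination, including the rest of the pool, falls through to the main table, which is why return traffic toward the initiator is steered to eth1 while everything else leaves via the eth0 default. On the real gateway, `ip rule show` and `ip route get <addr>` give the authoritative answer.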