[strongSwan] traffic beyond initiator yes, but no between initiator & server
lejeczek
peljasz at yahoo.co.uk
Thu Nov 5 17:45:47 CET 2020
Hi guys
To start I should say I'm trying this with libipsec.
I have an initiator with local 10.3.1.0/24 and the following
config:
connections {
    to-tinyionos {
        version = 2
        remote_addrs = "A.B.C.D"
        vips = "0.0.0.0"
        local {
            auth = pubkey
            certs = "my.cert.der"
        }
        remote {
            certs = "server.cert.der"
        }
        children {
            to-tinyionos {
                mark_in = %unique
                mark_out = %unique
                remote_ts = "10.3.9.0/24"
                local_ts = "10.3.1.0/24"
                #mode = "tunnel"
                mode = pass
            }
        }
    }
}
and there I have a server with a tun iface:
17: forswan: <NO-CARRIER,POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 500
    link/none
    inet 10.3.9.1/24 brd 10.3.9.255 scope global noprefixroute forswan
       valid_lft forever preferred_lft forever
and server config, connection part:
fenbox {
    version = 2
    pools = "myclient"
    vips = "0.0.0.0"
    remote {
        auth = "pubkey"
        id = "O=client, CN=tiny.client"
    }
    children {
        fenbox {
            mark_in = %unique
            mark_out = %unique
            local_ts = "10.3.9.0/24"
            remote_ts = "10.3.1.0/24"
            #mode = transport
            #mode = "tunnel"
            mode = pass
        }
    }
}
What I'd like to get, which I'm not for some reason, is:
- to access IP of 10.3.9.0/24 subnet.
From the server I can get to the initiator's 10.3.1.0/24, but the server with 10.3.9.1 on the tun iface cannot get to the initiator's assigned 10.3.9.254.
I have two questions:
1) Obvious - how to make it work?
2) I notice that the initiator gets an IP: 10.3.9.254/32 - is it in that subnet because of how libipsec works, and if yes, can it be controlled and changed?
many thanks, L.
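As an added example (editor's own, not code from the post or from the strongSwan project): a small audit that parses swanctl.conf fragments like the ones above and lists every CHILD_SA whose `mode` is `pass` or `drop`. In strongSwan those two modes install shunt policies instead of negotiating an IPsec SA, so the matching traffic selectors are bypassed or dropped rather than protected; the sample input is the initiator's config from the post, trimmed.

```python
# Added example (editor's own, not strongSwan code): audit a swanctl.conf
# fragment for CHILD_SAs whose `mode` is a shunt (pass/drop), i.e. traffic
# selectors that bypass IPsec. Handles `key = value`, `name { ... }` and
# `#` comments as in the post above; `include` directives are not handled.
# Sample input: the initiator's config as posted above (trimmed).
SAMPLE_CONF = """
connections {
  to-tinyionos {
    vips = "0.0.0.0"
    children {
      to-tinyionos {
        remote_ts = "10.3.9.0/24"
        local_ts = "10.3.1.0/24"
        #mode = "tunnel"
        mode = pass
      }
    }
  }
}
"""

def parse_swanctl(text):
    """Parse nested `name { ... }` sections and `key = value` lines into dicts."""
    stack = [{}]                                   # stack[0] is the root section
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and whitespace
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):                   # open (or reopen) a section
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        else:
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip().strip('"')
    if len(stack) != 1:
        raise ValueError("unbalanced braces in swanctl.conf fragment")
    return stack[0]

def find_shunts(conf):
    """Return (conn, child, mode, local_ts, remote_ts) for every shunt child;
    strongSwan's default mode is tunnel, pass/drop never negotiate an SA."""
    findings = []
    for cn, conn in conf.get("connections", {}).items():
        for chn, child in conn.get("children", {}).items():
            mode = child.get("mode", "tunnel").lower()
            if mode in ("pass", "drop"):
                findings.append((cn, chn, mode, child.get("local_ts", "dynamic"),
                                 child.get("remote_ts", "dynamic")))
    return findings
```

Running `find_shunts(parse_swanctl(SAMPLE_CONF))` reports the to-tinyionos child with its 10.3.1.0/24 and 10.3.9.0/24 selectors as a pass shunt.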