[strongSwan] traffic beyond initiator yes, but no between initiator & server

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Nov 5 18:19:21 CET 2020


Hello Lejeczek,

kernel-libipsec (which is required to be loaded for libipsec to be usable) creates a tun interface itself. You cannot prescribe it to use one.

>         mode = pass

That disables all IPsec processing for traffic that matches the policies. You probably don't want to do that.

> 1) Obvious - how to make it work?

Completely different from what you configured. Just use a normal roadwarrior config.

Kind regards

Noel

On 05.11.20 at 17:45, lejeczek wrote:
> Hi guys
> 
> To start I should say I'm trying this with libipsec.
> 
> I have an initiator with local 10.3.1.0/24 and the following
> config:
> 
> 
> connections {
>   to-tinyionos {
>     version = 2
>     remote_addrs = "A.B.C.D"
>     vips = "0.0.0.0"
>     local {
>       auth = pubkey
>       certs = "my.cert.der"
>     }
>     remote {
>       certs = "server.cert.der"
>     }
>     children {
>       to-tinyionos {
>         mark_in = %unique
>         mark_out = %unique
>         remote_ts = "10.3.9.0/24"
>         local_ts = "10.3.1.0/24"
>         #mode = "tunnel"
>         mode = pass
>       }
>     }
>   }
> }
> 
> and then I have a server with a tun iface:
> 
> 17: forswan: <NO-CARRIER,POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 500
>     link/none
>     inet 10.3.9.1/24 brd 10.3.9.255 scope global noprefixroute forswan
>        valid_lft forever preferred_lft forever
> 
> and server config, connection part:
> 
> 
>   fenbox {
>     version = 2
>     pools = "myclient"
>     vips = "0.0.0.0"
>     remote {
>       auth = "pubkey"
>       id = "O=client, CN=tiny.client"
>     }
>     children {
>       fenbox {
>         mark_in = %unique
>         mark_out = %unique
>         local_ts = "10.3.9.0/24"
>         remote_ts = "10.3.1.0/24"
>         #mode = transport
>         #mode = "tunnel"
>         mode = pass
>       }
>     }
>   }
> 
> 
> What I'd like to get, which I'm not getting for some reason, is:
> - to access IPs of the 10.3.9.0/24 subnet.
> From the server I can get to initiator's 10.3.1.0/24, but
> the server with 10.3.9.1 on tun iface cannot get to
> initiator's assigned 10.3.9.254.
> I have two questions:
> 1) Obvious - how to make it work?
> 2) I notice that the initiator gets an IP, 10.3.9.254/32 - is
> it that subnet because of how libipsec works, and if so, can
> it be controlled and changed?
> 
> many thanks, L.
> 

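A plain roadwarrior pair of swanctl.conf fragments of the kind Noel points to, written here as an added example by the editor; it is not code from the thread or from the strongSwan project. It keeps the thread's addresses, certificate file names and client identity, drops mark_in/mark_out (not needed for a plain roadwarrior setup) and leaves mode at its default of tunnel rather than pass. The connection name rw, the pool name rw_pool, the server identity CN=tiny.server and the pool range are assumptions. On the client, local_ts is left at its default (dynamic), which strongSwan replaces with the virtual IP the server assigns from its pool; on the server, remote_ts is likewise left dynamic and local_ts is the subnet behind the tun interface. The 10.3.1.0/24 LAN behind the client is not part of this: a subnet behind a peer is a site-to-site traffic selector, not something a virtual IP covers.

```conf
# swanctl.conf on the roadwarrior (initiator) -- added example, not from the thread
connections {
    rw {
        version = 2
        remote_addrs = A.B.C.D
        # request a virtual IP; the server assigns it from its pool
        vips = 0.0.0.0
        local {
            auth = pubkey
            certs = my.cert.der
            id = "O=client, CN=tiny.client"
        }
        remote {
            auth = pubkey
            # expected server certificate, as in the thread
            certs = server.cert.der
        }
        children {
            rw {
                # local_ts left at its default (dynamic): becomes the assigned virtual IP
                remote_ts = 10.3.9.0/24
                # mode defaults to tunnel; mode = pass would bypass IPsec entirely
                start_action = start
            }
        }
    }
}

# swanctl.conf on the responder (server) -- added example, not from the thread
connections {
    rw {
        version = 2
        # virtual IPs for clients are handed out from this pool (defined below)
        pools = rw_pool
        local {
            auth = pubkey
            certs = server.cert.der
            # assumed server identity; must match the server certificate
            id = "CN=tiny.server"
        }
        remote {
            auth = pubkey
            id = "O=client, CN=tiny.client"
        }
        children {
            rw {
                # the subnet the client may reach through the tunnel
                local_ts = 10.3.9.0/24
                # remote_ts left at its default (dynamic): narrowed to the client's virtual IP
            }
        }
    }
}

pools {
    rw_pool {
        # assumed range; leaves 10.3.9.1 free for the server's own tun address
        addrs = 10.3.9.2-10.3.9.254
    }
}
```

Load both sides with `swanctl --load-all`; start_action = start brings the child up on load on the client. Check with `swanctl --list-sas` on either side that the child's local selector on the client (remote selector on the server) is the single virtual IP from the pool and the other selector is 10.3.9.0/24, not 10.3.1.0/24; with kernel-libipsec the virtual IP appears on the tun device the plugin creates itself (ipsec0 by default, visible with `ip addr show ipsec0`), which is the behaviour Noel describes above.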