[strongSwan] Routing between two remote sites

VTwin Farriers vtwin at cox.net
Thu Jan 27 22:10:54 CET 2022


> I'm sorry to say this but that was unnecessary because you can disable the plugins in the configuration. You do not need to recompile anything.
> 

Well, it was a learning experience for me :)

I looked in the stock EPEL configuration directories created for strongswan. /etc/strongswan/strongswan.d/charon/kernel-libipsec.conf had "load=yes".

I changed this to "load=no" on both systems and restarted strongswan.

Now I get:

[root@CentralRouter]# strongswan up CentralEast
establishing CHILD_SA CentralEast{8}
generating CREATE_CHILD_SA request 0 [ SA No TSi TSr ]
sending packet: from WW.XX.YY.ZZ[4500] to AA.BB.CC.DD[4500] (620 bytes)
received packet: from AA.BB.CC.DD[4500] to WW.XX.YY.ZZ[4500] (476 bytes)
parsed CREATE_CHILD_SA response 0 [ SA No TSi TSr ]
selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
CHILD_SA CentralEast{8} established with SPIs cd247e35_i fef555a5_o and TS 10.64.0.0/16,10.128.0.0 === 10.0.0.0/16
connection 'CentralEast' established successfully


Yeaaaaaaaaa!

Uh... not so fast :(


[root@CentralRouter]# ping 10.0.0.1

PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
^C
--- 10.0.0.1 ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 3052ms


[root@CentralRouter]# strongswan status
Security Associations (4 up, 0 connecting):
CentralEast[9]: ESTABLISHED 7 minutes ago, WW.XX.YY.ZZ[WW.XX.YY.ZZ]...AA.BB.CC.DD[AA.BB.CC.DD]
CentralEast{7}: INSTALLED, TUNNEL, reqid 4, ESP in UDP SPIs: cdc46ed8_i fd5e2ca8_o
CentralEast{7}: 10.64.0.0/16,10.128.0.0/24 === 10.0.0.0/16

however,

[root@CentralRouter]# ip route show match 10.0.0.1
default via WW.XX.YY.ZZ dev Internet proto static metric 351

[root@CentralRouter]# ip route show table 220
10.0.0.0/16 via WW.XX.YY.ZZ dev Internet proto static src 10.64.0.1


So it appears the traffic is attempting to route over my regular internet IP link rather than the IPsec tunnel?

Not sure where to go from this point, but thanks for the help so far. Overcame one hurdle, but it looks like I have another.
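Editor's note on the question above. With the kernel-netlink backend (kernel-libipsec disabled), the table 220 output is what strongSwan is expected to install: a copy of the route to the peer, via the ordinary gateway on the physical interface, with the local tunnel address as the `src` hint. The routing table only chooses the egress device and source address; whether the packet is then wrapped in ESP is decided by the kernel's XFRM policies, so the checks that answer "did it go through the tunnel?" are `ip xfrm policy`, the packet counters in `ip -s xfrm state`, and `tcpdump -ni Internet udp port 4500`, not `ip route`. The Python below is an added example, not code from strongSwan or from the poster: it models those two lookups (route, then XFRM out-policy) on constructed text in the shape of `ip route` and `ip xfrm policy show` output, with 203.0.113.x and 198.51.100.x standing in for the anonymised WW.XX.YY.ZZ and AA.BB.CC.DD. It also shows the usual way such a setup leaks plaintext: a source address outside the local traffic selector matches the route but no policy.

```python
"""Model of the two kernel decisions behind "is this packet going through the
tunnel?" on a strongSwan host using the kernel-netlink backend
(kernel-libipsec load=no):

  1. routing: table 220 is consulted before main (strongSwan adds a policy
     rule for it) and picks the egress device plus a source-address hint;
  2. XFRM policy lookup: an 'out' policy whose selector covers (src, dst)
     makes the kernel wrap the packet in ESP after routing.

Added example, not code from strongSwan or from the original post. All sample
text below is constructed in the shape of `ip route` and `ip xfrm policy show`
output; 203.0.113.x / 198.51.100.x stand in for WW.XX.YY.ZZ / AA.BB.CC.DD.
"""
import ipaddress
import re

# Constructed: the post's `ip route show table 220` line, de-anonymised.
ROUTE_TABLE_220 = """\
10.0.0.0/16 via 203.0.113.1 dev Internet proto static src 10.64.0.1
"""
# Constructed: a plausible main table for the same router.
ROUTE_TABLE_MAIN = """\
default via 203.0.113.1 dev Internet proto static metric 351
10.64.0.0/16 dev lan0 proto kernel scope link src 10.64.0.1
10.128.0.0/24 dev lan1 proto kernel scope link src 10.128.0.1
"""
# Constructed: policies matching the post's traffic selectors
# 10.64.0.0/16,10.128.0.0/24 === 10.0.0.0/16 (reqid 4).
XFRM_POLICY = """\
src 10.64.0.0/16 dst 10.0.0.0/16
	dir out priority 375423 ptype main
	tmpl src 203.0.113.10 dst 198.51.100.20
		proto esp reqid 4 mode tunnel
src 10.128.0.0/24 dst 10.0.0.0/16
	dir out priority 375423 ptype main
	tmpl src 203.0.113.10 dst 198.51.100.20
		proto esp reqid 4 mode tunnel
src 10.0.0.0/16 dst 10.64.0.0/16
	dir in priority 375423 ptype main
	tmpl src 198.51.100.20 dst 203.0.113.10
		proto esp reqid 4 mode tunnel
"""


def parse_routes(text):
    """Parse `ip route` lines into dicts with prefix/via/dev/src."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        route = {"prefix": ipaddress.ip_network(prefix, strict=False)}
        for key in ("via", "dev", "src"):
            if key in fields:
                route[key] = fields[fields.index(key) + 1]
        routes.append(route)
    return routes


def lookup_route(dst, tables):
    """Longest-prefix match, trying each table in rule order (220, then main)."""
    dst = ipaddress.ip_address(dst)
    for table in tables:
        hits = [r for r in table if dst in r["prefix"]]
        if hits:
            return max(hits, key=lambda r: r["prefix"].prefixlen)
    return None


def parse_policies(text):
    """Parse `ip xfrm policy show` output into selector/dir/priority dicts."""
    policies, current = [], None
    for line in text.splitlines():
        line = line.strip()
        sel = re.match(r"src (\S+) dst (\S+)", line)
        if sel:  # selector line; the 'tmpl src ...' line starts with 'tmpl' and is skipped
            current = {"src": ipaddress.ip_network(sel.group(1)),
                       "dst": ipaddress.ip_network(sel.group(2))}
            policies.append(current)
            continue
        meta = re.match(r"dir (\w+) priority (\d+)", line)
        if meta and current is not None:
            current["dir"], current["priority"] = meta.group(1), int(meta.group(2))
    return policies


def lookup_policy(src, dst, policies):
    """Highest-precedence (lowest priority value) 'out' policy covering src->dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies
            if p.get("dir") == "out" and src in p["src"] and dst in p["dst"]]
    return min(hits, key=lambda p: p["priority"]) if hits else None


def classify(dst, tables, policies, src=None):
    """How a packet to dst leaves: 'esp-tunnel', 'plaintext' or 'unreachable'."""
    route = lookup_route(dst, tables)
    if route is None:
        return {"verdict": "unreachable", "dev": None, "src": src, "policy": None}
    # A plain `ping dst` takes its source from the route's src hint; that hint
    # is why strongSwan installs the route at all: it keeps the source inside
    # the local traffic selector so the out-policy matches.
    src = src or route.get("src")
    if src is None:
        raise ValueError("route has no src hint; pass src= explicitly")
    policy = lookup_policy(src, dst, policies)
    return {"verdict": "esp-tunnel" if policy else "plaintext",
            "dev": route.get("dev"), "src": src, "policy": policy}


TABLES = [parse_routes(ROUTE_TABLE_220), parse_routes(ROUTE_TABLE_MAIN)]
POLICIES = parse_policies(XFRM_POLICY)

if __name__ == "__main__":
    for dst, src in (("10.0.0.1", None), ("10.0.0.1", "10.128.0.7"),
                     ("10.0.0.1", "192.168.1.5"), ("8.8.8.8", "203.0.113.10")):
        r = classify(dst, TABLES, POLICIES, src)
        print(f"{r['src']:>14} -> {dst:<10} dev {r['dev']}: {r['verdict']}")
```

Run on a real router, the equivalent check is: confirm `ip xfrm policy` has an `out` entry whose selector covers both the source the ping actually uses (`ip route get 10.0.0.1` prints it) and the destination, then watch the `out` SA's packet counter in `ip -s xfrm state` grow while pinging. If the counter increments and ESP-in-UDP leaves on port 4500, the local host is doing its job and the loss is on the far side or on the return path (the remote traffic selector and its own routing for 10.64.0.0/16); if it does not, the source address is the first thing to suspect.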