Re: [strongSwan] trouble with the traffic selector
Hi Martin,

Thanks for the quick reply.

On Thu, Oct 24, 2013 at 12:45 PM, Martin Willi mar...@strongswan.org wrote:

> Hi,
>
> > I want to route all the traffic originating from android device to be tunneled through the gateway using the tun0 interface.
>
> The Android App does no narrowing itself, that happens on the responder only. To tunnel all traffic from the Android device, set leftsubnet=0.0.0.0/0 on the responder.

So now my Android device proposes both TSi and TSr as 0.0.0.0/0 and in the gateway I've configured leftsubnet as 0.0.0.0/0.

Now when I establish the tunnel, typing ip route show in android device shows following:

    0.0.0.0/1 dev tun0 scope link
    default via 10.10.11.1 dev wlan0
    10.10.11.0/24 dev wlan0 proto kernel scope link src 10.10.11.5
    10.10.11.1 dev wlan0 scope link
    128.0.0.0/1 dev tun0 scope link

where 10.10.11.15 is the IP address of android device over the wlan0 interface and tun0 also gets same virtual IP assigned by the gateway.

With this when I run tcpdump on both tun0 and wlan0, I see all the ESP packets going through Wlan0 and not tun0.

What am I missing here? Why is the route added as 0.0.0.0/1? My intention is to route all the traffic originating from my android device to the gateway using the tun0 interface.

> Regards
> Martin

Thanks Regards
Sam

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] trouble with the traffic selector
On Fri, Oct 25, 2013 at 11:27 AM, Ccf Cloud ccfcl...@gmail.com wrote:

> Hi Martin,
>
> Thanks for the quick reply.
>
> On Thu, Oct 24, 2013 at 12:45 PM, Martin Willi mar...@strongswan.org wrote:
>
> > Hi,
> >
> > > I want to route all the traffic originating from android device to be tunneled through the gateway using the tun0 interface.
> >
> > The Android App does no narrowing itself, that happens on the responder only. To tunnel all traffic from the Android device, set leftsubnet=0.0.0.0/0 on the responder.
>
> So now my Android device proposes both TSi and TSr as 0.0.0.0/0 and in the gateway I've configured leftsubnet as 0.0.0.0/0.
>
> Now when I establish the tunnel, typing ip route show in android device shows following:
>
>     0.0.0.0/1 dev tun0 scope link
>     default via 10.10.11.1 dev wlan0
>     10.10.11.0/24 dev wlan0 proto kernel scope link src 10.10.11.5
>     10.10.11.1 dev wlan0 scope link
>     128.0.0.0/1 dev tun0 scope link

Correction: where 10.10.11.5 is the IP address of android device over the wlan0 interface and tun0 also gets same virtual IP assigned by the gateway.

> With this when I run tcpdump on both tun0 and wlan0, I see all the ESP packets going through Wlan0 and not tun0.
>
> What am I missing here? Why is the route added as 0.0.0.0/1? My intention is to route all the traffic originating from my android device to the gateway using the tun0 interface.
>
> > Regards
> > Martin
>
> Thanks Regards
> Sam
Re: [strongSwan] trouble with the traffic selector
Hi,

> With this when I run tcpdump on both tun0 and wlan0, I see all the ESP packets going through Wlan0 and not tun0.

I'd say that's the idea; plain packets go over the virtual adapter, encrypted ones over your physical connection.

> What am I missing here? Why is the route added as 0.0.0.0/1?
>
>     0.0.0.0/1 dev tun0 scope link
>     128.0.0.0/1 dev tun0 scope link

The default route (0.0.0.0/0) gets split up into two sub-routes covering the same range. This is done to avoid any conflicts with the default route and to enforce a higher priority for the VPN connection.

Regards
Martin
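The route split described in the reply above, worked through as an added example that is not part of the original thread: a longest-prefix-match lookup over the routing table Sam posted, plus a check that the two /1 routes together cover the same range as 0.0.0.0/0. The sample destinations are constructed.

```python
import ipaddress

# Routing table from the thread's `ip route show` output (Android device).
ROUTES_TEXT = """\
0.0.0.0/1 dev tun0 scope link
default via 10.10.11.1 dev wlan0
10.10.11.0/24 dev wlan0 proto kernel scope link src 10.10.11.5
10.10.11.1 dev wlan0 scope link
128.0.0.0/1 dev tun0 scope link
"""

def parse_routes(text):
    """Parse `ip route show` lines into (network, device) pairs."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        network = ipaddress.ip_network(prefix)  # a bare address becomes a /32
        device = fields[fields.index("dev") + 1]
        routes.append((network, device))
    return routes

def lookup(routes, destination):
    """Return (network, device) of the longest-prefix match, or None."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)

def covers_all_ipv4(networks):
    """True if the given networks collapse to exactly 0.0.0.0/0."""
    collapsed = list(ipaddress.collapse_addresses(networks))
    return collapsed == [ipaddress.ip_network("0.0.0.0/0")]

if __name__ == "__main__":
    routes = parse_routes(ROUTES_TEXT)
    # Constructed sample destinations, not taken from the thread.
    for dst in ("8.8.8.8", "203.0.113.9", "10.10.11.7", "10.10.11.1"):
        net, dev = lookup(routes, dst)
        print(f"{dst:<12} -> {dev:<5} via {net}")
    tun = [n for n, d in routes if d == "tun0"]
    print("tun0 routes cover all of IPv4:", covers_all_ipv4(tun))
```

By longest-prefix match on the table as shown, the two /1 routes win over the default route for every destination except the more specific wlan0 entries (the local /24 and the router's host route).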
Re: [strongSwan] trouble with the traffic selector
Hi Martin,

Okay so that explains the presence of the routes. But what about all the ESP packets going through wlan0 interface. Shouldn't they go through the tun0?

On Fri, Oct 25, 2013 at 1:09 PM, Martin Willi mar...@strongswan.org wrote:

> Hi,
>
> > With this when I run tcpdump on both tun0 and wlan0, I see all the ESP packets going through Wlan0 and not tun0.
>
> I'd say that's the idea; plain packets go over the virtual adapter, encrypted ones over your physical connection.
>
> > What am I missing here? Why is the route added as 0.0.0.0/1?
> >
> >     0.0.0.0/1 dev tun0 scope link
> >     128.0.0.0/1 dev tun0 scope link
>
> The default route (0.0.0.0/0) gets split up into two sub-routes covering the same range. This is done to avoid any conflicts with the default route and to enforce a higher priority for the VPN connection.
>
> Regards
> Martin

Thanks Regards
Sam
Re: [strongSwan] trouble with the traffic selector
On Fri, Oct 25, 2013 at 8:58 AM, Ccf Cloud ccfcl...@gmail.com wrote:

> Okay so that explains the presence of the routes. But what about all the ESP packets going through wlan0 interface. Shouldn't they go through the tun0?

Martin already mentioned that this is the correct behavior:

> > With this when I run tcpdump on both tun0 and wlan0, I see all the ESP packets going through Wlan0 and not tun0.
>
> I'd say that's the idea; plain packets go over the virtual adapter, encrypted ones over your physical connection.

ESP packets == encrypted packets, so this is OK.

Best regards,
Mihai
Re: [strongSwan] trouble with the traffic selector
Hi,

Okay that makes sense now. I've another question.

Once the tunnel gets established between the Gateway and the Android device, I want to allow the internet access for the android device through the gateway. Currently after the tunnel establishment, my android device is able to reach the gateway but not the next hop (gateway/router through which I get Internet connection on the Gateway). I added the static route in the router to route back packets for the android device to the gateway but my android device is still unable to reach the router and hence the internet.

Please suggest something in this regard.

On Fri, Oct 25, 2013 at 1:50 PM, Mihai Maties mi...@xcyb.org wrote:

> On Fri, Oct 25, 2013 at 8:58 AM, Ccf Cloud ccfcl...@gmail.com wrote:
>
> > Okay so that explains the presence of the routes. But what about all the ESP packets going through wlan0 interface. Shouldn't they go through the tun0?
>
> Martin already mentioned that this is the correct behavior:
>
> > > With this when I run tcpdump on both tun0 and wlan0, I see all the ESP packets going through Wlan0 and not tun0.
> >
> > I'd say that's the idea; plain packets go over the virtual adapter, encrypted ones over your physical connection.
>
> ESP packets == encrypted packets, so this is OK.
>
> Best regards,
> Mihai

--
Thanks Regards
Sam
Re: [strongSwan] trouble with the traffic selector
Hi,

> I want to route all the traffic originating from android device to be tunneled through the gateway using the tun0 interface.

The Android App does no narrowing itself, that happens on the responder only. To tunnel all traffic from the Android device, set leftsubnet=0.0.0.0/0 on the responder.

Regards
Martin