We have an issue configuring strongSwan to a Cisco router. The connection is made, but I'm not getting the routing correct. There are multiple networks behind the router on the remote side (operated by a vendor) and we need to SNAT the IPs we come from to match their assigned range (so it routes back to us).
ipsec status shows the connection:

000 "vpn": 10.10.0.42/32===12.34.56.78[12.34.56.78]:47/0---12.34.56.80...78.56.34.12[78.56.34.12]:47/0===10.10.254.1/32; erouted; eroute owner: #31
000 "vpn": newest ISAKMP SA: #29; newest IPsec SA: #31;
000
000 #31: "vpn" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2886s; newest IPSEC; eroute owner
000 #31: "vpn" esp.b3a4e070@78.56.34.12 (0 bytes) esp.6405defd@12.34.56.78 (1872 bytes, 1s ago); tunnel
000 #29: "vpn" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 81890s; newest ISAKMP
000

ip route show table 220
10.10.254.1 via 12.34.56.80 dev eth1 src 10.10.0.42

We need to get to segments 10.20.1.0, 10.20.5.0 and 10.20.6.0 and appear to come from 10.10.2.2-254. The internal range we have is 10.1.0.0/32 (iptables SNAT?).

Here's the ipsec.conf. I did try multiple segments on the rightsubnet line, but they never ended up in table 220. I'm not sure I understand how that route interacts with the normal routes.

config setup
        plutodebug=control
        # plutodebug=all
        plutostart=yes
        charondebug=none
        charonstart=no

conn vpn
        ikelifetime=86400s
        keylife=3600s
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret
        ike=3des-md5-modp1024
        esp=3des-md5
        right=78.56.34.12
        rightsubnet=10.10.254.1/32
        rightprotoport=47/0
        left=%defaultroute
        leftsourceip=10.10.0.42
        leftprotoport=47/0
        leftfirewall=yes
        auto=add
        pfs=no

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
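Added example (not from the post above, and not a reply from the list): an ipsec.conf that expresses the "SNAT into the vendor-assigned range, reach three remote segments" goal as plain subnet-to-subnet policies. It assumes that the vendor's Cisco crypto ACLs mirror these three subnet pairs, that the local hosts are in 10.1.0.0/16 (the post says /32), that the gateway itself takes 10.10.2.1 from the assigned range and the SNAT pool is 10.10.2.2-10.10.2.254; all of these are assumptions. The pluto daemon (plutostart=yes, charonstart=no) installs one subnet pair per conn, so each remote segment gets its own conn sharing common settings through also=. The protoport lines from the original are dropped: 47/0 restricts a policy to GRE (IP protocol 47), which is not what a net-to-net SNAT setup needs.

```ini
# Added example, not the original poster's configuration.
# Local hosts 10.1.0.0/16 are SNATed (see the iptables rule in the note below)
# into 10.10.2.2-10.10.2.254, so leftsubnet must be the vendor-assigned
# 10.10.2.0/24: the xfrm policy lookup sees the post-NAT source address.
config setup
        plutostart=yes
        charonstart=no
        plutodebug=control

# Common settings; auto=ignore so pluto does not load this section on its own.
conn vpn-base
        auto=ignore
        keyexchange=ikev1
        authby=secret
        # Kept from the post for interoperability with the vendor side.
        # 3DES/MD5/modp1024 are weak; move to e.g. aes256-sha256-modp2048
        # as soon as the vendor can match it.
        ike=3des-md5-modp1024
        esp=3des-md5
        pfs=no
        ikelifetime=86400s
        keylife=3600s
        rekeymargin=3m
        keyingtries=1
        left=%defaultroute
        leftsourceip=10.10.2.1       # assumption: gateway's own address in the pool
        leftsubnet=10.10.2.0/24      # the vendor-assigned range, post-SNAT
        leftfirewall=yes
        right=78.56.34.12

# One conn per remote segment: pluto negotiates a single subnet pair per SA.
conn vendor-net1
        also=vpn-base
        rightsubnet=10.20.1.0/24
        auto=add

conn vendor-net5
        also=vpn-base
        rightsubnet=10.20.5.0/24
        auto=add

conn vendor-net6
        also=vpn-base
        rightsubnet=10.20.6.0/24
        auto=add
```

The matching NAT rule, one per remote segment, is `iptables -t nat -A POSTROUTING -s 10.1.0.0/16 -d 10.20.1.0/24 -j SNAT --to-source 10.10.2.2-10.10.2.254` (repeat with 10.20.5.0/24 and 10.20.6.0/24). After `ipsec up vendor-net1` (and the other two), `ip xfrm policy` should list an out policy with src 10.10.2.0/24 and dst 10.20.1.0/24 for each conn, and `ip route show table 220` should carry one route per remote segment via the eth1 next hop with src 10.10.2.1. Two caveats: the FORWARD-chain ACCEPT rules that leftfirewall=yes inserts match on 10.10.2.0/24, but the FORWARD chain sees the pre-NAT source (10.1.x.x) on the way out and the de-NATed destination on the way back, so a FORWARD policy of DROP needs an explicit rule for 10.1.0.0/16 to and from the three vendor segments; and the IKE/ESP proposals above are only as strong as the vendor allows, so treat them as a compatibility floor, not a target.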