On Tue, 31 Oct 2017, Paul Tran wrote:
VTI interfaces and ST interface on the SRX set to IPs on the 192.168.10.0/24 network.
I have users sitting on 10.8.0.0/24, connected off of the CentOS box, that I am trying to have use this tunnel.
Ifconfig
vti201: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 8981
inet 192.168.10.2 netmask 255.255.255.0 destination 192.168.10.1
tunnel txqueuelen 1 (IPIP Tunnel)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Can you also show: ip tun
It would need to have a "key" entry matching the mark number in your config (5).
ipsec.conf config
conn SRX
authby=secret
#aggressive=no
#type=tunnel
left=172.31.140.0
leftid=34.204.126.142
right=102.167.4.2
auto=start
mark=5/0xfffffff
keyingtries=%forever
rightsubnet=0.0.0.0/24
leftsubnet=10.8.0.0/24
ike=aes-sha1;modp1536
phase2=esp
phase2alg=aes256-sha1;modp1536
vti-interface=vti201
vti-routing=yes
leftvti=192.168.10.2/24
This looks fine.
ip -s xfrm policy
src 10.8.0.0/24 dst 0.0.0.0/24 uid 0
dir out action allow index 625 priority 2344 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-10-31 12:22:43 use -
mark 5/0xfffffff
Looks okay too.
So I'm not sure what is going on. It might not be mark related? Check "ipsec verify" for errors, e.g. rp_filter settings or ip_forwarding settings?
Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
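The reply above asks for three things to be cross-checked: that the VTI's key matches the conn's mark, and that rp_filter and ip_forward are set sanely. The script below is an added example (not from the thread and not Libreswan's own code) that does exactly those comparisons from text captured on the box, so it can also be pointed at output pasted into a mail. The ipsec.conf excerpt is modelled on the conn in the thread; the `ip tunnel show` lines and the sysctl values are constructed assumptions, not what Paul Tran's box actually showed.

```shell
#!/bin/sh
# Added example: cross-check ipsec.conf mark vs. VTI key, plus the rp_filter and
# ip_forward sysctls, from captured text. Sample values are constructed.

# Constructed sample modelled on the conn in the thread.
SAMPLE_CONF='conn SRX
        authby=secret
        mark=5/0xfffffff
        vti-interface=vti201
        vti-routing=yes
        leftvti=192.168.10.2/24'

# Constructed samples in the shape of "ip tunnel show" output for a VTI;
# the key values are assumptions, not taken from the thread.
SAMPLE_IPTUN_OK='vti201: ip/ip remote 102.167.4.2 local 172.31.140.0 ttl inherit key 5'
SAMPLE_IPTUN_BAD='vti201: ip/ip remote 102.167.4.2 local 172.31.140.0 ttl inherit ikey 6 okey 6'

# Constructed samples in the shape of "sysctl -a" lines.
SAMPLE_SYSCTL_BAD='net.ipv4.ip_forward = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.vti201.rp_filter = 1'
SAMPLE_SYSCTL_OK='net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.vti201.rp_filter = 0'

# conf_mark CONF CONN -> numeric mark of that conn (the value left of the slash)
conf_mark() {
  printf '%s\n' "$1" | awk -v conn="$2" '
    $1 == "conn" { in_conn = ($2 == conn); next }
    in_conn && $1 ~ /^mark=/ { sub(/^mark=/, "", $1); sub(/\/.*/, "", $1); print $1; exit }'
}

# tunnel_key IPTUN IFNAME -> the "key" (or "ikey") value of the named tunnel
tunnel_key() {
  printf '%s\n' "$1" | awk -v ifname="$2:" '
    $1 == ifname { for (i = 2; i < NF; i++) if ($i == "key" || $i == "ikey") { print $(i + 1); exit } }'
}

# sysctl_value SYSCTL_LINES KEY -> value from a "KEY = value" line
sysctl_value() {
  printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $3; exit }'
}

# vti_check CONF CONN IPTUN IFNAME SYSCTL_LINES
# Prints one line per finding; returns 0 only when every check passes.
vti_check() {
  rc=0
  mark=$(conf_mark "$1" "$2")
  key=$(tunnel_key "$3" "$4")
  if [ -n "$mark" ] && [ "$mark" = "$key" ]; then
    echo "ok: $2 mark $mark matches $4 key"
  else
    echo "FAIL: $2 mark '$mark' vs $4 key '$key' (they must be equal)"
    rc=1
  fi
  # rp_filter on the VTI itself is what "ipsec verify" flags for VTI setups.
  if [ "$(sysctl_value "$5" "net.ipv4.conf.$4.rp_filter")" = 0 ]; then
    echo "ok: rp_filter disabled on $4"
  else
    echo "FAIL: set net.ipv4.conf.$4.rp_filter=0"
    rc=1
  fi
  # The 10.8.0.0/24 clients behind the CentOS box need forwarding enabled.
  if [ "$(sysctl_value "$5" net.ipv4.ip_forward)" = 1 ]; then
    echo "ok: ip_forward enabled"
  else
    echo "FAIL: set net.ipv4.ip_forward=1"
    rc=1
  fi
  return $rc
}

# On a live box the same function runs against real output, e.g.:
#   vti_check "$(cat /etc/ipsec.conf)" SRX "$(ip tunnel show)" vti201 "$(sysctl -a 2>/dev/null)"
vti_check "$SAMPLE_CONF" SRX "$SAMPLE_IPTUN_OK" vti201 "$SAMPLE_SYSCTL_OK"
vti_check "$SAMPLE_CONF" SRX "$SAMPLE_IPTUN_BAD" vti201 "$SAMPLE_SYSCTL_BAD" || echo "(constructed broken sample flagged, as expected)"
```

The mark is read as the decimal value left of the slash, which is how the thread's `mark=5/0xfffffff` and the `mark 5/0xfffffff` in the xfrm policy dump are written; if a box prints the tunnel key in a different notation, compare the numbers by hand before trusting a FAIL.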