On Tue, 22 Sep 2020 23:47:56 +0000 "Scott A. Wozny" <[email protected]> wrote:
> In my testing setup I have a pair of VPN systems, each with a
> VPNExternal interface (ens8), a VPNInternal (ens9) interface and a
> management interface (eth0) which is the default gateway for each
> machine. Each machine is connected to a test firewall and those
> firewalls are connected together with a pretend “Internet” segment.

That is not an Internet segment if the default route doesn't go there.

> I would like to have the isakmp and ipsec-nat-t traffic bound for the
> peer gateway travel out the interface identified as left on each
> machine, rather than out the default gateway as directed by the
> routing table. I thought this was the purpose of leftnexthop, but
> when I set it to the IP of the firewall's address on the VPNExternal
> interface, traffic still goes to the default gateway whose interface
> on the firewall is NOT configured to pass this traffic and the tunnel
> does not come up.

Your IPsec peers must be able to communicate without IPsec for everything to work. If I read your routing tables correctly, you are missing a route to the remote via the correct interface at the beginning. Usually that is the default route, but it can be just a route to the remote endpoint via the correct gateway. Nexthop doesn't help if you don't have basic routing working so that you can make peers communicate without IPsec.

-- 
Tuomo Soini <[email protected]>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
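
The point of the reply is that the IKE packets to the peer are plain UDP and follow the kernel routing table, so the check to make before touching leftnexthop is: which interface does the peer's address currently route out of, and does a host route via the VPNExternal gateway change that? The script below is an added example, not part of the thread and not libreswan code. It models a routing table in the shape the question describes (eth0 carrying the default route, ens8 as VPNExternal, ens9 as VPNInternal) and applies the longest-prefix match the kernel uses. The thread does not show the real tables, so every address (the 192.0.2.0/24, 198.51.100.0/24 and 10.10.0.0/24 prefixes, the peer 203.0.113.20 and the firewall address 198.51.100.1) is made up for the example. The same route has to exist on the other gateway pointing back; this only models one side.

```python
import ipaddress

# Constructed sample of `ip route show` on the left gateway, laid out the way
# the thread describes the box: eth0 is the management interface and carries
# the default route, ens8 is VPNExternal, ens9 is VPNInternal. Every address
# here is made up for the example; the thread does not show the real tables.
ROUTES_BEFORE = """\
default via 192.0.2.1 dev eth0 proto static
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
198.51.100.0/24 dev ens8 proto kernel scope link src 198.51.100.10
10.10.0.0/24 dev ens9 proto kernel scope link src 10.10.0.1
"""

PEER = "203.0.113.20"         # assumed address of the remote gateway (right=)
EXTERNAL_GW = "198.51.100.1"  # assumed address of the test firewall on the VPNExternal segment
EXTERNAL_IF = "ens8"          # VPNExternal, as named in the thread


def parse_routes(text):
    """Turn `ip route show` lines into (network, via, dev) tuples.

    Only the fields that decide forwarding are kept; the kernel table has
    more attributes (proto, scope, src) but they do not affect this check.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dst, strict=False)  # a bare host becomes /32
        via = dev = None
        for key, value in zip(fields[1:], fields[2:]):
            if key == "via":
                via = value
            elif key == "dev":
                dev = value
        routes.append((net, via, dev))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the route the kernel would pick for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for route in routes:
        net = route[0]
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = route
    return best


def egress_interface(routes, dst):
    """Interface that packets to dst (here IKE on UDP/500 and UDP/4500) leave on."""
    route = lookup(routes, dst)
    return route[2] if route else None


def with_host_route(routes, peer, gateway, dev):
    """Model `ip route add <peer>/32 via <gateway> dev <dev>`.

    Without the onlink flag the kernel rejects a gateway that is not reachable
    through a connected route on dev ("Nexthop has invalid gateway"), so the
    same precondition is enforced here before the route is added.
    """
    gw = ipaddress.ip_address(gateway)
    onlink = any(via is None and d == dev and gw in net for net, via, d in routes)
    if not onlink:
        raise ValueError(f"{gateway} is not on-link via {dev}")
    host = ipaddress.ip_network(f"{peer}/32")
    return routes + [(host, gateway, dev)]


def route_add_command(peer, gateway, dev):
    """The iproute2 command the simulated change corresponds to."""
    return f"ip route add {peer}/32 via {gateway} dev {dev}"


if __name__ == "__main__":
    before = parse_routes(ROUTES_BEFORE)
    print("peer currently reached via", egress_interface(before, PEER))  # eth0
    after = with_host_route(before, PEER, EXTERNAL_GW, EXTERNAL_IF)
    print("after the host route, via", egress_interface(after, PEER))    # ens8
    print("command:", route_add_command(PEER, EXTERNAL_GW, EXTERNAL_IF))
```

On the real machine the equivalent check is `ip route get <peer address>` before and after adding the route; it has to report the VPNExternal interface before the IKE exchange can even reach the peer, and the firewall on that segment still has to pass UDP 500 and 4500. The script deliberately refuses a gateway that is not on-link through the chosen interface, which is the usual way such a route fails to install.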
