Hi, I've configured libreswan with 2 tunnels and 3 hosts with XFRM:

    192.168.98.50    192.168.98.54    192.168.98.51

192.168.98.54 would play the router and is the left side for both tunnels going to 192.168.98.50 and 192.168.98.51.

Tunnel1 (192.168.98.50 and 192.168.98.54) config file:

    conn tunnel1
        leftid=@proxy
        left=192.168.98.54
        leftsourceip=192.168.50.1
        leftsubnet=192.168.50.0/24
        leftrsasigkey=<>
        rightid=@master
        right=192.168.98.50
        rightsourceip=192.168.50.3
        rightsubnet=192.168.50.0/24
        rightrsasigkey=<>
        authby=rsasig
        auto=start
        ipsec-interface=1

This creates an ipsec1 with ip 192.168.50.3 on the 192.168.98.50 host and an ipsec1 with ip 192.168.50.1 on the 192.168.98.54 host.

Tunnel2 (192.168.98.50 and 192.168.98.54) config file:

    conn tunnel2
        leftid=@proxy
        left=192.168.98.54
        leftsourceip=192.168.60.1
        leftsubnet=192.168.60.0/24
        leftrsasigkey=<>
        rightid=@worker1
        right=192.168.98.51
        rightsourceip=192.168.60.3
        rightsubnet=192.168.60.0/24
        rightrsasigkey=<>
        authby=rsasig
        auto=start
        ipsec-interface=2

This creates an ipsec2 with ip 192.168.60.3 on the 192.168.98.51 host and an ipsec2 with ip 192.168.60.1 on the 192.168.98.54 host.

Now both tunnels are up and running. I can ping 192.168.50.1 from 192.168.50.3 and vice versa. Same for 192.168.98.60.1 and 192.168.60.3.

However, now I would like to communicate from 192.168.50.3 to 192.168.60.3. So on 192.168.50.3 I add the following ip route:

    ip route add 192.168.60.0/24 via 192.168.50.1

And on 192.168.60.3 I add:

    ip route add 192.168.50.0/24 via 192.168.60.1

But then when I try to ping from 192.168.50.3 to 192.168.60.3 I get the following reply:

    PING 192.168.60.3 (192.168.60.3) 56(84) bytes of data.
    From 192.168.98.50 icmp_seq=1 Destination Host Unreachable
    From 192.168.98.50 icmp_seq=2 Destination Host Unreachable
    From 192.168.98.50 icmp_seq=3 Destination Host Unreachable
    From 192.168.98.50 icmp_seq=4 Destination Host Unreachable
    From 192.168.98.50 icmp_seq=5 Destination Host Unreachable

I don't get this. The routing table says it's going out through ipsec1:

    192.168.50.0/24 dev ipsec1 proto kernel scope link src 192.168.50.3
    192.168.60.0/24 via 192.168.50.1 dev ipsec1
    192.168.98.0/24 dev ens33 proto kernel scope link src 192.168.98.50

But I get a message from the internal nic. If I leave out the "ipsec-interface" option on all tunnel config files then it does work without ipsec interfaces, but then I cannot get my firewall on 192.168.98.54 to do its thing.

Can anyone please shine a light on this for me?

Thanks,
Bram
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
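An added check, not part of the post above: a route pointing a flow at an ipsec interface does not by itself put the flow inside an IPsec policy; the policy selectors come from leftsubnet/rightsubnet of each conn. The script below takes the two conn definitions quoted in the post (only the keys it needs, reconstructed from the post), derives the selector pairs each host would install (local subnet to remote subnet, in both directions, which is the standard libreswan mapping of left/right to a host, assumed here), and reports whether a given src/dst pair is covered on a given host.

```python
# Added example: does a flow fall inside the IPsec traffic selectors that a
# libreswan conn installs on a host? The conn data is reconstructed from the
# two tunnels in the post; hosts are identified by their left/right address.
import ipaddress
from typing import List, Optional, Tuple

# Constructed from the post: only the keys the check needs.
CONNS = {
    "tunnel1": {"left": "192.168.98.54", "leftsubnet": "192.168.50.0/24",
                "right": "192.168.98.50", "rightsubnet": "192.168.50.0/24"},
    "tunnel2": {"left": "192.168.98.54", "leftsubnet": "192.168.60.0/24",
                "right": "192.168.98.51", "rightsubnet": "192.168.60.0/24"},
}


def selectors_for_host(host: str, conns=CONNS) -> List[Tuple[str, str, str, str]]:
    """Return (conn, direction, src_subnet, dst_subnet) for every conn in
    which `host` is the left or right endpoint. A conn yields an outbound
    selector (local -> remote) and an inbound one (remote -> local)."""
    out = []
    for name, c in conns.items():
        if host == c["left"]:
            local, remote = c["leftsubnet"], c["rightsubnet"]
        elif host == c["right"]:
            local, remote = c["rightsubnet"], c["leftsubnet"]
        else:
            continue  # this host is not an endpoint of the conn
        out.append((name, "out", local, remote))
        out.append((name, "in", remote, local))
    return out


def covering_policy(host: str, src: str, dst: str) -> Optional[str]:
    """Name 'conn/direction' of the first selector pair containing src->dst
    on `host`, or None when no selector of any conn covers the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, direction, src_net, dst_net in selectors_for_host(host):
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return f"{name}/{direction}"
    return None


if __name__ == "__main__":
    # The two flows from the post, checked on the host that originates them
    # and on the hub that would have to forward the second one.
    for host, src, dst in [("192.168.98.50", "192.168.50.3", "192.168.50.1"),
                           ("192.168.98.50", "192.168.50.3", "192.168.60.3"),
                           ("192.168.98.54", "192.168.50.3", "192.168.60.3")]:
        print(f"{host}: {src} -> {dst}: {covering_policy(host, src, dst)}")
```

Compare the script's answer with `ip xfrm policy` on the host in question: a flow that no selector covers is outside every policy the conns install, regardless of the `ip route` entry.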
