On Thu, 27 Jun 2024, Bram via Swan wrote:

You cannot "add routes into the ipsecX device" that are not part of the original policies. If you want to "throw" more traffic through the tunnel with different src/dst, you need to add a conn covering the src/dst.

Alternatively, you can add a single tunnel 0.0.0.0/0 <-> 0.0.0.0/0 and then you can "throw" more traffic by just routing, but obviously such a setup is more error-prone and less secure and easier to leak packets to the other side by accident.

Paul
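Paul's first suggestion applied to Bram's three hosts, as an added example that is not from the thread: one extra conn per tunnel pair whose selectors cover the 192.168.50.0/24 <-> 192.168.60.0/24 traffic, sharing the existing ipsec-interface numbers so the packets still ride ipsec1 and ipsec2. The peers, ids and subnets are taken from Bram's mail; the conn names and key values are placeholders.

```ini
# Added example (not from the thread): extra conns whose selectors match
# the src/dst of the packets that were being dropped. They reuse the same
# ipsec-interface numbers as tunnel1/tunnel2, so the XFRM interfaces stay
# the same; only the IPsec policies gain the new subnet pairs.
# Conn names and <...> key values are placeholders.

# Loaded on @proxy (192.168.98.54) and @master (192.168.98.50):
# 192.168.50.0/24 at @master <-> 192.168.60.0/24 reachable through @proxy
conn tunnel1-to-60
    leftid=@proxy
    left=192.168.98.54
    leftsubnet=192.168.60.0/24
    leftrsasigkey=<proxy key>
    rightid=@master
    right=192.168.98.50
    rightsubnet=192.168.50.0/24
    rightrsasigkey=<master key>
    authby=rsasig
    auto=start
    ipsec-interface=1

# Loaded on @proxy (192.168.98.54) and @worker1 (192.168.98.51):
# 192.168.60.0/24 at @worker1 <-> 192.168.50.0/24 reachable through @proxy
conn tunnel2-to-50
    leftid=@proxy
    left=192.168.98.54
    leftsubnet=192.168.50.0/24
    leftrsasigkey=<proxy key>
    rightid=@worker1
    right=192.168.98.51
    rightsubnet=192.168.60.0/24
    rightrsasigkey=<worker1 key>
    authby=rsasig
    auto=start
    ipsec-interface=2
```

Bram's static routes stay in place on the endpoints, and 192.168.98.54 must forward between ipsec1 and ipsec2. After the new conns are up, `ip xfrm policy` on 192.168.98.50 should list an `out` policy for src 192.168.50.0/24 dst 192.168.60.0/24, which is what the original setup lacked.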
Date: Thu, 27 Jun 2024 11:04:56
From: Bram via Swan <[email protected]>
To: "[email protected]" <[email protected]>
Subject: [Swan] routed vpn with 2 tunnels cannot ping from one subnet to the other

Hi,

I've configured libreswan with 2 tunnels and 3 hosts with XFRM:

    192.168.98.50    192.168.98.54    192.168.98.51

192.168.98.54 would play the router and is the left side for both tunnels going to 192.168.98.50 and 192.168.98.51.

Tunnel1 (192.168.98.50 and 192.168.98.54) config file:

    conn tunnel1
        leftid=@proxy
        left=192.168.98.54
        leftsourceip=192.168.50.1
        leftsubnet=192.168.50.0/24
        leftrsasigkey=<>
        rightid=@master
        right=192.168.98.50
        rightsourceip=192.168.50.3
        rightsubnet=192.168.50.0/24
        rightrsasigkey=<>
        authby=rsasig
        auto=start
        ipsec-interface=1

This creates an ipsec1 with ip 192.168.50.3 on the 192.168.98.50 host and an ipsec1 with ip 192.168.50.1 on the 192.168.98.54 host.

Tunnel2 (192.168.98.50 and 192.168.98.54) config file:

    conn tunnel2
        leftid=@proxy
        left=192.168.98.54
        leftsourceip=192.168.60.1
        leftsubnet=192.168.60.0/24
        leftrsasigkey=<>
        rightid=@worker1
        right=192.168.98.51
        rightsourceip=192.168.60.3
        rightsubnet=192.168.60.0/24
        rightrsasigkey=<>
        authby=rsasig
        auto=start
        ipsec-interface=2

This creates an ipsec2 with ip 192.168.60.3 on the 192.168.98.51 host and an ipsec2 with ip 192.168.60.1 on the 192.168.98.54 host.

Now both tunnels are up and running. I can ping 192.168.50.1 from 192.168.50.3 and vice versa. Same for 192.168.60.1 and 192.168.60.3.

However, now I would like to communicate from 192.168.50.3 to 192.168.60.3. So on 192.168.50.3 I add the following ip route:

    ip route add 192.168.60.0/24 via 192.168.50.1

And on 192.168.60.3 I add:

    ip route add 192.168.50.0/24 via 192.168.60.1

But then when I try to ping from 192.168.50.3 to 192.168.60.3 I get the following reply:

    PING 192.168.60.3 (192.168.60.3) 56(84) bytes of data.
    From 192.168.98.50 icmp_seq=1 Destination Host Unreachable
    From 192.168.98.50 icmp_seq=2 Destination Host Unreachable
    From 192.168.98.50 icmp_seq=3 Destination Host Unreachable
    From 192.168.98.50 icmp_seq=4 Destination Host Unreachable
    From 192.168.98.50 icmp_seq=5 Destination Host Unreachable

I don't get this. The routing table says it's going out through ipsec1:

    192.168.50.0/24 dev ipsec1 proto kernel scope link src 192.168.50.3
    192.168.60.0/24 via 192.168.50.1 dev ipsec1
    192.168.98.0/24 dev ens33 proto kernel scope link src 192.168.98.50

But I get a message from the internal nic. If I leave out the "ipsec-interface" option on all tunnel config files then it does work without ipsec interfaces, but then I cannot get my firewall on 192.168.98.54 to do its thing.

Can anyone please shine a light on this for me?

Thanks,
Bram
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
