Hi Noel/Tobias/Everyone,

First of all, thanks for your help!!!

Unfortunately, after more than a month submerged in my lab and countless forums and Google articles researching iptables, Linux routing tables, strongswan ... I will give up, and I have decided to build a pfSense box and use the OpenWRT routers as layer 2 switches.

I have analyzed the iptables captures and they do not reveal much. The capture on the VTI interface shows the PING packet request and reply. On the iptables chains, the PING reply is seen on:

    raw OUTPUT, mangle OUTPUT, filter OUTPUT, mangle POSTROUTING

and the PING reply with no response is seen on:

    raw PREROUTING, mangle PREROUTING, mangle INPUT, filter INPUT

The image below has a diagram flow for the iptables chains.
https://blog.infoitech.co.uk/content/images/2021/08/image-25.png

I am starting to believe that my problem could be a bug in the ipsec/strongswan implementation. If someone else reading this thread finds a solution, please update this thread because it would be helpful to more people out there.

Best Regards,
Tiago Stoco.

________________________________
From: Users <users-boun...@lists.strongswan.org> on behalf of Tiago Stoco <tmsbl...@msn.com>
Sent: Saturday, September 11, 2021 10:13 AM
To: Noel Kuntze <noel.kuntze@thermi.consulting>; Tobias Brunner <tob...@strongswan.org>; users@lists.strongswan.org <users@lists.strongswan.org>
Subject: Re: [strongSwan] IPSec route based VPN - VTI interface TX Errors NoRoute

Hi Noel,

Quick update to the thread. I know that pfSense is not related to this mailing list, but as a proof of concept for the issues described here the pfSense LAB site-to-site was set up and it worked flawlessly 👉 https://blog.infoitech.co.uk/pfsense-ipsec-vpn-routed-vti-site-to-site/

I have switched one of the pfSense boxes used in the example above to establish the tunnel with my Linux box and still have the same issues as before.

I am writing a script to capture packets throughout all my iptables chains and I will then analyze the captures to see if I can spot something.

Best Regards,
Tiago.

________________________________
From: Users <users-boun...@lists.strongswan.org> on behalf of Tiago Stoco <tmsbl...@msn.com>
Sent: Friday, September 10, 2021 7:31 AM
To: Noel Kuntze <noel.kuntze@thermi.consulting>; Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting>; Tobias Brunner <tob...@strongswan.org>; users@lists.strongswan.org <users@lists.strongswan.org>
Subject: Re: [strongSwan] IPSec route based VPN - VTI interface TX Errors NoRoute

Hi Noel,

I did not give up on this yet. The last couple of days were quite busy at work and home. However, I have managed to draw a diagram of how I believe the site-to-site VPN would work 👇
https://blog.infoitech.co.uk/content/images/2021/09/ipsec_diagram2.png

It is quite obvious how the traffic should flow through the VPN tunnel to allow the subnets to talk to each other.

I have managed to spin up a new VM running pfSense to test a pfSense to pfSense setup, and then I will spin up another VM to replicate the example you have shared. Finally, I will be able to verify if my idea will work and be able to identify where the anomaly is in my current setup.

Wish me luck,
Best Regards.
Tiago

________________________________
From: Noel Kuntze
Sent: Friday, September 3, 2021 6:22 PM
To: Tiago Stoco; Noel Kuntze; Tobias Brunner; users@lists.strongswan.org
Subject: Re: [strongSwan] IPSec route based VPN - VTI interface TX Errors NoRoute

Hello Tiago,

It's more meant as a practical example on how to configure this and to look for anomalies in your setup.

Kind regards
Noel

On 03.09.21 at 22:54, Tiago Stoco wrote:
> Hi Noel,
>
> I will replicate the example below in my lab in the hopes to better
> understand the concepts behind an IPSec VPN tunnel.
>
> Tiago Stoco.
>
>
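The first message above lists the Netfilter chains on which each ICMP packet was seen. The following is an added example, not part of the thread or of strongSwan: it parses iptables xt_TRACE log lines into a per-packet hook path and flags echo requests that were delivered to filter INPUT but whose echo reply never reached mangle POSTROUTING, which is the comparison a chain-tracing script like the one described would need to make. The log lines, interface name vti0 and addresses are constructed for the example.

```python
import re

# Constructed xt_TRACE sample (not from the thread): echo request seq 1 arrives on
# vti0 and is answered; request seq 2 reaches filter INPUT but no reply is traced.
SAMPLE_LOG = """\
TRACE: raw:PREROUTING:policy:2 IN=vti0 OUT= SRC=10.20.0.5 DST=10.10.0.1 LEN=84 TTL=64 ID=4711 PROTO=ICMP TYPE=8 CODE=0 ID=300 SEQ=1
TRACE: mangle:PREROUTING:policy:1 IN=vti0 OUT= SRC=10.20.0.5 DST=10.10.0.1 LEN=84 TTL=64 ID=4711 PROTO=ICMP TYPE=8 CODE=0 ID=300 SEQ=1
TRACE: mangle:INPUT:policy:1 IN=vti0 OUT= SRC=10.20.0.5 DST=10.10.0.1 LEN=84 TTL=64 ID=4711 PROTO=ICMP TYPE=8 CODE=0 ID=300 SEQ=1
TRACE: filter:INPUT:rule:3 IN=vti0 OUT= SRC=10.20.0.5 DST=10.10.0.1 LEN=84 TTL=64 ID=4711 PROTO=ICMP TYPE=8 CODE=0 ID=300 SEQ=1
TRACE: raw:OUTPUT:policy:2 IN= OUT=vti0 SRC=10.10.0.1 DST=10.20.0.5 LEN=84 TTL=64 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=300 SEQ=1
TRACE: mangle:OUTPUT:policy:1 IN= OUT=vti0 SRC=10.10.0.1 DST=10.20.0.5 LEN=84 TTL=64 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=300 SEQ=1
TRACE: filter:OUTPUT:policy:1 IN= OUT=vti0 SRC=10.10.0.1 DST=10.20.0.5 LEN=84 TTL=64 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=300 SEQ=1
TRACE: mangle:POSTROUTING:policy:1 IN= OUT=vti0 SRC=10.10.0.1 DST=10.20.0.5 LEN=84 TTL=64 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=300 SEQ=1
TRACE: raw:PREROUTING:policy:2 IN=vti0 OUT= SRC=10.20.0.5 DST=10.10.0.1 LEN=84 TTL=64 ID=4712 PROTO=ICMP TYPE=8 CODE=0 ID=300 SEQ=2
TRACE: mangle:PREROUTING:policy:1 IN=vti0 OUT= SRC=10.20.0.5 DST=10.10.0.1 LEN=84 TTL=64 ID=4712 PROTO=ICMP TYPE=8 CODE=0 ID=300 SEQ=2
TRACE: mangle:INPUT:policy:1 IN=vti0 OUT= SRC=10.20.0.5 DST=10.10.0.1 LEN=84 TTL=64 ID=4712 PROTO=ICMP TYPE=8 CODE=0 ID=300 SEQ=2
TRACE: filter:INPUT:rule:3 IN=vti0 OUT= SRC=10.20.0.5 DST=10.10.0.1 LEN=84 TTL=64 ID=4712 PROTO=ICMP TYPE=8 CODE=0 ID=300 SEQ=2
"""

TRACE_RE = re.compile(r"TRACE: (\w+):(\w+):(\w+):(\d+) (.*)")  # table:chain:kind:rule fields
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_trace(line):
    """Return (table, chain, fields) for one xt_TRACE log line, or None."""
    m = TRACE_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, val in FIELD_RE.findall(m.group(5)):
        fields.setdefault(key, val)  # ICMP repeats ID=; keep the IP header one
    return m.group(1), m.group(2), fields

def trace_paths(log_text):
    """Group TRACE lines per packet; value is the ordered list of table:chain hooks."""
    paths = {}
    for table, chain, f in filter(None, map(parse_trace, log_text.splitlines())):
        key = (f["SRC"], f["DST"], f.get("PROTO"), f.get("TYPE"), f.get("SEQ"))
        paths.setdefault(key, []).append(f"{table}:{chain}")
    return paths

def unanswered_requests(paths):
    """Echo requests delivered to INPUT whose echo reply never reached POSTROUTING."""
    missing = []
    for (src, dst, proto, typ, seq), path in paths.items():
        if proto != "ICMP" or typ != "8" or not path[-1].endswith(":INPUT"):
            continue
        reply = paths.get((dst, src, "ICMP", "0", seq), [])
        if not reply or not reply[-1].endswith(":POSTROUTING"):
            missing.append((src, dst, seq))
    return missing
```

On a live box the input would come from the kernel log after enabling `-j TRACE` in the raw table; a request that stops at filter INPUT with no matching reply path is the symptom the thread describes.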