Hello David,

the problem is that carol uses a virtual IP belonging to the same subnet as alice. Therefore alice tries to send the ICMP response directly via ARP resolution. You could try to add a route on alice, directing traffic for carol to moon:

  ip route add 192.168.253.89/32 via 192.168.253.1

The better solution is to assign virtual IP addresses for roadwarriors from another subnet, e.g. 192.168.252.0/24, and add moon as default gateway on alice:

  ip route add default via 192.168.253.1

Andreas

weiping deng wrote:
> Hi Andreas,
> Thank you. I enabled IP forwarding on gateway moon using the method you
> provided as follows. Now the ICMP request can be forwarded to Alice, but I
> cannot find the ICMP response in the tcpdump log. It seems that there
> is still some work to be done :-). Can you give me a further hint?
> Thanks.
> Best Regards,
> David
>
> -----Original Message-----
> From: Andreas Steffen [mailto:[email protected]]
> Sent: 28 September 2009 14:53
> To: weiping deng
> Cc: [email protected]; [email protected]
> Subject: [SPAM] Re: issue about the route
>
> Hi David,
>
> - have you enabled IP forwarding on gateway moon?
>
>   echo "1" > /proc/sys/net/ipv4/ip_forward
>
> Regards
>
> Andreas
>
> weiping deng wrote:
>> Hi Martin and Andreas, Hi all,
>>
>> The test scenario is listed as follows:
>>
>> Alice (IP: 172.19.2.190
>>        Secondary IP: 192.168.253.68) <---------------------------> moon (as gateway,
>>        IP: 172.19.2.118
>>        Secondary IP: 192.168.253.98) <============> carol (IP: 172.19.2.86
>>        Virtual IP: 192.168.253.89)
>>
>> As above, I have established the ipsec tunnel between moon and carol, now I
>> can ping moon from carol with "ping 192.168.253.98" and I also can ping
>> Alice from moon with "ping 192.168.253.68".
>>
>> But I cannot ping Alice from carol with "ping 192.168.253.68". Please
>> tell me what problem occurred, thanks.
>>
>> The following is the configuration of moon and carol:
>>
>> ++++++++++++++Moon:
>>
>> config setup
>>         strictcrlpolicy=no
>>         plutostart=no
>>
>> conn %default
>>         ikelifetime=60m
>>         keylife=20m
>>         rekeymargin=3m
>>         keyingtries=%forever
>>         keyexchange=ikev2
>>
>> conn rw-eapaka
>>         left=172.19.2.118
>>         leftsubnet=192.168.253.0/24
>>         leftid="C=CN, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=MOON, E= @moon.strongswan.org"
>>         leftcert=/etc/ipsec.d/certs/moonCert.pem
>>         leftauth=pubkey
>>         leftfirewall=yes
>>         lefthostaccess=yes
>>         right=%any
>>         rightid="C=CN, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=CAROL, [email protected]"
>>         rightsendcert=never
>>         rightsourceip=192.168.253.89
>>         rightauth=eap-aka
>>         auto=start
>>
>> ++++++++++carol:
>>
>> config setup
>>         strictcrlpolicy=no
>>         plutostart=no
>>         keep_alive=20m
>>
>> conn %default
>>         ike=aes-sha1-modp1024!
>>         esp=aes-sha1!
>>         ikelifetime=60m
>>         keylife=20m
>>         rekeymargin=3m
>>         keyingtries=%forever
>>         keyexchange=ikev2
>>         dpdaction=clear
>>         dpdtimeout=5m
>>         dpddelay=10
>>
>> conn FAP1000
>>         left=172.19.2.86
>>         leftsourceip=%config
>>         leftcert=/etc/ipsec.d/certs/carolCert.pem
>>         leftauth=eap
>>         right=172.19.2.118
>>         rightsubnet=0.0.0.0/0
>>         rightcert=/etc/ipsec.d/certs/moonCert.pem
>>         rightauth=pubkey
>>         leftid="C=CN, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=CAROL, [email protected]"
>>         rightid="C=CN, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=MOON, [email protected]"
>>         auto=add
>>
>> Best Regards,
>> David

======================================================================
Andreas Steffen                                  [email protected]
strongSwan - the Linux VPN Solution!              www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
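The on-link check behind the answer at the top of this thread, as an added example that is not part of the mailing-list exchange: it decides whether a roadwarrior's virtual IP falls inside alice's own subnet (in which case alice resolves it by ARP instead of sending it to a gateway) and prints the route that forces the reply through moon. The function names are mine; the sample uses alice's 192.168.253.68/24, carol's virtual IP 192.168.253.89 and moon's inner address 192.168.253.98 from the scenario, plus a constructed virtual IP from the 192.168.252.0/24 subnet that Andreas recommends.

```shell
#!/bin/sh
# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Build the netmask integer for a prefix length (1..32).
prefix_to_mask() {
  echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# on_link ADDR IFADDR PLEN: succeed when ADDR lies inside IFADDR/PLEN,
# i.e. the host will ARP for it directly instead of using a gateway.
on_link() {
  mask=$(prefix_to_mask "$3")
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# route_fix IFADDR PLEN VIP GW: print the route alice needs so that
# ICMP replies addressed to the virtual IP VIP are sent to gateway GW.
route_fix() {
  if on_link "$3" "$1" "$2"; then
    # VIP is inside alice's own subnet: only a /32 host route beats ARP.
    echo "ip route add $3/32 via $4"
  else
    # VIP is in a separate subnet: a default route via moon is enough.
    echo "ip route add default via $4"
  fi
}

# Constructed sample values from the thread's test scenario.
route_fix 192.168.253.68 24 192.168.253.89 192.168.253.98
route_fix 192.168.253.68 24 192.168.252.89 192.168.253.98
```

Run it on alice with the real interface prefix length to see which of the two routes applies before adding it with `ip route add`.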
