Hi Tobias,

Thanks for your nice reply. I will get back to you with further doubts on this.
Regards,
Saravanan N

On Mon, Apr 16, 2012 at 2:50 PM, Tobias Brunner <[email protected]> wrote:
> Hi Saravanan,
>
> > I have established a VPN tunnel between GW and VPN server using
> > Strongswan.
>
> Is the tunnel between those two hosts intended as host-host tunnel or as
> host-net tunnel? What did you configure for left|rightsubnet?
>
> If your SPD entries are any indication it seems you configured
> rightsubnet=0.0.0.0/0 on GW. That is, you end up with this outbound
> IPsec policy:
>
> > 50.1.1.239[any] 0.0.0.0/0[any] any
> > out prio high + 1073739901 ipsec
> > ...
>
> Which means that any packet leaving the host with a source address of
> 50.1.1.239 will be sent into this tunnel.
> Now you'd assume that this won't apply for a ping sent from
> 172.31.114.230 to 172.31.114.231, but if you are using IKEv2 a source
> route is installed which will force 50.1.1.239 as source for any packets
> sent from GW (i.e. also for the ICMP replies). This route is installed
> in routing table 220 by default (which is created with a priority of
> 220). The table and/or priority can be changed with the
> charon.routing_table and charon.routing_table_prio strongswan.conf
> options, respectively (or with the respective ./configure arguments).
> To prevent the daemon from installing these routes altogether you can
> set charon.install_routes=no in strongswan.conf.
>
> Regards,
> Tobias
>
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
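An added diagnostic, not part of the thread or of strongSwan's own tooling, that applies Tobias's explanation: given `ip rule show` and `ip route show table 220` output, it checks whether the priority-220 rule and the source route in that table account for packets leaving GW with source 50.1.1.239, and prints the strongswan.conf remedy he names. The sample output is constructed; the gateway address 172.31.114.1 and the interface name eth0 are assumptions.

```shell
#!/bin/sh
# Added diagnostic (not from the thread or strongSwan): decide, from
# `ip rule show` and `ip route show table 220` output, whether charon's
# IKEv2 source route is what forces 50.1.1.239 onto packets leaving GW.

# Constructed sample output modelled on the GW in the thread; the gateway
# address 172.31.114.1 and the interface name eth0 are assumptions.
SAMPLE_RULES='0:      from all lookup local
220:    from all lookup 220
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_TABLE_220='default via 172.31.114.1 dev eth0 proto static src 50.1.1.239'

# $1 = rule priority, $2 = `ip rule show` text.
# Prints the table the rule with that priority looks up; nothing if absent.
rule_table_for_prio() {
    printf '%s\n' "$2" | awk -v p="$1" -F'[: ]+' '
        $1 == p { for (i = 1; i <= NF; i++) if ($i == "lookup") print $(i + 1) }'
}

# $1 = destination as iproute2 prints it ("default" for 0.0.0.0/0),
# $2 = route table text. Prints the "src" hint of the matching route.
forced_src() {
    printf '%s\n' "$2" | awk -v dst="$1" '
        $1 == dst { for (i = 1; i <= NF; i++) if ($i == "src") print $(i + 1) }'
}

# $1 = the unexpected source address seen on the wire (50.1.1.239 here).
# Succeeds when the priority-220 rule points at a table whose default route
# carries that address as "src": the symptom Tobias describes.
source_route_forces() {
    tbl=$(rule_table_for_prio 220 "$SAMPLE_RULES")
    [ -n "$tbl" ] || return 1
    [ "$(forced_src default "$SAMPLE_TABLE_220")" = "$1" ]
}

# The strongswan.conf remedy from the thread, printed for the operator.
remedy_hint() {
    printf 'charon {\n    install_routes = no\n}\n'
}

if source_route_forces 50.1.1.239; then
    echo "rule 220 -> table 220 source route explains source 50.1.1.239"
    remedy_hint
fi
```

With install_routes = no, charon installs no routes at all, so any routes the tunnel needs must then be maintained by the operator.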
