Hi,
I'm using strongswan-4.6.4-1.el6.i686 on CentOS 6.3. The system is working as a dedicated VPN gateway for IKEv1 and IKEv2. Everything is working just fine as long as the VPN client is coming from the internal network. But when the VPN client is not from the local network, the traffic is not forwarded. The VPN gateway has an internal IP 192.168.16.45 and an external IP like XXX.XXX.94.199. So when the client comes from the network 192.168.170.x, and not from 192.168.16.x, nothing happens. And yes, IP forwarding is activated in the kernel. And yes, the 170.x packets arrive on the internal interface of the VPN gateway. And no ESP packets leave the external interface when they arrive, so I'm sure the problem is on our side.
Here are some configs and strongswan whack messages:
conn system_bb_test
    left=XXX.XXX.94.199
    leftsubnet=192.168.170.0/24
    #leftsubnet=192.168.16.0/24 it works with this
    leftnexthop=XXX.XXX.94.193
    leftid=XXX.XXX.94.199
    #leftauth=psk
    right=XXX.XXX.151.196
    rightsubnet=XXX.XXX.20.0/24
    #rightnexthop=XXX.XXX.151.193
    rightid=XXX.XXX.151.196
    #rightauth=psk
    authby=psk
    auto=start
    keyexchange=ikev1
    ikelifetime=28800s
    keylife=3600s
    ike=3des-sha1-modp1024
    esp=3des-sha1
    pfs=no
strongswan whack --statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.6.4):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:500
000 interface eth1/eth1 XXX.XXX.94.199:500
000 interface eth0/eth0 192.168.16.45:500
000 %myid = '%any'
000 loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pkcs8 pgp dnskey pem gmp hmac xauth attr kernel-netlink resolve
000 debug options: raw+crypt+parsing+emitting+control+lifecycle+kernel+dns+natt+oppo+controlmore
000
000 "system_bb_test": 192.168.170.0/24===XXX.XXX.94.199[XXX.XXX.94.199]---XXX.XXX.94.193...XXX.XXX.151.196[XXX.XXX.151.196]===XXX.XXX.20.0/24; erouted; eroute owner: #10
000 "system_bb_test": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "system_bb_test": policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,24; interface: eth1;
000 "system_bb_test": newest ISAKMP SA: #9; newest IPsec SA: #10;
000 "system_bb_test": IKE proposal: 3DES_CBC/HMAC_SHA1/MODP_1024
000 "system_bb_test": ESP proposal: 3DES_CBC/HMAC_SHA1/<N/A>
000 #10: "system_bb_test" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2716s; newest IPSEC; eroute owner
000 #10: "system_bb_test" [email protected] (0 bytes) [email protected] (0 bytes); tunnel
000 #9: "system_bb_test" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 27841s; newest ISAKMP
It looks to me as if the tunnel is up and everything is fine.
Any suggestions or hints to test are welcome.
kind regards
fatcharly
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
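Two checks a gateway admin would want to run on a case like the one above, as an added example that is not part of the thread: whether the installed policy selector (parsed from the poster's own `erouted` statusall line) actually covers a given src/dst pair, and whether strict reverse-path filtering would silently drop a 192.168.170.x packet that arrives on eth0. The masked XXX.XXX octets are replaced by documentation prefixes and the routing table is constructed; the rp_filter angle is a hypothesis to test, not something the thread confirms.

```python
import ipaddress

# Constructed sample: the "erouted" line from the poster's `strongswan whack --statusall`,
# with the masked XXX.XXX octets replaced by documentation prefixes (203.0.113 / 198.51.100).
STATUS_LINE = ('000 "system_bb_test": 192.168.170.0/24===203.0.113.199[203.0.113.199]---'
               '203.0.113.193...198.51.100.196[198.51.100.196]===198.51.100.0/24; '
               'erouted; eroute owner: #10')

# Constructed routing table: default route out eth1 (public side), the 192.168.16.0/24
# LAN directly on eth0, and deliberately NO route for 192.168.170.0/24 (the hypothesis).
ROUTES = [('0.0.0.0/0', 'eth1'), ('192.168.16.0/24', 'eth0')]


def parse_eroute(line):
    """Return (leftsubnet, rightsubnet) from a pluto statusall connection line.

    The line looks like  <left>===<gw>[id]---<nexthop>...<peer>[id]===<right>; ...
    so splitting on '===' isolates both selectors.
    """
    left_part, _, right_part = line.split('===')
    left = ipaddress.ip_network(left_part.split()[-1])
    right = ipaddress.ip_network(right_part.split(';')[0])
    return left, right


def is_tunneled(src, dst, left, right):
    """A forwarded packet is only grabbed by the IPsec policy if the src/dst pair
    falls inside BOTH selectors; the policy is a pair, not two independent routes."""
    return ipaddress.ip_address(src) in left and ipaddress.ip_address(dst) in right


def reverse_path_iface(src, routes):
    """Longest-prefix match: the interface the kernel would use to reach `src`."""
    src = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(p), i) for p, i in routes
               if src in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def passes_rp_filter(src, arriving_iface, routes):
    """Strict reverse-path filtering (net.ipv4.conf.*.rp_filter=1) drops a packet whose
    source would not be routed back out the interface it came in on. tcpdump captures
    before this check runs, so 'the packets arrive on eth0' does not rule it out."""
    return reverse_path_iface(src, routes) == arriving_iface


if __name__ == '__main__':
    left, right = parse_eroute(STATUS_LINE)
    print('selector covers 192.168.170.10:', is_tunneled('192.168.170.10', '198.51.100.5', left, right))
    print('selector covers 192.168.16.10: ', is_tunneled('192.168.16.10', '198.51.100.5', left, right))
    print('rp_filter passes 170.10 on eth0:', passes_rp_filter('192.168.170.10', 'eth0', ROUTES))
    print('with a 192.168.170.0/24 route on eth0:',
          passes_rp_filter('192.168.170.10', 'eth0', ROUTES + [('192.168.170.0/24', 'eth0')]))
```

On the real gateway the same two questions are answered by `ip xfrm policy` (selector coverage) and `ip route get <src>` plus `sysctl net.ipv4.conf.eth0.rp_filter` (reverse path).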
