Hi all :) 

I'm having trouble setting up a simple ipsec connection with overlapping
networks and a passthrough connection. Therefore my question is whether there is
some open bug at the moment that prevents this from working.

My configuration: 
ipsec.conf (Client): 

config setup
        charonstart=yes

conn Router3
        keyexchange=ikev2
        right=185.48.118.115
        rightid=@serverside
        rightsubnet=10.1.0.0/16
        left=%any
        leftsubnet=10.1.13.0/24
        leftid=@router
        auto=start
        authby=secret
        ikelifetime=323s
        keylife=771s
        rekeymargin=151s
        keyingtries=1
        leftfirewall=yes
        mobike=no

conn passthrough
        rightsubnet=10.1.13.0/24
        leftsubnet=10.1.13.0/24
        type=pass
        auto=route
        authby=never   # makes no difference whether this line is present or not

ipsec.conf (Server side) 

config setup
        # strictcrlpolicy=yes
        # uniqueids = no
        charonstart=yes
        plutostart=no

conn %default
        keyexchange=ikev2
        left=185.48.118.115
        leftid=@serverside
        leftsubnet=10.1.0.0/16
        right=%any
        auto=add
        authby=secret
        ikelifetime=41s
        keylife=89s
        rekeymargin=21s
        mobike=no
        esp=aes128-sha1-modp2048

conn Router3
        rightsubnet=10.1.13.0/24
        rightid=@router
        ikelifetime=323s
        keylife=771s
        rekeymargin=151s
        leftfirewall=yes

The connection will be set up, but the clients behind the router in the subnet
10.1.13.0/24 cannot connect to the router and therefore also cannot connect
to the other network. I also played around with leftsourceip for the client and
lefthostaccess, but neither changed the situation.

Here is the output of ipsec statusall:

Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-39-generic, x86_64):
  uptime: 22 minutes, since Sep 02 22:08:00 2015
  malloc: sbrk 2433024, mmap 0, used 418432, free 2014592
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 242
  loaded plugins: charon addrblock aes attr ccm cmac constraints ctr eap-identity gcm md4 openssl pkcs12 pkcs7 pkcs8 rc2 resolve test-vectors xcbc sha1 sha2 md5 pem pkcs1 random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
Listening IP addresses:
  192.168.1.162
  10.1.13.1
  192.168.3.1
Connections:
     Router3:  %any...185.48.118.115  IKEv2
     Router3:   local:  [router] uses pre-shared key authentication
     Router3:   remote: [serverside] uses pre-shared key authentication
     Router3:   child:  10.1.13.0/24 === 10.1.0.0/16 TUNNEL
 passthrough:  %any...%any  IKEv2
 passthrough:   local:  uses public key authentication
 passthrough:   remote: uses public key authentication
 passthrough:   child:  10.1.13.0/24 === 10.1.13.0/24 PASS
Shunted Connections:
 passthrough:  10.1.13.0/24 === 10.1.13.0/24 PASS
Security Associations (1 up, 0 connecting):
     Router3[733]: ESTABLISHED 9 seconds ago, 192.168.1.162[router]...185.48.118.115[serverside]
     Router3[733]: IKEv2 SPIs: 05ffa0afc04432df_i* 5d4055a12121b030_r, pre-shared key reauthentication in 7 seconds
     Router3[733]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
     Router3{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c9b05f98_i c1028cf3_o
     Router3{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 8 minutes
     Router3{1}:   10.1.13.0/24 === 10.1.0.0/16


If I compare that to the output from the test examples
(https://www.strongswan.org/uml/testresults4/ikev2/shunt-policies/index.html and
https://www.strongswan.org/uml/testresults5/ikev2/shunt-policies-nat-rw/index.html)
they look nearly the same. But I actually cannot figure out why I cannot
connect to 10.1.13.1.

So is there a bug around, or am I overlooking something in my configuration?

Thanks in advance! 

Kind regards
Christian 
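Added example, not part of Christian's post and not strongSwan code: a small Python model of the two child policies the posted client-side ipsec.conf installs. It parses that config (embedded below as a constructed string), reports that the Router3 tunnel selectors (10.1.13.0/24 === 10.1.0.0/16) fully overlap the passthrough shunt (10.1.13.0/24 === 10.1.13.0/24), and then shows which policy a given flow hits in each direction. The ranking rule is an assumption of this model (most specific selector pair wins, pass beats tunnel on a tie), chosen to mirror the documented intent of shunt policies; it is not strongSwan's actual kernel priority arithmetic, so confirm on a live box with `ip xfrm policy`. The function and variable names are this example's own.

```python
"""Model which strongSwan child policy a flow would hit (added example)."""
import ipaddress
from dataclasses import dataclass

# Constructed: the client-side ipsec.conf from the post, trimmed to the keys
# this model uses (other keys are parsed and ignored).
CLIENT_IPSEC_CONF = """\
config setup
        charonstart=yes

conn Router3
        keyexchange=ikev2
        right=185.48.118.115
        rightsubnet=10.1.0.0/16
        left=%any
        leftsubnet=10.1.13.0/24
        auto=start

conn passthrough
        rightsubnet=10.1.13.0/24
        leftsubnet=10.1.13.0/24
        type=pass
        auto=route
        authby=never
"""


@dataclass(frozen=True)
class Policy:
    name: str
    local: ipaddress.IPv4Network   # leftsubnet, as seen from this host
    remote: ipaddress.IPv4Network  # rightsubnet
    kind: str                      # "tunnel" (default) or "pass"

    def matches(self, src, dst, direction="out"):
        # Outbound policy selects local -> remote; inbound selects remote -> local.
        a, b = (self.local, self.remote) if direction == "out" else (self.remote, self.local)
        return src in a and dst in b

    def rank(self):
        # ASSUMED ordering (lower sorts first): most specific selector pair
        # first, then pass before tunnel. Not strongSwan's real formula.
        specificity = self.local.prefixlen + self.remote.prefixlen
        return (-specificity, 0 if self.kind == "pass" else 1)


def parse_conns(text):
    """Minimal ipsec.conf reader: {conn_name: {key: value}}; 'config setup' is skipped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                      # section header
            parts = line.split()
            current = parts[1] if parts[0] == "conn" and len(parts) > 1 else None
            if current is not None:
                conns.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        conns[current][key] = value
    return conns


def policies_from_conf(text):
    """One Policy per conn that defines both subnets (%default is not merged in)."""
    out = []
    for name, kv in parse_conns(text).items():
        if name == "%default" or "leftsubnet" not in kv or "rightsubnet" not in kv:
            continue
        out.append(Policy(name,
                          ipaddress.ip_network(kv["leftsubnet"], strict=False),
                          ipaddress.ip_network(kv["rightsubnet"], strict=False),
                          kv.get("type", "tunnel").lower()))
    return out


def overlapping_pairs(policies):
    """Pairs whose selector pairs intersect; the kernel needs a clear winner for these."""
    return [(a.name, b.name)
            for i, a in enumerate(policies) for b in policies[i + 1:]
            if a.local.overlaps(b.local) and a.remote.overlaps(b.remote)]


def select_policy(policies, src, dst, direction="out"):
    """Best-ranked policy matching src -> dst, or None (plain routing, no IPsec)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies if p.matches(s, d, direction)]
    return min(hits, key=Policy.rank) if hits else None


def classify(policies, src, dst, direction="out"):
    p = select_policy(policies, src, dst, direction)
    return "none" if p is None else f"{p.kind}:{p.name}"


if __name__ == "__main__":
    pols = policies_from_conf(CLIENT_IPSEC_CONF)
    print("overlapping policies:", overlapping_pairs(pols))
    for src, dst, dirn in [("10.1.13.5", "10.1.13.1", "in"),   # LAN host -> router itself
                           ("10.1.13.5", "10.1.20.9", "out"),  # LAN host -> far side
                           ("10.1.13.5", "8.8.8.8", "out")]:   # internet, no policy
        print(f"{dirn:>3} {src} -> {dst}: {classify(pols, src, dst, dirn)}")
    no_shunt = [p for p in pols if p.name != "passthrough"]
    print("without the shunt, LAN -> router:", classify(no_shunt, "10.1.13.5", "10.1.13.1", "in"))
```

The last line of the demo is the interesting one: with the passthrough conn removed, a plaintext packet from 10.1.13.5 to the router's own 10.1.13.1 matches the inbound side of the Router3 tunnel policy (source in 10.1.0.0/16, destination in 10.1.13.0/24), so the kernel would expect it to arrive as ESP; the shunt exists precisely to carve that local traffic out of the wider /16.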

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users