> After further experiments (without TRACE yet though) the issue seems to
> always occur when rightsubnet=0.0.0.0/0. With same configuration in place:
>
> charon.install_routes=no

Not recommended to do that, unless you know what you're doing - which you probably don't.

>
> leftupdown script populating routing table and iptables chains:
>
> iptables -t nat -I POSTROUTING -d A,B -j SNAT --to-source $PLUTO_MY_SOURCEIP
> iptables -t nat -I POSTROUTING -o wan -m policy --dir out --pol ipsec -j ACCEPT
> ip route add A dev wan proto static scope global src $PLUTO_MY_SOURCEIP table 220
> ip route add B dev wan proto static scope global src $PLUTO_MY_SOURCEIP table 220
>
> switching between rightsubnet=0.0.0.0/0 and rightsubnet=A either results in
> hanging connections (occasionally) or works fine. Connection is always
> tested between C and A.

That's not surprising, considering it's a POLICY based VPN, not a ROUTE based one.
Just fix the MTU and MSS and it should work.

If you use rightsubnet=0.0.0.0/0, all the traffic will be tunneled (independent of the destination,
unless you have any passthrough policies that except traffic).

--
Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
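
A simplified model of the policy lookup described in the reply above, added here as an illustration (not code from the thread or from strongSwan). The addresses are constructed documentation ranges standing in for the local address, A and an unrelated destination, and the "most specific matching selector wins" rule is an assumption of the model.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    src: str     # local traffic selector (leftsubnet side)
    dst: str     # remote traffic selector (rightsubnet side)
    action: str  # "tunnel" or "pass" (passthrough)

def decide(policies, src_ip, dst_ip):
    """Return (action, policy name) for an outbound packet.

    Only the traffic selectors are consulted; the routing table plays no
    part. Assumption of this model: among matching policies, the one with
    the longest combined prefix wins; no match means "clear" (no IPsec).
    """
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    best = None
    for p in policies:
        sn = ipaddress.ip_network(p.src)
        dn = ipaddress.ip_network(p.dst)
        if s in sn and d in dn:
            score = sn.prefixlen + dn.prefixlen
            if best is None or score > best[0]:
                best = (score, p)
    if best is None:
        return ("clear", None)
    return (best[1].action, best[1].name)

# Constructed sample values: 10.9.0.5 is the local address,
# 192.0.2.0/24 plays the role of A, 203.0.113.7 is an unrelated host.
LOCAL = "10.9.0.5/32"
NARROW = [Policy("to-A", LOCAL, "192.0.2.0/24", "tunnel")]     # rightsubnet=A
WIDE = [Policy("to-any", LOCAL, "0.0.0.0/0", "tunnel")]        # rightsubnet=0.0.0.0/0
WIDE_PASS = WIDE + [Policy("lan-pass", LOCAL, "10.9.0.0/24", "pass")]

if __name__ == "__main__":
    for label, pols in (("narrow", NARROW), ("wide", WIDE), ("wide+pass", WIDE_PASS)):
        for dst in ("192.0.2.10", "203.0.113.7", "10.9.0.20"):
            print(f"{label:10} dst={dst:12} -> {decide(pols, '10.9.0.5', dst)}")
```
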
