Hi Mirko,

Thanks for the reply. Please see my reply inline [Sarat].
Regards,
Sarat

On Mon, Jul 25, 2016 at 6:39 PM, Mirko Parthey <[email protected]> wrote:
> On Mon, Jul 25, 2016 at 03:25:24PM +0530, Sarat Vajrapu wrote:
> > Hi Mirko,
> >
> > Thanks for the reply.
> > I created loopback interface on each gateway and below is the required info:
> > [...]
>
> Hi Sarat,
>
> Thank you for posting your configuration.
>
> Please take a look at this example:
> https://www.strongswan.org/testing/testresults/ikev2/net2net-psk/
> It could be a starting point for you to arrive at a working setup.
>
> But it may not work in your environment because you have an unusual
> network configuration, which we need to understand first.
> That's why I would like to ask you a few more questions.
>
> Where would the machine with IP address 10.1.1.1 be located in your
> diagram?

[Sarat]: This is not a publicly deployed network. I am trying to test the behavior in my local lab setup. 10.1.1.1 acts as a middle router.

> I don't see any public IP addresses on your gateways, how do they connect
> to the internet?

[Sarat]: This is only a lab setup.

> When a host on LAN1 communicates with the public internet in cleartext,
> is this traffic guaranteed to go through Gateway A?

[Sarat]: Ideally, GW_A would have the public IP address, and yes, all the traffic from LAN1 would go through Gateway A only.

> How about communication from LAN1 to LAN2, is it guaranteed to go through
> Gateway A?

[Sarat]: Yes

> Do these kinds of traffic enter and leave Gateway A through the same
> interface, br_if?

[Sarat]: Yes

> > LAN<> can have many subnets.
> Are there any routers between LAN1 and Gateway A,
> or between LAN2 and Gateway B?
> Can you provide examples of the IP address ranges used in LAN1 and LAN2?

[Sarat]: In my case, I really don't want to care about LAN IP addresses. I want all traffic going through GW_x to be encrypted/decrypted.
> Please provide the output of:
> # ip address show
> # ip route list
> for gateways A and B and for an example host each on LAN1 and LAN2.

[Sarat]:

GW_A:~# ip route list
default via 10.1.1.1 dev br_if
2.2.2.2 via 10.1.1.218 dev br_if proto static
10.1.1.0/24 dev br_if proto kernel scope link src 10.1.1.216
10.1.1.218 via 10.1.1.218 dev br_if proto static src 10.1.1.216

GW_B:~# ip route list
default via 10.1.1.1 dev br_if
1.1.1.1 via 10.1.1.216 dev br_if proto static
10.1.1.0/24 dev br_if proto kernel scope link src 10.1.1.218
10.1.1.216 via 10.1.1.216 dev br_if proto static src 10.1.1.218

Since this is a lab setup, I configured IP addresses for br_if and loopback only.

> > GW_A#ping -I 1.1.1.1 2.2.2.2
> > PING 2.2.2.2 (2.2.2.2) from 1.1.1.1 : 56(84) bytes of data.
> > 64 bytes from 2.2.2.2: icmp_seq=1 ttl=64 time=1.42 ms
> > 64 bytes from 2.2.2.2: icmp_seq=2 ttl=64 time=0.257 ms
> > 64 bytes from 2.2.2.2: icmp_seq=3 ttl=64 time=0.271 ms
>
> For testing your tunnel, please use hosts on LAN1 and LAN2 separate from
> your gateways.
> This ensures you test what you intended and not something else.

[Sarat]: I can give it a try but want to understand if the behavior would be different from the loopback setup. The traffic between loopbacks also goes from GW_A only.

> If you don't need the 1.1.1.1 and 2.2.2.2 addresses for other purposes,
> please remove them and restore your previous loopback config.

[Sarat]: This is only a lab setup.

> Regards,
> Mirko
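As an added illustration (example code, not part of the thread or of strongSwan), the following small longest-prefix-match resolver is run over the two route tables pasted above. It makes Mirko's question about the path concrete: from GW_A, 2.2.2.2 resolves to the static /32 via 10.1.1.218 on br_if, so the tunnel endpoints reach each other directly on the 10.1.1.0/24 segment and the "middle router" 10.1.1.1 is only used for the default route. The route text is a sample constructed from the output in the thread; 192.0.2.7 is a documentation-range address standing in for an internet host.

```python
import ipaddress

# Route tables copied from the thread's `ip route list` output (constructed sample input).
GW_A_ROUTES = """\
default via 10.1.1.1 dev br_if
2.2.2.2 via 10.1.1.218 dev br_if proto static
10.1.1.0/24 dev br_if proto kernel scope link src 10.1.1.216
10.1.1.218 via 10.1.1.218 dev br_if proto static src 10.1.1.216
"""
GW_B_ROUTES = """\
default via 10.1.1.1 dev br_if
1.1.1.1 via 10.1.1.216 dev br_if proto static
10.1.1.0/24 dev br_if proto kernel scope link src 10.1.1.218
10.1.1.216 via 10.1.1.216 dev br_if proto static src 10.1.1.218
"""

def parse_routes(text):
    """Turn `ip route list` lines into (network, via, dev) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dst, strict=False)   # bare host -> /32
        via = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((net, via, dev))
    return routes

def lookup(routes, dst):
    """Longest-prefix match as the kernel does it: the most specific route wins.
    Returns (prefix, next_hop, dev); on-link routes use dst itself as next hop."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, via, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    if best is None:
        return None
    net, via, dev = best
    return (str(net), via or dst, dev)

if __name__ == "__main__":
    gw_a = parse_routes(GW_A_ROUTES)
    for dst in ("2.2.2.2", "10.1.1.218", "192.0.2.7"):  # 192.0.2.7 stands in for an internet host
        prefix, hop, dev = lookup(gw_a, dst)
        print(f"{dst}: {prefix} via {hop} dev {dev}; through 10.1.1.1: {hop == '10.1.1.1'}")
```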
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
