Hi,

The only allowed source address in your tunnel is your VIP address received from the Cisco device (172.30.0.16/32).

If you need to allow access from network 10.216.1.0/30 then SNAT it at the POSTROUTING chain to your VIP address:

    iptables -t nat -I POSTROUTING -s 10.216.1.0/30 -j SNAT --to-source 172.30.0.16

On Fri, Feb 14, 2020 at 9:50 AM Philippe JOUNIN <[email protected]> wrote:
> Hello,
>
> I am trying to connect a Linux/Strongswan box to a Cisco router using
> - dynamic VTI with IKEv2 on the Cisco (aka flexVPN)
> - route-based VPN on the Linux on a tunnel interface named ipsec0
> which receives a dynamic virtual address
>
> The ipsec tunnel is correctly established and the vips address is
> correctly assigned by the Cisco, transferred by IKEv2 and assigned to the
> ipsec0 interface.
> However only the traffic sourced by the ipsec0 address is routed through
> the tunnel. All other traffic is filtered out with a "NoRoute" error before
> entering the tunnel.
>
> As explained in the wiki page
> https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN, I
> have:
> - enabled ip forwarding
> - disabled the policy rules with sysctl -w
> net.ipv4.conf.ipsec0.disable_policy=1
> - disabled the charon route processing.
>
> If I use NAT to translate all outgoing traffic to the VIP address,
> everything is OK, but direct routing does not enter the tunnel.
>
> I guess the trouble is that the local selector is the /32 vips address
> instead of 0.0.0.0/0.
> I have tried to set local_ts to 0/0, but it is overridden by the vips
> instruction.
>
> Can you help me understand what I have done wrong?
> Thanks!
>
>
> ----
> configurations:
> - Cisco configuration: https://pastebin.com/z8rjJ1hq
> - Strongswan configuration (charon.conf and swanctl.conf):
> https://pastebin.com/WwjYb1uP
> - tunnel creation and establishment: https://pastebin.com/GCgzzuXQ
>
> troubleshooting:
> - logs and debug info: https://pastebin.com/j1nFUDa8
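Added example, not from the thread or from strongSwan: a small Python model of the outbound policy lookup the reply describes, showing why packets sourced from 10.216.1.0/30 are dropped with NoRoute while the same packets SNATed to the VIP enter the tunnel. The remote address 192.168.50.10 is an assumed placeholder for a host behind the Cisco.

```python
import ipaddress

# Constructed values taken from the thread: the VIP assigned by the Cisco
# (strongSwan narrows local_ts to this /32 "vips" address) and the LAN behind
# the Linux box. 192.168.50.0/24 is an assumed placeholder for the far side.
VIP = "172.30.0.16"
LOCAL_TS = ipaddress.ip_network("172.30.0.16/32")
REMOTE_TS = ipaddress.ip_network("0.0.0.0/0")
LAN = ipaddress.ip_network("10.216.1.0/30")


def matches_policy(src, dst, local_ts=LOCAL_TS, remote_ts=REMOTE_TS):
    """Model of the outbound IPsec policy match: a packet is protected by the
    SA only if its source lies in local_ts and its destination in remote_ts."""
    return (ipaddress.ip_address(src) in local_ts
            and ipaddress.ip_address(dst) in remote_ts)


def postrouting_snat(src, match_net=LAN, to_source=VIP):
    """Model of `iptables -t nat -I POSTROUTING -s <match_net> -j SNAT
    --to-source <vip>`: only packets from match_net get their source rewritten."""
    if ipaddress.ip_address(src) in match_net:
        return to_source
    return src


def send(src, dst, snat=False):
    """Return ("tunnel", effective_src) when the packet enters the SA, or
    ("noroute", effective_src) when the policy rejects it, which is the
    NoRoute error the thread describes. SNAT runs before the policy lookup."""
    effective_src = postrouting_snat(src) if snat else src
    if matches_policy(effective_src, dst):
        return ("tunnel", effective_src)
    return ("noroute", effective_src)


if __name__ == "__main__":
    # Traffic from the VIP itself always matches; LAN traffic matches only
    # once the SNAT rule has rewritten its source to the VIP.
    for src in ("172.30.0.16", "10.216.1.1"):
        for snat in (False, True):
            print(src, "snat" if snat else "direct", send(src, "192.168.50.10", snat))
```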
