Hi Tica,
Hi strongSwan core developers,

I just tried this kind of set up and it worked for me (although the 
setup was a bit tricky).

Could you please provide us with more information regarding your setup? 
Please post the following file:

ipsec.conf

Post the output of the following commands as well:

ip xfrm policy

ip route show table 0

A network diagram would be useful as well.

There's one question I would like to ask people on this list, including 
the strongSwan core developers: I'm trying to set up a road warrior to 
pass all traffic (0.0.0.0/0) through the VPN tunnel. Only local traffic 
should be excluded. I'm using

http://www.strongswan.org/uml/testresults43/ikev1/passthrough/

as a basis.
In my setup the virtual IP address of the rw used inside the tunnel is 
different from the physical IP address in the local subnet.

strongSwan inserts routing entries in the table 220.

0.0.0.0/1 via 192.168.10.2 dev eth0  src 10.33.44.1
128.0.0.0/1 via 192.168.10.2 dev eth0  src 10.33.44.1

10.33.44.1 is the virtual IP address inside the tunnel. Linux chooses 
this IP address as the source address for *local* traffic, too. But it 
shouldn't do that in my setup. I need Linux to choose 192.168.10.78 as 
the source address for *local* traffic because that's the IP address of 
the interface.

Routing table 220 has higher priority than the routing table "main". 
Because of that the routing table entry

128.0.0.0/1 via 192.168.10.2 dev eth0  src 10.33.44.1

takes precedence over the correct routing table entry in table "main" 
for local traffic.

What I ended up doing was duplicating the routing table entry for local 
traffic and inserting it into table 220:

192.168.10.0/24 dev eth0  scope link
0.0.0.0/1 via 192.168.10.2 dev eth0  src 10.33.44.1
128.0.0.0/1 via 192.168.10.2 dev eth0  src 10.33.44.1

Does anybody know of a more elegant way to do that?

For the sake of completeness, here's the data of the local NIC:

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast 
state UP qlen 1000
     inet 192.168.10.78/24 brd 192.168.10.255 scope global eth0
     inet 10.33.44.1/32 scope global eth0


Thanks & Regards
  Daniel

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

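Added example (not part of Daniel's message or of the strongSwan project): a small Python model of the policy-routing lookup that produces the behaviour described above. Linux walks the routing tables in "ip rule" priority order and takes the first table that yields a match; longest-prefix matching only happens *within* a table, which is why table 220's 128.0.0.0/1 route (with its "src 10.33.44.1" hint) beats the /24 link route in "main" for local destinations, and why copying the link route into table 220 restores 192.168.10.78 as the source. The model goes one step beyond the post: it also shows a "throw" route in table 220, which makes the kernel fall through to the next table without duplicating main's entry. Assumptions: the default route in "main" (via 192.168.10.1) is invented for completeness, and the source-address selection for routes without a "src" hint is simplified to "first address on the outgoing device whose subnet contains the next hop".

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Addresses on the road warrior's eth0 as posted: the physical LAN address
# plus the virtual IP that strongSwan installed on the same interface.
INTERFACE_ADDRS = {
    "eth0": [ipaddress.ip_interface("192.168.10.78/24"),
             ipaddress.ip_interface("10.33.44.1/32")],
}


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[ipaddress.IPv4Address] = None   # None = directly connected
    src: Optional[ipaddress.IPv4Address] = None   # explicit "src" hint
    throw: bool = False                            # "throw": fall through to next table


def route(spec: str) -> Route:
    """Parse one line in 'ip route' syntax, e.g.
    '128.0.0.0/1 via 192.168.10.2 dev eth0 src 10.33.44.1'."""
    words = spec.split()
    throw = words[0] == "throw"
    if throw:
        words = words[1:]
    prefix = ipaddress.ip_network("0.0.0.0/0" if words[0] == "default" else words[0])
    opts = dict(zip(words[1::2], words[2::2]))      # via/dev/src/scope pairs
    return Route(
        prefix=prefix,
        dev=opts.get("dev", ""),
        via=ipaddress.ip_address(opts["via"]) if "via" in opts else None,
        src=ipaddress.ip_address(opts["src"]) if "src" in opts else None,
        throw=throw,
    )


def longest_match(routes, dst):
    """Longest-prefix match inside ONE table (this never spans tables)."""
    candidates = [r for r in routes if dst in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def preferred_source(r, dst):
    """Source address for a route without a 'src' hint. Simplified model
    (assumption): first address on the outgoing device whose subnet contains
    the next hop, otherwise the first address on that device."""
    nexthop = r.via if r.via is not None else dst
    addrs = INTERFACE_ADDRS.get(r.dev, [])
    for a in addrs:
        if nexthop in a.network:
            return a.ip
    return addrs[0].ip if addrs else None


def lookup(tables, dst):
    """Policy routing: consult tables in 'ip rule' priority order (strongSwan's
    rule for table 220 sorts before main). The first table with a matching,
    non-throw route answers; a 'throw' match skips to the next table."""
    dst = ipaddress.ip_address(dst)
    for name, routes in tables:
        r = longest_match(routes, dst)
        if r is None or r.throw:
            continue
        src = r.src if r.src is not None else preferred_source(r, dst)
        return name, r, src
    raise LookupError(f"no route to {dst}")


# Table "main": the link route from the post plus an assumed LAN default gateway.
MAIN = [
    route("192.168.10.0/24 dev eth0 scope link"),
    route("default via 192.168.10.1 dev eth0"),   # assumed, not shown in the post
]

# Table 220 exactly as strongSwan installed it (from the post).
TABLE_220_AS_INSTALLED = [
    route("0.0.0.0/1 via 192.168.10.2 dev eth0 src 10.33.44.1"),
    route("128.0.0.0/1 via 192.168.10.2 dev eth0 src 10.33.44.1"),
]

# Daniel's workaround: duplicate main's link route into table 220.
TABLE_220_WITH_LINK_ROUTE = [route("192.168.10.0/24 dev eth0 scope link")] + TABLE_220_AS_INSTALLED

# Generalisation beyond the post: a throw route hands the local subnet back to main.
TABLE_220_WITH_THROW = [route("throw 192.168.10.0/24")] + TABLE_220_AS_INSTALLED


def source_for(dst, table_220):
    """Return (table that answered, source address used) for a destination."""
    name, _r, src = lookup([("220", table_220), ("main", MAIN)], dst)
    return name, str(src)


if __name__ == "__main__":
    for label, t in [("as installed", TABLE_220_AS_INSTALLED),
                     ("with link route", TABLE_220_WITH_LINK_ROUTE),
                     ("with throw", TABLE_220_WITH_THROW)]:
        print(f"{label:16} LAN  -> {source_for('192.168.10.5', t)}")
        print(f"{label:16} VPN  -> {source_for('8.8.8.8', t)}")
```

Running it prints the table that answered and the chosen source for a LAN host (192.168.10.5, constructed) and an Internet host: with table 220 as installed, both get 10.33.44.1; with either the duplicated link route or the throw route, LAN traffic goes out with 192.168.10.78 while remote traffic still enters the tunnel with the virtual IP. On a real host the equivalent check is `ip route get 192.168.10.5`, whose `src` field should show the physical address.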