So now it works ;-)

I have done the following steps:

1.) I have added your "conn" to my ipsec.conf.
    conn pass
      leftsubnet=172.16.0.16/29
      rightsubnet=172.16.0.16/29
      left=%defaultroute
      right=a.b.c.d
      type=passthrough
      authby=never
      auto=route

2.) I have added routing entries; see the console output under 
    http://www.strongswan.org/uml/testresults42/ikev1/passthrough/console.log
    ip rule add pref 50 table 50
    ip route add 172.16.0.16/29 via 172.16.0.17 table 50

Now when I start ipsec, the ping on the local network works!

Thanks!

regards
Andreas Ascheneller

-----Original Message-----
From: Daniel Mentz [mailto:danielml+mailinglists.strongs...@sent.com] 
Sent: Saturday, 4 July 2009 03:28
To: Andreas Ascheneller
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] Ipsec routing / policy when leftside is part of 
rideside network

Please refer to Andreas' mail which you can find on

https://lists.strongswan.org/pipermail/users/2007-June/001874.html

This e-mail describes a very similar problem. You probably have to add 
something like the following to your ipsec.conf:

conn pass
         leftsubnet=172.16.0.16/29
         rightsubnet=172.16.0.16/29
         left=%defaultroute
         right=a.b.c.d
         type=passthrough
         authby=never
         auto=route

Let us know if this solves your problem.
If the problem persists then please post your ipsec.conf and also the 
output of the following command:

ip xfrm policy

Btw: The problem is not located in the routing table but in the 
so-called Security Policy Database which determines which IP packets 
IPsec should be applied to. The connection description above adds an 
exception for local traffic.

-Daniel
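To make Daniel's point concrete (the decision happens in the Security Policy Database, not in the routing table, and the "conn pass" entry wins over the tunnel policy for the local /29), here is an added example that is not part of this thread and not strongSwan code. It parses a constructed sample of "ip xfrm policy" output, modelled on the addressing above, and replays the kernel's selection rule: every policy whose selector matches the packet is a candidate, and the one with the lowest priority value (ties broken by insertion order) is applied; a policy without a "tmpl" line means the packet leaves in plaintext. The gateway addresses 198.51.100.10 and 203.0.113.5 stand in for the unnamed a.b.c.d, and the priority numbers are illustrative; strongSwan installs the passthrough policy with higher precedence than the tunnel policy covering the same addresses, which is the only property the example relies on.

```python
"""Replay a Linux SPD (xfrm policy) lookup for packets from the 172.16.0.16/29 gateway.

Constructed example; not from the strongSwan mailing-list thread or the
strongSwan code base. The sample output, priorities and peer addresses are
made up to mirror the thread's addressing.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of what `ip xfrm policy` could print once both the
# tunnel conn (local /29 <-> whole /22) and `conn pass` are installed.
SAMPLE_XFRM_POLICY = """\
src 172.16.0.16/29 dst 172.16.0.0/22
\tdir out priority 2000 ptype main
\ttmpl src 198.51.100.10 dst 203.0.113.5
\t\tproto esp reqid 1 mode tunnel
src 172.16.0.0/22 dst 172.16.0.16/29
\tdir in priority 2000 ptype main
\ttmpl src 203.0.113.5 dst 198.51.100.10
\t\tproto esp reqid 1 mode tunnel
src 172.16.0.16/29 dst 172.16.0.16/29
\tdir out priority 1000 ptype main
src 172.16.0.16/29 dst 172.16.0.16/29
\tdir in priority 1000 ptype main
"""


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str = ""
    priority: int = 0
    # Peer address from the ESP template; None means no transform is applied,
    # which is what a type=passthrough conn installs.
    tmpl_dst: Optional[str] = None


def parse_xfrm_policy(text: str) -> List[Policy]:
    """Parse the subset of `ip xfrm policy` output used here into Policy records."""
    policies: List[Policy] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^src (\S+) dst (\S+)", line)
        if m:
            policies.append(Policy(ipaddress.ip_network(m.group(1)),
                                   ipaddress.ip_network(m.group(2))))
            continue
        if not policies:
            continue  # attribute line before any selector header; ignore
        cur = policies[-1]
        m = re.match(r"^dir (\w+) priority (\d+)", line)
        if m:
            cur.direction, cur.priority = m.group(1), int(m.group(2))
            continue
        m = re.match(r"^tmpl src (\S+) dst (\S+)", line)
        if m:
            cur.tmpl_dst = m.group(2)
    return policies


def lookup(policies: List[Policy], src: str, dst: str, direction: str) -> Optional[Policy]:
    """Return the policy the kernel applies: all matching selectors compete,
    lowest priority value wins, ties go to the earlier-installed policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best = None
    for idx, p in enumerate(policies):
        if p.direction == direction and s in p.src and d in p.dst:
            if best is None or (p.priority, idx) < best[:2]:
                best = (p.priority, idx, p)
    return best[2] if best else None


def decide(policies: List[Policy], src: str, dst: str, direction: str = "out") -> str:
    """Describe what happens to one packet under the given SPD."""
    p = lookup(policies, src, dst, direction)
    if p is None:
        return "plaintext (no policy)"
    if p.tmpl_dst is None:
        return "plaintext (passthrough)"
    return f"tunnel via {p.tmpl_dst}"


def without_passthrough(policies: List[Policy]) -> List[Policy]:
    """The SPD as it looks before `conn pass` is added: only tunnel policies."""
    return [p for p in policies if p.tmpl_dst is not None]


if __name__ == "__main__":
    spd = parse_xfrm_policy(SAMPLE_XFRM_POLICY)
    for dst in ("172.16.0.17", "172.16.0.5"):
        print(f"to {dst}: with conn pass -> {decide(spd, '172.16.0.18', dst)}; "
              f"without -> {decide(without_passthrough(spd), '172.16.0.18', dst)}")
```

Running it shows the symptom and the fix side by side: without the passthrough policy a ping to 172.16.0.17 matches only the /29 -> /22 tunnel selector and is sent through ESP, which is why local pings failed; with it, the more precise /29 -> /29 entry takes precedence and the packet stays on the LAN, while 172.16.0.5 in a sibling /29 is still tunnelled. Adding or changing entries in "ip route" never enters this decision.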


Andreas Ascheneller wrote:
> Hello!
> 
> I will create a VPN based on Strongswan. The IP-Range of the VPN is
> 172.16.0.0/22.
> Now I have separated this big IP range into smaller ranges with the netmask
> /29 like this:
> 
> 172.16.0.0/29 ==== Central VPN Gateway ==== 172.16.0.8/29
>                            ||
>                       172.16.0.16/29
> 
> and so on...
> 
> Now when I start the ipsec connection, Strongswan routes the local
> network packets through the ipsec tunnel.
> I think the problem is that the leftsubnet is a part of the rightsubnet.
> 
> Is there a way to do that with the routing table or so?
> 
> I use an analogous solution with openswan - that works.
> 
> 
> regards
> Andreas Ascheneller
> 

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users