Hello,

I'm having trouble routing packets between two servers on different subnets 
connected via an ipsec tunnel established using strongSwan VPN. There is also a 
firewall configured on each server.

In addition to the public ip interface used to connect the two servers, each 
server also acts as a secure gateway to a private network behind it. When the 
two servers are on the same subnet, I'm able to ping the private network of the 
remote server. However, when the two servers are on different subnets, I cannot 
ping the remote private subnets - pinging the public ip of the remote server 
works fine. Note, however, that the ipsec tunnel comes up fine.

When running traceroute with a remote private ip address, it looks like the 
packets are getting routed through the server's local gateway and timing out 
looking for the private ip address on the remote subnet (it does not appear 
that the firewall is dropping any packets). When the firewall is disabled, 
everything works fine. I'm speculating that either ipsec is not encapsulating 
the packets correctly (or not at all) when the firewall is up or that the 
firewall is modifying the packets (nat?). I'm currently using strongSwan 4.2.17 
with ikev2 (which I understand does not require any manual config for nat-t). 
Here's an example of the local ipsec.conf assuming that 168.1.1.10 is the local 
server ip and 168.1.2.10 is the remote server ip:

conn net-net
   type=tunnel
   keyexchange=ikev2
   left=%defaultroute
   leftsubnet=1.2.2.32/27,1.2.3.32/27
   leftcert=hostCert.pem
   right=168.1.2.10
   rightsubnet=1.2.2.64/27,1.2.3.64/27
   rightid="C=US, ST=FL, O=ABC, OU=DEF, CN=fred, e=f...@abc.com"
   ike=3des-sha256-modp2048
   esp=aes256-sha256
   auto=start


1.2.2.32/27 --                                                           -- 1.2.2.64/27
               168.1.1.10 -- gateway:168.1.1.2 --- gateway:168.1.2.2 -- 168.1.2.10
1.2.3.32/37 --                                                           -- 1.2.3.64/27

I'm not sure if this is a firewall or ipsec configuration issue but everything 
works fine when the servers are on the same subnet.

Any help will be greatly appreciated. 

Thanks

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
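An added check for the nat possibility raised in the message above (not part of the original post or of strongSwan): on a policy-based Linux IPsec setup, nat/POSTROUTING runs before the xfrm policy lookup, so a MASQUERADE rule that rewrites the private source address makes the packet miss the leftsubnet policy and leave in the clear through the default gateway, which is exactly what the traceroute shows. The script scans `iptables-save` output for that ordering problem; the rulesets are constructed samples and assume an iptables firewall with eth0 as the public and eth1 as the private interface.

```shell
# Constructed sample of `iptables-save` output for the gateway: everything
# leaving the public interface is masqueraded, with no IPsec exemption.
SAMPLE_BAD='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT'

# Same ruleset with the fix applied: packets that an IPsec policy will
# encapsulate are accepted in nat/POSTROUTING before MASQUERADE can rewrite
# their source address, and FORWARD lets tunnelled traffic through both ways.
# On a live host the equivalent commands are (assumed iptables, eth0 public):
#   iptables -t nat -I POSTROUTING 1 -m policy --dir out --pol ipsec -j ACCEPT
#   iptables -I FORWARD 1 -m policy --dir in  --pol ipsec -j ACCEPT
#   iptables -I FORWARD 1 -m policy --dir out --pol ipsec -j ACCEPT
SAMPLE_FIXED='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT'

# check_nat_exempt: reads iptables-save text on stdin and prints "ok" when
# every MASQUERADE/SNAT rule in nat/POSTROUTING is preceded by an IPsec
# policy exemption (or there is no source NAT at all), "missing" otherwise.
check_nat_exempt() {
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /^-A POSTROUTING/ {
            if ($0 ~ /-m policy --dir out --pol ipsec -j ACCEPT/) exempt = 1
            if ($0 ~ /-j (MASQUERADE|SNAT)/ && !exempt) bad = 1
        }
        END { print (bad ? "missing" : "ok") }
    '
}

# Run against a real gateway with:  iptables-save | check_nat_exempt
printf '%s\n' "$SAMPLE_BAD"   | check_nat_exempt   # missing
printf '%s\n' "$SAMPLE_FIXED" | check_nat_exempt   # ok
```

If the check reports "missing", insert the policy exemption above the MASQUERADE rule and retry the ping to the remote private subnet; the tunnel itself does not need to be restarted for the change to take effect.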
