Hello, I'm having trouble routing packets between two servers on different subnets connected via an ipsec tunnel established using strongSwan VPN. There is also a firewall configured on each server.
In addition to the public ip interface used to connect the two servers, each server also acts as a secure gateway to a private network behind it. When the two servers are on the same subnet, I'm able to ping the private network of the remote server. However, when the two servers are on different subnets, I cannot ping the remote private subnets - pinging the public ip of the remote server works fine. Note that the ipsec tunnel comes up fine however. When running traceroute with a remote private ip address, it looks like the packets are getting routed through the server's local gateway and timing out looking for the private ip address on the remote subnet (it does not appear that the firewall is dropping any packets). When the firewall is disabled, everything works fine.

I'm speculating that either ipsec is not encapsulating the packets correctly (or not at all) when the firewall is up or that the firewall is modifying the packets (nat?). I'm currently using strongSwan 4.2.17 with ikev2 (which I understand does not require any manual config for nat-t).

Here's an example of the local ipsec.conf assuming that 168.1.1.10 is the local server ip and 168.1.2.10 is the remote server ip:

    conn net-net
        type=tunnel
        keyexchange=ikev2
        left=%defaultroute
        leftsubnet=1.2.2.32/27,1.2.3.32/27
        leftcert=hostCert.pem
        right=168.1.2.10
        rightsubnet=1.2.2.64/27,1.2.3.64/27
        rightid="C=US, ST=FL, O=ABC, OU=DEF, CN=fred, e=f...@abc.com"
        ike=3des-sha256-modp2048
        esp=aes256-sha256
        auto=start

    1.2.2.32/27 --                                                        -- 1.2.2.64/27
                   168.1.1.10 -- gateway:168.1.1.2 --- gateway:168.1.2.2 -- 168.1.2.10
    1.2.3.32/37 --                                                        -- 1.2.3.64/27

I'm not sure if this is a firewall or ipsec configuration issue but everything works fine when the servers are on the same subnet. Any help will be greatly appreciated.

Thanks

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
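The post only speculates that the firewall may be NAT-ing the traffic, so the following is an added illustration (editor's example, not code from the poster or from strongSwan) of the check that speculation calls for. On Linux, a packet from the private LAN is run through the nat POSTROUTING chain and the IPsec (xfrm) policy is evaluated against the packet as it looks after SNAT; if a MASQUERADE rule rewrites the source to the public address, the packet no longer matches the leftsubnet/rightsubnet selectors of `conn net-net`, so it is routed in clear towards the default gateway, which is what a traceroute to a remote private address would show. The exemption rule `iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT` ahead of the MASQUERADE rule is the usual strongSwan recommendation for that. The model below uses the subnets and addresses from the post; the two rulesets, the host addresses and the interface-free rule matching are constructed for this example.

```python
# Added example (not from the post): models how a POSTROUTING MASQUERADE rule
# can make traffic bypass a policy-based strongSwan tunnel. Subnets and
# addresses are the ones given in the post; the firewall rules are hypothetical.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Callable, List, Tuple

LOCAL_PUBLIC_IP = ip_address("168.1.1.10")      # local server (from the post)
DEFAULT_GATEWAY = ip_address("168.1.1.2")       # local gateway (from the post)
REMOTE_PEER = ip_address("168.1.2.10")          # remote server (from the post)
LEFT_SUBNETS = [ip_network("1.2.2.32/27"), ip_network("1.2.3.32/27")]    # leftsubnet=
RIGHT_SUBNETS = [ip_network("1.2.2.64/27"), ip_network("1.2.3.64/27")]  # rightsubnet=


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


def in_any(addr: IPv4Address, nets: List[IPv4Network]) -> bool:
    return any(addr in n for n in nets)


def matches_ipsec_policy(pkt: Packet) -> bool:
    """The 'out' xfrm policy strongSwan installs for conn net-net:
    src in leftsubnet AND dst in rightsubnet."""
    return in_any(pkt.src, LEFT_SUBNETS) and in_any(pkt.dst, RIGHT_SUBNETS)


# A nat POSTROUTING chain: first matching rule wins. Only the two targets
# that matter here are modelled; the -o <iface> match is not modelled.
NatRule = Tuple[Callable[[Packet], bool], str]


def apply_postrouting_nat(pkt: Packet, chain: List[NatRule]) -> Packet:
    for match, target in chain:
        if match(pkt):
            if target == "MASQUERADE":
                return Packet(LOCAL_PUBLIC_IP, pkt.dst)   # source rewritten to egress IP
            if target == "ACCEPT":
                return pkt                                # leave the chain, untouched
    return pkt


def route_outgoing(pkt: Packet, chain: List[NatRule]) -> Tuple[str, Packet]:
    """Decide what happens to a packet leaving the gateway.
    The xfrm policy lookup is (re)done after SNAT, so the post-NAT packet is
    what gets compared with the tunnel selectors."""
    after_nat = apply_postrouting_nat(pkt, chain)
    if matches_ipsec_policy(after_nat):
        return ("esp", after_nat)          # encapsulated, sent to REMOTE_PEER
    return ("plaintext", after_nat)        # ordinary routing via DEFAULT_GATEWAY


# Hypothetical rulesets (constructed for this example).
# 1) iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
NAIVE_CHAIN: List[NatRule] = [(lambda p: True, "MASQUERADE")]
# 2) iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
#    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
FIXED_CHAIN: List[NatRule] = [(matches_ipsec_policy, "ACCEPT"),
                              (lambda p: True, "MASQUERADE")]


def describe(src: str, dst: str, chain: List[NatRule]) -> str:
    path, pkt = route_outgoing(Packet(ip_address(src), ip_address(dst)), chain)
    via = REMOTE_PEER if path == "esp" else DEFAULT_GATEWAY
    return f"{src} -> {dst}: {path} (src on the wire {pkt.src}, next hop {via})"


if __name__ == "__main__":
    # Constructed hosts: one in the local leftsubnet, one in the remote
    # rightsubnet, and one on the public Internet (documentation range).
    lan_host, remote_host, internet_host = "1.2.2.40", "1.2.2.70", "203.0.113.5"
    for name, chain in (("naive", NAIVE_CHAIN), ("fixed", FIXED_CHAIN)):
        print(f"[{name} NAT chain]")
        print(" ", describe(lan_host, remote_host, chain))
        print(" ", describe(lan_host, internet_host, chain))
```

With the naive chain the LAN-to-remote packet leaves with source 168.1.1.10 in clear towards 168.1.1.2; with the policy exemption in front of MASQUERADE it keeps its 1.2.2.x source and is encapsulated to 168.1.2.10, while traffic to the Internet host is still masqueraded. On the real gateway the equivalent check is `iptables -t nat -L POSTROUTING -v -n` to see whether a MASQUERADE/SNAT rule precedes any IPsec exemption, and `ip xfrm policy` to confirm the selectors match the untranslated addresses.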