Hello Philippe, I'm not using any Cisco gear or FlexVPN, but is it supposed to use bare IPsec, or a GRE tunnel wrapped in an IPsec tunnel? If the latter is the case, just build a GRE tunnel with the local endpoint being the VIP; that should then work. Otherwise (if it's supposed to be a bare IPsec tunnel) I propose asking the remote peer for logs and instructions on how exactly it is supposed to work.
Kind regards,
Noel

On 14.02.20 at 14:50, Philippe JOUNIN wrote:
> Hello,
>
> I am trying to connect a Linux/strongSwan box to a Cisco router using
> - dynamic VTI with IKEv2 on the Cisco (aka FlexVPN)
> - route-based VPN on the Linux side on a tunnel interface named ipsec0, which
>   receives a dynamic virtual address
>
> The IPsec tunnel is correctly established and the vips address is correctly
> assigned by the Cisco, transferred by IKEv2 and assigned to the ipsec0
> interface.
> However, only the traffic sourced by the ipsec0 address is routed through the
> tunnel. All other traffic is filtered out with a "NoRoute" error before
> entering the tunnel.
>
> As explained in the wiki page
> https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN, I have:
> - enabled IP forwarding
> - disabled the policy rules with sysctl -w
>   net.ipv4.conf.ipsec0.disable_policy=1
> - disabled the charon route processing.
>
> If I use NAT to translate all outgoing traffic to the VIP address, everything
> is OK, but direct routing does not enter the tunnel.
>
> I guess the trouble is that the local selector is the /32 vips address
> instead of 0.0.0.0/0.
> I have tried to set local_ts to 0/0, but it is overridden by the vips instruction.
>
> Can you help me to understand what I have done wrong?
> Thanks!
>
>
> ----
> Configurations:
> - Cisco configuration: https://pastebin.com/z8rjJ1hq
> - strongSwan configuration (charon.conf and swanctl.conf):
>   https://pastebin.com/WwjYb1uP
> - tunnel creation and establishment: https://pastebin.com/GCgzzuXQ
>
> Troubleshooting:
> - logs and debug info: https://pastebin.com/j1nFUDa8
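The two workarounds that come up in this exchange, written out as an added shell example (this is not code from either poster, nor strongSwan's own documentation). It assumes the IPsec SA's local selector is the assigned VIP/32 and that packets only enter the tunnel when their source address matches it. The addresses, the `ipsec0` interface name and the remote network are constructed placeholders; in particular the GRE remote endpoint is assumed to be the peer's tunnel-side address so that the GRE packets are themselves routed into the IPsec interface. `DRY_RUN=1` prints the plan instead of applying it, which is how to review it before touching a production box.

```shell
#!/bin/sh
# Added example, not from the original list thread.
# Problem being worked around: the IKEv2 CHILD_SA's local traffic selector is
# the virtual IP (VIP)/32, so forwarded traffic with another source address
# never matches the policy and is dropped before entering the tunnel.
VIP="${VIP:-192.0.2.10}"               # VIP assigned by the peer over IKEv2 (constructed)
GRE_REMOTE="${GRE_REMOTE:-192.0.2.1}"  # peer's tunnel-side address (constructed assumption)
REMOTE_NETS="${REMOTE_NETS:-10.10.0.0/16 10.20.0.0/16}"  # networks behind the peer (constructed)
IPSEC_IF="${IPSEC_IF:-ipsec0}"         # route-based tunnel interface, as in the post
GRE_IF="${GRE_IF:-gre1}"
DRY_RUN="${DRY_RUN:-0}"

# run: execute a command, or echo it when DRY_RUN=1 so the plan can be reviewed.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Workaround A (Noel's suggestion): GRE over IPsec with the VIP as local endpoint.
# Every forwarded packet is encapsulated in GRE sourced from the VIP, so the
# outer packet matches the VIP/32 selector regardless of the inner source.
gre_over_ipsec() {
    run ip tunnel add "$GRE_IF" mode gre local "$VIP" remote "$GRE_REMOTE" ttl 64
    run ip link set "$GRE_IF" up
    # GRE packets toward the peer must themselves be sent via the IPsec interface.
    run ip route add "$GRE_REMOTE/32" dev "$IPSEC_IF"
    for net in $REMOTE_NETS; do
        run ip route add "$net" dev "$GRE_IF"
    done
}

# Workaround B (what the original poster reports as working): SNAT forwarded
# traffic leaving through ipsec0 to the VIP so the source matches the selector.
# Downside: the peer only ever sees the VIP, so per-host return routing is lost.
snat_to_vip() {
    run sysctl -w net.ipv4.ip_forward=1
    for net in $REMOTE_NETS; do
        run iptables -t nat -A POSTROUTING -o "$IPSEC_IF" -d "$net" \
            -j SNAT --to-source "$VIP"
    done
}

# Quick check: does a forwarded packet from an inner host actually resolve to
# the tunnel path? Returns 0 when the kernel's chosen route uses the given device.
route_uses_dev() {
    dst="$1"; dev="$2"
    ip route get "$dst" 2>/dev/null | grep -q " dev $dev "
}

case "${1:-}" in
    gre)  gre_over_ipsec ;;
    snat) snat_to_vip ;;
    "")   ;;   # no argument: only define the functions (e.g. when sourced)
    *)    echo "usage: $0 gre|snat" >&2; exit 2 ;;
esac
```

Use `DRY_RUN=1 sh tunnel-fix.sh gre` to see the exact commands first. Workaround A keeps the real inner source addresses visible to the peer, which matters for logging and access control on the far side; workaround B hides them behind the VIP, which is why it "just works" but is the weaker option for auditing.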