Hello Noel,

Thanks for your quick answer.
FlexVPN uses either bare IPsec or GRE tunnels.

The cool thing is the auto-configuration functionalities: dynamic addressing and routing are managed by the server and passed to the client through IKEv2 messages. Clients may have the same configuration (DHCP for the underlay and VIPs for the overlay).

It looks like a road-warrior architecture, but with point-to-point interfaces on the server side, which are easier to manage (AAA and RADIUS integration, QoS, filtering, ...).

Until now I have only used bare IPsec encapsulation, but I will follow your advice and try to use GRE interfaces on top of the VIP.

Philippe


On 14/02/2020 at 16:06, Noel Kuntze wrote:
Hello Philippe,

I'm not using any Cisco gear or FlexVPN, but is it supposed to use bare IPsec, or is it a GRE tunnel wrapped in an IPsec tunnel?
If the latter is the case, just build a GRE tunnel with the local endpoint being the VIP; that should then work.
Otherwise (if it's supposed to be a bare IPsec tunnel) I propose asking the remote peer for logs and instructions on how exactly it is supposed to work.

Kind regards

Noel

On 14.02.20 at 14:50, Philippe JOUNIN wrote:
Hello,

I am trying to connect a Linux/strongSwan box to a Cisco router using
     - dynamic VTI with IKEv2 on the Cisco (aka FlexVPN)
     - route-based VPN on the Linux side, on a tunnel interface named ipsec0 which receives a dynamic virtual address

The IPsec tunnel is correctly established and the VIP address is correctly assigned by the Cisco, transferred by IKEv2 and assigned to the ipsec0 interface.
However, only the traffic sourced from the ipsec0 address is routed through the tunnel. All other traffic is filtered out with a "NoRoute" error before entering the tunnel.

As explained in the wiki page https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN, I have:
- enabled IP forwarding
- disabled the policy rules with sysctl -w net.ipv4.conf.ipsec0.disable_policy=1
- disabled the charon route processing.

If I use NAT to translate all outgoing traffic to the VIP address, everything is OK, but direct routing does not enter the tunnel.

I guess the trouble is that the local selector is the /32 VIP address instead of 0.0.0.0/0.
I have tried to set local_ts to 0/0, but it is overridden by the vips instruction.

Can you help me to understand what I have done wrong?
Thanks!


----
Configurations:
- Cisco configuration: https://pastebin.com/z8rjJ1hq
- strongSwan configuration (charon.conf and swanctl.conf): https://pastebin.com/WwjYb1uP
- tunnel creation and establishment: https://pastebin.com/GCgzzuXQ

Troubleshooting:
- logs and debug info: https://pastebin.com/j1nFUDa8
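
What Noel proposes and Philippe intends to try, as an added example that is not from this thread: a script that builds a GRE tunnel whose outer source is the VIP strongSwan put on ipsec0, so every packet routed into gre0 leaves with the /32 that the Cisco's local selector accepts, without NAT. The VIP, the Cisco-side address, the overlay addressing and the remote networks are constructed placeholders, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread: GRE over the virtual IP so that all
# overlay traffic leaves with the VIP/32 as its outer source address, which
# is the only local selector the Cisco installed. Addresses are placeholders.
set -eu

VIP="${VIP:-10.99.0.5}"                 # assumed: VIP the Cisco assigned to ipsec0
PEER_INNER="${PEER_INNER:-10.99.0.1}"   # assumed: Cisco-side address reachable via the tunnel
GRE_IF="${GRE_IF:-gre0}"
GRE_ADDR="${GRE_ADDR:-172.16.0.2/30}"   # assumed: point-to-point overlay addressing
REMOTE_NETS="${REMOTE_NETS:-10.10.0.0/16 10.20.0.0/16}"  # assumed: networks behind the Cisco

# Execute a command, or print it when DRY_RUN=1 (review or test without root).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

gre_over_vip_up() {
    # Outer GRE header: src = VIP (matches local_ts VIP/32), dst = Cisco address.
    # The GRE packet then enters the IPsec tunnel like traffic from ipsec0 itself.
    run ip tunnel add "$GRE_IF" mode gre local "$VIP" remote "$PEER_INNER" ttl 64
    run ip addr add "$GRE_ADDR" dev "$GRE_IF"
    run ip link set "$GRE_IF" up
    # Overlay routes point at the GRE interface, not at ipsec0, so any source
    # address on the box can be routed through without NAT.
    for net in $REMOTE_NETS; do
        run ip route replace "$net" dev "$GRE_IF"
    done
}

gre_over_vip_down() {
    run ip tunnel del "$GRE_IF"   # routes on the interface disappear with it
}

case "${1:-}" in
    up)   gre_over_vip_up ;;
    down) gre_over_vip_down ;;
esac
```

The Cisco-side GRE endpoint must lie inside the remote traffic selector of the CHILD_SA, and a matching GRE tunnel interface has to exist on the router.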
