
I'm trying to implement a strongSwan site-to-site tunnel between myself and a third-party vendor. The tunnel establishes fine between me and the vendor; however, I am wondering whether this is the correct way of doing this.

When I attempt to telnet to a specific host/port on the remote end, I don't see any traffic hit the tunnel, and my counters don't increase. I think I may just need a suggestion or two on how to diagnose this.

I have two hosts that I control, 1.1.1.1 and 1.1.1.2 (on the same subnet, both with external IPs). There's no NAT involved.

1.1.1.1 is my strongswan server

1.1.1.2 is sending the interesting traffic. It has a static route for 5.5.5.5/27 that points to 1.1.1.1.

5.5.5.5/27 is the third party

My strongswan server:

# cat /etc/sysctl.conf | grep forward
# Controls IP packet forwarding
net.ipv4.ip_forward = 1

# /etc/ipsec.conf on the strongSwan gateway (1.1.1.1).
# This is a policy-based tunnel: only packets matching the
# leftsubnet<->rightsubnet selectors are protected; anything else
# leaves the gateway in the clear.
config setup
    # strictcrlpolicy=yes
    # uniqueids = no

# Settings inherited by every conn below.
conn %default
    ikelifetime=1440m             # IKE (phase 1) SA lifetime
    keylife=60m                   # IPsec (phase 2) SA lifetime
    rekeymargin=3m                # begin rekeying this long before expiry
    keyingtries=1                 # a single negotiation attempt, no retries
    keyexchange=ikev1             # IKEv1; IKEv2 is preferred where the peer supports it
    authby=secret                 # pre-shared key, looked up in ipsec.secrets

conn vendor
    left=1.1.1.1                  #strongswan outside address
    leftsubnet=1.1.1.2/32         #network behind strongswan
                                  # NOTE(review): 1.1.1.2 sits on the same
                                  # external subnet as this gateway and reaches
                                  # it only through its static route; forwarded
                                  # packets must arrive with src 1.1.1.2 to
                                  # match the 'dir out' xfrm policy — confirm
    leftid=1.1.1.1                #IKEID sent by strongswan
    right=5.5.5.5                 #IOS outside address
    rightsubnet=5.5.5.5/27        #network behind IOS
                                  # NOTE(review): 5.5.5.5 is not on a /27
                                  # boundary (5.5.5.0/27 would be) and the peer
                                  # address itself falls inside the protected
                                  # range — confirm the vendor's actual subnet
    rightid=5.5.5.5               #IKEID sent by IOS
    auto=add                      # loaded at startup but not initiated; the
                                  # tunnel comes up via 'ipsec up vendor' or
                                  # when the peer initiates
    ike=3des-sha1-modp1024            #P1 — 3DES, SHA-1 and 1024-bit MODP are all
                                      # considered weak today; prefer e.g.
                                      # aes256-sha256-modp2048 if the vendor
                                      # device supports it
    esp=3des-sha1                     #P2 — same caveat; prefer e.g. aes256-sha256

and my server (1.1.1.2) that is sending the traffic:

# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
5.5.5.5          1.1.1.1     255.255.255.224 UG        0 0          0 eth0

IP

# ip xfrm policy
src 5.5.5.5/27 dst 1.1.1.2/32
dir fwd priority 2839 ptype main
tmpl src 5.5.5.5 dst 1.1.1.1
    proto esp reqid 1 mode tunnel
src 5.5.5.5/27 dst 1.1.1.2/32
dir in priority 2839 ptype main
tmpl src 5.5.5.5 dst 1.1.1.1
    proto esp reqid 1 mode tunnel
src 1.1.1.2/32 dst 5.5.5.5/27
dir out priority 2839 ptype main
tmpl src 1.1.1.1 dst 5.5.5.5
    proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0 ptype main
src ::/0 dst ::/0
dir 3 priority 0 ptype main
src ::/0 dst ::/0
dir 4 priority 0 ptype main
src ::/0 dst ::/0
dir 3 priority 0 ptype main
src ::/0 dst ::/0
dir 4 priority 0 ptype main
  • Please [avoid using IP addresses which belong to others](http://meta.serverfault.com/q/963/126632). – Michael Hampton Nov 24 '14 at 23:07
  • Do you use telnet on your server or the VPN gateway? How do you check if traffic hits the tunnel? What counters are you referring to? – ecdsa Nov 25 '14 at 09:41
