
I have a strongSwan IPsec configuration which used to work and I do not know what changed, but my gateway machine (responder) doesn't create a route to the initiator (the initiator gets IP 172.13.14.2).

I can create a static route to the 172.13.14.0/24 net every time I reestablish a connection, but I want to know how I can fix this.

The responder (gateway) config:

connections {
    ch_vti0 {
        send_cert = always
        encap = yes
        pools = pools_users
        #aggressive = yes
        local {
            round = 1
            id = 10.3.218.62
            auth = pubkey
            certs = xxxxxxxxxxxserver.pem
        }
        remote {
            auth = pubkey
            id = %any
            certs = xxxxxxxxxxxxxclient.pem, xxxxxxxxxxxxtester.pem
        }
        children {
            ch_vti0 {
                local_ts = 192.168.122.2/24
                remote_ts = dynamic
                inactivity = 1800s
                mode = tunnel
                esp_proposals = aes256-sha1-modp1536, aes256-sha1-modp4096, aes256-sha1-ecp384
            }
        }
        version = 0
        proposals = aes192-sha512-modp1024, aes192-sha512-ecp256bp, aes192-sha512-ecp384bp
    }
}
pools {
    pools_users {
        addrs = 172.13.14.2/24
    }
}
secrets {
    xauth-ucpe {
        id = test1
        secret = password
    }
    xauth-tester {
        id = test2
        secret = password
    }
    ike-sec {
        id = %any
        secret = test
    }
    ike-local {
        id = 10.3.218.62
        secret = test
    }
}

As far as I know the responder creates a route using the configuration it has received from the pools { addrs }, but it no longer works. I'm using strongSwan swanctl 5.6.2.

What is my configuration missing, so that no route is created? Any suggestions are welcome.

Kostadin Krushkov
  • How do you check it? Strongswan uses a separate routing table (220 by default). So you should use `ip route list table 220` to check it. – Anton Danilov Sep 30 '19 at 07:10
  • The ipsec table 220 is empty. I have checked `route -n` and `ipsec show table all`. No route is added. – Kostadin Krushkov Sep 30 '19 at 07:15
  • Maybe you disabled route installation (_charon.install_routes_ in strongswan.conf), or there is some other issue that prevents the route installation (read the log). – ecdsa Sep 30 '19 at 10:41
  • Yes. That was the problem, I don't know how it got changed. Thank you very much. – Kostadin Krushkov Sep 30 '19 at 11:24
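The comments above resolve the question as charon.install_routes being disabled in strongswan.conf. As an added example (not part of the original thread, and not strongSwan's own code), here is a small parser for strongswan.conf's nested `section { key = value }` syntax that reports the effective value of that setting (default yes) and flips an explicit `no` back to `yes`; the SAMPLE_CONF text is constructed for the demo.

```python
"""Check whether a strongswan.conf disables kernel route installation."""
import re

# Constructed sample reproducing the failure mode from the thread:
# charon.install_routes = no, so no route to the pool is ever installed.
SAMPLE_CONF = """
charon {
    load_modular = yes
    # routes were disabled at some point
    install_routes = no
    plugins {
        include strongswan.d/charon/*.conf
    }
}
"""

def parse_conf(text):
    """Parse strongswan.conf syntax into nested dicts (include lines are skipped)."""
    root, stack, cur = {}, [], {}
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line or line.startswith("include "):
            continue
        if line.endswith("{"):                # open a nested section
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif line == "}":                     # close the current section
            cur = stack.pop()
        elif "=" in line:                     # key = value assignment
            key, val = (p.strip() for p in line.split("=", 1))
            cur[key] = val
    return root

def install_routes_enabled(text):
    """Return True unless charon.install_routes is explicitly set to no/false/0."""
    conf = parse_conf(text)
    val = conf.get("charon", {}).get("install_routes", "yes")  # strongSwan default: yes
    return val.lower() not in ("no", "false", "0")

def fixed_conf(text):
    """Return the config text with an explicit 'install_routes = no' set to yes."""
    return re.sub(r"(install_routes\s*=\s*)no\b", r"\1yes", text)

if __name__ == "__main__":
    print("routes installed:", install_routes_enabled(SAMPLE_CONF))
    print("after fix:", install_routes_enabled(fixed_conf(SAMPLE_CONF)))
```

After correcting the file, verify on the gateway with `ip route list table 220` once a client has connected, as suggested in the comments.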
