Difficult to say. It doesn't seem like it's the strongSwan config but more the routing/firewall/whatever config of your hosts (gateway A in particular). Maybe some type of NAT?
I am setting up a site-to-site tunnel between two LANs (LAN A: 192.168.0.0/24 and LAN B: 192.168.2.0/24) as per the following example: https://www.strongswan.org/testing/testresults/ikev2/net2net-cert/
I am using the latest pw-strongswan Docker release. (However, the issue remains the same with non-PQC strongSwan with
I have set up gateways for these LANs on two Ubuntu 20.04 computers, say Gateway-A and Gateway-B (with IPs 192.168.0.1 and 192.168.2.1 respectively, used as the gateways for the above LANs). I have connected Gateway A and B in another LAN with IPs 192.168.47.198 and 192.168.47.199 respectively.
I am able to set up the tunnel between these two LANs, and the SA status shows INSTALLED.
When I send a ping (or access the web server in LAN B) from any device in LAN A or from Gateway A to any device in LAN B or to Gateway B, no ESP packets are seen in the Wireshark captures on either gateway. Only plain protocol packets are seen in Wireshark.
But when I send a ping (or access the web server in LAN A) from any device in LAN B or from Gateway B to any device in LAN A or to Gateway A, ESP packets are seen in the Wireshark captures on both gateways.
However, a communication link is established between these two LANs in both directions, i.e. any device in LAN A can access any device in LAN B and vice versa, when the tunnel is established. And this communication link is lost when the IPsec tunnel is terminated (as expected).
The only remaining issue is that traffic is encrypted for LAN B devices but not for LAN A devices, as mentioned before.
What is wrong with my configuration?
I am attaching config files and logs for more details:
swanctl.conf_gatewayA.txt
swanctl.conf_gatewayB.txt
strongswan.conf.txt
docker-compose.yml_gatewayA.txt
docker-compose.yml_gatewayB.txt
gatewayA_log.txt
Added routes:
on Gateway A:
192.168.47.0/24 dev enxac15a2985d7e proto kernel scope link src 192.168.47.198 metric 101
and the reverse route on Gateway B.
iptables on both gateways have the FORWARD chain default policy set to ACCEPT.
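The NAT hypothesis raised in the reply can be checked mechanically rather than by staring at captures. The script below is an added example, not code from the post or from strongSwan: it parses constructed `ip xfrm policy` and `iptables-save -t nat` output for gateway A and flags any MASQUERADE/SNAT rule that covers the tunnel's source selector (192.168.0.0/24 -> 192.168.2.0/24) without an earlier `-m policy --dir out --pol ipsec -j ACCEPT` exemption, which is the form strongSwan's documentation recommends for gateways that also NAT their LAN. The policy priority and the NAT rule itself are assumed; only the subnets, peer addresses and interface name come from the post.

```python
import ipaddress
import re

# Constructed sample of `ip xfrm policy` on gateway A (not from the post).
XFRM_POLICY = """\
src 192.168.0.0/24 dst 192.168.2.0/24
    dir out priority 375423 ptype main
    tmpl src 192.168.47.198 dst 192.168.47.199
        proto esp reqid 1 mode tunnel
"""
# Constructed `iptables-save -t nat` on gateway A: a plain MASQUERADE for the LAN.
NAT_RULES = "*nat\n-A POSTROUTING -s 192.168.0.0/24 -o enxac15a2985d7e -j MASQUERADE\nCOMMIT\n"
# Same rules with the IPsec exemption strongSwan's docs recommend inserted first.
NAT_RULES_FIXED = "-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT\n" + NAT_RULES

def parse_out_policies(text):
    """Return (src, dst) selectors of every 'dir out' xfrm policy."""
    out, cur = [], None
    for line in text.splitlines():
        m = re.match(r"src (\S+) dst (\S+)", line.strip())
        if m:
            cur = (ipaddress.ip_network(m[1]), ipaddress.ip_network(m[2]))
        elif cur and line.strip().startswith("dir out"):
            out.append(cur)
    return out

def parse_postrouting(text):
    """Return POSTROUTING rules as (src net or None, target, ipsec match, pol-none match)."""
    rules = []
    for line in text.splitlines():
        if line.startswith("-A POSTROUTING"):
            src = re.search(r"-s (\S+)", line)
            tgt = re.search(r"-j (\S+)", line)
            rules.append((ipaddress.ip_network(src[1]) if src else None, tgt[1],
                          "--pol ipsec" in line, "--pol none" in line))
    return rules

def nat_conflicts(policy_text, nat_text):
    """Flag SNAT/MASQUERADE rules that cover a tunnel source selector with no earlier IPsec exemption."""
    findings = []
    for src, dst in parse_out_policies(policy_text):
        exempt = False
        for net, target, ipsec, none in parse_postrouting(nat_text):
            covers = net is None or net.overlaps(src)
            if covers and ipsec and target == "ACCEPT":
                exempt = True  # IPsec-bound traffic leaves the chain before any NAT target
            elif covers and target in ("MASQUERADE", "SNAT") and not (none or exempt):
                findings.append(f"{src} -> {dst}: {target} on -s {net} is not exempted")
    return findings
```

Run `nat_conflicts(XFRM_POLICY, NAT_RULES)` to see the unexempted rule reported, and the same call with `NAT_RULES_FIXED` to see it return an empty list; on a real gateway, feed it the live output of the two commands instead of the constructed strings.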