[Swan] ipsec SA's up, no traffic routed?
Paul Wouters
paul at nohats.ca
Tue May 10 15:45:12 UTC 2016
On Tue, 10 May 2016, Frank wrote:
> I’m trying to set up an IPsec connection from a recent CentOS 7 box to a pfSense with strongSwan (charon), as a test before connecting to a remote Cisco ASA.
> SAs seem up.
>
> I can't get traffic to the other side (host on 192.168.211.2 or .12):
>
> 192.168.1.0/24===xxx.xxx.39.68<xxx.xxx.39.68>...yyy.yyy.13.34<yyy.yyy.13.34>===192.168.211.0/24
>
> ping 192.168.211.2
> PING 192.168.211.2 (192.168.211.2) 56(84) bytes of data.
> From xxx.xxx.39.68 icmp_seq=1 Destination Host Unreachable
Oddly, this used your public IP as source, instead of the one you
specified with leftsourceip=192.168.1.2.
Does ping -I 192.168.1.2 192.168.211.2 work?
> ip route:
> default via xxx.xxx.39.78 dev eth4
> 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.2
> 192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.2
> 192.168.3.0/24 dev eth3 proto kernel scope link src 192.168.3.2
> 192.168.211.0/24 dev eth4 scope link src 192.168.1.2
It's there, so why is ping using the wrong source IP?
Paul
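The question above comes down to which source address the kernel selects for 192.168.211.0/24, since a packet leaving with the public address will not match the IPsec policy for 192.168.1.0/24 and so never gets protected. The following is an added example, not code from the thread or from the libreswan/strongSwan projects: a small shell helper that extracts the `src` field from `ip route get` output and compares it with the configured leftsourceip. The sample outputs are constructed from the thread's addresses; the `uid`/`cache` suffix is what modern kernels print and is assumed here, and the `xxx.xxx` notation is kept as the thread's placeholder for the public address.

```shell
# Added example (not from the thread). Live use on the CentOS host:
#   check_src 192.168.1.2 "$(ip route get 192.168.211.2)"
# and, if it reports a mismatch, compare the policy selectors with:
#   ip xfrm policy

# Extract the kernel-selected source address from `ip route get` output.
# Only the first line carries the "src" field; later lines are cache details.
route_src() {
    printf '%s\n' "$1" | sed -n 's/.* src \([^ ]*\).*/\1/p' | head -n 1
}

# Compare the selected source with the expected leftsourceip.
# Prints "ok", "mismatch:<actual>" or "no-src" so it can be used in scripts.
check_src() {
    expected="$1"
    actual="$(route_src "$2")"
    if [ -z "$actual" ]; then
        echo "no-src"
    elif [ "$actual" = "$expected" ]; then
        echo "ok"
    else
        echo "mismatch:$actual"
    fi
}

# Constructed: what `ip route get 192.168.211.2` should print when the
# "192.168.211.0/24 dev eth4 scope link src 192.168.1.2" route is honoured.
SAMPLE_GOOD='192.168.211.2 dev eth4 src 192.168.1.2 uid 0
    cache'

# Constructed: the failure seen in the thread, where the packet is sourced
# from the public eth4 address and therefore cannot match the IPsec policy.
SAMPLE_BAD='192.168.211.2 via xxx.xxx.39.78 dev eth4 src xxx.xxx.39.68 uid 0
    cache'

check_src 192.168.1.2 "$SAMPLE_GOOD"   # ok
check_src 192.168.1.2 "$SAMPLE_BAD"    # mismatch:xxx.xxx.39.68
```

A "mismatch" result means the kernel is not using the route's `src` hint (or another, more specific route wins), so the traffic is sent with an address outside the tunnel's left subnet and is either dropped or leaves unprotected; `ping -I 192.168.1.2`, as suggested above, forces the intended source and separates a routing problem from an IPsec policy problem.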