[Swan] Cannot ping the other end

Paul Wouters paul at nohats.ca
Fri Jan 20 04:33:51 UTC 2017


On Thu, 19 Jan 2017, Xinwei Hong wrote:

> Thank you very much. After I enabled IP forwarding and added sourceip, things
> are working now. The send_redirects/accept_redirects settings do not seem to matter.
> Regarding sourceip, you mentioned.
> "Of course, if the IPsec server is just routing the entire /24 elsewhere,
> this does not apply."
> In my case, I do want to route the entire /24 to the remote side. Can you
> confirm that sourceip is required even in this case?

The sourceip is required only if you want the ipsec gateway itself
to talk to the remote subnet. Then it needs to be convinced to use
the internal instead of external ip. If you are just routing it to
another machine, then if you want to reach the remote subnet on
the ipsec server, you would need another tunnel definition from the
ipsec server itself to the remote subnet. So you would add it
without leftsubnet= so that it is a tunnel from "left" to "rightsubnet".

> Last time, when I set up VTI support, sourceip seemed not to be required.

Yes. With VTI, routes are used to determine what gets encrypted, and
a route for the remote subnet in the VTI interface causes the
encryption to happen. Of course, the tunnel policy still needs to
include the src/dst IP combo, but often VTI tunnels use subnets of
0.0.0.0/0 so anything routed into it will just work.

Paul
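The two policy-based cases Paul describes, written out as ipsec.conf conn definitions. This is an added example, not configuration from the thread or from the Libreswan project; the addresses (RFC 5737 documentation ranges) and conn names are assumed for illustration.

```conf
# Added example. Assumed topology, not from the thread:
#   left gateway  203.0.113.1, inside address 10.1.0.1 on 10.1.0.0/24
#   right gateway 198.51.100.1, fronting 10.2.0.0/24

# Case 1: the gateway owns an address inside leftsubnet.
# Without leftsourceip=, traffic the gateway itself sends to 10.2.0.0/24
# leaves with source 203.0.113.1, which is outside leftsubnet and so never
# matches the 10.1.0.0/24 <-> 10.2.0.0/24 policy. leftsourceip= makes the
# kernel route prefer 10.1.0.1 as the source for that destination.
conn net-to-net
    left=203.0.113.1
    leftsubnet=10.1.0.0/24
    leftsourceip=10.1.0.1
    right=198.51.100.1
    rightsubnet=10.2.0.0/24
    authby=secret
    auto=start

# Case 2: 10.1.0.0/24 is routed onward to another machine and the gateway
# holds no address in it. No sourceip can help here, so add a second conn
# with no leftsubnet= at all: the tunnel is then from "left" (the gateway's
# own 203.0.113.1) to rightsubnet.
conn gw-to-remote
    left=203.0.113.1
    right=198.51.100.1
    rightsubnet=10.2.0.0/24
    authby=secret
    auto=start
```

The peer needs matching definitions: one with its own subnet and rightsubnet=10.1.0.0/24, and for gw-to-remote one with no rightsubnet=, so that the selector on that side defaults to the 203.0.113.1 host. Forwarding (net.ipv4.ip_forward=1) is still needed on the gateway for the subnet traffic, as the thread already established.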

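The VTI variant Paul contrasts with the above, where routes rather than policy selectors decide what is encrypted. Added example, not from the thread or the Libreswan project; same assumed addresses as above, and the tunnel address 10.42.0.1/30, mark value and interface name are illustrative choices.

```conf
# Added example. Assumed addresses as in the policy-based example above.
conn vti-to-remote
    left=203.0.113.1
    right=198.51.100.1
    # The policy is deliberately 0.0.0.0/0 <-> 0.0.0.0/0: any src/dst
    # combination routed into the tunnel is covered by it.
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    authby=secret
    auto=start
    # mark= keeps the catch-all policy from grabbing all traffic: only
    # packets carrying this fwmark (set when they enter the vti device)
    # match the 0.0.0.0/0 policy.
    mark=5/0xffffffff
    vti-interface=vti01
    # vti-routing=no: pluto does not add routes for rightsubnet (here that
    # would be a default route); we add the remote subnet route ourselves.
    vti-routing=no
    # Address of the local end of the vti01 interface (assumed).
    leftvti=10.42.0.1/30
```

With this conn up, a plain `ip route add 10.2.0.0/24 dev vti01` is what causes traffic to 10.2.0.0/24 to be encrypted, including traffic originating on the gateway itself, which is why no sourceip was needed in the VTI setup: the gateway's packets are routed into vti01 like any other, and the 0.0.0.0/0 selectors accept whatever source address they carry. Forwarding still has to be enabled for transit traffic, and reverse-path filtering on the vti interface commonly needs relaxing (net.ipv4.conf.vti01.rp_filter=0) so replies arriving over it are not dropped.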
