[Swan] Cannot ping the other end

Xinwei Hong xhong at skytap.com
Fri Jan 20 06:28:15 UTC 2017


Thank you so much. I just double checked, and I got all the expected results, as
you mentioned here. It all makes sense now.

Thanks,
Xinwei

On Thu, Jan 19, 2017 at 8:33 PM, Paul Wouters <paul at nohats.ca> wrote:

> On Thu, 19 Jan 2017, Xinwei Hong wrote:
>
>> Thank you very much. After I enabled IP forwarding and added sourceip, things
>> are working now. send_redirects/accept_redirects does not seem to
>> matter.
>> Regarding sourceip, you mentioned:
>> "Of course, if the IPsec server is just routing the entire /24 elsewhere,
>> this does not apply."
>> In my case, I do want to route the entire /24 to the remote. Can you confirm
>> that sourceip is required even in this case?
>>
>
> The sourceip is required only if you want the ipsec gateway itself
> to talk to the remote subnet. Then it needs to be convinced to use
> the internal instead of the external ip. If you are just routing it to
> another machine, then if you want to reach the remote subnet on
> the ipsec server, you would need another tunnel definition from the
> ipsec server itself to the remote subnet. So you would add it
> without leftsubnet= so that it is a tunnel from "left" to "rightsubnet".
>
>> Last time, when I set up VTI support, sourceip did not seem to be required.
>>
>
> Yes. With VTI, routes are used to determine what gets encrypted, and
> a route for the remote subnet in the VTI interface causes the
> encryption to happen. Of course, the tunnel policy still needs to
> include the src/dst IP combo, but often VTI tunnels use subnets of
> 0.0.0.0/0 so anything routed into it will just work.
>
> Paul
>
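The two set-ups Paul describes, written out as an added libreswan ipsec.conf example (not configuration from either poster): a net-to-net conn that routes the whole /24, a second conn without leftsubnet= so the gateway itself can reach the remote subnet, and a VTI conn with 0.0.0.0/0 subnets where routes decide what gets encrypted. All addresses and the conn names are constructed placeholders.

```ini
# Constructed example. Assumes a gateway with external IP 203.0.113.10 and
# internal IP 192.168.1.1, a peer at 198.51.100.20, and a remote LAN 10.0.0.0/24.
# The kernel must forward between the LAN and the tunnel: net.ipv4.ip_forward=1.

# 1) Policy-based net-to-net: traffic from the local /24 to the remote /24 is
#    encrypted. The gateway's own traffic does not match this policy, so from
#    the gateway itself the remote subnet is unreachable through this conn.
conn lan-to-remote
    left=203.0.113.10
    leftsubnet=192.168.1.0/24
    right=198.51.100.20
    rightsubnet=10.0.0.0/24
    authby=secret
    auto=start

# 2) Same peer, no leftsubnet=: the gateway host ("left") is the local end.
#    leftsourceip makes the gateway source its packets from the internal
#    address, so they match what the remote side expects from the local LAN.
conn gw-to-remote
    left=203.0.113.10
    leftsourceip=192.168.1.1
    right=198.51.100.20
    rightsubnet=10.0.0.0/24
    authby=secret
    auto=start

# 3) Route-based alternative with a VTI interface: the policy covers 0.0.0.0/0
#    on both ends, and whatever is routed into vti01 is encrypted. With
#    vti-routing=no the operator adds the route by hand, for example:
#        ip route add 10.0.0.0/24 dev vti01
#    No leftsourceip is needed; the leftvti address is used as the source.
conn remote-vti
    left=203.0.113.10
    leftsubnet=0.0.0.0/0
    leftvti=10.255.0.1/30
    right=198.51.100.20
    rightsubnet=0.0.0.0/0
    mark=5/0xffffffff
    vti-interface=vti01
    vti-routing=no
    authby=secret
    auto=start
```

Conns 1 and 2 overlap in peer and rightsubnet but differ in the local selector, so both can be up at once; conn 3 is an alternative to the pair, not an addition to it.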