[Swan] Use of nexthop setting

Tuomo Soini tis at foobar.fi
Sat Oct 24 09:10:34 UTC 2020


On Tue, 22 Sep 2020 23:47:56 +0000
"Scott A. Wozny" <sawozny at hotmail.com> wrote:

> In my testing setup I have a pair of VPN systems, each with a
> VPNExternal interface (ens8), a VPNInternal (ens9) interface and a
> management interface (eth0) which is the default gateway for each
> machine. Each machine is connected to a test firewall and those
> firewalls are connected together with a pretend “Internet” segment.

That is not an Internet segment if the default route doesn't go there.

> I would like to have the isakmp and ipsec-nat-t traffic bound for the
> peer gateway travel out the interface identified as left on each
> machine, rather than out the default gateway as directed by the
> routing table. I thought this was the purpose of leftnexthop, but
> when I set it to the IP of the firewall’s address on the VPNExternal
> interface, traffic still goes to the default gateway whose interface
> on the firewall is NOT configured to pass this traffic and the tunnel
> does not come up.

Your IPsec peers must be able to communicate without IPsec for
everything to work. If I read your routing tables correctly, you are
missing a route to the remote via the correct interface at the beginning.
Usually that is the default route, but it can be just a route to the
remote endpoint via the correct gateway. Nexthop doesn't help if you
don't have basic routing working so that you can make the peers
communicate without IPsec.

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
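The reply above comes down to one fact: which interface ISAKMP/NAT-T packets leave on is decided by the kernel's longest-prefix route lookup, not by leftnexthop. The following is an added example (not code from the thread or from Libreswan) that models that lookup over a constructed routing table shaped like the setup described: eth0 holds the default route, ens8 is VPNExternal, ens9 is VPNInternal. All addresses, the peer address, and the firewall gateway address are assumptions. It shows the peer going out eth0 until a host route via the ens8-side firewall exists, and emits the corresponding `ip route add` command.

```python
import ipaddress

# Constructed routing table (assumed addresses) mirroring the thread's setup:
# (prefix, outgoing device, gateway or None for directly connected)
ROUTES = [
    ("0.0.0.0/0", "eth0", "192.0.2.1"),        # default route via management interface
    ("192.0.2.0/24", "eth0", None),            # management segment
    ("198.51.100.0/24", "ens8", None),         # VPNExternal segment, firewall at .1
    ("10.0.0.0/24", "ens9", None),             # VPNInternal segment
]

# Assumed addresses for the remote IPsec peer and the firewall on the ens8 side
PEER = "203.0.113.20"
EXT_FIREWALL = "198.51.100.1"


def lookup(routes, dst):
    """Longest-prefix match over the table, as the kernel FIB lookup does.

    Returns (device, gateway); gateway is None when dst is on-link.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def exits_via(routes, peer, wanted_dev):
    """True if traffic to peer would leave on wanted_dev (the interface
    the IPsec connection's 'left' side is bound to)."""
    dev, _ = lookup(routes, peer)
    return dev == wanted_dev


def host_route_cmd(peer, gw, dev):
    """The iproute2 command that installs a /32 route to the peer via the
    firewall on the VPN-facing interface."""
    return f"ip route add {peer}/32 via {gw} dev {dev}"


def with_host_route(routes, peer, dev, gw):
    """Return a new table with the /32 route added (non-destructive)."""
    return routes + [(f"{peer}/32", dev, gw)]


if __name__ == "__main__":
    # Before: only the default route matches, so the peer is reached via eth0.
    print("before:", lookup(ROUTES, PEER), "ens8?", exits_via(ROUTES, PEER, "ens8"))
    print("fix:   ", host_route_cmd(PEER, EXT_FIREWALL, "ens8"))
    fixed = with_host_route(ROUTES, PEER, "ens8", EXT_FIREWALL)
    # After: the /32 wins longest-prefix match and the peer leaves on ens8.
    print("after: ", lookup(fixed, PEER), "ens8?", exits_via(fixed, PEER, "ens8"))
```

On the real hosts the equivalent check is `ip route get <peer-address>`, run before IPsec is configured: if it does not name the VPN-facing interface and the firewall on that segment as the gateway, no nexthop setting will change where the IKE packets go. The /32 host route (or a proper default route out that interface) is what makes the peers reachable in the clear, which the reply states is the precondition for the tunnel.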

