Monday, December 3, 2018

"Destination host unreachable" with routed IPsec site-to-site VPN

I set up a routed site-to-site IPsec VPN (IKEv2 with strongswan), but I'm having trouble with one side's routing tables. I'm using 10.13.13.0/30 for the vti interfaces.

One side runs pfsense, and it also has the subnet 192.168.42.0/24 on a different interface (LAN basically). It has a vti with the IP address 10.13.13.1. This side appears to be set up correctly.

The other side is running Debian (and is the "server" receiving the inbound connection, if that matters) and has strongswan configured with leftsubnet=0.0.0.0/0, rightsubnet=0.0.0.0/0, and mark=13, along with the following:

ip tunnel add vti0 mode vti local PUBLIC_IP remote PFSENSE_PUBLIC_IP key 13
ip link set vti0 up
ip addr add 10.13.13.2/30 remote 10.13.13.1/30 dev vti0
ip route add 192.168.42.0/24 via 10.13.13.1 dev vti0

I've also tried the last command without "via 10.13.13.1".

From the pfsense side (10.13.13.1), I can ping 10.13.13.2, and vice versa. The problem comes from the routed subnet. From a device in the 192.168.42.0/24 subnet, if I try to ping 10.13.13.2, I get no response. I see the encrypted ESP traffic coming into the Debian computer on eth0, but nothing comes in on vti0. From the Debian computer (10.13.13.2), when I try to ping 192.168.42.1 (which is assigned to another interface on pfsense), I get "destination host unreachable". No traffic shows up on the local vti0 in tcpdump.

The routing table looks like it should be correct:

$ ip route get 192.168.42.1
192.168.42.1 via 10.13.13.1 dev vti0 src 10.13.13.2
    cache

Forwarding is enabled, and rp_filter is set to 0. iptables forward rules are set to allow (I have site-to-site openvpn connections, with different subnets, that work fine). strongswan.conf has install_routes=0 set under charon.

I can't think of anything else I can do to narrow down the cause. It looks as though despite the proper route being there, that it's failing for some reason. Does anyone know what I might be missing?
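One check a practitioner would run on the Debian side for the symptom described above (ESP arriving on eth0, nothing appearing on vti0): the fwmark that strongSwan puts on its XFRM policies and SAs (ipsec.conf "mark=N") must equal the ikey/okey of the VTI ("ip tunnel add ... key N"), otherwise decrypted packets are never attributed to vti0. The script below is an added example, not code from the post; it parses constructed samples of `ip -d link show vti0` and `ip xfrm policy` output (the public addresses 203.0.113.2 and 198.51.100.1 are placeholders) and flags a mismatch. The same parser works on `ip xfrm state` output, which prints the mark in the same "mark 0xd/0xffffffff" form.

```shell
#!/bin/sh
# Added example (not from the post): verify that the VTI key and the
# XFRM policy/state mark strongSwan installed are the same number.

# Extract ikey/okey from `ip -d link show vtiN` output. iproute2 prints
# the keys in dotted-quad form (0.0.0.13 == 13); convert to an integer.
vti_keys() {
    awk '
        /ikey/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "ikey" || $i == "okey") {
                    split($(i+1), o, ".")
                    printf "%s=%d\n", $i, o[1]*16777216 + o[2]*65536 + o[3]*256 + o[4]
                }
            }
        }'
}

# Extract the mark from each `ip xfrm policy` (or `ip xfrm state`) entry,
# printed as "mark 0xd/0xffffffff"; emit one decimal value per entry.
# The hex conversion is done by hand because strtonum() is gawk-only.
xfrm_marks() {
    awk '
        $1 == "mark" {
            split($2, m, "/")
            hex = substr(m[1], 3); v = 0
            for (i = 1; i <= length(hex); i++)
                v = v*16 + index("0123456789abcdef", substr(hex, i, 1)) - 1
            print v
        }'
}

# check_marks LINK_OUTPUT POLICY_OUTPUT
# Returns 0 when every policy mark equals both the ikey and the okey of
# the VTI, 1 otherwise (or when no keys could be parsed).
check_marks() {
    link_out=$1; policy_out=$2
    ikey=$(printf '%s\n' "$link_out" | vti_keys | sed -n 's/^ikey=//p')
    okey=$(printf '%s\n' "$link_out" | vti_keys | sed -n 's/^okey=//p')
    for m in $(printf '%s\n' "$policy_out" | xfrm_marks); do
        [ "$m" = "$ikey" ] && [ "$m" = "$okey" ] || return 1
    done
    [ -n "$ikey" ] && [ -n "$okey" ]
}

# Constructed sample output (placeholder public IPs), matching the
# post's "key 13" / "mark=13" configuration.
LINK_OK='5: vti0@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN
    link/ipip 203.0.113.2 peer 198.51.100.1
    vti remote 198.51.100.1 local 203.0.113.2 ikey 0.0.0.13 okey 0.0.0.13'
POLICY_OK='src 0.0.0.0/0 dst 0.0.0.0/0
    dir out priority 399999 ptype main
    mark 0xd/0xffffffff
    tmpl src 203.0.113.2 dst 198.51.100.1
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    dir in priority 399999 ptype main
    mark 0xd/0xffffffff
    tmpl src 198.51.100.1 dst 203.0.113.2
        proto esp reqid 1 mode tunnel'
# Constructed failure case: the VTI was created with "key 31" instead of 13.
LINK_BAD='5: vti0@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480
    vti remote 198.51.100.1 local 203.0.113.2 ikey 0.0.0.31 okey 0.0.0.31'

if check_marks "$LINK_OK" "$POLICY_OK"; then
    echo "ok: vti key and xfrm mark agree"
fi
check_marks "$LINK_BAD" "$POLICY_OK" || echo "MISMATCH: vti key != xfrm mark"
```

On a live box, feed it real output: `check_marks "$(ip -d link show vti0)" "$(ip xfrm policy)"`. If the marks agree, the next things to look at are the per-interface counters (`ip -s link show vti0` should show rx packets climbing while pings arrive) and `net.ipv4.conf.vti0.disable_policy`, which the strongSwan documentation sets to 1 for VTI interfaces so that traffic on the vti is not re-matched against the XFRM policies.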
