From: Support SimpleRezo (simplerezo@gmail.com)
Date: Tue, 19 Jan 2021 11:34:44 +0100
Subject: StrongSWAN VPN tunnel: working, but peers cannot reach remote network
To: freebsd-questions@freebsd.org

Hi,

I have set up a StrongSWAN IPsec VPN tunnel between two hosts:

[LAN_A] => [HOST_A][PUBLIC_IP_A] <=> [PUBLIC_IP_B][HOST_B][LAN_B]

LAN_A: 192.168.1.0/24
LAN_B: 192.168.6.0/24
HOST_A route: 192.168.6.0/24 gw PUBLIC_IP_A

It's working: every host on LAN_A can reach LAN_B hosts and vice versa.

But on the hosts running StrongSWAN, I cannot reach the remote LAN EXCEPT if I specify the source address of the LAN:

host_A# ping 192.168.6.1 (no answer)
host_A# ping -S 192.168.1.254 192.168.6.1 (works)

That seems logical to me, because by default packets sent to the remote LAN use the route to LAN_B via gateway PUBLIC_IP_A, so the kernel is using PUBLIC_IP_A as source (checked by tcpdump).

What do I need to set up to be able to reach the remote LAN from each peer without specifying the source IP address?

Thanks for your help

--
Clement
SimpleRezo
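The following is an added example, not part of the post above: it models the writer's diagnosis by running HOST_A's route lookup and then checking the resulting (source, destination) pair against the tunnel's IPsec traffic selectors, which is how the kernel decides whether a packet is protected by the tunnel policy. LAN_A, LAN_B and 192.168.1.254 come from the post; PUBLIC_IP_A is a constructed placeholder (203.0.113.10), and the route and policy tables are assumptions that mirror the setup described.

```python
# Added example: models why a packet from HOST_A to LAN_B is sourced from the
# public IP and therefore falls outside the IPsec policy's traffic selectors.
from ipaddress import ip_address, ip_network

PUBLIC_IP_A = ip_address("203.0.113.10")  # constructed stand-in for PUBLIC_IP_A
LAN_A_IP = ip_address("192.168.1.254")    # HOST_A's LAN_A address (from "ping -S")

# Assumed routing table of HOST_A: (prefix, source address the kernel binds to
# that route). The LAN_B route points at the public interface, so outgoing
# packets to LAN_B get PUBLIC_IP_A as source unless one is given explicitly.
ROUTES = [
    (ip_network("192.168.1.0/24"), LAN_A_IP),
    (ip_network("192.168.6.0/24"), PUBLIC_IP_A),
    (ip_network("0.0.0.0/0"), PUBLIC_IP_A),
]

# IPsec security policy: the traffic selectors negotiated for the tunnel,
# i.e. only LAN_A <-> LAN_B traffic is protected.
SPD = [(ip_network("192.168.1.0/24"), ip_network("192.168.6.0/24"))]


def pick_source(dst, routes=ROUTES):
    """Longest-prefix match; return the source address bound to that route."""
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def matches_policy(src, dst, spd=SPD):
    """True if (src, dst) lies inside one of the tunnel's traffic selectors."""
    return any(src in s and dst in d for s, d in spd)


def classify(dst, src=None):
    """Return (chosen source, 'tunnel' or 'cleartext') for a packet to dst.

    src=None reproduces 'ping 192.168.6.1'; src='192.168.1.254' reproduces
    'ping -S 192.168.1.254 192.168.6.1'.
    """
    dst = ip_address(dst)
    src = ip_address(src) if src else pick_source(dst)
    return str(src), "tunnel" if matches_policy(src, dst) else "cleartext"


if __name__ == "__main__":
    print(classify("192.168.6.1"))                   # sourced from PUBLIC_IP_A
    print(classify("192.168.6.1", "192.168.1.254"))  # sourced from LAN_A, tunnelled
```

The first call shows the packet leaving with PUBLIC_IP_A as source, which no selector covers, so it is never tunnelled; the second shows why forcing the LAN_A source address makes the same packet match the policy.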