IPsec/strongSwan – how to use a remote router as a local gateway using the route command

Tags: routing, strongswan

Ok, this should be an easy one, but it's driving me nuts.

Scenario:

Site A (San Francisco)
Site B (Colombia)

Both sites are connected successfully via IPSec (openswan, debian 8):

SiteA—————SiteB
10.2.0.1 <==inet==> 10.3.0.1

I can successfully PING 10.3.0.1 from SiteA. Also, 10 phone extensions in the 10.3.0.0 subnet connect to SiteA. Sweet, no problem.

However, please note 10.3.0.1 IS NOT LISTED as a route anywhere under SiteA's kernel routing table, but if I do a ping from 10.2.0.1, it works.

THE PROBLEM:

Ok. I just added a SIP router 10.11.208.93 in SiteB. SiteA needs to be 10.11.208.94 and has to be able to reach 10.11.208.93 via 10.3.0.1. I have added this bridge successfully on 10.3.0.1 in SiteB.

When I try to create the static route to the SIP router via 10.3.0.1 in SiteA, the route command says the host is not reachable. But I can ping 10.3.0.1 from SiteA.

ip route add -net 10.11.208.92/30 via 10.3.0.1

SIOADDR: Host unreachable

Question is: where/how the hell is strongswan (ipsec) configuring the Linux routing table to reach 10.3.0.1 via the tunnel??? It doesn't show in the routing table.

If I can ping 10.3.0.1, why can't I use it as a route to reach a subnet behind it, having a working tunnel already?

Best Answer

strongSwan installs routes in routing table 220 by default. You can see these with ip route list table 220.

Adding a route won't get your traffic tunneled though. IPsec is policy based (you can see these with ip xfrm policy), so if you have an IPsec policy that allows traffic between e.g. 10.2.0.0/16 and 10.3.0.0/16, only matching traffic is actually tunneled. That is not the case for packets sent from 10.11.208.94 to 10.11.208.93. Therefore, you have to explicitly add a tunnel that covers these IPs.
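The check the answer describes, as an added example that is not part of the original question or answer: it parses `ip xfrm policy` output and reports whether a given source/destination pair is covered by a tunnel-mode policy, which is what decides whether a packet is encrypted, independent of any route you add. The policy dump below is constructed to match the tunnel in the question (10.2.0.0/16 <-> 10.3.0.0/16); the gateway addresses 203.0.113.10 and 198.51.100.20, the reqid and the priority values are placeholders, not taken from the page.

```python
import ipaddress
import re

# Constructed sample of `ip xfrm policy` output (not captured from the asker's
# hosts). Only 10.2.0.0/16 <-> 10.3.0.0/16 is selected for the tunnel; the
# trailing "socket" entries are the kernel's default bypass policies.
SAMPLE_XFRM_POLICY = """\
src 10.2.0.0/16 dst 10.3.0.0/16
    dir out priority 375423 ptype main
    tmpl src 203.0.113.10 dst 198.51.100.20
        proto esp reqid 1 mode tunnel
src 10.3.0.0/16 dst 10.2.0.0/16
    dir fwd priority 375423 ptype main
    tmpl src 198.51.100.20 dst 203.0.113.10
        proto esp reqid 1 mode tunnel
src 10.3.0.0/16 dst 10.2.0.0/16
    dir in priority 375423 ptype main
    tmpl src 198.51.100.20 dst 203.0.113.10
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
"""

SELECTOR_RE = re.compile(r"^src (\S+) dst (\S+)")
DIR_RE = re.compile(r"^\s+(dir|socket) (\w+) priority (\d+)")
TMPL_RE = re.compile(r"^\s+proto (\w+) .*mode (\w+)")


def parse_xfrm_policies(text):
    """Turn `ip xfrm policy` output into a list of policy dicts.

    Each dict carries the traffic selectors (src/dst networks), whether the
    entry is a real "dir" policy or a "socket" bypass, its direction,
    priority, and the protocol/mode of its template (None when absent).
    """
    policies = []
    current = None
    for line in text.splitlines():
        m = SELECTOR_RE.match(line)
        if m:
            current = {
                "src": ipaddress.ip_network(m.group(1), strict=False),
                "dst": ipaddress.ip_network(m.group(2), strict=False),
                "kind": None, "dir": None, "priority": None,
                "proto": None, "mode": None,
            }
            policies.append(current)
            continue
        if current is None:
            continue
        m = DIR_RE.match(line)
        if m:
            current["kind"], current["dir"] = m.group(1), m.group(2)
            current["priority"] = int(m.group(3))
            continue
        m = TMPL_RE.match(line)
        if m:
            current["proto"], current["mode"] = m.group(1), m.group(2)
    return policies


def matching_policy(policies, src_ip, dst_ip, direction="out"):
    """Return the tunnel-mode policy that selects src_ip -> dst_ip in the
    given direction (lowest priority value wins, as in the kernel), or None
    when no IPsec policy covers the pair, i.e. the packet would go in clear."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    candidates = [
        p for p in policies
        if p["kind"] == "dir" and p["dir"] == direction and p["mode"] == "tunnel"
        and src in p["src"] and dst in p["dst"]
    ]
    if not candidates:
        return None
    return min(candidates, key=lambda p: p["priority"])


def explain(policies, src_ip, dst_ip):
    """One-line verdict for an outbound src/dst pair."""
    p = matching_policy(policies, src_ip, dst_ip)
    if p is None:
        return (f"{src_ip} -> {dst_ip}: NOT tunneled; no outbound IPsec policy "
                f"covers this pair, so a route via the peer cannot help. Add a "
                f"tunnel whose traffic selectors include both addresses.")
    return (f"{src_ip} -> {dst_ip}: tunneled by policy {p['src']} -> {p['dst']} "
            f"({p['proto']} {p['mode']})")


if __name__ == "__main__":
    pols = parse_xfrm_policies(SAMPLE_XFRM_POLICY)
    # The working ping from the question, and the SIP pair that fails.
    print(explain(pols, "10.2.0.1", "10.3.0.1"))
    print(explain(pols, "10.11.208.94", "10.11.208.93"))
```

To run it against a live host, replace SAMPLE_XFRM_POLICY with the output of `ip xfrm policy` (run as root). On strongSwan the selectors in these policies come from leftsubnet/rightsubnet in ipsec.conf (or local_ts/remote_ts in swanctl.conf), so the fix the answer describes is widening those, or adding a second conn, so that 10.11.208.94 and 10.11.208.93 fall inside the selectors on both ends; the /30 then never needs a route through the main table at all.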
