
List:       strongswan-users
Subject:    Re: [strongSwan] remote peer IP falls into crypto domain right subnet
From:       Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting>
Date:       2018-09-28 16:49:55
Message-ID: cb0bf346-5a58-0226-fa53-198c7b22126e@thermi.consulting


Hello,

Just use a passthrough policy, if you use a policy based IPsec tunnel.

Kind regards

Noel

On 26.09.18 at 22:17, Phil Frost wrote:
> There are other possible solutions, but my inclination would be to run strongswan and any other VPN related services in a distinct network namespace. This would not only address your issue, but it also prevents accidentally "crossing the streams" between the VPN and other public networks to which the host is attached. A common issue is the IKE daemon fails to start or is misconfigured, and so the policies that normally encrypt traffic on egress don't get installed, and traffic that should have been encrypted is leaked on a public interface.
>
> https://vincent.bernat.ch/en/blog/2017-route-based-vpn is a tutorial I've found helpful in the past. It covers BGP and a lot of other things beyond your particular problem, but maybe ignoring those parts you may still find it useful.
>
> On Wed, Sep 26, 2018 at 3:01 PM Doug Tucker <doug.tucker@newscycle.com> wrote:
>
>     I've done some searching and am not finding any info on this. We had a client who wanted to offer a /16 as his right subnet and his outside peer IP of his ASA fell into the /16 they were offering. With a Cisco ASA this is a non-issue, as in this type of scenario Cisco exempts out that single IP from the routing table, but with strongswan 5.6.3 it appears to not do so by default and caused some odd routing anomalies to this IP. Does anyone know of a configuration directive for dealing with this?
>
>     Doug Tucker
>     Sr. Network Administrator
>     o: 817.975.5832 | m: 817.975.5832
>     e: doug.tucker@newscycle.com
>     Newscycle Solutions <http://www.newscycle.com/>
>     Breakthrough technologies for media
>     Twitter <http://www.twitter.com/newscycle_news> | Facebook <https://www.facebook.com/NEWSCYCLESolutions> | LinkedIn <https://www.linkedin.com/company/newscycle-solutions>
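Noel's passthrough-policy suggestion, worked through for the scenario in Doug's question as an added example that is not part of the original thread: a small Python script that checks whether the peer gateway's address falls inside one of the remote traffic selectors and, if it does, emits the strongSwan ipsec.conf `type=passthrough` conn that exempts just that one host from the policy-based tunnel. The addresses, selector lists and conn name are constructed for illustration; the script is not strongSwan's own code.

```python
# Added example (not from the original thread): check whether an IKE peer's
# address falls inside a traffic selector, and emit the strongSwan ipsec.conf
# passthrough conn that exempts that single host from the policy-based tunnel.
# All addresses below are constructed for illustration.
import ipaddress
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def peer_in_selectors(peer: str, selectors: List[str]) -> Optional[Network]:
    """Return the first selector that contains `peer`, or None.

    Selectors use the ipsec.conf form ("198.51.0.0/16"); a bare address is
    treated as a single host. IPv4 and IPv6 selectors are both handled.
    """
    addr = ipaddress.ip_address(peer)
    for sel in selectors:
        net = ipaddress.ip_network(sel, strict=False)
        if net.version == addr.version and addr in net:
            return net
    return None


def passthrough_conn(name: str, local_ts: List[str],
                     remote_addr: str, remote_ts: List[str]) -> Optional[str]:
    """Build a passthrough conn for `remote_addr` if it lies inside `remote_ts`.

    The shunt covers traffic from the local selectors to the peer's own
    address only, so the rest of `remote_ts` still goes through the tunnel.
    Returns None when the peer is outside every remote selector, i.e. when
    no exemption is needed.
    """
    if peer_in_selectors(remote_addr, remote_ts) is None:
        return None
    host = ipaddress.ip_address(remote_addr)
    lines = [
        f"conn {name}-peer-passthrough",
        "    type=passthrough",  # shunt policy: no encryption, no tunnel
        "    auto=route",        # install the policy when the daemon starts
        f"    leftsubnet={','.join(local_ts)}",
        f"    rightsubnet={host}/{host.max_prefixlen}",  # the peer host alone
    ]
    return "\n".join(lines)


# Constructed scenario mirroring the thread: a /16 offered as the right
# subnet that also contains the remote gateway's outside address.
LOCAL_TS = ["10.10.0.0/16"]
PEER_ADDR = "198.51.100.5"
REMOTE_TS = ["198.51.0.0/16"]

if __name__ == "__main__":
    hit = peer_in_selectors(PEER_ADDR, REMOTE_TS)
    if hit is None:
        print(f"peer {PEER_ADDR} is outside every remote selector; no shunt needed")
    else:
        print(f"peer {PEER_ADDR} lies inside remote selector {hit}:")
        print(passthrough_conn("site-b", LOCAL_TS, PEER_ADDR, REMOTE_TS))
```

The emitted conn is appended next to the existing tunnel conn in ipsec.conf; strongSwan installs pass (shunt) policies with a higher priority than tunnel policies, so the /32 exemption wins over the /16 even though both selectors match. In swanctl.conf the same shunt is a child with `mode = pass` and `start_action = trap`. The script only checks the remote side, which is the case from the thread; the same check applied to the local gateway address against `leftsubnet` covers the mirror-image misconfiguration.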

