09-14-2020 03:05 AM
Hi, I have a site-to-site tunnel set up to a Strongswan system; the IKEv2 authentication occurs and the tunnel is established. The local group on the RV340 side is set to 0.0.0.0/0, yet after the tunnel is established no traffic appears to be sent through the tunnel.
The desired behavior is one where all traffic is sent through the default gateway (no need for a split tunnel). When tracing the route, the traffic is sent out to the default gateway and follows the 'normal' router to the internet, whereas we would like the traffic to go to the endpoint of the tunnel and then enter the internet.
It appears that the router is not encapsulating, and the outer IP header doesn't seem to be pointing to the remote gateway. Let me know if there are any extra steps we need to take to enable the tunnel (route changes?).
Thanks
09-14-2020 04:14 AM
- Check if this document can help you:
https://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/117258-config-l2l.html
M.
05-14-2021 02:27 AM
Hi
Can you show the schematic of your deployment setup? Is it connected like below?
local-subnet/192.168.1.0[RV340]wan1-------{Internet}-----184.x.x.x[Strongswan-Peer]----(???remote-subnet/192.168.2.0?)
We know that the s2s tunnel is established between RV340 and the remote-Strongswan-Peer
- as an assumption, I am mentioning a remote subnet behind the Strongswan peer: 192.168.2.0/24
With the policy applied (with local-group: ANY on the RV340 side):
1. Do you want the remote-subnet/192.168.2.x hosts to connect to the internet via the IPsec tunnel up to the RV340 and then get routed to the internet using the RV340/wan1 link? This won't happen, because from the schematic you have given the remote group is 184.x.x.x/29, and I see that the WAN IP address of the Strongswan peer is also 184.x.x.x.
2. Or, with the present policy applied, and assuming that there is NO remote subnet behind the Strongswan peer, do you want the Strongswan-peer-generated traffic to the internet to be routed via the IPsec tunnel up to the RV340 AND then further routed out of wan1/RV340 to the internet, and back again the same path?
- If this is so, the Strongswan peer is already connected to the internet; why would you want its internet traffic to be re-routed onto the IPsec tunnel and sent via the RV340 wan1 interface to the internet?
Your policy as applied is confusing and not really correct, if I may say so...
where
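The question above reports that traffic leaves unencapsulated, and the reply above argues that a narrow remote group (a /29) rather than 0.0.0.0/0 is why. On the strongSwan side this can be checked against the kernel's installed IPsec policies (`ip xfrm policy`). The following is an added example, not code from the thread or from strongSwan: it parses a constructed sample of that output and reports whether a given flow would be encapsulated and to which peer. All addresses are assumed placeholders (203.0.113.5 = strongSwan WAN, 198.51.100.9 = RV340 WAN, 192.168.1.0/24 = LAN behind the RV340).

```python
from ipaddress import ip_address, ip_network

# Constructed sample of `ip xfrm policy` output on the strongSwan peer (placeholder
# addresses, not from the thread). NARROW uses a /29 as the strongSwan-side selector;
# ANY is the same pair of policies with 0.0.0.0/0 instead.
NARROW = """\
src 203.0.113.0/29 dst 192.168.1.0/24
\tdir out priority 375423 ptype main
\ttmpl src 203.0.113.5 dst 198.51.100.9
\t\tproto esp reqid 1 mode tunnel
src 192.168.1.0/24 dst 203.0.113.0/29
\tdir fwd priority 375423 ptype main
\ttmpl src 198.51.100.9 dst 203.0.113.5
\t\tproto esp reqid 1 mode tunnel
"""
ANY = NARROW.replace("203.0.113.0/29", "0.0.0.0/0")


def parse_xfrm_policies(text):
    """Parse the common `ip xfrm policy` layout into dicts (src, dst, dir, priority, tmpl_dst, mode)."""
    policies = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if not line[0].isspace() and fields[0] == "src":   # "src A/x dst B/y" opens a policy
            policies.append({"src": ip_network(fields[1]), "dst": ip_network(fields[3])})
        elif fields[0] == "dir":                            # "dir out priority N ptype main"
            policies[-1]["dir"] = fields[1]
            policies[-1]["priority"] = int(fields[3])
        elif fields[0] == "tmpl":                           # "tmpl src LOCAL dst PEER"
            policies[-1]["tmpl_dst"] = fields[4]
        elif fields[0] == "proto":                          # "proto esp reqid N mode tunnel"
            policies[-1]["mode"] = fields[-1]
    return policies


def selected_policy(policies, src, dst, direction):
    """Lowest priority value among matching selectors wins, as in the kernel."""
    src, dst = ip_address(src), ip_address(dst)
    matches = [p for p in policies
               if p["dir"] == direction and src in p["src"] and dst in p["dst"]]
    return min(matches, key=lambda p: p["priority"]) if matches else None


def tunnel_endpoint_for(text, src, dst, direction="out"):
    """Peer the flow is encapsulated to, or None if it would leave in the clear."""
    p = selected_policy(parse_xfrm_policies(text), src, dst, direction)
    return p["tmpl_dst"] if p and p.get("mode") == "tunnel" else None


if __name__ == "__main__":
    flow = ("192.0.2.10", "192.168.1.20")   # internet host replying to an RV340 LAN client
    print("narrow /29 selector:", tunnel_endpoint_for(NARROW, *flow))
    print("0.0.0.0/0 selector: ", tunnel_endpoint_for(ANY, *flow))
```

With the /29 selector the reply to the LAN client matches no policy and is not encapsulated; with 0.0.0.0/0 it is tunnelled to the RV340 WAN address.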