RV340 - Site to Site IPsec tunnel with Strongswan

MGilly
Level 1

Hi, I have a site-to-site tunnel set up to a Strongswan system; the IKEv2 authentication occurs and the tunnel is established. The local group on the RV340 side is set to 0.0.0.0/0, yet after the tunnel is established no traffic appears to be sent through the tunnel.

The desired behavior is that all traffic is sent through the default gateway (no need for a split tunnel). When tracing the route, the traffic is sent out to the default gateway and follows the 'normal' route to the internet, whereas we would like the traffic to go to the endpoint of the tunnel and then enter the internet from there.

It appears that the router is not encapsulating, and the outer IP header doesn't seem to be pointing to the remote gateway. Let me know if there are any extra steps we need to take to enable the tunnel (route changes?).

Thanks

2 Replies

marce1000
VIP

- Check if this document can help you:

https://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/117258-config-l2l.html

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

nagrajk1969
Spotlight

Hi

Can you show the schematic of your deployment setup? Is it connected like below?

local-subnet/192.168.1.0[RV340]wan1-------{Internet}-----184.x.x.x[Strongswan-Peer]----(???remote-subnet/192.168.2.0?)

We know that the s2s tunnel is established between the RV340 and the remote Strongswan peer.

- For the sake of assumption, I am mentioning a remote subnet behind the Strongswan peer: 192.168.2.0/24

With the policy applied (with local-group: ANY on the RV340 side)...

1. Do you want the remote-subnet/192.168.2.x hosts to connect to the internet via the IPsec tunnel up to the RV340 and then get routed to the Internet using the RV340/wan1 link (to the internet)? This won't happen, because from the schematic you have given the remote-group as 184.x.x.x/29, and I see that the WAN IP address of the Strongswan peer is also 184.x.x.x.

2. Or, with the present policy applied, and assuming that there is NO remote subnet behind the Strongswan peer, do you want the Strongswan-peer-generated traffic to the internet to be routed via the IPsec tunnel up to the RV340 AND then further routed out of wan1/RV340 to the Internet and back again along the same path?

- If this is so: the Strongswan peer is already connected to the Internet, so why would you want its internet traffic to be re-routed onto the IPsec tunnel and sent via the RV340 wan1 interface to the Internet?

Your applied policy is confusing and not really correct, if I may say so...
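Added example, not from the thread: a small Python model of IPsec traffic selectors (the RV340 "local group"/"remote group", strongSwan's `local_ts`/`remote_ts`) that shows which flows a given policy would encapsulate and whether two peers' selectors mirror each other. The /29 and internet addresses are constructed TEST-NET placeholders standing in for the 184.x.x.x addresses mentioned above.

```python
# Constructed example: how IPsec traffic selectors decide which packets enter
# the tunnel. local_ts matches the packet SOURCE on this side, remote_ts the
# DESTINATION. A policy of local=0.0.0.0/0, remote=<peer /29> therefore only
# selects traffic addressed to the /29 itself, not LAN-to-internet traffic.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    local_ts: str   # RV340 "local group"  / strongSwan local_ts
    remote_ts: str  # RV340 "remote group" / strongSwan remote_ts

    def matches(self, src: str, dst: str) -> bool:
        """True if a packet src -> dst would be selected for encapsulation."""
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.local_ts)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.remote_ts))


def mirrored(a: Policy, b: Policy) -> bool:
    """IKEv2 peers must agree: one side's local_ts is the other's remote_ts."""
    return (ipaddress.ip_network(a.local_ts) == ipaddress.ip_network(b.remote_ts)
            and ipaddress.ip_network(a.remote_ts) == ipaddress.ip_network(b.local_ts))


def flows_selected(policy: Policy, flows):
    """Return the (src, dst) pairs from `flows` that the policy would tunnel."""
    return [(s, d) for s, d in flows if policy.matches(s, d)]


# Policy as described in the thread: local group ANY, remote group the peer's /29
# (198.51.100.0/29 is a constructed stand-in for the 184.x.x.x/29 in the thread).
AS_POSTED = Policy("as-posted", "0.0.0.0/0", "198.51.100.0/29")
# Policy that sends the RV340 LAN's internet-bound traffic through the tunnel.
FULL_TUNNEL = Policy("full-tunnel", "192.168.1.0/24", "0.0.0.0/0")
# Matching strongSwan child SA (swanctl.conf: local_ts = 0.0.0.0/0,
# remote_ts = 192.168.1.0/24), i.e. the mirror image of FULL_TUNNEL.
STRONGSWAN_PEER = Policy("strongswan", "0.0.0.0/0", "192.168.1.0/24")

if __name__ == "__main__":
    # Constructed flows: LAN host -> internet host, LAN host -> peer /29.
    flows = [("192.168.1.10", "203.0.113.5"), ("192.168.1.10", "198.51.100.2")]
    print(flows_selected(AS_POSTED, flows))    # only the flow to the /29
    print(flows_selected(FULL_TUNNEL, flows))  # every LAN-originated flow
    print(mirrored(FULL_TUNNEL, STRONGSWAN_PEER))
```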
