IPsec routing through tunnel

I have an IKEv2 tunnel between two ASAs (dc2<->off1); the office ASA is connected to one more site via IPsec (off1<->dc3), strongSwan on Debian. dc2 - 10.100.70.0/24, dc3 - 10.200.10.0/24, off1 - 10.101.11.0/24

Is dc3 able to get a route to the dc2 networks via off1, given there is no direct IPsec between dc2 and dc3, without dynamic routing?

Thanks in advance!

DC.drawio.png

7 Replies

AshSe
VIP

Hey @Valentyn Lytvynov 

Yes, it is possible to achieve this setup, but it requires careful configuration of static routes and proper traffic forwarding on all devices involved. Since you are not using dynamic routing protocols, you will need to manually configure the routing and ensure that the IPsec policies and NAT rules are correctly set up on all devices.

Here is a breakdown of the scenario and what needs to be done:

Please check and confirm the below Scenario:

  1. dc2 (10.100.70.0/24) is connected to off1 (10.101.11.0/24) via an IKEv2 IPsec tunnel.
  2. off1 (10.101.11.0/24) is connected to dc3 (10.200.10.0/24) via an IPsec tunnel (using Strongswan on Debian).
  3. There is no direct IPsec tunnel between dc2 and dc3.
  4. You want traffic from dc3 to reach dc2 via off1.

We will deep dive into the solution once you confirm the above understanding of the provided scenario.


Awaiting your response

AshSe


Hi @AshSe 

Yes, you are absolutely right about the scenario.

AshSe
VIP

Thanks @Valentyn Lytvynov 

Here are the key considerations and the solution:

Key Considerations:

  1. Routing:

    • Since there is no dynamic routing, you need to configure static routes on all devices to ensure traffic is forwarded correctly.
    • dc3 must have a route to dc2 via off1.
    • dc2 must have a route to dc3 via off1.
  2. IPsec Policies:

    • The IPsec policies on off1 must allow traffic to flow between dc2 and dc3.
    • The IPsec tunnel between dc2 and off1 must include dc3's subnet (10.200.10.0/24) in the encryption domain.
    • Similarly, the IPsec tunnel between off1 and dc3 must include dc2's subnet (10.100.70.0/24) in the encryption domain.
  3. NAT Exemption:

    • Ensure that NAT exemption is configured on all devices for the traffic between dc2 and dc3 via off1.
  4. Forwarding on off1:

    • off1 must be configured to forward traffic between the two IPsec tunnels (dc2 <-> off1 and off1 <-> dc3). This is sometimes referred to as "IPsec hairpinning" or "IPsec traffic forwarding."


Solution Steps:

  1. Configure Static Routes:

    • On dc2 ASA:

      • Add a static route for 10.200.10.0/24 (dc3) via the tunnel to off1.
        ! ASA syntax: route <interface> <network> <mask> <next-hop-ip>
        ! use the interface facing off1 (normally outside), not inside
        route outside 10.200.10.0 255.255.255.0 <next-hop-ip-toward-off1>

    • On dc3 (Strongswan):

      • Add a static route for 10.100.70.0/24 (dc2) via the tunnel to off1.
        # Linux: "via" expects a gateway IP; use "dev" to point at a tunnel interface
        ip route add 10.100.70.0/24 dev <off1-tunnel-interface>

    • On off1 ASA:

      • Ensure that traffic from 10.100.70.0/24 to 10.200.10.0/24 and vice versa is routed correctly. This is typically handled by the IPsec configuration, but you may need to verify the routing table.

  2. Update IPsec Encryption Domains:

    • On the dc2 <-> off1 tunnel:

      • Include 10.200.10.0/24 (dc3) in the encryption domain.
        • Example:
          10.100.70.0/24 <-> 10.101.11.0/24, 10.200.10.0/24

    • On the off1 <-> dc3 tunnel:

      • Include 10.100.70.0/24 (dc2) in the encryption domain.
        • Example:
          10.101.11.0/24, 10.100.70.0/24 <-> 10.200.10.0/24

  3. Configure NAT Exemption:

    • On dc2 ASA:

      • Exempt traffic destined for 10.200.10.0/24 from NAT.
    • On off1 ASA:

      • Exempt traffic between 10.100.70.0/24 and 10.200.10.0/24 from NAT.
    • On dc3 (Strongswan):

      • Ensure that traffic destined for 10.100.70.0/24 is not NATed.

  4. Enable IPsec Traffic Forwarding on off1:

    • On the off1 ASA, you need to allow traffic to flow between the two IPsec tunnels. This is done by enabling "same-security-traffic permit intra-interface":
        same-security-traffic permit intra-interface

  5. Test Connectivity:

    • From a host in dc3 (10.200.10.0/24), try to ping a host in dc2 (10.100.70.0/24).
    • Use packet capture on the ASAs and Strongswan to verify that traffic is being encrypted and forwarded correctly.

Hope This Helps!!!

AshSe

     

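The steps above hinge on one property that is easy to get wrong by hand: each tunnel's encryption domain must be mirrored at both ends, and the hub (off1) must carry the dc2<->dc3 transit pair in BOTH of its crypto ACLs, or the hairpinned traffic is dropped silently. The following is an added check written for this thread, not code from the poster or from Cisco/strongSwan: it parses a constructed off1 ASA fragment (crypto ACLs named VPN_DC2/VPN_DC3 are an assumption) and a constructed dc3 swanctl.conf child section, then reports any selector mismatch, missing transit entry or missing intra-interface permit.

```python
"""Consistency check for hub-and-spoke IPsec transit without dynamic routing.

Added example, not from the forum thread. ACL names (VPN_DC2, VPN_DC3),
connection/child names and the config fragments below are constructed.
"""
import ipaddress
import re

# Constructed off1 (hub) ASA fragment: one crypto ACL per tunnel, with the
# transit subnet of the far site added to each ACL, plus hairpinning enabled.
OFF1_ASA = """
access-list VPN_DC2 extended permit ip 10.101.11.0 255.255.255.0 10.100.70.0 255.255.255.0
access-list VPN_DC2 extended permit ip 10.200.10.0 255.255.255.0 10.100.70.0 255.255.255.0
access-list VPN_DC3 extended permit ip 10.101.11.0 255.255.255.0 10.200.10.0 255.255.255.0
access-list VPN_DC3 extended permit ip 10.100.70.0 255.255.255.0 10.200.10.0 255.255.255.0
same-security-traffic permit intra-interface
"""

# Constructed dc3 strongSwan swanctl.conf child: remote_ts carries off1's own
# LAN and the dc2 subnet reached through off1.
DC3_SWANCTL = """
connections {
    off1 {
        children {
            to-off1 {
                local_ts  = 10.200.10.0/24
                remote_ts = 10.101.11.0/24, 10.100.70.0/24
            }
        }
    }
}
"""

ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_asa_acls(text):
    """Return {acl_name: {(src_network, dst_network), ...}} from 'permit ip' entries."""
    acls = {}
    for line in text.strip().splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            pair = (ipaddress.ip_network(f"{src}/{smask}"),
                    ipaddress.ip_network(f"{dst}/{dmask}"))
            acls.setdefault(name, set()).add(pair)
    return acls


def parse_swanctl_ts(text):
    """Return (local_ts, remote_ts) as sets of networks from a swanctl child block."""
    ts = {"local_ts": set(), "remote_ts": set()}
    for key in ts:
        m = re.search(rf"{key}\s*=\s*([^\n]+)", text)
        if m:
            ts[key] = {ipaddress.ip_network(p.strip()) for p in m.group(1).split(",")}
    return ts["local_ts"], ts["remote_ts"]


def asa_pairs_mirror_swanctl(acl_pairs, local_ts, remote_ts):
    """The hub ACL's (src, dst) set must equal the spoke's remote_ts x local_ts."""
    return acl_pairs == {(r, l) for r in remote_ts for l in local_ts}


def check_hub(asa_text, dc3_text, dc2_net, dc3_net, dc2_acl="VPN_DC2", dc3_acl="VPN_DC3"):
    """Return a list of problems; an empty list means the three-site path is consistent."""
    problems = []
    acls = parse_asa_acls(asa_text)
    dc2_net, dc3_net = ipaddress.ip_network(dc2_net), ipaddress.ip_network(dc3_net)
    local_ts, remote_ts = parse_swanctl_ts(dc3_text)
    # (a) Selector mirroring on the off1<->dc3 tunnel; a mismatch fails CHILD_SA setup.
    if not asa_pairs_mirror_swanctl(acls.get(dc3_acl, set()), local_ts, remote_ts):
        problems.append(f"{dc3_acl} on off1 does not mirror dc3's local_ts/remote_ts")
    # (b) Transit coverage: dc2->dc3 must match the dc3 tunnel ACL and dc3->dc2 the dc2 tunnel ACL.
    if (dc2_net, dc3_net) not in acls.get(dc3_acl, set()):
        problems.append(f"{dc3_acl} lacks {dc2_net} -> {dc3_net}; dc2 traffic would not enter the dc3 tunnel")
    if (dc3_net, dc2_net) not in acls.get(dc2_acl, set()):
        problems.append(f"{dc2_acl} lacks {dc3_net} -> {dc2_net}; return traffic would not enter the dc2 tunnel")
    # (c) Hairpinning: decrypted traffic must be allowed back out the interface it arrived on.
    if "same-security-traffic permit intra-interface" not in asa_text:
        problems.append("same-security-traffic permit intra-interface is missing on off1")
    return problems


if __name__ == "__main__":
    findings = check_hub(OFF1_ASA, DC3_SWANCTL, "10.100.70.0/24", "10.200.10.0/24")
    print("\n".join(findings) if findings else "hub configuration is consistent")
```

Run it against the real configs by pasting the hub's crypto ACLs and the spoke's child section into the two strings; removing the second VPN_DC3 line reproduces the classic symptom (the tunnel comes up for off1's own LAN, yet dc2 hosts never reach dc3), and the check names both the selector mismatch and the missing transit entry.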

@AshSe I'll try this guidance and will update you.

Thanks! Very insightful

M02@rt37
VIP

Hello @Valentyn Lytvynov 

Could you please share a diagram referencing your topology?


Best regards

Sure, I changed it in the topic.

DC.drawio.png

Thanks for the diagram @Valentyn Lytvynov 

DC3 will not be able to reach DC2 through OFF1 without dynamic routing unless you manually configure static routes and enable proper traffic forwarding on the ASA and StrongSwan...

Since there is no direct IPsec tunnel between DC2 and DC3, the traffic must pass through OFF1.

Setting up DMVPN over IPsec is a better approach than traditional site-to-site VPNs in your case. It allows DC2 and DC3 to communicate without needing static IPsec tunnels between them, while OFF1 remains the control point for routing...

Off-1 as hub and DC-2 and DC-3 as spokes.

Best regards