IPSEC Site to Site w/StrongSwan

Has anyone actually implemented a site to site IPSEC VPN using strongSwan on 22.03? A couple of us spent a day on this and were never able to get traffic to pass into the tunnel. We could exchange the PSK, bring up the tunnel but that is as far as things got. Destination traffic never hit the tunnel as confirmed with tcpdump. I suspect something broke during the transition to fw4/nft.

I've found a few references to how to remove the VPN subnets from masquerading but think we probably have a policy routing issue here.

Does anyone have a step by step we could follow that at least shows the differences from the bulk of the published docs that no longer apply with fw4?

Much appreciated.

Here's the right way to do it:

https://forum.openwrt.org/t/ipsec-routing-firewall4/127101/6 - #by jow

@pavelgl thank you, I am aware and have implemented for the remote destination subnet. This can also now be done via LuCI, BTW; however, it is not enough to get my traffic into the tunnel.

Did you check everything?

ip xfr state
ip xfr policy
ip route list table 220

It sounds like you want a limited site to site where the whole Internet is not to be accessed over the VPN, only certain subnet(s) that exist on the other site. It ends up not being much more complicated than wireguard if you use the newer xfrm interface system.

Use an xfrm interface. In most documentation about Linux IPSec this is called the "route-based" option versus the original method of purely SA policy in the kernel, called "policy based" (not to be confused with OpenWrt PBR). In route based, it is OK to set the SA peer subnets to 0.0.0.0/0 on both sides regardless of the subnets that will actually be routed. Place the xfrm interface in the lan firewall zone, or in a new zone which does not have masquerade enabled. In the regular routing tables on both sites, install a route to the other site via the xfrm interface.

I have this running on 22.03.2 but have not tried the .3 release.

For background, the local subnet on the left is 192.168.0.0/24, on the right is 172.31.1.0/24. Sometimes, the 172.31.1.0/24 subnet shows up in table 220, but right now it is not.

ip xfr state

returns nothing

ip xfr policy

src 108.x.x.x/32 dst 24.x.x.x/32
dir fwd priority 367232
tmpl src 108.x.x.x dst 24.x.x.x
proto esp reqid 1 mode tunnel
src 108.x.x.x/32 dst 24.x.x.x/32
dir in priority 367232
tmpl src 108.x.x.x dst 24.x.x.x
proto esp reqid 1 mode tunnel
src 24.x.x.x/32 dst 108.x.x.x/32
dir out priority 367232
tmpl src 24.x.x.x dst 108.x.x.x
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0

ip route list table 220

108.x.x.x. via 24.x.x.x 1 dev eth1 proto static src 24.x.x.x
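As an added triage helper (not from this thread, OpenWrt or strongSwan), a POSIX sh function that applies the three checks requested earlier (`ip xfrm state`, `ip xfrm policy`, `ip route list table 220`) to pasted command output and reports why LAN traffic would not enter the tunnel, alongside what a working route-based setup looks like. The interface name ipsec0, the 24.0.0.x/108.0.0.x addresses and all sample outputs are constructed.

```shell
#!/bin/sh
# Triage helper for the symptom in this thread: IKE is up but LAN traffic
# never enters the tunnel. It reads the output of the three commands the
# reply above asks for. All sample output below is constructed.
REMOTE_NET="172.31.1.0/24"   # LAN behind the peer, from the post
XFRM_IF="ipsec0"             # hypothetical xfrm interface name

# check_tunnel STATE POLICY ROUTES NET IFACE: one finding per line,
# nothing printed when all three checks pass.
check_tunnel() {
    state=$1 policy=$2 routes=$3 net=$4 ifc=$5
    # 1. No SA at all: the IKE_SA may exist, but nothing can be encapsulated.
    [ -n "$state" ] || echo "no IPsec SA installed (ip xfrm state is empty)"
    # 2. An outbound policy must cover the remote LAN. With an xfrm
    #    interface the selector is 0.0.0.0/0; policy-based needs the subnet.
    printf '%s\n' "$policy" | awk -v net="$net" '
        /^src /   { dst = $4 }
        /dir out/ && (dst == "0.0.0.0/0" || dst == net) { ok = 1 }
        END { if (!ok) print "no outbound policy selects " net " (only host-to-host selectors seen)" }'
    # 3. A route for the remote LAN must exist (main table via the xfrm
    #    interface, or table 220 for a policy-based setup).
    printf '%s\n' "$routes" | grep -q "^$net " ||
        echo "no route for $net (expected via $ifc or in table 220)"
}

# Constructed samples modelled on the post: empty state, host-to-host
# policies, and a table 220 holding only the peer's public address.
BROKEN_STATE=""
BROKEN_POLICY='src 24.0.0.1/32 dst 108.0.0.1/32
        dir out priority 367232
        tmpl src 24.0.0.1 dst 108.0.0.1
                proto esp reqid 1 mode tunnel'
BROKEN_ROUTES='108.0.0.1 via 24.0.0.254 dev eth1 proto static src 24.0.0.1'

# Constructed (simplified) samples of a working route-based setup.
OK_STATE='src 24.0.0.1 dst 108.0.0.1
        proto esp spi 0xc0ffee01 reqid 1 mode tunnel'
OK_POLICY='src 0.0.0.0/0 dst 0.0.0.0/0
        dir out priority 367231
        tmpl src 24.0.0.1 dst 108.0.0.1
                proto esp reqid 1 mode tunnel'
OK_ROUTES='172.31.1.0/24 dev ipsec0 scope link'

check_tunnel "$BROKEN_STATE" "$BROKEN_POLICY" "$BROKEN_ROUTES" "$REMOTE_NET" "$XFRM_IF"
check_tunnel "$OK_STATE" "$OK_POLICY" "$OK_ROUTES" "$REMOTE_NET" "$XFRM_IF"
```

On a live router, replace the samples with `"$(ip xfrm state)"`, `"$(ip xfrm policy)"` and `"$(ip route; ip route list table 220)"`.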