[SOLVED] Strongswan Site-to-Site VPN

I'm testing a site-to-site configuration from OpenWrt to a commercial gateway (paloalto). I can establish the tunnel and communicate from the gateway side (rightsubnet) to OpenWrt and the clients behind it (leftsubnet), but I can't communicate from OpenWrt itself and its clients to the network behind the gateway. To communicate from rightsubnet to leftsubnet I had to add


config forwarding 'allow_right_to_left'
        option src 'wan'
        option dest 'lan'

When I try to communicate from leftsubnet to rightsubnet I see the following, where eth2 is the interface connected to the modem, is the wan IP given by the modem and is a host at rightsubnet. The actual source of the packet is

root@OPENWRT:~# tcpdump -i eth2 -n dst host
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
13:10:28.470120 IP > ICMP echo request, id 1, seq 8, length 40
13:10:33.483124 IP > ICMP echo request, id 1, seq 9, length 40

There is no traffic getting to the gateway of rightsubnet, so I assume this packet is not being tunneled. What can I look at to solve this? It's clear that the packet is crossing the lan to wan boundary of OpenWrt, but after that I'm not sure what behaviour I should see.

This is my ipsec statusall output regarding the left and right sides:

    paloalto{3}: ===

I know it's related to the fact that is outside, but I'm not sure how to make an exception so that OpenWrt does not change the source IP of packets destined to I appreciate any help, I can't figure this out.

I tried to set option masq to '0' with no effect.

config zone 'wan'
        list network 'wan'
        option output 'ACCEPT'
        option masq '1'
        option name 'wan'
        option input 'REJECT'
        option forward 'REJECT'
        option mtu_fix '1'

Solved using

option masq_dest ![rightsubnet]
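The wan zone as posted, next to the corrected version, written out as an added example (not the poster's own config). With `masq '1'` on the wan zone, the source of a lan packet is rewritten to the wan IP before the IPsec policy is matched, so it no longer fits the leftsubnet selector and leaves eth2 as the plain ICMP seen in the tcpdump above; `masq_dest` with a negated prefix keeps NAT for internet traffic but exempts the remote subnet. The prefix 198.51.100.0/24 is a placeholder for rightsubnet.

```uci
# /etc/config/firewall -- wan zone as posted (masquerades everything
# leaving wan, including traffic meant for the IPsec tunnel)
config zone 'wan'
        list network 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

# Corrected wan zone: same masquerading, but destinations inside the
# remote IPsec subnet are excluded, so those packets keep their
# leftsubnet source and match the tunnel policy.
# 198.51.100.0/24 is a placeholder for rightsubnet; use the real prefix.
config zone 'wan'
        list network 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list masq_dest '!198.51.100.0/24'
        option mtu_fix '1'

# Return path the poster already added: decrypted traffic from
# rightsubnet enters through the wan zone and must be allowed into lan.
config forwarding 'allow_right_to_left'
        option src 'wan'
        option dest 'lan'
```

After `/etc/init.d/firewall restart`, repeating the tcpdump on eth2 should show ESP packets to the peer gateway instead of plain ICMP echo requests to the rightsubnet host; `ip xfrm policy` lists the selectors the kernel actually matches, which is the quickest way to confirm the leftsubnet/rightsubnet pair is installed.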
