LINUX.ORG.RU


IPsec strongSwan: traffic is not routed into the tunnel

The tunnel comes up, but traffic does not go into it. Please give me a nudge as to what is wrong:

My network is 1.1.1.1/32; the external server running IPsec is 55.55.55.55. The server has connectivity to my network through its own gateway.

It is not clear how to add a route so that traffic starts going into the tunnel: it arrives at the server and goes back out to the default gateway.

CentOS 7

ip ro
default via 55.55.55.1 dev eth1 proto static metric 100
55.55.55.1/25 dev eth1 proto kernel scope link src 55.55.55.55 metric 100
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.ip_no_pmtu_disc = 1
/etc/strongswan/ipsec.conf

config setup
        charondebug="ike 4, knl 4, cfg 2"    #useful debugs

conn tele2
        authby=secret   # Auth with PSK (preshared key)
        left=55.55.55.55
        leftsubnet=1.1.1.1/32
        right=77.77.77.77
        rightsubnet=2.2.2.2/32
        auto=start
        ikelifetime=86400s
        lifetime=3600s
        leftauth=psk
        rightauth=psk
        keyexchange=ikev1
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1-modp1024!
charon.conf

charon {
  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown eap-identity

  crypto_test { }
  host_resolver { }
  leak_detective { }
  processor {
    priority_threads {
    }
  }
  start-scripts {}
  stop-scripts {}
  tls {}
  509 {}
}
sudo strongswan statusall
Status of IKE charon daemon (strongSwan 5.5.3, Linux 4.4.14, x86_64):
  uptime: 47 minutes, since Sep 28 14:35:25 2017
  malloc: sbrk 1609728, mmap 0, used 514096, free 1095632
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon acert attr constraints curl curve25519 dhcp dnskey eap-gtc eap-md5 eap-mschapv2 eap-peap eap-tls eap-ttls farp fips-prf gcrypt md4 nonce openssl pgp pkcs12 pkcs8 pubkey rc2 resolve sshkey unity vici xauth-eap xauth-generic xauth-noauth xauth-pam aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown eap-identity
Listening IP addresses:
  55.55.55.55
Connections:
       tele2:  55.55.55.55...77.77.77.77  IKEv1
       tele2:   local:  [55.55.55.55] uses pre-shared key authentication
       tele2:   remote: [77.77.77.77] uses pre-shared key authentication
       tele2:   child:  1.1.1.1/32 === 2.2.2.2/32 TUNNEL
Security Associations (1 up, 0 connecting):
       tele2[1]: ESTABLISHED 47 minutes ago, 55.55.55.55[55.55.55.55]...77.77.77.77[77.77.77.77]
       tele2[1]: IKEv1 SPIs: 5682a023bef3ac6d_i* 6045e8c8a9beeeb8_r, pre-shared key reauthentication in 22 hours
       tele2[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
       tele2{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cc6da7f7_i 72113648_o
       tele2{2}:  AES_CBC_256/HMAC_SHA1_96/MODP_1024, 3360 bytes_i (56 pkts, 3s ago), 3360 bytes_o (56 pkts, 3s ago), rekeying in 41 minutes
       tele2{2}:   1.1.1.1/32 === 2.2.2.2/32
sudo ip xfrm policy
src 55.55.55.55/32 dst 2.2.2.2/32
        dir out priority 367231 ptype main
        tmpl src 55.55.55.55 dst 77.77.77.77
                proto esp reqid 1 mode tunnel
src 2.2.2.2/32 dst 1.1.1.1/32
        dir fwd priority 367231 ptype main
        tmpl src 77.77.77.77 dst 55.55.55.55
                proto esp reqid 1 mode tunnel
src 2.2.2.2/32 dst 1.1.1.1/32
        dir in priority 367231 ptype main
        tmpl src 77.77.77.77 dst 55.55.55.55
                proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src ::/0 dst ::/0
        socket in priority 0 ptype main
src ::/0 dst ::/0
        socket out priority 0 ptype main
src ::/0 dst ::/0
        socket in priority 0 ptype main
src ::/0 dst ::/0
        socket out priority 0 ptype main
ip route show table 220

..


Lalera
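An added diagnostic, not from the post or from strongSwan, that parses an `ip xfrm policy` dump and reports which policy the kernel would apply to a flow leaving the host (lowest priority value wins), so the "tunnel is up but packets go to the default gateway" symptom can be checked against the installed selectors instead of guessed at. The sample dump is copied from the post's output; the function names `parse_xfrm_policies`, `matching_policy` and `diagnose` are my own. Run on that dump, it shows that 1.1.1.1 -> 2.2.2.2 matches no `out` policy, because the only `out` selector has src 55.55.55.55/32, so forwarded packets from 1.1.1.1 follow the plain routing table.

```python
import ipaddress
import re

# Constructed sample (not live output): the three tunnel policies from the post's `ip xfrm policy` dump.
SAMPLE_DUMP = """\
src 55.55.55.55/32 dst 2.2.2.2/32
        dir out priority 367231 ptype main
        tmpl src 55.55.55.55 dst 77.77.77.77
                proto esp reqid 1 mode tunnel
src 2.2.2.2/32 dst 1.1.1.1/32
        dir fwd priority 367231 ptype main
        tmpl src 77.77.77.77 dst 55.55.55.55
                proto esp reqid 1 mode tunnel
src 2.2.2.2/32 dst 1.1.1.1/32
        dir in priority 367231 ptype main
        tmpl src 77.77.77.77 dst 55.55.55.55
                proto esp reqid 1 mode tunnel
"""
def parse_xfrm_policies(dump):
    """Parse `ip xfrm policy` text into dicts with src/dst networks, dir, priority and tmpl."""
    policies, cur = [], None
    for line in dump.splitlines():
        line = line.strip()
        if m := re.match(r"src (\S+) dst (\S+)$", line):
            cur = {"src": ipaddress.ip_network(m[1]), "dst": ipaddress.ip_network(m[2]),
                   "dir": None, "priority": None, "tmpl": None}
            policies.append(cur)
        elif (m := re.match(r"(dir|socket) (\w+) priority (\d+)", line)) and cur:
            # Socket policies are kept distinct ("socket in") so they never match a forwarded flow.
            cur["dir"] = m[2] if m[1] == "dir" else f"socket {m[2]}"
            cur["priority"] = int(m[3])
        elif (m := re.match(r"tmpl src (\S+) dst (\S+)", line)) and cur:
            cur["tmpl"] = (m[1], m[2])  # outer ESP endpoints of the tunnel
    return policies

def matching_policy(policies, src_ip, dst_ip, direction):
    """Policy the kernel would apply to this flow (lowest priority value wins), or None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = [p for p in policies if p["dir"] == direction and src in p["src"] and dst in p["dst"]]
    return min(hits, key=lambda p: p["priority"]) if hits else None

def diagnose(dump, src_ip, dst_ip):
    """Explain whether a packet src->dst leaving this host would be ESP-encapsulated."""
    pol = matching_policy(parse_xfrm_policies(dump), src_ip, dst_ip, "out")
    if pol is None:
        return f"{src_ip}->{dst_ip}: no 'out' policy matches; packet follows the plain routing table"
    return f"{src_ip}->{dst_ip}: ESP tunnel {pol['tmpl'][0]} -> {pol['tmpl'][1]} (selector {pol['src']} -> {pol['dst']})"

if __name__ == "__main__":
    print(diagnose(SAMPLE_DUMP, "1.1.1.1", "2.2.2.2"))
    print(diagnose(SAMPLE_DUMP, "55.55.55.55", "2.2.2.2"))
```

To check the live host, feed the output of `ip xfrm policy` to `diagnose` in place of the constructed sample.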