IP setup of Example Site-to-site VPN topology
back to parent article
h1
ip addr add 192.168.1.100/24 dev eth0 ip route add default via 192.168.1.1
h2
ip addr add 192.168.2.100/24 dev eth0 ip route add default via 192.168.2.1
r1
ip addr add 192.168.1.1/24 dev eth0 ip addr add 8.0.0.1/8 dev eth1 ip route add default via 8.0.0.2 sysctl net.ipv4.ip_forward=1
On successful IKE handshake, Strongswan adds an additional routing table
(no. 220) here and puts a source route in it which tells r1 to use the
IP address 192.168.1.1 of its eth0 interface when sending locally
generated packets to hosts in the VPN peer subnet 192.168.2.0/24.
ip route show table 220 192.168.2.0/24 via 8.0.0.2 dev eth1 proto static src 192.168.1.1
This behavior depends on the Strongswan configuration
setting charon.install_route, however the default value for this setting is yes. The
setting will usually be placed in file /etc/strongswan.d/charon.conf. See reference docu on strongswan.conf.
Strongswan automatically removes this route again when the VPN tunnel is terminated.
rx
ip addr add 8.0.0.2/8 dev eth0 ip addr add 9.0.0.2/8 dev eth1 sysctl net.ipv4.ip_forward=1
Intentionally, no routes to subnets 192.168.1.0/24 and 192.168.2.0/24
are set here because in this topology rx fulfills the role of a router in
the Internet and routers in the Internet do not have routes into private
subnets behind edge routers like r1 and r2.
r2
ip addr add 192.168.2.1/24 dev eth0 ip addr add 9.0.0.1/8 dev eth1 ip route add default via 9.0.0.2 sysctl net.ipv4.ip_forward=1
This route is added by Strongswan (already explained for r1):
ip route show table 220 192.168.1.0/24 via 9.0.0.2 dev eth1 proto static src 192.168.2.1