We have an IPsec tunnel: local subnet 10.2.226.0/24, remote subnet 10.227.0.0/16.
The local_subnet is the NATted subnet of other subnets.
When the tunnel is up, there is no traffic to 10.227.0.0/16. In the strongswan.log, we can see the firewall doesn't want to add the route:
2023-03-17 15:18:04Z 28[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) [ipsec0] skip route add since remote subnet is 10.227.0.0/16, src_ip 192.168.199.253
2023-03-17 15:18:04Z 28[APP] [COP-UPDOWN] (add_routes) no routes to add for TEST on interface ipsec0
and in a route -n we are not seeing the route:
XG135_XN03_SFOS 19.5.1 MR-1-Build278# route -n
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
0.0.0.0         0.0.0.0         255.255.255.0   U     0      0   0   Port8
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0   0   LACP_SRV
10.0.2.0        10.0.1.254      255.255.255.0   UG    20     0   0   LACP_SRV
10.0.3.0        10.0.1.254      255.255.255.0   UG    20     0   0   LACP_SRV
10.0.4.0        10.0.1.254      255.255.255.0   UG    20     0   0   LACP_SRV
10.0.5.0        10.0.1.254      255.255.255.0   UG    20     0   0   LACP_SRV
10.0.6.0        10.0.1.254      255.255.255.0   UG    20     0   0   LACP_SRV
10.0.8.0        0.0.0.0         255.255.255.0   U     0      0   0   LACP_SRV.7
10.0.9.0        0.0.0.0         255.255.255.0   U     0      0   0   LACP_SRV.9
10.0.100.0      10.0.1.254      255.255.255.0   UG    20     0   0   LACP_SRV
109.7.27.240    0.0.0.0         255.255.255.248 U     0      0   0   Port2
172.16.1.0      172.16.7.253    255.255.255.0   UG    20     0   0   Port3
172.16.2.0      172.16.7.253    255.255.255.0   UG    20     0   0   Port3
172.16.4.0      172.16.7.253    255.255.255.0   UG    20     0   0   Port3
172.16.7.0      0.0.0.0         255.255.255.0   U     0      0   0   Port3
172.16.8.0      172.16.7.253    255.255.255.0   UG    20     0   0   Port3
172.16.9.0      172.16.7.253    255.255.255.0   UG    20     0   0   Port3
172.16.200.0    172.16.7.253    255.255.255.0   UG    20     0   0   Port3
172.16.204.0    172.16.7.253    255.255.255.0   UG    20     0   0   Port3
192.168.33.0    172.16.7.253    255.255.255.0   UG    20     0   0   Port3
192.168.101.0   0.0.0.0         255.255.255.0   U     0      0   0   Port7
192.168.254.0   0.0.0.0         255.255.255.0   U     0      0   0   Port4
If I use a non-NATted subnet, it's working. Can you help us?
I have found this:
XG135_XN03_SFOS 19.5.1 MR-1-Build278# ip route show table 220
10.227.0.0/16 dev ipsec0 scope link src 10.2.226.254
The firewall does not have the IP 10.2.226.254 ;(
Where can I delete this route?
I have added system ipsec_route add net 10.227.0.0/255.255.255.0 tunnelname test and it's working!
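As an added diagnostic that is not part of the original thread: the script below automates the two checks made above. It parses (constructed) `ip route show table 220` and `ip -4 addr` excerpts, flags a tunnel route whose `src` hint is not one of the firewall's own addresses, and reports when no route on the tunnel interface covers the whole remote subnet (or a static route covers only part of it). The sample addresses are made up for the example and are not the firewall's real configuration.

```python
import ipaddress
import re

# Constructed samples modelled on the post; not captured from the firewall.
ROUTE_TABLE_220 = "10.227.0.0/16 dev ipsec0 scope link src 10.2.226.254\n"
IP_ADDR = (
    "    inet 192.168.199.253/24 brd 192.168.199.255 scope global Port1\n"
    "    inet 10.0.1.1/24 brd 10.0.1.255 scope global LACP_SRV\n"
)

def local_addresses(ip_addr_output):
    """Collect the IPv4 addresses configured on the box from `ip -4 addr` output."""
    return set(re.findall(r"\binet (\d+(?:\.\d+){3})/\d+", ip_addr_output))

def parse_routes(ip_route_output):
    """Return (network, device, src-or-None) tuples from `ip route show` output."""
    routes = []
    for line in ip_route_output.splitlines():
        m = re.match(r"(\S+)(?: via \S+)? dev (\S+)(?:.*\bsrc (\S+))?", line.strip())
        if m:
            dst = "0.0.0.0/0" if m.group(1) == "default" else m.group(1)
            net = ipaddress.ip_network(dst, strict=False)
            routes.append((net, m.group(2), m.group(3)))
    return routes

def check_tunnel_routes(remote_subnet, ip_route_output, ip_addr_output, dev="ipsec0"):
    """List problems with the routes that should carry traffic for an IPsec remote subnet."""
    remote = ipaddress.ip_network(remote_subnet)
    local = local_addresses(ip_addr_output)
    findings, fully_covered = [], False
    for net, iface, src in parse_routes(ip_route_output):
        if iface != dev or not net.overlaps(remote):
            continue
        if net.supernet_of(remote):
            fully_covered = True
        else:
            findings.append(f"route {net} on {iface} covers only part of {remote}")
        # A src hint that is not one of the firewall's own addresses is exactly
        # what the post found in table 220, so report it.
        if src and src not in local:
            findings.append(f"route {net} on {iface} uses src {src}, not a local address")
    if not fully_covered:
        findings.append(f"no route on {dev} covers the whole of {remote}")
    return findings

if __name__ == "__main__":
    for finding in check_tunnel_routes("10.227.0.0/16", ROUTE_TABLE_220, IP_ADDR):
        print(finding)
```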