In our research project, we needed to deploy a server "Molly" at another company. They made us set up an IPsec tunnel to their firewall/gateway and from there, the comms are forwarded to our server. I configured StrongSwan on our gateway machine "Dolly" and this works pretty OK. Dolly has a public address, say 1.1.1.1, and a virtual address 10.10.1.1, needed for the site-to-site tunnel, attached to the same network card "eth0". On the other side, Molly has 10.10.2.1. While I'm logged on to Dolly, I can ping Molly at this address without any problem, despite the fact that the routing is not explicitly set up by StrongSwan (the subnet 10.10.2.1/24 does not appear in the routing table).
I would like to give our team access to Molly. Dolly (our gateway) is on a big network, so I thought of creating a VPN run by Dolly where the team members can connect. I configured OpenVPN with 10.10.1.0/24 as the subnet address. OpenVPN sets 10.10.1.1 on its "tap0" device, I can connect to it, and I get 10.10.1.2 on my OpenVPN client's tap interface. I can ping 10.10.1.1.
So, I thought that I could simply (it wasn't!) bridge eth0 and tap0 on Dolly under br0, so that all messages traversing the OpenVPN network would be made available to the StrongSwan tunnel. If anybody on the OpenVPN subnetwork sent packets to 10.10.2.1, they would show up on the bridge device on Dolly and, to the best of my understanding, would be pulled into the tunnel due to the iptables settings of StrongSwan.
Yet, it doesn't happen... Pinging - and anything else - from any VPN member (e.g. 10.10.1.2) is not possible; it only works from Dolly (10.10.1.1). Restarting the tunnel with the bridge already in place goes smoothly but doesn't change the situation. I tried adding a routing rule on the client computer (10.10.1.2) saying to use 10.10.1.1 as a gateway to 10.10.2.0/24, but for some reason it rejects it ("Error: either "to" is duplicate, or "gw" is a garbage.").
I'm lost. Has anybody actually managed to achieve this sort of configuration?
Thanks in advance!
Szymon
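An added example, not part of the original post and not the strongSwan or OpenVPN projects' own configuration: the first thing a practitioner would check in this situation is the IPsec traffic selectors, not the bridge. An IPsec tunnel carries only packets whose source and destination match the selectors negotiated with the peer. If Dolly's connection was set up with a local selector covering only its own 10.10.1.1 (an assumption; the post does not show the configuration), packets arriving from 10.10.1.2 over the bridge match no policy and are never encrypted, however they reach Dolly. The fragment below widens the local selector to the whole OpenVPN subnet. The peer's gateway must accept the same selector on its side, so the other company has to change their configuration as well, and since they would then be trusting every OpenVPN client rather than one host, they will likely want to filter that traffic on their end. The connection name, the peer address and the authentication settings are placeholders; the existing tunnel's authentication and IKE settings should be kept as they are.

```ini
# /etc/ipsec.conf on Dolly (added example; the peer address and the conn name
# are placeholders, 1.1.1.1 / 10.10.1.0/24 / 10.10.2.0/24 are from the post)
conn molly-site
    left=1.1.1.1
    # Local selector must cover the OpenVPN clients, not only Dolly's 10.10.1.1.
    # The remote gateway must be reconfigured to accept this subnet too.
    leftsubnet=10.10.1.0/24
    right=PEER_GATEWAY_PLACEHOLDER
    rightsubnet=10.10.2.0/24
    # ... keep the existing auth / ike / esp settings of the working tunnel ...
    auto=start
```

Two further checks go with this. strongSwan installs its routes in routing table 220 rather than the main table, which is why the remote subnet does not show up in a plain routing listing: `ip route show table 220` and `ip xfrm policy` show whether a policy for 10.10.1.0/24 to 10.10.2.0/24 was actually negotiated after the restart. On the client side, the rejected command is almost certainly iproute2 syntax with the old net-tools keyword: `ip route` expects `via`, so the route is `ip route add 10.10.2.0/24 via 10.10.1.1` (with `gw`, iproute2 reports exactly the "gw is a garbage" error quoted above). Rather than adding it by hand on every client, OpenVPN can push it with `push "route 10.10.2.0 255.255.255.0"` in the server configuration. Dolly also needs `net.ipv4.ip_forward=1`, since for traffic that did not originate on Dolly it is acting as a router.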