
<DIV>Hi,all</DIV>


<DIV>        The roadwarriors <B>alice</B> and <B>venus</B> sitting behind the NAT router <B>moon</B> set up tunnels to gateway <B>sun.</B></DIV>


<DIV> </DIV>


<DIV><IMG style="WIDTH: 630px; HEIGHT: 268px" src="cid:06EED9A6@AFE86D12.433B394F.png" naturalW="840" naturalH="358" modifysize="75%" diffpixels="16px"></DIV>


<DIV><STRONG>  </STRONG></DIV>


<DIV><STRONG>    </STRONG>The content of  ipsec.conf in the moon as :</DIV>


<DIV><PRE># /etc/ipsec.conf - strongSwan IPsec configuration file


config setup


        plutostart=no


conn %default


        ikelifetime=60m


        keylife=20m


        rekeymargin=3m


        keyingtries=1


        authby=secret


        keyexchange=ikev2


        mobike=no


conn net-net


        left=192.168.0.1


        leftid=@moon.strongswan.org


        leftfirewall=yes


        right=192.168.0.2


        rightsubnet=10.2.0.0/16


        rightid=@sun.strongswan.org


        auto=add</PRE></DIV>


<DIV>         And the content of ipsec.conf in the moon as :</DIV>


<DIV> </DIV>


<DIV><PRE># /etc/ipsec.conf - strongSwan IPsec configuration file


config setup


        plutostart=no


conn %default


        ikelifetime=60m


        keylife=20m


        rekeymargin=3m


        keyingtries=1


        authby=secret


        keyexchange=ikev2


        mobike=no


conn net-net


        left=192.168.0.2


        leftsubnet=10.2.0.0/16


        leftid=@sun.strongswan.org


        leftfirewall=yes


        right=192.168.0.1


        rightid=@moon.strongswan.org


        auto=add


</PRE><PRE>    Maybe you  has found that  there is<STRONG> not</STRONG> a line "leftsubnet=10.1.0.0/16" in the ipsec.conf of moon,and there is aslo  <STRONG>not</STRONG> a line "rightsubnet=10.1.0.0/16" in the ipsec.conf of sun.</PRE><PRE>    Now what I need is that :alice and moon can ping bob <STRONG>with the IPsec tunnel</STRONG>, ,and venus can ping winnettou <STRONG>without the IPsec tunnel</STRONG> <STRONG>,</STRONG>the serious situation is that<STRONG> I only can modify the ipsec.conf of moon ,</STRONG>and<STRONG>  ban modifying the ipsec.conf of sun</STRONG> .This hard question has troubled me for a month ,I have found  many references,but I still can not solve this hard question , is there any method can solve this hard question ?May I solve this question by the iptables or modify the ipsec.conf of moon only ?</PRE><PRE><SPAN style="WIDOWS: 2; TEXT-TRANSFORM: none; TEXT-INDENT: 0px; LETTER-SPACING: normal; BORDER-COLLAPSE: separate; FONT: medium Simsun; WHITE-SPACE: normal; ORPHANS: 2; COLOR: rgb(0,0,0); WORD-SPACING: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px" class=Apple-style-span><SPAN style="BORDER-COLLAPSE: collapse; FONT-FAMILY: arial, sans-serif; COLOR: rgb(34,34,34); FONT-SIZE: 14px" class=Apple-style-span><SPAN class=Apple-converted-space> </SPAN>Regards<SPAN class=Apple-converted-space> ,</SPAN></SPAN></SPAN></PRE><PRE><SPAN style="WIDOWS: 2; TEXT-TRANSFORM: none; TEXT-INDENT: 0px; LETTER-SPACING: normal; BORDER-COLLAPSE: separate; FONT: medium Simsun; WHITE-SPACE: normal; ORPHANS: 2; COLOR: rgb(0,0,0); WORD-SPACING: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px" class=Apple-style-span><SPAN style="BORDER-COLLAPSE: collapse; FONT-FAMILY: arial, sans-serif; COLOR: rgb(34,34,34); FONT-SIZE: 14px" class=Apple-style-span><SPAN class=Apple-converted-space>                                                                            Qixing Law                                                      </SPAN></SPAN></SPAN></PRE><PRE> </PRE></DIV>