<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:windowtext;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Yeah I am running v5.0 and the leftnexthop has been removed…..
</span><span style="font-size:11.0pt;font-family:Wingdings">L</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">I am looking into setting some static routing on my updown script that can be run each time or have a permanent route in place for all my virtual ip address as they arrive.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr style="height:1.25in">
<td width="210" valign="top" style="width:1.75in;padding:0in 0in 0in 0in;height:1.25in">
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr style="height:105.2pt">
<td width="230" style="width:137.8pt;padding:0in 0in 0in 0in;height:105.2pt">
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="471" style="width:282.75pt">
<tbody>
<tr style="height:116.8pt">
<td width="255" style="width:153.0pt;padding:0in 0in 0in 0in;height:116.8pt">
<p class="MsoNormal" style="line-height:115%"><b><span style="font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif"">Regards,</span></b><b><span style="font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif""><o:p></o:p></span></b></p>
<p class="MsoNormal" style="line-height:115%"><b><i><span style="font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif""><o:p> </o:p></span></i></b></p>
<p class="MsoNormal" style="line-height:115%"><b><i><span style="font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif"">Adrian Milanoski</span></i></b><span style="font-size:8.0pt;line-height:115%;font-family:"Calibri","sans-serif""><br>
Lab Administrator<span style="color:black"><o:p></o:p></span></span></p>
<p class="MsoNormal" style="line-height:115%"><span style="font-size:8.0pt;line-height:115%;font-family:"Calibri","sans-serif"">BBOS WiFI VPN. Security Testing – R&D<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:115%"><span style="font-size:8.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#0070C0">Research In Motion Limited</span><span style="font-size:8.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:black">
<br>
</span><span style="font-size:8.0pt;line-height:115%;font-family:"Calibri","sans-serif"">Tel.(289) 261-5801 | Cel: (647) 289-261-5801<br>
Email <span style="color:black"> <a href="mailto:amilanoski@rim.com"><span style="line-height:115%;color:#9E540A">amilanoski@rim.com</span></a></span></span><b><span style="font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif";color:#003049"><o:p></o:p></span></b></p>
</td>
<td width="216" style="width:129.75pt;padding:0in 0in 0in 0in;height:116.8pt">
<p class="MsoNormal" style="line-height:115%"><span style="font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal" style="line-height:115%"><span style="font-size:11.0pt;line-height:115%;font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal" style="line-height:115%"><a href="http://www.rim.com/"><span style="font-family:"Calibri","sans-serif";text-decoration:none"><img border="0" width="144" height="63" id="Picture_x0020_4" src="cid:image001.jpg@01CDD56C.C3E5E460" alt="Description: Description: www.rim.com"></span></a><span style="font-size:8.0pt;line-height:115%;font-family:"Verdana","sans-serif";color:navy"><img border="0" width="127" height="49" id="Picture_x0020_3" src="cid:image002.jpg@01CDD56C.C3E5E460" alt="Description: Description: cid:image001.png@01CB37B8.EC492D80"></span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
</td>
<td width="197" style="width:118.45pt;padding:0in 0in 0in 0in;height:105.2pt">
<p class="MsoNormal" style="line-height:115%"><span style="font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
</td>
</tr>
</tbody>
</table>
</td>
<td width="167" valign="top" style="width:99.95pt;padding:0in 0in 0in 0in;height:1.25in">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> fred.demers@gmail.com [mailto:fred.demers@gmail.com]
<b>On Behalf Of </b>Frédéric Demers<br>
<b>Sent:</b> Saturday, December 08, 2012 5:41 PM<br>
<b>To:</b> Adrian Milanoski<br>
<b>Cc:</b> Andreas Steffen; Users@lists.strongswan.org<br>
<b>Subject:</b> Re: [strongSwan] Routing Polices with IPTABLES not working<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I was able to get this working in the hub and spoke configuration with both spokes exchanging through the tunnels, but I had to use the virtual IP feature and use the private addressing scheme between the spokes. This forced my traffic
through the tunnels, and they were forwarded through the hub. <o:p></o:p></p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">I also found that I needed to use the left/rightnexthop statement (maybe only needed in IKEv1) otherwise the hub could not reach the spokes, even though the spokes could reach each other through the hub and
the spokes could independently reach the the hub. This was rather odd because the hub should have known how to route to each spoke (and was doing so during packet forwarding), but not if I used a terminal window to reach either spokes. With the left/rightnexthop,
it worked (under limited testing).<o:p></o:p></p>
<div>
<p class="MsoNormal">On 8 December 2012 17:36, Adrian Milanoski <<a href="mailto:amilanoski@rim.com" target="_blank">amilanoski@rim.com</a>> wrote:<o:p></o:p></p>
<p class="MsoNormal">Hi Andrew,<br>
<br>
IP forwarding is enabled<br>
<br>
cat /proc/sys/net/ipv4/ip_forward<br>
1<br>
<br>
The packets are not getting NAT'd after they arrive back to my GW.<br>
<br>
They are going back out my public as the originating IP that it was given from the virtual ip pool. E.g. 172.16.24.x<br>
<br>
I may also add that I have only 1 default GW on my GW and that is for the public. I do not have a GW set for my private network.<br>
<br>
I am trying to get it so that any packets that come from 172.16.24.x go back out to the private interface or to the default GW for that matter.<br>
<br>
<br>
Regards,<br>
<br>
Adrian Milanoski<br>
Lab Administrator<br>
BBOS WiFI VPN Dev. Security Testing<br>
Research In Motion Limited<br>
Tel.<a href="tel:%28289%29%20261-5801">(289) 261-5801</a> | Cell: <a href="tel:647-289-6995">
647-289-6995</a><br>
Email <a href="mailto:amilanoski@rim.com">amilanoski@rim.com</a><o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
<br>
<br>
<br>
-----Original Message-----<br>
From: Andreas Steffen [mailto:<a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a>]<br>
Sent: Friday, December 07, 2012 4:15 AM<br>
To: Adrian Milanoski<br>
Cc: <a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br>
Subject: Re: [strongSwan] Routing Polices with IPTABLES not working<br>
<br>
Hi Adrian,<br>
<br>
have you enabled IP forwarding on your VPN gateway?<br>
<br>
echo 1 > /proc/sys/net/ipv4/ip_forward<br>
<br>
If yes, do you NAT packets from the private network behind the<br>
gateway going towards the Internet?<br>
<br>
If yes then you must exempt packets from the private network that<br>
are intended to go through the IPsec tunnel from NAT with the<br>
following iptables rule:<br>
<br>
iptables -t nat -I POSTROUTING 1 -s <private network> -o eth0 \<br>
-m policy --dir out --pol ipsec --proto esp -j ACCEPT<br>
<br>
Regards<br>
<br>
Andreas<br>
<br>
On 06.12.2012 19:37, Adrian Milanoski wrote:<br>
> HI All,<br>
><br>
> I have a strongSwan 5.0 setup and configure using IKEv2 PSK in config<br>
> mode with the GW providing a pool of addresses. However after the<br>
> strongSwan client connects I can only ping the Private interface of the<br>
> VPN GW.<br>
><br>
> I was wondering if anyone can assist me with what maybe going on and why<br>
> packets are not routing out the private interface to the private<br>
> networks default GW.<br>
><br>
> Why is it so difficult to get these packets flowing from the tunnel to<br>
> the private network? I thought the certain commands were to add rules in<br>
> to the IPtables and remove them when the tunnel is torn down.<br>
><br>
> Any help would be much appreciated.<br>
><br>
> *Regards,***<br>
><br>
> */ /*<br>
><br>
> */Adrian Milanoski/*<br>
> BBOS Lab Administrator<br>
><br>
> VPN / WLAN IOT / Pre-Cert<br>
><br>
> Research In Motion Limited<br>
> 4715 Tahoe Blvd, Mississauga,<br>
> ON, Canada, L4W 0B5<br>
> Tel.(289) 261-5801|Fax (905) 629-7836<br>
> Email <a href="mailto:amilanoski@rim.com">amilanoski@rim.com</a> <mailto:<a href="mailto:amilanoski@rim.com">amilanoski@rim.com</a>>**<br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
> Description: <a href="http://www.rim.com" target="_blank">www.rim.com</a> <<a href="http://www.rim.com/" target="_blank">http://www.rim.com/</a>>Description:<br>
> <a href="cid:image001.png@01CB37B8.EC492D80">cid:image001.png@01CB37B8.EC492D80</a><br>
======================================================================<br>
Andreas Steffen <a href="mailto:andreas.steffen@strongswan.org">
andreas.steffen@strongswan.org</a><br>
strongSwan - the Linux VPN Solution! <a href="http://www.strongswan.org" target="_blank">www.strongswan.org</a><br>
Institute for Internet Technologies and Applications<br>
University of Applied Sciences Rapperswil<br>
CH-8640 Rapperswil (Switzerland)<br>
===========================================================[ITA-HSR]==<br>
<br>
<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">---------------------------------------------------------------------<br>
This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information
by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission
by unintended recipients is not authorized and may be unlawful.<o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal">_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br>
<a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><o:p></o:p></p>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
--------------------------------------------------------------------- <br>
This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.
</body>
</html>