<div dir="ltr"><div><div><div><div><div>Hi Noel,<br>iptables -t nat -I POSTROUTING -s 192.168.89.0/24 -d 192.168.87.0/24 -j ACCEPT<br></div>ip route add 192.168.87.0/24 via 192.168.89.1<br><br></div>and add type=passthrough.<br></div>I can ping 192.168.87.1:<br>Routed Connections:<br>    runabove{1}:  ROUTED, TUNNEL<br>    runabove{1}:   192.168.89.0/24 === 0.0.0.0/0<br>Security Associations (1 up, 0 connecting):<br>    runabove[1]: ESTABLISHED 32 minutes ago, 192.168.88.101[ezhang]...serverip [eang]<br>    runabove{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c8508cd1_i c9042c77_o<br>    runabove{1}:   192.168.89.0/24 === 0.0.0.0/0<br><br></div>and I managed to add 8.8.8.8 into that tunnel; it works too.<br><br></div>Then I have another question: how do I add all foreign IP blocks into that tunnel?
Like via ipset?<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Dec 18, 2014 at 11:44 AM, Eric Zhang <span dir="ltr"><<a href="mailto:debiansid@gmail.com" target="_blank">debiansid@gmail.com</a>></span> wrote:<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><div>Hi Noel,</div><div>I just added</div><div><span style="background-color:rgba(255,255,255,0);color:rgba(0,0,0,0.701961)">iptables -t nat -I POSTROUTING -s 192.168.89.0/24 -d 192.168.87.0/24 -j ACCEPT</span></div><div><font color="rgba(0, 0, 0, 0.7019607843137254)"><span>Then I can ping 192.168.87.1 from openwrt.</span></font></div><div><font color="#a00031"><span>After I changed rightsubnet=0.0.0.0 on both sides' ipsec.conf, I cannot ping 87.1 from openwrt.</span></font></div><div><font color="#a00031"><span><br></span></font></div><div><font color="#a00031"><span>So how can I allow all traffic to foreign IP ranges into the IPsec tunnel?</span></font></div><div><br>Sent from Mobile<div><br></div></div><div><div class="h5"><div><br>On 18 Dec 2014, at 03:31, Noel Kuntze <<a href="mailto:noel@familie-kuntze.de" target="_blank">noel@familie-kuntze.de</a>> wrote:<br><br></div><blockquote type="cite"><div><span></span><br><span>Hello Eric,</span><br><span></span><br><span>You can use passthrough policies for your local networks and a TS of localnet == 0.0.0.0/0 for that.</span><br><span>You will need to use some custom firewall rule to except IPsec traffic from NAT.
Look through the list archive</span><br><span>for some emails from me about that topic.</span><br><span></span><br><span>Kind regards,</span><br><span>Noel Kuntze</span><br><span></span><br><span>GPG Key ID: 0x63EC6658</span><br><span>Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658</span><br><span></span><br><span>On 17.12.2014 at 13:21, Eric Y. Zhang wrote:</span><br><blockquote type="cite"><span>Hi all,</span><br></blockquote><blockquote type="cite"><span>here is my setup:</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>strongswan(openwrt)<----->strongswan(linux VPS), the IPsec tunnel is up between those 2.</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>Now I want to route all traffic except domestic through that tunnel. How can I make that work?</span><br></blockquote><blockquote type="cite"><span>--</span><br></blockquote><blockquote type="cite"><span>Life is harsh</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>_______________________________________________</span><br></blockquote><blockquote type="cite"><span>Users mailing list</span><br></blockquote><blockquote type="cite"><span><a href="mailto:Users@lists.strongswan.org" target="_blank">Users@lists.strongswan.org</a></span><br></blockquote><blockquote type="cite"><span><a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a></span><br></blockquote></div></blockquote></div></div></div></blockquote></div><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr">Life is harsh<div></div><div></div></div></div>
</div>
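<div>As an added example (not code from this thread, and not strongSwan's own), the script below renders the setup Noel describes into an ipsec.conf fragment and firewall rules for the OpenWrt side: a conn whose remote traffic selector is 0.0.0.0/0, a type=passthrough conn for the LAN plus a list of networks that must stay out of the tunnel, and a NAT exception that matches on the outbound IPsec policy (the iptables policy match) instead of on one destination. The per-destination ACCEPT rule posted above only exempts 192.168.87.0/24; once rightsubnet is 0.0.0.0/0, every other LAN packet is masqueraded before encapsulation, its source no longer matches the 192.168.89.0/24 selector, and it is dropped rather than tunnelled. Addresses are the ones from the thread; WAN_IF and the DOMESTIC list are assumptions, and DOMESTIC is a constructed placeholder, not a real country allocation.</div>

```shell
#!/bin/sh
# Added example for the setup in this thread (not code from the thread or from
# strongSwan): generate the two ipsec.conf conns and the NAT exception rules
# for "everything except these networks goes into the tunnel" on the OpenWrt side.
set -eu

# Addresses taken from the thread. WAN_IF and DOMESTIC are assumptions:
# DOMESTIC is a constructed placeholder list, not a real country allocation.
LAN=192.168.89.0/24
WAN_IF=eth0
DOMESTIC="192.168.88.0/24 10.0.0.0/8 100.64.0.0/10"

# Print the ipsec.conf fragment: a tunnel conn whose remote TS is 0.0.0.0/0 and
# a type=passthrough conn for LAN<->LAN and LAN<->DOMESTIC traffic. Passthrough
# policies are narrower than 0.0.0.0/0, so the kernel prefers them and that
# traffic bypasses the SA instead of being encapsulated.
passthrough_conn() {
    lan=$1; shift
    excluded=$(printf '%s' "$*" | tr ' ' ',')
    cat <<EOF
conn runabove
    leftsubnet=$lan
    rightsubnet=0.0.0.0/0
    type=tunnel
    auto=start

conn local-passthrough
    leftsubnet=$lan
    rightsubnet=$lan,$excluded
    type=passthrough
    auto=route
EOF
}

# With DRY_RUN=1 (the default) echo the command instead of executing it.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# NAT exception: exempt every packet the kernel is about to encapsulate
# (outbound IPsec policy match) so its source still matches the LAN selector,
# then masquerade whatever is left for the uplink. ACCEPT is inserted at the
# top of POSTROUTING so it is evaluated before MASQUERADE.
nat_rules() {
    lan=$1; wan=$2
    run iptables -t nat -I POSTROUTING -s "$lan" -m policy --dir out --pol ipsec -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$lan" -o "$wan" -j MASQUERADE
}

# "show" prints the config and the rules; "apply" executes the iptables rules.
case "${1:-show}" in
    show)  passthrough_conn "$LAN" $DOMESTIC; echo; nat_rules "$LAN" "$WAN_IF" ;;
    apply) DRY_RUN=0 nat_rules "$LAN" "$WAN_IF" ;;
esac
```

<div>Run it without arguments to review the generated conns and rules, paste the conns into ipsec.conf on the OpenWrt box, and run it with <code>apply</code> for the firewall part. The VPS side needs the mirror image: leftsubnet=0.0.0.0/0 on its conn, ip_forward enabled, and a plain MASQUERADE for 192.168.89.0/24 on its uplink. Verify with <code>ip xfrm policy</code> (the passthrough policies appear with a higher priority than the 0.0.0.0/0 one) and <code>iptables -t nat -L POSTROUTING -v -n</code> (the ACCEPT counters, not the MASQUERADE counters, should grow for tunnelled traffic). Note that XFRM policies are selected by subnet, so a domestic block list has to be rendered into the passthrough conn as this script does rather than into an ipset; a long list yields one policy pair per subnet.</div>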