<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>Hi Noel</div><div>I just added </div><div><span style="background-color: rgba(255, 255, 255, 0); color: rgba(0, 0, 0, 0.701961); -webkit-composition-fill-color: rgba(130, 98, 83, 0.0980392);">iptables -t nat -I POSTROUTING -s 192.168.89.0/24 -d 192.168.87.0/24 -j ACCEPT</span></div><div><font color="rgba(0, 0, 0, 0.7019607843137254)"><span style="-webkit-composition-fill-color: rgba(130, 98, 83, 0.0980392);">Then I can ping 192.168.87.1 from openwrt.</span></font></div><div><font color="#a00031"><span style="-webkit-composition-fill-color: rgba(130, 98, 83, 0.0980392);">After I change rightsubnet=0.0.0.0 in both sides' IPSec.conf, I cannot ping 87.1 from openwrt.</span></font></div><div><font color="#a00031"><span style="-webkit-composition-fill-color: rgba(130, 98, 83, 0.0980392);"><br></span></font></div><div><font color="#a00031"><span style="-webkit-composition-fill-color: rgba(130, 98, 83, 0.0980392);">So how can I allow all traffic to the foreign IP range into the IPsec tunnel?</span></font></div><div><br>Sent from Mobile<div><br></div></div><div><br>On 18 December 2014, at 03:31, Noel Kuntze &lt;<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>&gt; wrote:<br><br></div><blockquote type="cite"><div><span></span><br><span>Hello Eric,</span><br><span></span><br><span>You can use passthrough policies for your local networks and a ts of localnet == 0.0.0.0/0 for that.</span><br><span>You will need to use some custom firewall rule to except IPsec traffic from NAT. 
Look through the list archive</span><br><span>for some emails from me about that topic.</span><br><span></span><br><span>Kind regards,</span><br><span>Noel Kuntze</span><br><span></span><br><span>GPG Key ID: 0x63EC6658</span><br><span>Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658</span><br><span></span><br><span>On 17.12.2014 at 13:21, Eric Y. Zhang wrote:</span><br><blockquote type="cite"><span>Hi all</span><br></blockquote><blockquote type="cite"><span>here is my setup</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>strongswan(openwrt)&lt;-----&gt;strongswan(linux VPS), the ipsec tunnel is up between those 2.</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>Now I want to route all traffic except domestic to that tunnel. How can I make that work?</span><br></blockquote><blockquote type="cite"><span>--</span><br></blockquote><blockquote type="cite"><span>Life is harsh</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>_______________________________________________</span><br></blockquote><blockquote type="cite"><span>Users mailing list</span><br></blockquote><blockquote type="cite"><span><a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a></span><br></blockquote><blockquote type="cite"><span><a href="https://lists.strongswan.org/mailman/listinfo/users">https://lists.strongswan.org/mailman/listinfo/users</a></span><br></blockquote></div></blockquote></body></html>