<div dir="ltr">Hello,<div><br></div>
<div>In my environment it works this way (tailored for your IP ranges):</div>
<div><div>iptables -S -t nat</div>
<div>-P PREROUTING ACCEPT</div>
<div>-P INPUT ACCEPT</div>
<div>-P OUTPUT ACCEPT</div>
<div>-P POSTROUTING ACCEPT</div>
<div>-A POSTROUTING -s 10.0.0.0/24 -d 10.2.0.0 -j RETURN</div>
<div>-A POSTROUTING -s 10.0.0.0/24 ! -d 1.1.1.0/24 -o eth0 -j MASQUERADE</div>
<div><br></div>
<div>I do not want traffic from the client to get masqueraded within the server's internal subnet.</div>
<div><br></div>
<div>Also please note that strongSwan also installs an additional routing table, number 220.<br></div>
<div>ip route show table 220</div>
<div>However, I assume you don't have any problem with routing and you can ping from subnet 10.0.0.0/24 to subnet 10.2.0.0/24.<br></div>
<div><br></div>
<div>BR,</div>
<div>Miroslav</div>
<br>On Monday, April 27, 2015 at 6:26:45 PM UTC+2, ch+str...@henniger.info wrote:<blockquote class="gmail_quote" style="margin: 0;margin-left: 0.8ex;border-left: 1px #ccc solid;padding-left: 1ex;"><div dir="ltr"><div>Hello,</div>
<div><br></div>
<div>Hoping someone can help me:</div>
<div><br></div>
<div>With the following LAN-LAN setup</div>
<div>Server 10.2.0.0/24 - 1.1.1.1 --- 2.2.2.2 - 10.0.0.0/24 Client</div>
<div><br></div>
<div>I am trying to route the whole traffic from the client through the server, with the traffic masqueraded to the public net.</div>
<div><br></div>
<div>tcpdump on the server shows the traffic is routed but not masqueraded.</div>
<div>(example from a host (10.0.0.110) inside the client net to a public IP (<a href="http://www.heise.de">www.heise.de</a>))</div>
<div><br></div>
<div>17:45:47.871219 IP 10.0.0.110 > www.heise.de: ICMP echo request, id 20758, seq 6, length 64</div>
<div><br></div>
<div>Thank you in advance for any advice.</div>
<div><br></div>
<div>Chris</div>
<div><br></div>
<div><br></div>
<div>My Configuration:</div>
<div><br></div>
<div>Linux vpn 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt9-2 (2015-04-13) x86_64 GNU/Linux</div>
<div>StrongSwan 5.2.1-6</div>
<div><br></div>
<div># cat /etc/ipsec.conf</div>
<div>---</div>
<div>config setup</div>
<div><br></div>
<div>conn %default</div>
<div>        ikelifetime=60m</div>
<div>        keylife=20m</div>
<div>        rekeymargin=3m</div>
<div>        keyingtries=1</div>
<div>        authby=secret</div>
<div>        keyexchange=ike</div>
<div>        mobike=no</div>
<div><br></div>
<div>conn divinus</div>
<div>        left=1.1.1.1</div>
<div>        leftsubnet=0.0.0.0/0</div>
<div>        right=%any</div>
<div>        rightsubnet=10.0.0.0/24</div>
<div>        auto=add</div>
<div>---</div>
<div><br></div>
<div><br></div>
<div># ip xfrm policy</div>
<div>---</div>
<div>src 10.0.0.0/24 dst 10.2.0.0/24</div>
<div>        dir fwd priority 2883 ptype main</div>
<div>        tmpl src 2.2.2.2 dst 1.1.1.1</div>
<div>                proto esp reqid 1 mode tunnel</div>
<div>src 10.0.0.0/24 dst 10.2.0.0/24</div>
<div>        dir in priority 2883 ptype main</div>
<div>        tmpl src 2.2.2.2 dst 1.1.1.1</div>
<div>                proto esp reqid 1 mode tunnel</div>
<div>src 10.2.0.0/24 dst 10.0.0.0/24</div>
<div>        dir out priority 2883 ptype main</div>
<div>        tmpl src 1.1.1.1 dst 2.2.2.2</div>
<div>                proto esp reqid 1 mode tunnel</div>
<div>src 0.0.0.0/0 dst 0.0.0.0/0</div>
<div>        socket in priority 0 ptype main</div>
<div>src 0.0.0.0/0 dst 0.0.0.0/0</div>
<div>        socket out priority 0 ptype main</div>
<div>src 0.0.0.0/0 dst 0.0.0.0/0</div>
<div>        socket in priority 0 ptype main</div>
<div>src 0.0.0.0/0 dst 0.0.0.0/0</div>
<div>        socket out priority 0 ptype main</div>
<div>src ::/0 dst ::/0</div>
<div>        socket in priority 0 ptype main</div>
<div>src ::/0 dst ::/0</div>
<div>        socket out priority 0 ptype main</div>
<div>src ::/0 dst ::/0</div>
<div>        socket in priority 0 ptype main</div>
<div>src ::/0 dst ::/0</div>
<div>        socket out priority 0 ptype main</div>
<div><br></div>
<div><br></div>
<div><br></div>
<div># route</div>
<div>Kernel-IP-Routentabelle</div>
<div>Ziel            Router          Genmask         Flags Metric Ref    Use Iface</div>
<div>default         1.1.1.1         0.0.0.0         UG    0      0        0 eth0</div>
<div>10.2.0.0        *               255.255.255.0   U     0      0        0 eth0</div>
<div>1.1.1.0         1.1.1.1         255.255.255.0   UG    0      0        0 eth0</div>
<div>1.1.1.0         *               255.255.255.0   U     0      0        0 eth0</div>
<div><br></div>
<div><br></div>
<div><br></div>
<div># cat /proc/sys/net/ipv4/ip_forward</div>
<div>1</div>
<div><br></div>
<div><br></div>
<div><br></div>
<div># iptables -L -v</div>
<div>---</div>
<div>Chain INPUT (policy ACCEPT 9111 packets, 573K bytes)</div>
<div> pkts bytes target     prot opt in     out     source               destination</div>
<div><br></div>
<div>Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)</div>
<div> pkts bytes target     prot opt in     out     source               destination</div>
<div><br></div>
<div>Chain OUTPUT (policy ACCEPT 891 packets, 128K bytes)</div>
<div> pkts bytes target     prot opt in     out     source               destination</div>
<div>---</div>
<div><br></div>
<div><br></div>
<div># iptables -t nat -L -v</div>
<div>---</div>
<div>Chain PREROUTING (policy ACCEPT 3705 packets, 221K bytes)</div>
<div> pkts bytes target     prot opt in     out     source               destination</div>
<div><br></div>
<div>Chain INPUT (policy ACCEPT 1596 packets, 89736 bytes)</div>
<div> pkts bytes target     prot opt in     out     source               destination</div>
<div><br></div>
<div>Chain OUTPUT (policy ACCEPT 1700 packets, 120K bytes)</div>
<div> pkts bytes target     prot opt in     out     source               destination</div>
<div><br></div>
<div>Chain POSTROUTING (policy ACCEPT 8 packets, 672 bytes)</div>
<div> pkts bytes target     prot opt in     out     source               destination</div>
<div>    0     0 ACCEPT     all  --  any    eth0    anywhere            !10.0.0.0/24          policy match dir out pol ipsec</div>
<div>    0     0 LOG        all  --  any    eth0    anywhere            !10.0.0.0/24          policy match dir out pol ipsec LOG level warning</div>
<div> 1709  121K MASQUERADE  all  --  any    eth0    anywhere            !10.0.0.0/24</div>
<div>---</div></div>
</blockquote></div></div>
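The NAT layout Miroslav describes (a RETURN for client-to-internal-LAN traffic placed above the MASQUERADE for everything else) is worth having in a reviewable, repeatable form. The shell script below is an added example and is not code from either message in this thread or from the strongSwan project. It takes the thread's addressing as defaults (10.0.0.0/24 client subnet, 10.2.0.0/24 server LAN, eth0 as the WAN interface), prints the iptables commands rather than executing them, and adds a small audit function that scans `iptables -S -t nat` output for the ordering mistake that would masquerade client traffic inside the server's own LAN. The function names are this example's own, and the MASQUERADE rule is simplified to `-o eth0` instead of Miroslav's `! -d 1.1.1.0/24` exclusion.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates and audits the nat/POSTROUTING
# rules for a strongSwan gateway that carries a remote subnet's default route:
# traffic into the gateway's own LAN keeps its real source address (RETURN placed
# before MASQUERADE); everything else bound for the WAN is masqueraded.
# Function names are this example's own; the defaults mirror the thread's
# 10.0.0.0/24 (client), 10.2.0.0/24 (server LAN) and eth0 (WAN).

# Print the iptables commands instead of running them, so the rule set can be
# reviewed first and then applied with: gen_nat_rules 10.0.0.0/24 10.2.0.0/24 eth0 | sh
gen_nat_rules() {
    client_net="$1"   # remote subnet arriving through the IPsec tunnel
    server_net="$2"   # local subnet that must see the clients' real addresses
    wan_if="$3"       # interface toward the public net

    # Order matters: the RETURN must sit above the MASQUERADE rule, otherwise
    # client -> LAN packets are rewritten to the gateway's address and the LAN's
    # own logs and firewall rules can no longer tell remote clients apart.
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -j RETURN\n' "$client_net" "$server_net"
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$client_net" "$wan_if"
}

# Audit an existing rule list (stdin, in `iptables -S -t nat` format) for the
# ordering mistake above. A MASQUERADE rule that can match the client subnet
# (no -s at all, or -s <client>) seen before the RETURN for <client> -> <server>
# is flagged. Returns 0 when the order is safe, 1 otherwise.
nat_order_ok() {
    awk -v c="$1" -v s="$2" '
        / -j RETURN/ && $0 ~ ("-s " c) && $0 ~ ("-d " s) { ret = 1 }
        / -j MASQUERADE/ && !ret && ($0 !~ / -s / || $0 ~ ("-s " c)) { bad = 1 }
        END { exit (bad ? 1 : 0) }'
}
```

Run `iptables -S -t nat | nat_order_ok 10.0.0.0/24 10.2.0.0/24` on the gateway to confirm the RETURN is in place before any MASQUERADE that could catch tunnel traffic; the check is a text heuristic over `-S` output and deliberately treats a MASQUERADE rule with no `-s` restriction as matching the client subnet, which is exactly the shape of the rule set in Chris's original post.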