<div dir="ltr"><p dir="ltr">Hello all,<br>The gateway of my local site has a site-to-site VPN to my remote site. I want to forward all traffic (including internet traffic) from my local site to remote site.</p><p>The ipsec.conf in local gateway:</p><p>conn %default</p><p> left=%any</p><p> leftcert=<></p><p> leftid=<></p><p> leftauth=pubkey</p><p> keyexchange=ikev2</p><p>conn site-to-site</p><p> right=<remote_ip></p><p> rightid=<></p><p> rightauth=pubkey</p><p> leftsubnet=<a href="http://10.10.0.0/23">10.10.0.0/23</a></p><p> rightsubnet=<a href="http://0.0.0.0/0">0.0.0.0/0</a></p><p> auto=add</p><p><br></p><p>After establishing the IPSec connection, the gateway can access to the internet through the tunnel, but at the same time the all hosts behind the gateway will lose connectivity to the gateway. </p><p>That makes sense, because the config rule 'rightsubnet=<a href="http://0.0.0.0/0">0.0.0.0/0</a>' tells IPSec to forward all traffic into tunnel, including the traffic to LAN. I added a passthrough policy like this:</p><p>conn bypasslan</p><p><span class="" style="white-space:pre"> </span>leftsubnet=<a href="http://10.10.0.0/23">10.10.0.0/23</a></p><p> rightsubnet=<a href="http://10.10.0.0/23">10.10.0.0/23</a></p><p> type=passthrough<br></p><p><span class="" style="white-space:pre"> </span>auto=route</p><p>But this policy does not work. Hosts in lan still cannot ping gateway.</p><p>I decided to use traceroute to see what is going on. The result shows that the traffic to LAN goes to the WAN interface without IPSec protection. I checked the route table and every thing looks normal. I tried adding a route rule 'ip route add <a href="http://10.10.0.0/16">10.10.0.0/16</a> dev lan' but this didn't work.</p><p>I stop the IPSec tunnel, the connection between LAN hosts with the gateway comes back.</p><p>I will be very appreciate it if you can help me solve this problem.</p><p><br></p><p>Thanks & Regards,</p><p>Rayson</p>
</div>