<div dir="ltr">Accually solved this. I am fairly certain I was unclear about one requirement I had. I wanted all of the default non local destination traffic to flow through the primary router. The main reason is the primary router has an IDS and traffic tracking. This is primarly due to business policies.<div><br></div><div>First issue was local traffic. The main problem there was the primary router needed to have a static route setup so it knows where to send the traffic for the VPN IPs.</div><div><br></div><div>Next was outbound traffic not destined for the local network. I could add the NAT rules in the firewall on the VPN server but that would route the traffic out it's external interface which is not the desired route in this case.</div><div><br></div><div>I had to add a conditional route for the VPN:</div><div>ip rule add from <a href="http://192.168.18.0/24">192.168.18.0/24</a> lookup VPN</div><div>ip route add default via 192.168.0.1 dev enp2s0 table VPN</div><div><br></div><div>This does work and gives the desired traffic routing. This is a bit more of a round about way of doing it but we have security reasons for doing so.</div><div><br></div><div>Thank you all for the responses.</div><div><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Aug 24, 2018 at 3:13 AM, Christian Salway <span dir="ltr"><<a href="mailto:christian.salway@naimuri.com" target="_blank">christian.salway@naimuri.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word;line-break:after-white-space">Robert,<div><br></div><div>Make sure you have ip_forward turned on</div><div><pre style="background-color:rgb(255,255,255);font-family:Menlo;font-size:9pt"><span style="background-color:#e7ffb3">net.ipv4.ip_forward = 1<br></span></pre><div><br></div><div>and masquarade the IP address</div></div><div><pre style="background-color:rgb(255,255,255);font-family:Menlo;font-size:9pt"><span style="background-color:#e7ffb3">/sbin/iptables -t nat -D POSTROUTING -o </span><span style="font-size:9pt">enp3s0</span><span style="background-color:rgb(231,255,179);font-size:9pt"> -j MASQUERADE</span></pre><div>then you need to make sure that anything that goes down the internal interface, comes back that way..</div></div><div><br></div><div><br></div><div>See if you can make sense of the following which is my config. eth0 is public facing, eth1 is internal facing</div><div><br></div><div><pre style="background-color:rgb(255,255,255);font-family:Menlo;font-size:9pt"><pre style="font-family:Menlo;font-size:9pt">cat <span style="color:#5a5a5a;font-style:italic"><<</span><span style="color:#000080;font-weight:bold">EOF </span><span style="color:#5a5a5a;font-style:italic">>> /etc/network/interfaces.d/50-<wbr>cloud-init.cfg<br></span><span style="background-color:#e7ffb3">auto eth0<br></span><span style="background-color:#e7ffb3">iface eth0 inet dhcp<br></span><span style="background-color:#e7ffb3"> <br></span><span style="background-color:#e7ffb3">auto eth1<br></span><span style="background-color:#e7ffb3">iface eth1 inet dhcp<br></span><span style="background-color:#e7ffb3"> metric 100<br></span><span style="color:#000080;font-weight:bold">EOF<br></span>ifup eth1</pre></pre><pre style="background-color:rgb(255,255,255);font-family:Menlo;font-size:9pt"><br>SN1=<span style="color:#008000;font-weight:bold">"$(ip r | awk '/eth1/ { print $1 }' | tail -n 1)" </span><span style="color:#808080;font-style:italic"># internal subnet<br></span>IP1=<span style="color:#008000;font-weight:bold">"$(ip r | awk '/eth1/ { print $NF }' | tail -n 1)" </span><span style="color:#808080;font-style:italic"># internal ip<br></span>GW1=<span style="color:#008000;font-weight:bold">"$(echo ${SN1} | cut -d'/' -f1 | cut -d'.' -f1-3).1" </span><span style="color:#808080;font-style:italic"># internal gateway<br></span><span style="color:#808080;font-style:italic"><br></span><span style="color:#0b0c95">echo </span><span style="color:#0000ff">200 </span>eth1 <span style="color:#5a5a5a;font-style:italic">>> /etc/iproute2/rt_tables<br></span><span style="color:#5a5a5a;font-style:italic"><br></span>cat <span style="color:#5a5a5a;font-style:italic"><<</span><span style="color:#000080;font-weight:bold">EOF </span><span style="color:#5a5a5a;font-style:italic">>> /etc/network/interfaces.d/50-<wbr>cloud-init.cfg<br></span><span style="background-color:#e7ffb3"> post-up /sbin/ip rule add from </span><span style="color:#000080;font-weight:bold">$</span>{IP1}<span style="background-color:#e7ffb3"> table eth1<br></span><span style="background-color:#e7ffb3"> pre-down /sbin/ip rule delete from </span><span style="color:#000080;font-weight:bold">$</span>{IP1}<span style="background-color:#e7ffb3"> table eth1<br></span><span style="background-color:#e7ffb3"> post-up /sbin/ip route add default via </span><span style="color:#000080;font-weight:bold">$</span>{GW1}<span style="background-color:#e7ffb3"> table eth1<br></span><span style="background-color:#e7ffb3"> pre-down /sbin/ip route delete default via </span><span style="color:#000080;font-weight:bold">$</span>{GW1}<span style="background-color:#e7ffb3"> table eth1<br></span><span style="background-color:#e7ffb3"> post-up /sbin/ip route add </span><span style="color:#000080;font-weight:bold">$</span>{REMOTECIDR}<span style="background-color:#e7ffb3"> via </span><span style="color:#000080;font-weight:bold">$</span>{GW1}<span style="background-color:#e7ffb3"><br></span><span style="background-color:#e7ffb3"> pre-down /sbin/ip route delete </span><span style="color:#000080;font-weight:bold">$</span>{REMOTECIDR}<span style="background-color:#e7ffb3"> via </span><span style="color:#000080;font-weight:bold">$</span>{GW1}<span style="background-color:#e7ffb3"><br></span><span style="background-color:#e7ffb3"> post-up /sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE<br></span><span style="background-color:#e7ffb3"> pre-down /sbin/iptables -t nat -D POSTROUTING -o eth1 -j MASQUERADE<br></span><span style="color:#000080;font-weight:bold">EOF<br></span>ifdown eth1; ifup eth1<br><br>cat <span style="color:#5a5a5a;font-style:italic"><<</span><span style="color:#000080;font-weight:bold">EOF </span><span style="color:#5a5a5a;font-style:italic">> /etc/sysctl.d/60-strongswan.<wbr>conf<br></span><span style="background-color:#e7ffb3">net.ipv4.ip_forward = 1<br></span><span style="color:#000080;font-weight:bold">EOF<br></span>sysctl -p /etc/sysctl.d/60-strongswan.<wbr>conf<br></pre><div><br></div></div><div><br></div><div><br></div><div><br></div><div><br><div>
<div dir="auto" style="color:rgb(0,0,0);letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;word-wrap:break-word;line-break:after-white-space"><div dir="auto" style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;word-wrap:break-word;line-break:after-white-space"><div dir="auto" style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;word-wrap:break-word;line-break:after-white-space"><div dir="auto" style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;word-wrap:break-word;line-break:after-white-space"><div dir="auto" style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;word-wrap:break-word;line-break:after-white-space"><div dir="auto" style="word-wrap:break-word;line-break:after-white-space"><div style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">Kind regards,<br><br><b style="color:rgb(0,0,0)">Christian Salway</b><br>IT Consultant - <b><font color="#f05a28">Naimuri</font></b><br><br><font color="#919191">T: +44 7463 331432<br>E: <a href="mailto:christian.salway@naimuri.com" target="_blank">christian.salway@naimuri.com</a><br>A: Naimuri Ltd, Chandlers Point, Manchester M50 2UW</font></div></div></div></div></div></div></div>
</div><div><div class="h5">
<div><br><blockquote type="cite"><div>On 20 Aug 2018, at 22:23, Robert Green <<a href="mailto:robert.green@wegolook.com" target="_blank">robert.green@wegolook.com</a>> wrote:</div><br class="m_-4592303919022424002Apple-interchange-newline"><div><div dir="ltr">Hello All,<div><br></div><div>I may be doing something that isn't going to work easily. I am trying to setup strongswan on a separate system than is on my firewall/router. This separate system is also directly connected to the public internet. This is to support a road warrior setup.</div><div><br></div><div>I currently have the windows 10 client connecting via certificates. However when I connect the client I can not get traffic beyond the VPN box. I can ping the internal interface but I can not ping into the network or external clients.</div><div><br></div><div>I see the routes in the table 220 but they don't look right to me. I do have the firewall rules turned on the config and those look to be populating correctly.</div><div><br></div><div>/etc/ipsec.conf</div><div> config setup<div> # strictcrlpolicy=yes</div><div> # uniqueids = no</div><div> charondebug="cfg 2, dmn 2, ike 2, net 2"</div><div><br></div><div><div>conn remote-users</div><div> fragmentation=yes</div><div> ike=aes256-sha1-modp1024,3des-<wbr>sha1-modp1024!<br></div><div> esp=aes256-sha1,3des-sha1!</div><div> left=%any</div><div> #leftsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></div><div> leftsubnet=<a href="http://192.168.0.0/16" target="_blank">192.168.0.0/16</a></div><div> leftcert=server_cert.pem</div><div> leftfirewall=yes</div><div> right=%any</div><div> rightdns=1.1.1.1, 8.8.8.8</div><div> rightsourceip=192.168.18.2-192<wbr>.168.18.254</div><div> keyexchange=ikev2</div><div> #auto=add</div><div> auto=route</div></div><div><br></div><div>ip route show table 220</div><div><br></div><div>192.168.18.2 via 12.12.12.1 dev enp0s25 proto static src 192.168.1.198<br></div><div><br></div><div>My interfaces are:</div><div>enp0s25 -> 12.12.12.1 (public interface)</div><div>enp3s0 -> 192.168.1.198 (internal interface)</div><div><br></div><div>Primary gateway 192.168.0.1 (netmask /23)</div><div><br></div><div>This all has been sanitized. I have been beating my head against the wall on this one. I know this is a routing issue but not sure how to properly fix it.</div><div><br></div><div>Thank you,</div>-- <br><div class="m_-4592303919022424002m_6660074428583724181gmail-m_3376518069608788131gmail_signature"><div dir="ltr">Robert Green<div><br></div></div></div>
</div></div>
</div></blockquote></div><br></div></div></div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Robert Green<div><br></div></div></div>
</div></div>