<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="white-space:pre-wrap;line-height:1.75;font-size:14px">I have a strongSwan server which has a public IP address and is also connected to the intranet via Wi-Fi.</div>
<div style="white-space:pre-wrap;line-height:1.75;font-size:14px"><br>
</div>
<div style="white-space:pre-wrap;line-height:1.75;font-size:14px"> roadwarrior ---internet--- A: eth0:101.231.59.88;wlo1: 192.168.1.1 ------wifi router---- B: 10.10.8.229 </div>
<div style="white-space:pre-wrap;line-height:1.75;font-size:14px"><br>
</div>
<div style="white-space:pre-wrap;line-height:1.75;font-size:14px"><br>
</div>
<div style="white-space:pre-wrap;line-height:1.75;font-size:14px">A has a public IP on eth0, so the roadwarrior can set up a tunnel to it. I call this tunnel bridge-vpn.</div>
<div style="white-space:pre-wrap;line-height:1.75;font-size:14px">A can also set up a tunnel to B; I name it pvpn.
</div>
<div style="white-space:pre-wrap;line-height:1.75;font-size:14px">My goal is to let the roadwarrior ping B via these two tunnels. Although each IPsec tunnel can be set up on its own, I couldn't make them work together: once the A-to-B tunnel is up, the roadwarrior-to-A tunnel seems not to work anymore. Am I missing anything?</div>
<div style="white-space:pre-wrap;line-height:1.75;font-size:14px"><br>
</div>
<div style="white-space:pre-wrap;line-height:1.75;font-size:14px"><br>
</div>
<div style="white-space:pre-wrap;line-height:1.75;font-size:14px">A's ipsec.conf:</div>
<div style="white-space:pre-wrap;line-height:1.75;font-size:14px"><br>
</div>
<div style="white-space:pre-wrap;text-align:left;line-height:1.75;font-size:14px">
config setup
        # strictcrlpolicy=yes
        # uniqueids=no

conn %default
        keyexchange=ikev2

conn pvpn
        left=%defaultroute
        leftid=@ip88
        leftcert=ip88cert.pem
        leftsourceip=%config
        leftfirewall=yes
        right=10.10.8.229
        rightid=@server
        rightsubnet=0.0.0.0/0
        auto=add

conn bridge-vpn
        leftsubnet=0.0.0.0/0
        keyexchange=ikev2
        ike=aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024
        esp=aes256-sha256,3des-sha1,aes256-sha1
        rekey=no
        leftauth=pubkey
        leftcert=ip70cert.pem
        leftsendcert=always
        rightauth=eap-mschapv2
        rightsendcert=never
        rightsourceip=10.100.102.0/24
        rightsubnet=10.100.102.0/24
        eap_identity=%any
        fragmentation=yes
        rightdns=1.1.1.1
        auto=route

conn local-net
        leftsubnet=101.231.59.88/28,192.168.1.1/24
        rightsubnet=101.231.59.88/28,192.168.1.1/24
        authby=never
        type=pass
        auto=route
</div>
<div style="white-space:pre-wrap;text-align:left;line-height:1.75;font-size:14px">
<br>
</div>
<div style="white-space:pre-wrap;text-align:left;line-height:1.75;font-size:14px">
I also enabled NAT on A to forward roadwarrior traffic to the Wi-Fi interface:</div>
<div style="white-space:pre-wrap;text-align:left;line-height:1.75;font-size:14px">
sudo iptables -t nat -A POSTROUTING -o wlo1 -s 10.100.102.0/24 -j MASQUERADE</div>
<div style="white-space:pre-wrap;text-align:left;line-height:1.75;font-size:14px">
<br>
</div>
<div style="white-space:pre-wrap;text-align:left;line-height:1.75;font-size:14px">
Am I missing anything, or are there other tricks I need to do?</div>
<div style="white-space:pre-wrap;text-align:left;line-height:1.75;font-size:14px">
My guess is that roadwarrior traffic will go into the pvpn tunnel because of pvpn's rightsubnet=0.0.0.0/0, but the packets can't get back to bridge-vpn; I don't know how to fix it.</div>
<div>
<div id="Signature">
<div></div>
</div>
</div>
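<div style="white-space:pre-wrap;line-height:1.75;font-size:14px">
The question above turns on whether two conns on the same gateway claim the same address space in their traffic selectors. The script below is an added example, not code from the post or from strongSwan: it parses an ipsec.conf in the subset of syntax the post uses (column-0 section headers, indented parameters, # comments, conn %default inheritance) and reports every pair of conns whose leftsubnet or rightsubnet selectors overlap. The embedded configuration is transcribed from the post (parameters that carry no selector are left out). The parser compares selectors only as written; it does not model kernel policy priority, the virtual IP that leftsourceip=%config yields for pvpn's local side, or the effect of the MASQUERADE rule, so an unset subnet contributes no selector.
</div>

```python
"""Added example (not from the post, not strongSwan code): parse an ipsec.conf
and report conn sections whose leftsubnet/rightsubnet selectors overlap.
Selectors are compared as written only; kernel policy priority, virtual IPs
from leftsourceip=%config and NAT are out of scope."""
import ipaddress

# Transcribed from the ipsec.conf in the post, indented as the strongSwan
# parser requires; cipher/auth parameters that carry no selector are omitted.
IPSEC_CONF = """\
config setup
        # strictcrlpolicy=yes
        # uniqueids=no

conn %default
        keyexchange=ikev2

conn pvpn
        left=%defaultroute
        leftid=@ip88
        leftsourceip=%config
        right=10.10.8.229
        rightid=@server
        rightsubnet=0.0.0.0/0
        auto=add

conn bridge-vpn
        leftsubnet=0.0.0.0/0
        rightsourceip=10.100.102.0/24
        rightsubnet=10.100.102.0/24
        auto=route

conn local-net
        leftsubnet=101.231.59.88/28,192.168.1.1/24
        rightsubnet=101.231.59.88/28,192.168.1.1/24
        authby=never
        type=pass
        auto=route
"""


def parse_conns(text):
    """Return {conn name: {key: value}} with conn %default merged into each conn.

    Section headers start in column 0, parameters are indented and '#' starts
    a comment: the subset of ipsec.conf syntax the post uses.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.partition(" ")
            current = (kind, name.strip())
            sections.setdefault(current, {})
            continue
        if current is None:
            continue
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip()
    defaults = sections.get(("conn", "%default"), {})
    conns = {}
    for (kind, name), params in sections.items():
        if kind == "conn" and name != "%default":
            conns[name] = {**defaults, **params}
    return conns


def selectors(value):
    """Split 'a/b,c/d' into networks, skipping %-tokens such as %config or %any.
    strict=False accepts host-bit forms like 192.168.1.1/24 as the post writes them."""
    nets = []
    for token in value.split(","):
        token = token.strip()
        if token and not token.startswith("%"):
            nets.append(ipaddress.ip_network(token, strict=False))
    return nets


def find_overlaps(conns):
    """Pairs of conns whose selectors on the same side overlap.

    Returns tuples (conn_a, conn_b, side, net_a, net_b) in sorted conn order.
    An unset subnet means the peer's own address, which cannot be resolved for
    %defaultroute or a virtual IP, so it yields no selector here.
    """
    names = sorted(conns)
    found = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for side in ("left", "right"):
                for na in selectors(conns[a].get(side + "subnet", "")):
                    for nb in selectors(conns[b].get(side + "subnet", "")):
                        if na.overlaps(nb):
                            found.append((a, b, side, str(na), str(nb)))
    return found


def report(conns):
    """Human-readable lines; 'right' overlaps mean two tunnels on this gateway
    claim the same remote destinations, the case to look at first."""
    return [f"{side}subnet of {a} ({na}) overlaps {b} ({nb})"
            for a, b, side, na, nb in find_overlaps(conns)]


if __name__ == "__main__":
    for line in report(parse_conns(IPSEC_CONF)):
        print(line)
```

Run against the transcribed configuration it reports, among others, that pvpn's rightsubnet 0.0.0.0/0 overlaps bridge-vpn's rightsubnet 10.100.102.0/24, which is the overlap the guess in the post points at; overlaps on the left side between bridge-vpn's 0.0.0.0/0 and local-net's pass selectors are normal for a gateway and are listed only for completeness.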
</body>
</html>