[strongSwan] Routing Polices with IPTABLES not working

Martin Willi martin at strongswan.org
Fri Dec 7 10:07:04 CET 2012

Hi Adrian,

> Why is it so difficult to get these packets flowing from the tunnel to
> the private network? I thought the certain commands were to add rules
> in to the IPtables and remove them when the tunnel is torn down.

Unless you have a firewall with default DROP policies, you don't need
any iptables entries. If you have a restrictive firewall, I'd recommend
to open it for testing, and once it works, have a look at the
leftfirewall ipsec.conf option.

      * Do you have IP forwarding enabled on the VPN gateway?
      * Do you have a proper route on the gateway for the private
      * Do the hosts on the network have a proper route over the gateway
        to the virtual IPs you assign?

If this all looks OK, I'd try to analyze which packets get dropped (from
VPN clients to your private network, or from your private network to the
VPN clients?).


More information about the Users mailing list