[strongSwan] Routing Polices with IPTABLES not working

Andreas Steffen andreas.steffen at strongswan.org
Fri Dec 7 10:14:53 CET 2012

Hi Adrian,

have you enabled IP forwarding on your VPN gateway?

  echo 1 > /proc/sys/net/ipv4/ip_forward

If yes, do you NAT packets from the private network behind the
gateway going towards the Internet?

If yes then you must exempt packets from the private network that
are intended to go through the IPsec tunnel from NAT with the
following iptables rule:

  iptables -t nat -I POSTROUTING 1 -s <private network> -o eth0 \
           -m policy --dir out --pol ipsec --proto esp -j ACCEPT



On 06.12.2012 19:37, Adrian Milanoski wrote:
> HI All,
> I have a strongSwan 5.0 setup and configure using IKEv2 PSK in config
> mode with the GW providing a pool of addresses. However after the
> strongSwan client connects I can only ping the Private interface of the
> I was wondering if anyone can assist me with what maybe going on and why
> packets are not routing out the private interface to the private
> networks default GW.
> Why is it so difficult to get these packets flowing from the tunnel to
> the private network? I thought the certain commands were to add rules in
> to the IPtables and remove them when the tunnel is torn down.
> Any help would be much appreciated.
> *Regards,***
> */ /*
> */Adrian Milanoski/*
> BBOS Lab Administrator
> VPN / WLAN IOT / Pre-Cert
> Research In Motion Limited
> 4715 Tahoe Blvd, Mississauga,
> ON, Canada, L4W 0B5
> Tel.(289) 261-5801|Fax (905) 629-7836
> Email amilanoski at rim.com <mailto:amilanoski at rim.com>**
> Description: www.rim.com <http://www.rim.com/>Description:
> cid:image001.png at 01CB37B8.EC492D80
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4468 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20121207/44dd9b57/attachment.bin>

More information about the Users mailing list