[strongSwan] site 2 site does not work ...
andreas.steffen at strongswan.org
Wed Jun 6 17:37:06 CEST 2012
a normal net2net connection should do the trick:
Just make sure that in the 10.0.1.0/24 network there is
a route to the 184.108.40.206/22 net via the [default] gateway
10.0.1.1 and in the 220.127.116.11/22 network a route exists
which directs traffic for the 10.0.1.0/24 network to
If gateway 18.104.22.168 is NAT-ing traffic from the 10.10.1.0/24
network towards the Internet then you must exempt the traffic
to be tunneled from the NAT rule by inserting an IPsec
policy rule into your firewall:
# POSTROUTING lives in the nat table (-t nat); the policy-match exemption
# must be inserted ahead of the MASQUERADE rule, and the source network is
# the 10.0.1.0/24 site subnet
iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -o eth0 -m policy \
--dir out --pol ipsec --proto esp -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -o eth0 -j MASQUERADE
assuming that the interface with address 22.214.171.124 is eth0.
On 06/06/2012 02:41 PM, Dr.Peer-Joachim Koch wrote:
> I'm trying to find out how to build something like a
> side2side connection using strongswan.
> We have an external host with a private subnet (10.0.1.0/24).
> This subnet should be visible from the gw host and all
> hosts within the subnet of gw host.
> Here is an overview
> external host
> 10.0.1.0/24 - 10.01.1 126.96.36.199
> gw host
> 188.8.131.52/22 - 184.108.40.206
> So how can I make the external network accessible
> from our network?
> I did not find any example (or did not look at the right place ..).
> The host-host connection is working fine, but a ping into the external
> network does not reach the destination, but can be seen in the log of
> the external host. Therefore the routing (in both directions) seems to
> be the problem.
> Any help would be welcome!
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
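As an added example (not from Andreas's mail or from strongSwan itself), a small POSIX shell script that installs the two nat-table rules in the required order and checks a POSTROUTING listing for the misordering that would send tunnel traffic out masqueraded; eth0 as the public interface and the dry-run default are assumptions:

```sh
#!/bin/sh
# Added example, not part of the thread or of strongSwan itself.
# Installs the IPsec NAT exemption ahead of MASQUERADE and checks a
# POSTROUTING listing for the wrong order. Assumptions: eth0 is the
# Internet-facing interface; DRY_RUN=1 (default) only prints commands.
LOCAL_NET="10.0.1.0/24"       # network behind this gateway (from the thread)
WAN_IF="${WAN_IF:-eth0}"      # assumption: public interface
DRY_RUN="${DRY_RUN:-1}"

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# POSTROUTING lives in the nat table, hence -t nat. Order matters: if
# MASQUERADE matched first, the source address would be rewritten to the
# public IP before the kernel's IPsec policy lookup, the packet would no
# longer match the net2net policy for LOCAL_NET, and it would leave the
# gateway unencrypted.
install_nat_rules() {
    run iptables -t nat -A POSTROUTING -s "$LOCAL_NET" -o "$WAN_IF" \
        -m policy --dir out --pol ipsec --proto esp -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$LOCAL_NET" -o "$WAN_IF" -j MASQUERADE
}

# nat_order_ok LISTING: LISTING is the output of
# "iptables -t nat -S POSTROUTING". Prints "ok" when the policy-match
# ACCEPT precedes MASQUERADE, "misordered" when it follows it, and
# "missing" when either rule is absent.
nat_order_ok() {
    exempt=$(printf '%s\n' "$1" | grep -n -- '--pol ipsec' | grep -- '-j ACCEPT' \
        | head -n 1 | cut -d: -f1)
    masq=$(printf '%s\n' "$1" | grep -n -- '-j MASQUERADE' | head -n 1 | cut -d: -f1)
    if [ -z "$exempt" ] || [ -z "$masq" ]; then
        echo "missing"; return 1
    elif [ "$exempt" -lt "$masq" ]; then
        echo "ok"; return 0
    fi
    echo "misordered"; return 1
}

# Dry run by default; on the gateway run with DRY_RUN=0 as root.
install_nat_rules
if [ "$DRY_RUN" != "1" ]; then
    nat_order_ok "$(iptables -t nat -S POSTROUTING)"
fi
```

Running the check after a reboot or a firewall reload is a cheap way to catch a distribution's own MASQUERADE rule having been appended ahead of the exemption.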