[strongSwan] Send all traffic over site-to-site tunnel?

Mark M mark076h at yahoo.com
Wed Sep 5 05:29:17 CEST 2012


Hi Martin,

I finally got it working. I had to set the rightsubnet=0.0.0.0/0 on my client and the leftsubnet=0.0.0.0/0 on my remote server. Now something strange is going on. The clients on the LAN can only send traffic across the tunnel and have it routed back if I add the LAN subnet route to the table 220 routing table. So if my LAN subnet is 192.168.56.0/24 I have to do a "ip route add 192.168.56.0/24 via 192.168.56.1 dev eth0 proto static src 192.168.56.1 table 220"

Is that normal behavior or a bug? Also how could I add this route automatically when I bring up the connection?

Thanks for the help.

Mark-



________________________________
 From: Martin Willi <martin at strongswan.org>
To: Mark M <mark076h at yahoo.com> 
Cc: "users at lists.strongswan.org" <users at lists.strongswan.org> 
Sent: Monday, September 3, 2012 3:17 AM
Subject: Re: [strongSwan] Send all traffic over site-to-site tunnel?
 
Hi Mark,

> I would like all traffic to be routed over the remote subnet from one
> side of the VPN tunnel, more like a remote access client on one side.

To send traffic to all destinations through the tunnel, configure
left/rightsubnet options accordingly. A 0.0.0.0/0 subnet will cover all
destinations.

> Is there a parameter to put in the configuration that will do this or
> a way to add the route into the routing table?

Extending the route is not sufficient. This is IPsec, negotiated
policies are strictly enforced. Use left/rightsubnet to configure what
to tunnel.

Regards
Martin
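Mark's follow-up question (how to add the table 220 route automatically when the connection comes up) is not answered in the thread, so the script below is an added example; it is not code from the thread or from the strongSwan project. Background that explains the symptom: strongSwan's kernel-netlink plugin installs the route for the negotiated remote subnet (here 0.0.0.0/0) in routing table 220 together with an ip rule that consults table 220 before the main table, so on the gateway even LAN-bound packets match that catch-all route until a more specific LAN route exists in table 220, which is exactly what Mark's manual `ip route add ... table 220` supplies. The conventional hook for automating this is a custom updown script referenced with `leftupdown=` in ipsec.conf; charon exports `PLUTO_VERB` (`up-client`, `down-client`, and the `-host` variants) to that script. The LAN subnet, gateway and interface, the `DRY_RUN` switch, and the `/usr/lib/ipsec/_updown` path are assumptions for this example and must be adjusted to the site.

```shell
#!/bin/sh
# Hypothetical strongSwan updown hook (added example, not from the thread).
# Wire it in with:  leftupdown=/usr/local/libexec/lan-route-updown  in ipsec.conf.
# charon exports PLUTO_VERB (up-client, down-client, up-host, down-host, ...).

# Site-specific values: assumed for this example, taken from Mark's LAN.
LAN_SUBNET="${LAN_SUBNET:-192.168.56.0/24}"
LAN_GATEWAY="${LAN_GATEWAY:-192.168.56.1}"
LAN_IFACE="${LAN_IFACE:-eth0}"
IPSEC_TABLE=220                               # table strongSwan installs its routes into
DEFAULT_UPDOWN="${DEFAULT_UPDOWN:-/usr/lib/ipsec/_updown}"   # assumed distro path

# Map the strongSwan verb to the ip-route action we need.
# Prints nothing for verbs we ignore (prepare-*, route-*, unroute-*, ...).
route_action_for_verb() {
  case "$1" in
    up-client|up-host)     echo add ;;
    down-client|down-host) echo del ;;
    *)                     ;;
  esac
}

# Build the exact command from the thread, parameterised on add/del.
build_route_cmd() {
  echo "ip route $1 $LAN_SUBNET via $LAN_GATEWAY dev $LAN_IFACE proto static src $LAN_GATEWAY table $IPSEC_TABLE"
}

# Add the LAN route when the CHILD_SA comes up, remove it when it goes down.
# With DRY_RUN set, print the command instead of executing it.
run_hook() {
  verb="$1"
  action=$(route_action_for_verb "$verb")
  [ -n "$action" ] || return 0
  cmd=$(build_route_cmd "$action")
  if [ -n "$DRY_RUN" ]; then
    echo "$cmd"
  else
    $cmd
  fi
}

# Only act when invoked by charon; keep the stock updown behaviour by chaining
# to the default script first so policies/routes strongSwan expects still exist.
if [ -n "$PLUTO_VERB" ]; then
  [ -x "$DEFAULT_UPDOWN" ] && "$DEFAULT_UPDOWN"
  run_hook "$PLUTO_VERB"
fi
```

To check what the hook would do without touching the kernel, run `DRY_RUN=1 PLUTO_VERB=up-client ./lan-route-updown` and confirm the printed command matches the one that worked by hand; the `del` on `down-client` keeps table 220 from accumulating stale LAN routes across reconnects. Because the route is tied to the CHILD_SA lifecycle rather than the boot sequence, it appears only while the 0.0.0.0/0 policy that makes it necessary is installed.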

