[strongSwan] Please help: Cannot route (statically) through the Strongswan tunnel

Martin Willi martin at strongswan.org
Fri Oct 4 12:04:46 CEST 2013


>          leftsubnet=82.73.43.12,192.168.1.0/24
>          rightsubnet=140.5.12.76,10.1.1.0/24

These subnets include the directly attached subnets, but not the other
ones (I assume you do no NAT on your internal routers?).

If you want to tunnel all the subnets, use something like:

   leftsubnet=192.168.1.0/24,10.2.1.0/24,10.3.1.0/24
   rightsubnet=10.1.0.0/24,192.168.23.0/24,192.168.24.0/24

This is IPsec, you can (and have to) explicitly control what goes in and
out of a tunnel.

Also, what's the reason to include the gateway's external address in the
IPsec policy? This is usually not needed, unless the clients/gateways
use IPsec secured services reachable on the external gateway interface.

Regards
Martin
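Added example, not from the thread or from strongSwan itself: a small policy check using Python's stdlib `ipaddress` module. It compares a connection's `leftsubnet`/`rightsubnet` traffic selectors with the subnets actually sitting behind each gateway (the sample subnets and addresses are the ones from this thread, constructed into a test case here) and reports which subnets no selector covers, plus any selector that is only a gateway's own external address.

```python
import ipaddress

def parse_selectors(value):
    """Parse a strongSwan leftsubnet/rightsubnet value (comma-separated
    CIDR prefixes or bare hosts). A bare host becomes a /32 network."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in value.split(",") if s.strip()]

def uncovered_subnets(selectors, site_subnets):
    """Site subnets that no traffic selector fully covers. Traffic from or
    to these never matches the IPsec policy, so it is not tunneled."""
    nets = [ipaddress.ip_network(s) for s in site_subnets]
    return [str(n) for n in nets
            if not any(n.version == sel.version and n.subnet_of(sel)
                       for sel in selectors)]

def gateway_selectors(selectors, gateway_addrs):
    """Host selectors that are just a gateway's own external address;
    usually unnecessary unless IPsec-protected services run on that interface."""
    gws = {ipaddress.ip_address(a) for a in gateway_addrs}
    return [str(sel) for sel in selectors
            if sel.prefixlen == sel.max_prefixlen and sel.network_address in gws]

def check_policy(leftsubnet, rightsubnet, left_sites, right_sites, gateways):
    """Report coverage gaps for both sides of a connection. Note that a packet
    is only tunneled when BOTH its source and destination match a selector pair."""
    left = parse_selectors(leftsubnet)
    right = parse_selectors(rightsubnet)
    return {
        "left_uncovered": uncovered_subnets(left, left_sites),
        "right_uncovered": uncovered_subnets(right, right_sites),
        "gateway_in_selectors": gateway_selectors(left + right, gateways),
    }

# Constructed sample from the thread: subnets behind each gateway and the
# gateways' external addresses.
LEFT_SITES = ["192.168.1.0/24", "10.2.1.0/24", "10.3.1.0/24"]
RIGHT_SITES = ["10.1.0.0/24", "192.168.23.0/24", "192.168.24.0/24"]
GATEWAYS = ["82.73.43.12", "140.5.12.76"]

if __name__ == "__main__":
    # Original posted selectors: several subnets fall outside the policy.
    print(check_policy("82.73.43.12,192.168.1.0/24", "140.5.12.76,10.1.1.0/24",
                       LEFT_SITES, RIGHT_SITES, GATEWAYS))
    # Suggested selectors: every site subnet is covered, no gateway hosts.
    print(check_policy("192.168.1.0/24,10.2.1.0/24,10.3.1.0/24",
                       "10.1.0.0/24,192.168.23.0/24,192.168.24.0/24",
                       LEFT_SITES, RIGHT_SITES, GATEWAYS))
```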
