[strongSwan] Routing problems with IPsec but not L2TP/IPsec

Patrick Shyvers pshyvers at amitto.com
Thu Apr 17 07:20:44 CEST 2014

I'm trying to migrate from L2TP/IPsec to IPsec & IKE. L2TP/IPsec is working
with strongswan, and I can access both my private subnet & the public
internet through the VPN server. However, with IPsec & IKE I can only access
my private subnet. My client is usually behind NAT, but from the strongswan
documentation that should not be an issue.


When testing IPsec, I flush my firewall and set everything to ACCEPT. Then I
add the necessary POSTROUTING SNAT rule, which works fine with L2TP/IPsec.
So I am fairly confident it is not an iptables problem.


Establishing VPN connection is also not a problem, that goes over without a
hitch. So I am suspecting there is a routing problem, but the routing tables
are my biggest weakness on Linux, so I'm hoping I could get some thoughts
from the strongswan community. It might also have to do with routing that
happens inside strongswan- I'm still fuzzy on how much packet handling
strongswan does.


My interfaces are perhaps laid out unusually?


venet0 -

venet0:0 - <PUBLIC SERVER IP>

venet0:1 - <PRIVATE VLAN>



conn IKEv1-PSK-NAT


        left=<PUBLIC SERVER IP>










-A POSTROUTING -s -o venet0 -m policy --dir out --pol ipsec -j

-A POSTROUTING -s -o venet0 -j SNAT --to-source <PUBLIC SERVER


# ip route list

<VLAN SUBNET> dev venet0  proto kernel  scope link  src <VLAN IP>

<ANOTHER VLAN> dev venet0  scope link  metric 1002

default dev venet0  scope link

# ip route list table 220 via <CLIENT IP> dev venet0  proto static



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140416/fa6da75e/attachment.html>

More information about the Users mailing list