[strongSwan] Add routes? (Was: Anyone got strongSwan working with Aruba Networks (as an Aruba VIA client)?)

Jerry Lundström jerry.lundstrom at iis.se
Mon Apr 28 15:03:33 CEST 2014

On Mon, 2014-04-28 at 13:20 +0200, Martin Willi wrote:
> > So how can I manually add routes for subnets to the tunnel?
> You can't. The negotiated policy does not allow such traffic, hence your
> peer won't accept non-matching traffic from the tunnel.
> Of course you can do some NAT to map traffic to addresses that are part
> of the negotiated tunnel. See [1] for an example how this can be done
> with virtual IPs.

Could you give me some command line examples? I have been trying now and
I do not seem to be able to get the traffic into the tunnel.

Local IP:
Virtual IP:
Remote IP:
Other subnet I want to access:

I get a CHILD_SA conn established ... ===

I can see the policy and state and table 220 stuff, all looks good. If I
do ip xfrm monitor and ping the remote IP I can see that it goes via the

At this point I've tried SNAT'ing any traffic to to, adding routes both in table 220 and outside. No success.

Thanks for the help so far!

Jerry Lundström - Software Engineer
.SE - The Internet Infrastructure Foundation
