[strongSwan] Add routes? (Was: Anyone got strongSwan working with Aruba Networks (as a Aruba VIA client)?)

Jerry Lundström jerry.lundstrom at iis.se
Mon Apr 28 15:03:33 CEST 2014


On mån, 2014-04-28 at 13:20 +0200, Martin Willi wrote:
> > So how can I manually add routes for subnets to the tunnel?
> 
> You can't. The negotiated policy does not allow such traffic, hence your
> peer won't accept non-matching traffic from the tunnel.
> 
> Of course you can do some NAT to map traffic to addresses that are part
> of the negotiated tunnel. See [1] for an example how this can be done
> with virtual IPs.

Could you give me some command line examples? I have been trying now and
I do not seem to be able to get the traffic into the tunnel.

Local IP: 192.168.1.67
Virtual IP: 169.254.254.18
Remote IP: 1.2.3.4
Other subnet I want to access: 4.3.2.0/24

I get a CHILD_SA conn established ... 169.254.254.19/32 === 1.2.3.4/32

I can see the policy and state and table 220 stuff, all looks good. If I
do ip xfrm monitor and ping the remote IP I can see that it goes via the
tunnel.

At this point I've tried SNAT'ing any traffic to 4.3.2.0/24 to
169.254.254.19, adding routes both in table 220 and outside. No success.

Thanks for the help so far!

-- 
Jerry Lundström - Software Engineer
.SE - The Internet Infrastructure Foundation
http://www.iis.se/
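
Added example, not part of the original message and not strongSwan code: a small Python check of which flows the outbound IPsec policy from the quoted reply would cover. The `ip xfrm policy` text is constructed to match the CHILD_SA in the post (priority and reqid values are made up), and `parse_policies`, `tunnel_accepts` and the host 4.3.2.10 are hypothetical names and values chosen for illustration.

```python
import ipaddress
import re

# Constructed sample of `ip xfrm policy` output for the CHILD_SA in the post
# (169.254.254.19/32 === 1.2.3.4/32); priority and reqid values are made up.
SAMPLE_XFRM_POLICY = (
    "src 169.254.254.19/32 dst 1.2.3.4/32\n"
    "\tdir out priority 2819\n"
    "\ttmpl src 192.168.1.67 dst 1.2.3.4\n"
    "\t\tproto esp reqid 1 mode tunnel\n"
    "src 1.2.3.4/32 dst 169.254.254.19/32\n"
    "\tdir in priority 2819\n"
    "\ttmpl src 1.2.3.4 dst 192.168.1.67\n"
    "\t\tproto esp reqid 1 mode tunnel\n"
)

SELECTOR = re.compile(r"^src (\S+) dst (\S+)")   # unindented selector line
DIRECTION = re.compile(r"^\s+dir (\w+)")         # indented "dir in|out|fwd" line


def parse_policies(text):
    """Return a list of (direction, src_net, dst_net) from `ip xfrm policy` text."""
    policies, pending = [], None
    for line in text.splitlines():
        sel = SELECTOR.match(line)
        if sel:
            pending = tuple(ipaddress.ip_network(n) for n in sel.groups())
            continue
        direction = DIRECTION.match(line)
        if direction and pending:
            policies.append((direction.group(1), *pending))
            pending = None
    return policies


def tunnel_accepts(policies, src, dst):
    """True if an outbound policy's selectors cover both src and dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(d == "out" and src in s and dst in t for d, s, t in policies)


if __name__ == "__main__":
    pols = parse_policies(SAMPLE_XFRM_POLICY)
    for src, dst in [("169.254.254.19", "1.2.3.4"),    # ping to the remote IP
                     ("192.168.1.67", "4.3.2.10"),     # other subnet, no NAT
                     ("169.254.254.19", "4.3.2.10")]:  # other subnet after SNAT
        print(f"{src} -> {dst}: {tunnel_accepts(pols, src, dst)}")
```

Only the first flow matches: rewriting the source address does not change the destination, which is still outside the negotiated 1.2.3.4/32 selector.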
