[strongSwan] Add routes? (Was: Anyone got strongSwan working with Aruba Networks (as a Aruba VIA client)?)

Noel Kuntze noel at familie-kuntze.de
Mon Apr 28 15:07:33 CEST 2014


Hello Jerry,

I use a command like this in my updown script to achieve exactly that.

iptables -I POSTROUTING 1 -t nat -s 192.168.178.0/24 -d 141.79.0.0/16 -j SNAT --to-source $PLUTO_MY_SOURCEIP -m policy --dir out --pol none

I think that should work quite well.

Regards,

Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 28.04.2014 15:03, Jerry Lundström wrote:
> On Mon, 2014-04-28 at 13:20 +0200, Martin Willi wrote:
>>> So how can I manually add routes for subnets to the tunnel?
>>
>> You can't. The negotiated policy does not allow such traffic, hence your
>> peer won't accept non-matching traffic from the tunnel.
>>
>> Of course you can do some NAT to map traffic to addresses that are part
>> of the negotiated tunnel. See [1] for an example how this can be done
>> with virtual IPs.
> 
> Could you give me some command line examples? I have been trying now and
> I do not seem to be able to get the traffic into the tunnel.
> 
> Local IP: 192.168.1.67
> Virtual IP: 169.254.254.18
> Remote IP: 1.2.3.4
> Other subnet I want to access: 4.3.2.0/24
> 
> I get a CHILD_SA conn established ... 169.254.254.19/32 === 1.2.3.4/32
> 
> I can see the policy and state and table 220 stuff, all looks good. If I
> do ip xfrm monitor and ping the remote IP I can see that it goes via the
> tunnel.
> 
> At this point I've tried SNAT'ing any traffic to 4.3.2.0/24 to
> 169.254.254.19, adding routes both in table 220 and outside. No success.
> 
> Thanks for the help so far!
> 
> 
> 
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
> 
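As an added example (not code from the post, and not the strongSwan project's own _updown script), here is a hypothetical updown script built around the SNAT rule Noel posted. It installs the rule when the CHILD_SA comes up and removes the identical rule when it goes down, does nothing when no virtual IP was assigned, and calls the stock updown script first so routes and leftfirewall handling are not lost. Everything beyond the iptables rule itself is an assumption: the script path, the STOCK_UPDOWN location (which differs between distributions), the DRY_RUN switch (only there so the rule text can be inspected without root), and the virtual IP 169.254.254.19 used when trying it, which is taken from Jerry's numbers.

```shell
#!/bin/sh
# Hypothetical strongSwan updown script (added example, not from the post or
# from strongSwan). strongSwan runs the script named by leftupdown= with
# PLUTO_VERB (up-host/up-client/down-host/down-client, ...) in the environment
# and, when a virtual IP was assigned, PLUTO_MY_SOURCEIP set to that address.
#
# Subnets are the ones from Noel's rule; both can be overridden. REMOTE_NET
# must lie inside the negotiated remote traffic selector, otherwise the peer
# still rejects the traffic no matter what the source is rewritten to.
LOCAL_NET="${LOCAL_NET:-192.168.178.0/24}"
REMOTE_NET="${REMOTE_NET:-141.79.0.0/16}"
IPTABLES="${IPTABLES:-iptables}"
# Assumed location of strongSwan's stock script; adjust for your distribution.
STOCK_UPDOWN="${STOCK_UPDOWN:-/usr/lib/ipsec/_updown}"

# Print the iptables arguments for the SNAT rule. $1: "add" or "del", $2: virtual IP.
# "add" inserts at position 1 so the rule wins over a later MASQUERADE rule;
# "del" uses exactly the same match so the rule is found again on down.
snat_rule() {
    case "$1" in
        add) chain="-I POSTROUTING 1" ;;
        del) chain="-D POSTROUTING" ;;
        *)   return 1 ;;
    esac
    # --pol none (as in the post): match the packet while it is not yet bound to
    # an IPsec policy; with its source rewritten to the VIP it then fits the
    # negotiated vip/32 === remote selector and is encapsulated.
    printf '%s\n' "-t nat $chain -s $LOCAL_NET -d $REMOTE_NET -m policy --dir out --pol none -j SNAT --to-source $2"
}

# Run iptables, or only print the command when DRY_RUN is set (assumed knob, for inspection).
run_iptables() {
    if [ -n "$DRY_RUN" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Dispatch on the verb. $1: PLUTO_VERB, $2: PLUTO_MY_SOURCEIP (empty when no VIP).
# Without a virtual IP there is nothing to translate to, so do nothing.
# Both host and client verbs are handled: a vip/32 === peer/32 CHILD_SA may
# be reported as up-host rather than up-client.
handle_verb() {
    [ -n "$2" ] || return 0
    case "$1" in
        up-host|up-client)     run_iptables $(snat_rule add "$2") ;;
        down-host|down-client) run_iptables $(snat_rule del "$2") ;;
        *) : ;;
    esac
}

# Keep the stock script's behaviour (table 220 routes, leftfirewall rules) by running it first.
[ -x "$STOCK_UPDOWN" ] && [ -n "$PLUTO_VERB" ] && "$STOCK_UPDOWN"
handle_verb "${PLUTO_VERB:-}" "${PLUTO_MY_SOURCEIP:-}"
```

Point leftupdown= in ipsec.conf at the script and restart the connection; `iptables -t nat -L POSTROUTING -n -v` should then show the rule with the virtual IP filled in, and `ip xfrm monitor` should show the SNATed packets leaving through the SA. Keep in mind the limit Martin states above: NAT can only fix the source side of the mismatch, so the destination subnet still has to be covered by the remote traffic selector the peer agreed to.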

