[strongSwan] routing traffic to site to site ipsec tunnel

Eric Zhang debiansid at gmail.com
Thu Dec 18 04:44:24 CET 2014


Hi Noel
I just added
iptables -t nat -I POSTROUTING -s 192.168.89.0/24 -d 192.168.87.0/24 -j ACCEPT
Then I can ping 192.168.87.1 from openwrt.
After I changed rightsubnet=0.0.0.0 in both sides' IPSec.conf, I cannot ping 87.1 from openwrt.

So how can I allow all traffic to foreign IP ranges into the IPsec tunnel?

Sent from Mobile


> On Dec 18, 2014, at 03:31, Noel Kuntze <noel at familie-kuntze.de> wrote:
> 
> Hello Eric,
> 
> You can use passthrough policies for your local networks and a ts of localnet == 0.0.0.0/0 for that.
> You will need to use some custom firewall rule to except IPsec traffic from NAT. Look through the list archive
> for some emails from me about that topic.
> 
> Regards,
> Noel Kuntze
> 
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> 
>> On 17.12.2014 at 13:21, Eric Y. Zhang wrote:
>> Hi all
>> here is my setup
>> 
>> strongswan(openwrt)<----->strongswan(linux VPS), the ipsec tunnel is up between those 2.
>> 
>> Now I want to route all traffic except domestic to that tunnel. How can I make that work?
>> --
>> Life is harsh
>> 
>> 
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
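The approach described in the quoted reply (passthrough policies for local networks, a 0.0.0.0/0 traffic selector, and a firewall rule that exempts IPsec traffic from NAT), written out as an added example that is not part of the original thread. It assumes 192.168.89.0/24 is the LAN behind the OpenWrt gateway; the conn names, the peer name vps.example.net and the "domestic" prefix 203.0.113.0/24 are constructed placeholders.

```conf
# /etc/ipsec.conf on the OpenWrt gateway (added example, not from the thread).
# Authentication and proposal settings are left out on purpose: keep the ones
# from the tunnel that is already up.

conn to-vps
    left=%defaultroute
    leftsubnet=192.168.89.0/24     # assumed: LAN behind OpenWrt
    right=vps.example.net          # placeholder for the VPS address
    rightsubnet=0.0.0.0/0          # remote traffic selector: everything
    auto=start

# Passthrough (bypass) policy for the local network. Its selectors are
# narrower than 0.0.0.0/0, so LAN-to-LAN traffic is not pulled into the tunnel.
conn pass-lan
    leftsubnet=192.168.89.0/24
    rightsubnet=192.168.89.0/24
    type=passthrough
    authby=never
    auto=route

# One passthrough conn per destination prefix that must stay outside the
# tunnel ("domestic" traffic). 203.0.113.0/24 is a constructed stand-in.
conn pass-domestic-1
    leftsubnet=192.168.89.0/24
    rightsubnet=203.0.113.0/24
    type=passthrough
    authby=never
    auto=route

# On the VPS the tunnel selectors are mirrored:
#     leftsubnet=0.0.0.0/0
#     rightsubnet=192.168.89.0/24
#
# NAT exemption on a gateway that also masquerades: accept packets that match
# an outbound IPsec policy before any MASQUERADE/SNAT rule rewrites their
# source address (a rewritten source no longer matches the traffic selector).
#     iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
```

After reloading, `ipsec statusall` on each side shows the negotiated traffic selectors and the installed passthrough policies, and `ip xfrm policy` shows what the kernel will actually match.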