[strongSwan] routing traffic to site to site ipsec tunnel

Eric Y. Zhang debiansid at gmail.com
Thu Dec 18 11:24:55 CET 2014


Hi Noel

iptables -t nat -I POSTROUTING -s 192.168.89.0/24 -d 192.168.87.0/24 -j ACCEPT
ip route add 192.168.87.0/24 via 192.168.89.1

and add type=passthrough.
I can ping 192.168.87.1.
Routed Connections:
    runabove{1}:  ROUTED, TUNNEL
    runabove{1}:   192.168.89.0/24 === 0.0.0.0/0
Security Associations (1 up, 0 connecting):
    runabove[1]: ESTABLISHED 32 minutes ago, 192.168.88.101[ezhang]...serverip [eang]
    runabove{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c8508cd1_i c9042c77_o
    runabove{1}:   192.168.89.0/24 === 0.0.0.0/0

and I managed to add 8.8.8.8 into that tunnel; it works too.

Then I have another question: how to add all foreign IP blocks into that
tunnel? Like via ipset?

On Thu, Dec 18, 2014 at 11:44 AM, Eric Zhang <debiansid at gmail.com> wrote:
>
> Hi Noel
> I just added
> iptables -t nat -I POSTROUTING -s 192.168.89.0/24 -d 192.168.87.0/24 -j ACCEPT
> Then I can ping 192.168.87.1 from openwrt.
> After I change rightsubnet=0.0.0.0 on both sides' ipsec.conf, I can not
> ping 87.1 from openwrt.
>
> So how can I allow all traffic to foreign IP ranges into the IPsec tunnel?
>
> Sent from Mobile
>
>
> On 18 December 2014, at 03:31, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
>
> Hello Eric,
>
> You can use passthrough policies for your local networks and a TS of
> localnet == 0.0.0.0/0 for that.
> You will need to use some custom firewall rule to exempt IPsec traffic
> from NAT. Look through the list archive
> for some emails from me about that topic.
>
> Kind regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 17.12.2014 at 13:21, Eric Y. Zhang wrote:
>
> Hi all,
>
> here is my setup:
>
> strongswan(openwrt)<----->strongswan(linux VPS), the IPsec tunnel is up
> between those 2.
>
> Now I want to route all traffic except domestic to that tunnel. How can I
> make that work?
>
> --
>
> Life is harsh
>
>
>
> _______________________________________________
>
> Users mailing list
>
> Users at lists.strongswan.org
>
> https://lists.strongswan.org/mailman/listinfo/users
>
>

-- 
Life is harsh
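The setup Noel describes (passthrough policies for the networks that must stay out of the tunnel, a 0.0.0.0/0 traffic selector for everything else, and IPsec-bound traffic exempted from NAT) can be generated from a single list of bypass networks. The script below is an added example, not configuration from Eric or Noel; it only prints the ipsec.conf fragment and the iptables commands rather than applying them. The WAN interface name `eth0`, the connection names `bypassN`, and the two "domestic" prefixes 203.0.113.0/24 and 198.51.100.0/24 (documentation ranges) are assumptions; the LAN 192.168.89.0/24 and the connection name `runabove` come from the thread.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): emit a strongSwan
# ipsec.conf fragment plus iptables NAT rules for "tunnel everything except
# the listed networks".

LAN=192.168.89.0/24   # LAN behind the OpenWrt router, as in the thread
WAN_IF=eth0           # assumed WAN interface name on the router
CONN=runabove         # tunnel connection name seen in the status output

# Constructed list of networks that must bypass the tunnel: the local LAN
# itself plus two placeholder "domestic" prefixes (documentation ranges).
BYPASS_NETS="192.168.89.0/24 203.0.113.0/24 198.51.100.0/24"

# Number of bypass networks (used by the checks below).
bypass_count() {
    set -- $BYPASS_NETS
    echo $#
}

# One passthrough connection per bypass network. strongSwan installs
# passthrough policies with precedence over its tunnel policies, so traffic
# to these destinations leaves in the clear while 0.0.0.0/0 catches the rest.
passthrough_conns() {
    i=0
    for net in $BYPASS_NETS; do
        i=$((i + 1))
        printf 'conn bypass%d\n' "$i"
        printf '    type=passthrough\n'
        printf '    leftsubnet=%s\n' "$LAN"
        printf '    rightsubnet=%s\n' "$net"
        printf '    auto=route\n\n'
    done
}

# The tunnel itself: LAN on the left, everything on the right. The VPS side
# mirrors this with leftsubnet=0.0.0.0/0 and rightsubnet=192.168.89.0/24.
tunnel_conn() {
    printf 'conn %s\n' "$CONN"
    printf '    type=tunnel\n'
    printf '    leftsubnet=%s\n' "$LAN"
    printf '    rightsubnet=0.0.0.0/0\n'
    printf '    auto=route\n\n'
}

# Packets that an outbound IPsec policy will protect must not be NATed, or
# their source address no longer matches the tunnel's traffic selector.
# Everything else (the bypass networks) is masqueraded out of the WAN as usual.
nat_rules() {
    echo "iptables -t nat -I POSTROUTING -s $LAN -m policy --dir out --pol ipsec -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -s $LAN -o $WAN_IF -j MASQUERADE"
}

echo '# --- ipsec.conf fragment ---'
passthrough_conns
tunnel_conn
echo '# --- firewall commands ---'
nat_rules
```

The `-m policy --dir out --pol ipsec` match is the usual way to build the NAT exemption Noel refers to: it fires only for packets the kernel is about to protect with IPsec, so it does not need a separate `-d` rule per remote subnet the way the `-d 192.168.87.0/24` rule in the thread does. Networks that should bypass the tunnel are added to the list rather than to an ipset, because the kernel's XFRM policy lookup decides what enters the tunnel and netfilter sets cannot change that decision.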