[strongSwan] routing traffic to site to site ipsec tunnel

Noel Kuntze noel at familie-kuntze.de
Thu Dec 18 13:33:05 CET 2014



Hello Eric,

What exactly do you mean by that? Make traffic to all networks but the LAN go through the tunnel?
For that, you need to exempt IPsec traffic from NAT.
You can use the 'policy' module of iptables to match IPsec traffic.
E.g.: iptables -t nat -A POSTROUTING -o eth0 -m policy --pol none --dir out -j MASQUERADE

That rule matches all traffic that goes out of eth0 and does not have a matching IPsec policy, and will MASQUERADE it.
Another rule you could use is "iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT"
That rule will simply accept all traffic with a matching policy, so it does not get masqueraded.

Kind regards,
Noel Kuntze

Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 18.12.2014 at 11:24, Eric Y. Zhang wrote:
> hi Noel
> iptables -t nat -I POSTROUTING -s 192.168.89.0/24 -d 192.168.87.0/24 -j ACCEPT
> ip route add 192.168.87.0/24 via 192.168.89.1
> 
> and add type=passthrough
> I can ping 192.168.87.1
> Routed Connections:
>     runabove{1}:  ROUTED, TUNNEL
>     runabove{1}:   192.168.89.0/24 === 0.0.0.0/0
> Security Associations (1 up, 0 connecting):
>     runabove[1]: ESTABLISHED 32 minutes ago, 192.168.88.101[ezhang]...serverip [eang]
>     runabove{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c8508cd1_i c9042c77_o
>     runabove{1}:   192.168.89.0/24 === 0.0.0.0/0
> 
> and I managed to add 8.8.8.8 into that tunnel, it works too.
> 
> then I have another question, how to add all foreign IP blocks into that tunnel? like via ipset
> 
> On Thu, Dec 18, 2014 at 11:44 AM, Eric Zhang <debiansid at gmail.com> wrote:
> 
>     Hi Noel
>     I just added
>     iptables -t nat -I POSTROUTING -s 192.168.89.0/24 -d 192.168.87.0/24 -j ACCEPT
>     Then I can ping 192.168.87.1 from openwrt.
>     After I change rightsubnet=0.0.0.0 on both sides' ipsec.conf, I cannot ping 87.1 from openwrt.
> 
>     So how can I allow all traffic to foreign ip range into IPSec tunnel?
> 
>     Sent from Mobile
> 
> 
>     On 18 Dec 2014, at 03:31, Noel Kuntze <noel at familie-kuntze.de> wrote:
> 
> Hello Eric,
> 
> You can use passthrough policies for your local networks and a ts of localnet == 0.0.0.0/0 for that.
> You will need to use some custom firewall rule to except IPsec traffic from NAT. Look through the list archive
> for some emails from me about that topic.
> 
> Kind regards,
> Noel Kuntze
> 
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> 
> On 17.12.2014 at 13:21, Eric Y. Zhang wrote:
>>>>     Hi all
>>>>     here is my setup
>>>>
>>>>     strongswan(openwrt)<----->strongswan(linux VPS), the ipsec tunnel is up between those 2.
>>>>
>>>>     Now  I want to route all traffic except domestic to that tunnel. How can I make that work?
>>>>     --
>>>>     Life is harsh
>>>>
>>>>
>>>>     _______________________________________________
>>>>     Users mailing list
>>>>     Users at lists.strongswan.org <mailto:Users at lists.strongswan.org>
>>>>     https://lists.strongswan.org/mailman/listinfo/users
> 
> 
> 
> 
> -- 
> Life is harsh
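An added check for the rule-ordering point Noel makes above (the `-m policy --pol ipsec -j ACCEPT` exemption has to sit in front of any MASQUERADE/SNAT rule that does not itself check the IPsec policy, otherwise the tunnel-bound packets are rewritten before the kernel matches them against the traffic selector). This is example code, not part of the original thread or of strongSwan: a POSIX shell function that reads the output of `iptables -t nat -S POSTROUTING` on stdin and fails when an unconditional NAT rule precedes the exemption. The chain listings are constructed samples, and `audit_nat_postrouting` and the `chain_*` helper names are chosen for this example.

```shell
#!/bin/sh
# Audit nat/POSTROUTING for the NAT-before-exemption mistake (added example).
#
# Reads `iptables -t nat -S POSTROUTING` output on stdin.
# Returns 0 when the chain is safe: every MASQUERADE/SNAT rule either is
# restricted with "--pol none" or is preceded by the exemption
# "-m policy --pol ipsec -j ACCEPT".
# Returns 1 when a NAT rule that ignores the IPsec policy comes before
# the exemption (IPsec traffic would be NATed and miss the tunnel).
audit_nat_postrouting() {
    awk '
        # A NAT target without "--pol none" applies to IPsec traffic too;
        # it is only harmless if the ACCEPT exemption was seen above it.
        /-j (MASQUERADE|SNAT)/ && $0 !~ /--pol none/ {
            if (!exempt) bad = 1
        }
        # The exemption: packets with a matching outbound IPsec policy are
        # accepted here and never reach later NAT rules.
        /--pol ipsec/ && /-j ACCEPT/ { exempt = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample chains (not real output from the poster's router).
# Wrong: MASQUERADE inserted first, exemption appended afterwards.
chain_wrong() {
    printf '%s\n' \
        '-P POSTROUTING ACCEPT' \
        '-A POSTROUTING -o eth0 -j MASQUERADE' \
        '-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT'
}

# Fixed: exemption first (as with "iptables -t nat -I POSTROUTING ...").
chain_fixed() {
    printf '%s\n' \
        '-P POSTROUTING ACCEPT' \
        '-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT' \
        '-A POSTROUTING -o eth0 -j MASQUERADE'
}

# Also fine: the MASQUERADE itself only matches traffic with no IPsec policy.
chain_pol_none() {
    printf '%s\n' \
        '-P POSTROUTING ACCEPT' \
        '-A POSTROUTING -o eth0 -m policy --dir out --pol none -j MASQUERADE'
}

# Run the audit over the three samples and report.
for c in chain_wrong chain_fixed chain_pol_none; do
    if $c | audit_nat_postrouting; then
        echo "$c: ok, IPsec traffic is exempt from NAT"
    else
        echo "$c: IPsec traffic would be NATed, move the exemption above the NAT rule"
    fi
done
```

On a live router the same function is fed directly: `iptables -t nat -S POSTROUTING | audit_nat_postrouting`. Note that `-S` prints rules in their actual chain order, so a rule added with `-I` appears before rules added with `-A`, which is why Noel's second rule uses `-I`.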

