[strongSwan] source-based routing

Martin Willi martin at strongswan.org
Tue Oct 14 10:32:42 CEST 2014

> I want to be able to route one specific IP (say address
> on local LAN A so that its gateway is gateway of remote LAN B (say
> LAN A and B are connected through a site-to-site VPN
> using strongswan:

If I understand correctly, you have an IPsec gateway on each network,
and connect these together using that site-site tunnel, but that
specific IP is not directly doing IPsec?

What you need is to have the correct routes installed on your non-IPsec
hosts. needs a default route over the IPsec gateway, so
that can forward your traffic. For it to do so, you'll need a tunnel
for that traffic: leftsubnet= and rightsubnet=

For the reverse path, you'll have to tell the default gateway on LAN B
where to route traffic to destination, which is the IPsec
gateway on your LAN B (it should know that if your IPsec gateway is your
default gateway).

As a general rule, you just have to make sure to negotiate the correct
traffic selectors for traffic that you want to forward by your IPsec
gateways. Everything else is more or less just plain IP routing.
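The reasoning in the reply, as an added example (not code from the post, the poster, or strongSwan): a small Python model of the two things that have to line up, the ordinary routing tables on the non-IPsec hosts and the traffic selectors negotiated on the gateways. It also goes a step beyond the reply by showing the two failure modes a practitioner will hit: a CHILD_SA whose selectors do not cover the host (the packet leaves LAN A unprotected via gateway A's own uplink) and a LAN B default gateway with no return route (replies never reach gateway B). All addresses, the tunnel definition and the `"direct"`/`"uplink"`/`"upstream"` next-hop labels are assumptions for illustration.

```python
"""Model of routes plus IPsec traffic selectors for the LAN A -> LAN B case.

Added example; not from the original post or from strongSwan. Assumed
topology: LAN A 10.1.0.0/24 behind IPsec gateway A (10.1.0.1), LAN B
10.2.0.0/24 behind IPsec gateway B (10.2.0.1), the host that should exit
through LAN B is 10.1.0.50, and LAN B's default gateway is 10.2.0.254.
The extra CHILD_SA on gateway A corresponds to leftsubnet=10.1.0.50/32,
rightsubnet=0.0.0.0/0 (an assumed configuration, not the poster's).
"""
import ipaddress

GW_A, GW_B, HOST, GW_B_DEFAULT = "10.1.0.1", "10.2.0.1", "10.1.0.50", "10.2.0.254"


def lookup(routes, dst):
    """Longest-prefix match over [(prefix, next_hop)], like `ip route get`."""
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def ts_match(selectors, src, dst):
    """True if some (local_ts, remote_ts) pair covers a packet src -> dst.

    The pairs are given in the direction the packet enters the tunnel; for
    return traffic the caller swaps them, since the reverse policy is derived
    from the same CHILD_SA.
    """
    return any(ipaddress.ip_address(src) in ipaddress.ip_network(l)
               and ipaddress.ip_address(dst) in ipaddress.ip_network(r)
               for l, r in selectors)


def make_topology(host_in_ts=True, return_route=True):
    """Constructed topology; the two flags switch the failure modes on and off."""
    selectors = [("10.1.0.0/24", "10.2.0.0/24")]          # plain site-to-site CHILD_SA
    if host_in_ts:
        selectors.append((HOST + "/32", "0.0.0.0/0"))      # extra CHILD_SA for the one host
    gw_b_default_routes = [("10.2.0.0/24", "direct"), ("0.0.0.0/0", "upstream")]
    if return_route:
        gw_b_default_routes.append((HOST + "/32", GW_B))   # replies for HOST go to gateway B
    return {
        "selectors_a_to_b": selectors,
        "routes": {
            HOST: [("10.1.0.0/24", "direct"), ("0.0.0.0/0", GW_A)],   # default via gateway A
            GW_A: [("10.1.0.0/24", "direct"), ("0.0.0.0/0", "uplink")],
            GW_B: [("10.2.0.0/24", "direct"), ("0.0.0.0/0", GW_B_DEFAULT)],
            GW_B_DEFAULT: gw_b_default_routes,
        },
    }


def forward_path(topo, dst):
    """Trace HOST -> dst: host routing, policy check on gateway A, routing on gateway B."""
    hops = [HOST]
    next_hop = lookup(topo["routes"][HOST], dst)
    if next_hop != GW_A:
        return hops + ["not sent to gateway A (next hop %s)" % next_hop]
    hops.append(GW_A)
    if not ts_match(topo["selectors_a_to_b"], HOST, dst):
        # No policy covers the packet, so gateway A simply routes it in the clear.
        return hops + ["leaves LAN A in the clear via " + lookup(topo["routes"][GW_A], dst)]
    hops.append("ESP->" + GW_B)
    hops.append(lookup(topo["routes"][GW_B], dst))   # after decapsulation, normal routing on B
    return hops


def return_path(topo, src):
    """Trace src -> HOST from LAN B's default gateway, where the replies arrive."""
    hops = [GW_B_DEFAULT]
    next_hop = lookup(topo["routes"][GW_B_DEFAULT], HOST)
    if next_hop != GW_B:
        return hops + ["no route to HOST via gateway B (next hop %s)" % next_hop]
    hops.append(GW_B)
    # Reverse policy on gateway B: remote selector must cover src, local one HOST.
    if not ts_match([(r, l) for l, r in topo["selectors_a_to_b"]], src, HOST):
        return hops + ["dropped: no traffic selector covers the reply"]
    return hops + ["ESP->" + GW_A, HOST]


if __name__ == "__main__":
    for flags in ({}, {"host_in_ts": False}, {"return_route": False}):
        topo = make_topology(**flags)
        print(flags, forward_path(topo, "93.184.216.34"), return_path(topo, "93.184.216.34"))
```

The model only covers the decision the reply describes, namely whether a given packet is routed to the gateway and whether a negotiated selector pair covers it; it does not model strongSwan's own route installation or the XFRM policy database beyond that.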

