[strongSwan] source-based routing

Martin Willi martin at strongswan.org
Tue Oct 14 10:32:42 CEST 2014


> I want to be able to route one specific IP (say 192.168.0.100) address
> on local LAN A so that its gateway is gateway of remote LAN B (say
> 192.168.10.1). LAN A and B are connected through a site-to-site VPN
> using strongswan:

If I understand correctly, you have an IPsec gateway on each network,
and connect these together using that site-site tunnel, but that
specific IP 192.168.0.100 is not directly doing IPsec?

What you need is to have the correct routes installed on your non-IPsec
hosts. 192.168.0.100 needs a default route over the IPsec gateway, so
that it can forward your traffic. For it to do so, you'll need a tunnel
for that traffic: leftsubnet=192.168.0.100/32 and rightsubnet=0.0.0.0/0.

For the reverse path, you'll have to tell the default gateway on LAN B
where to route traffic to destination 192.168.0.100, which is the IPsec
gateway on your LAN B (it should know that if your IPsec gateway is your
default gateway).

As a general rule, you just have to make sure to negotiate the correct
traffic selectors for traffic that you want to forward by your IPsec
gateways. Everything else is more or less just plain IP routing.

Regards
Martin
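The setup Martin describes, as an added example that is not part of the original thread: an ipsec.conf conn on the LAN A IPsec gateway with exactly the traffic selectors he names, plus the two plain IP routes the non-IPsec hosts need. The inner address 192.168.0.1 for the LAN A gateway, 192.168.10.2 for the LAN B IPsec gateway and the public addresses are assumed placeholders; the mail itself only gives the host 192.168.0.100 and the LAN B default gateway 192.168.10.1.

```conf
# /etc/ipsec.conf on the LAN A IPsec gateway.
# Assumed values (not from the thread): inner address 192.168.0.1,
# public address 203.0.113.1; LAN B IPsec gateway public address 198.51.100.1.
conn host-a-via-lan-b
    keyexchange=ikev2
    left=203.0.113.1
    leftsubnet=192.168.0.100/32    # only this one LAN A host is tunnelled
    right=198.51.100.1
    rightsubnet=0.0.0.0/0          # everything that host sends goes into the tunnel
    authby=psk
    auto=start

# The LAN B IPsec gateway mirrors the selectors:
#   leftsubnet=0.0.0.0/0 and rightsubnet=192.168.0.100/32
#
# Routing outside IPsec ("plain IP routing" in the mail):
#   on 192.168.0.100 (LAN A host, not doing IPsec itself):
#       ip route replace default via 192.168.0.1
#   on the LAN B default gateway 192.168.10.1, only if it is not itself the
#   IPsec gateway (assumed LAN B IPsec gateway inner address 192.168.10.2):
#       ip route add 192.168.0.100/32 via 192.168.10.2
#
# Check on the LAN A gateway that the negotiated selector matches the intent:
#   ipsec statusall | grep 192.168.0.100/32
```

If the selector shown by `ipsec statusall` is wider or narrower than 192.168.0.100/32 === 0.0.0.0/0, the peer narrowed the proposal and the host's traffic will bypass or not match the tunnel.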


