[strongSwan] Customizing routing
Tobias Brunner
tobias at strongswan.org
Tue Dec 15 11:00:11 CET 2015
Hi Jan,
> With kernel-netlink however I can achieve higher throughput with less
> CPU being used, but in that case SNAT seems to fail sometimes
> (connections are initiated correctly but "hang" after a while). Main
> difference is the lack of dedicated interface so routing customization
> is not required, but below SNAT rule seems to result in hanging
> connections:
>
> iptables -t nat -A POSTROUTING -o WAN -d A,B -j SNAT --to-source <virtual-ip>
This is about the same rule that's used in the updown script in [1]. It
might help if you tried to debug what happens in Netfilter via the TRACE
target (see e.g. [2]).
Regards,
Tobias
[1] https://www.strongswan.org/testing/testresults/ikev1/nat-virtual-ip/
[2] http://backreference.org/2010/06/11/iptables-debugging/
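
For reading the output of the TRACE target suggested above, an added example (not part of the original message and not strongSwan code): it groups kernel TRACE log lines per packet and reports which nat POSTROUTING rule, if any, each packet matched. The log lines, addresses and the LAN interface name are constructed for illustration; WAN is the interface from the quoted rule.

```python
import re
from collections import OrderedDict

# Constructed kernel log lines in the TRACE format "TRACE: table:chain:type:rulenum".
# Packet 4711 opens a connection, packet 4712 belongs to the same connection.
SAMPLE = """\
kernel: TRACE: raw:PREROUTING:policy:2 IN=LAN OUT= MAC= SRC=10.1.0.20 DST=198.51.100.5 LEN=60 ID=4711 PROTO=TCP SPT=40000 DPT=443 SYN
kernel: TRACE: filter:FORWARD:rule:3 IN=LAN OUT=WAN SRC=10.1.0.20 DST=198.51.100.5 LEN=60 ID=4711 PROTO=TCP SPT=40000 DPT=443 SYN
kernel: TRACE: nat:POSTROUTING:rule:1 IN= OUT=WAN SRC=10.1.0.20 DST=198.51.100.5 LEN=60 ID=4711 PROTO=TCP SPT=40000 DPT=443 SYN
kernel: TRACE: raw:PREROUTING:policy:2 IN=LAN OUT= MAC= SRC=10.1.0.20 DST=198.51.100.5 LEN=52 ID=4712 PROTO=TCP SPT=40000 DPT=443 ACK
kernel: TRACE: filter:FORWARD:rule:3 IN=LAN OUT=WAN SRC=10.1.0.20 DST=198.51.100.5 LEN=52 ID=4712 PROTO=TCP SPT=40000 DPT=443 ACK
kernel: unrelated message that is not a TRACE line
"""

# type is "rule" (a rule matched), "return" (end of a user chain) or
# "policy" (end of a built-in chain reached, policy applied).
HOP = re.compile(r"TRACE: ([^:\s]+):([^:\s]+):(rule|return|policy):(\d+) (.*)")


def parse_trace(text):
    """Group TRACE lines per packet, keyed by (SRC, DST, IP ID)."""
    packets = OrderedDict()
    for line in text.splitlines():
        m = HOP.search(line)
        if not m:
            continue  # skip anything that is not TRACE output
        table, chain, kind, num, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        key = (fields.get("SRC"), fields.get("DST"), fields.get("ID"))
        packets.setdefault(key, []).append((table, chain, kind, int(num)))
    return packets


def nat_postrouting_rule(hops):
    """Number of the nat POSTROUTING rule the packet matched, or None."""
    for table, chain, kind, num in hops:
        if (table, chain, kind) == ("nat", "POSTROUTING", "rule"):
            return num
    return None


def summarize(text):
    """Map each packet key to the nat POSTROUTING rule it matched (or None)."""
    return {k: nat_postrouting_rule(h) for k, h in parse_trace(text).items()}


if __name__ == "__main__":
    for (src, dst, ipid), hops in parse_trace(SAMPLE).items():
        path = " -> ".join(f"{t}:{c}:{k}:{n}" for t, c, k, n in hops)
        print(f"{src} -> {dst} id={ipid}: {path}")
        print("  nat POSTROUTING rule:", nat_postrouting_rule(hops))
```

Only the first packet of a connection traverses the nat table, so a later packet of the same connection showing no nat hop (as packet 4712 here) is expected; the case worth investigating is a connection whose first packet never matches the SNAT rule.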