[strongSwan] Tunnel the traffic of router itself

Zesen Qian strongswan-users at riaqn.com
Tue Jan 13 03:54:02 CET 2015


Hello Noel,
Thanks for the reply.
Do you mean something like this?

left=22.22.22.22
leftsubnet=10.0.0.0/24, 22.22.22.22/32
right=33.33.33.33
rightsubnet=0.0.0.0/0

Will it also tunnel the traffic between 22.22.22.22 and 33.33.33.33? Is
that a dead loop? Since according to [1], any packet with
src=22.22.22.22 and dst=any will be tunneled, and there is no way to
"mark" a packet to make it escape the tunnel? Am I right?

[1] http://inai.de/images/nf-packet-flow.png

Noel Kuntze <noel at familie-kuntze.de> writes:

> Hello Zesen,
>
> You need to include your public IP in the traffic selector.
> Doing that might be tricky, if you have a dynamic IP.
> The routes have nothing to do at all with what packets get tunneled. It's a policy-based VPN,
> not a route-based one.
>
> Kind regards/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 12.01.2015 at 15:23, Zesen Qian wrote:
>> Hello list,
>> I'm configuring strongSwan for 10.0.0.0/24 === 0.0.0.0/0, and doing a
>> MASQUERADE on the other side.
>> By now a client in the LAN (10.0.0.80) can see its traffic being
>> tunnelled. Now my question is, is there any way to tunnel the traffic of
>> the router itself? Yes, if I send an IP packet with src=10.0.0.1 then it will
>> be tunnelled, but consider a packet with src=22.22.22.22, which is the
>> public IP of my router; it won't be tunneled?
>> BTW, I noticed that strongSwan will insert a routing table with something
>> like:
>> # ip route list table 220
>> default dev is0  proto static  src 10.0.0.1
>> 10.0.0.0/24 dev enp0s29f7u2u4  proto static  src 10.0.0.1
>>
>> The src field seems to be related to my question, but I was told that it's
>> only a 'hint' to the local bind() call, and won't have any effect on a packet
>> that already has a src field.
>>
>> Any comments are appreciated.
>>
>

-- 
Zesen Qian (钱泽森)

