[strongSwan] Tunnel the traffic of router itself

Zesen Qian strongswan-users at riaqn.com
Tue Jan 13 03:54:02 CET 2015

Hello Noel,
Thanks for the reply.
Do you mean something like this?


Will it also tunnel the traffic between and ? Is
that a dead loop? Since according to [1], any packet with
src= and dst=any will be tunnelled, and there is no way to
"mark" a packet to make it escape from the tunnel? Am I right?

[1] http://inai.de/images/nf-packet-flow.png

Noel Kuntze <noel at familie-kuntze.de> writes:

> Hello Zesen,
> You need to include your public IP in the traffic selector.
> Doing that might be tricky, if you have a dynamic IP.
> The routes have nothing to do at all with what packets get tunneled. It's a policy based VPN,
> not a route based one.
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> Am 12.01.2015 um 15:23 schrieb Zesen Qian:
>> Hello list,
>> I'm configuring strongswan of ===, and do a
>> MASQUERADE on the other side.
>> By now clients in the LAN( can see their traffic being
>> tunnelled. Now my question is, is there any way to tunnel the traffic of the
>> router itself? Yes, if I send an IP packet with src= then it will
>> be tunnelled, but consider a packet with src=, which is the
>> public IP of my router, it won't be tunnelled?
>> BTW, I noticed that StrongSwan will insert a route table with something
>> like:
>> # ip route list table 220
>> default dev is0  proto static  src
>> dev enp0s29f7u2u4  proto static  src
>> The src field seems to be related to my question, but I was told that it's
>> only a 'hint' to the local bind() call, and won't have an effect on a packet
>> that already has a src field.
>> Any comments are appreciated.
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

Zesen Qian (钱泽森)
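As an added illustration of Noel's advice (not a configuration posted by anyone in this thread), the ipsec.conf fragment below includes the router's own public address in the local traffic selector alongside the LAN. All addresses are assumed placeholders: 192.168.1.0/24 stands for the LAN, 203.0.113.10 for the router's public IP, and 198.51.100.1 for the peer. With IKEv2 strongSwan installs one xfrm policy per selector pair, so the router's own packets with src=203.0.113.10 match the second policy and are tunnelled just like LAN traffic. The peer's address being covered by rightsubnet=0.0.0.0/0 does not create a loop: charon installs bypass policies on its own IKE sockets, and the kernel routes the outer ESP packets with a plain route lookup that does not consult the xfrm policies again. The caveat Noel raised stands: if the public address changes, the /32 in leftsubnet must change with it.

```conf
# Added example (assumed addresses, not from the original thread).
# Tunnels both the LAN and the router's own public address to the peer.
conn lan-and-router
    keyexchange=ikev2
    left=%defaultroute
    # LAN plus the router's own public IP as a /32; comma-separated
    # subnets yield one traffic selector (and one xfrm policy) each.
    leftsubnet=192.168.1.0/24,203.0.113.10/32
    right=198.51.100.1
    # Everything goes through the tunnel; the peer does the MASQUERADE.
    rightsubnet=0.0.0.0/0
    auto=start
```

After `ipsec up lan-and-router`, `ip xfrm policy` should list an outbound policy with `src 203.0.113.10/32 dst 0.0.0.0/0 dir out` next to the one for 192.168.1.0/24; if only the LAN policy appears, the router's own traffic will still leave unencrypted.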
