[strongSwan] Source routing with StrongSwan

Noel Kuntze noel at familie-kuntze.de
Wed Dec 14 00:52:17 CET 2016

On 14.12.2016 00:04, Hoggins! wrote:
> I... guess I would know how to do it, but pardon me, I couldn't find
> what I need on the vast Internetz. I know how to mark packets and to
> route them accordingly, but I might be missing something here, because
> I'm still stuck at a point where iproute tells me that the remote
> network is unreachable.

That's because "via" is only usable when there's a broadcast domain. IPsec doesn't have one.
There aren't multiple next hops in an IPsec tunnel. There's only one. The remote peer.

> I know you're not here to provide a bunch of commands to help me get
> started, but maybe just a "recipe" ? Something like "first, mark your
> packets coming from blah and using bleh, then add a rule to handle
> these, then... etc."
set mark_out on the tunnel configuration, then mark the packets you want to put into the SA with that mark in iptables.

> The thing is that I looked at the archives of this list and I found a
> schema that you provided, showing the whole netfilter chains with IPSec
> in the middle... but even then, I'm not sure I can successfully use that
> information.


Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 866 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20161214/72f4b6b3/attachment.sig>

More information about the Users mailing list