[strongSwan] Why doesn't table 220 change forwarded packets source IP address?
Andreas Steffen
andreas.steffen at strongswan.org
Sun Nov 6 15:10:04 CET 2016
Hi Richard,
the table 220 source IP routing rule applies to packets originating
from the VPN gateway itself, only . If you want roadwarriors from a
subnet behind the GW to assume this address then you have to NAT them
to the GW's address. Since the table 220 rule usually maps the GW's
source address to the local interface on the subnet I don't see
the sense of the roadwarriors belonging to this subnet to assume
the gateway's internal address.
Regards
Andreas
On 05.11.2016 18:01, Richard Chan wrote:
> Hi, in the roadwarrior configuration, from a conceptual point of view,
> why doesn't table 220 change the source IP address of forwarded packets
> (say the roadwarrior has a subnet behind it)?
>
> # ip ro sho table 220
> 10.0.0.0/8 <http://10.0.0.0/8> via 192.168.1.1 dev eth0 proto static
> src 10.2.0.3
>
> # ip rule show
> 0: from all lookup local
> 220: from all lookup 220
> 32766: from all lookup main
> 32767: from all lookup default
>
> roadwarrior has a separate subnet 192.168.2.0/24 <http://192.168.2.0/24>
> and is forwarding/NAT'ing packets. When I ping a host on the central
> site LAN
>
> - OUTPUT chain sees the source IP address as 10.2.0.3 (table 220 is
> working!)
> - FORWARD chain sees the source IP address as 192.168.2.X (host cannot
> be reached until these packets are SNAT'ed to 10.2.0.3)
>
> Richard Chan
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3859 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20161106/bf1f3b9f/attachment.bin>
More information about the Users
mailing list