[strongSwan] Why doesn't table 220 change forwarded packets source IP address?

Andreas Steffen andreas.steffen at strongswan.org
Sun Nov 6 15:10:04 CET 2016

Hi Richard,

the table 220 source IP routing rule applies to packets originating
from the VPN gateway itself, only. If you want roadwarriors from a
subnet behind the GW to assume this address then you have to NAT them
to the GW's address. Since the table 220 rule usually maps the GW's
source address to the local interface on the subnet I don't see
the sense of the roadwarriors belonging to this subnet to assume
the gateway's internal address.



On 05.11.2016 18:01, Richard Chan wrote:
> Hi, in the roadwarrior configuration, from a conceptual point of view,
> why doesn't table 220 change the source IP address of forwarded packets
> (say the roadwarrior has a subnet behind it)?
> # ip ro sho table 220
> <> via dev eth0  proto static
>   src
> # ip rule show
> 0:      from all lookup local
> 220:    from all lookup 220
> 32766:  from all lookup main
> 32767:  from all lookup default
> roadwarrior has a separate subnet <>
> and is forwarding/NAT'ing packets.  When  I ping a host on the central
> site LAN
> - OUTPUT chain sees the source IP address as (table 220 is
> working!)
> -  FORWARD chain sees the source IP address as 192.168.2.X  (host cannot
> be reached until these packets are SNAT'ed to

> Richard Chan
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
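
The behaviour discussed in this thread, as a small Python model; this is an added example, not part of either poster's message and not strongSwan code. The addresses 10.3.0.1 and 10.1.0.0/16 are constructed, because the post elides its real ones, and the model assumes the tunnel's local traffic selector is exactly the address installed as `src` in table 220.

```python
import ipaddress

# Constructed sample values (the post elides its real addresses).
VIRTUAL_IP = ipaddress.ip_address("10.3.0.1")       # assumed "src" of the table 220 route
CENTRAL_LAN = ipaddress.ip_network("10.1.0.0/16")   # assumed central site LAN
RW_SUBNET = ipaddress.ip_network("192.168.2.0/24")  # subnet behind the roadwarrior

# Table 220 modelled as (destination network, preferred source) entries.
TABLE_220 = [(CENTRAL_LAN, VIRTUAL_IP)]

def route_src_hint(dst):
    """Preferred source of the table 220 route covering dst, or None."""
    for net, src in TABLE_220:
        if dst in net:
            return src
    return None

def source_after_routing(dst, src=None):
    """src=None models a local socket that has not bound a source address;
    only then is the route's src hint used. A forwarded packet already
    carries a source address, so the routing lookup leaves it unchanged."""
    if src is None:
        return route_src_hint(dst)
    return ipaddress.ip_address(src)

def apply_snat(src, dst, snat_rules):
    """POSTROUTING model: first rule matching (src net, dst net) rewrites src."""
    for src_net, dst_net, to_source in snat_rules:
        if src in src_net and dst in dst_net:
            return to_source
    return src

def tunneled(dst, src=None, snat_rules=()):
    """True if the packet ends up matching the assumed IPsec policy
    VIRTUAL_IP -> CENTRAL_LAN after routing and SNAT."""
    dst = ipaddress.ip_address(dst)
    routed = source_after_routing(dst, src)
    if routed is None:          # no table 220 route: not tunnel traffic
        return False
    final = apply_snat(routed, dst, snat_rules)
    return final == VIRTUAL_IP and dst in CENTRAL_LAN

# One SNAT rule: roadwarrior subnet -> central LAN, rewritten to VIRTUAL_IP.
SNAT = [(RW_SUBNET, CENTRAL_LAN, VIRTUAL_IP)]

if __name__ == "__main__":
    print("local ping:        ", tunneled("10.1.0.10"))
    print("forwarded, no SNAT:", tunneled("10.1.0.10", "192.168.2.5"))
    print("forwarded, SNAT:   ", tunneled("10.1.0.10", "192.168.2.5", SNAT))
```
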
