[strongSwan] Routing Problem

Noel Kuntze noel at familie-kuntze.de
Wed Mar 22 16:05:50 CET 2017


On 22.03.2017 15:37, Thomas Creutz wrote:
> 
> Works:
>    ping from 192.168.0.254 -> 192.168.2.254
> Doesn't work:
>   ping from 192.168.0.254 -> 192.168.2.102 (example - host firewall is open for icmp, and ping from local router to the host works)
> 
> The statusall command also doesn't show me that the subnet is routed. And when I try to "route" it I get this:

There are several problems.
1) The default firewall layout and the LuCI management don't work with policy-based IPsec. You need to rework it manually and manage the rules manually.
2) The MASQUERADE or SNAT rules in the *nat tables SNAT all the traffic. You need to except IPsec protected traffic from the SNAT/MASQUERADE rules. [1]

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#General-NAT-problems


-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
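An added example of the NAT exception Noel describes (not code from the list post or from strongSwan itself): the `policy` match skips SNAT for packets that will leave under an IPsec policy, so they keep a source address the peer's SPD accepts. The WAN interface name `eth0.2` and the `/24` masks are assumptions; the addresses follow the thread. By default it only prints the iptables commands; set `IPT=iptables` to apply them.

```shell
#!/bin/sh
# Hypothetical router settings; adjust to the real WAN interface and subnets.
WAN_IF="${WAN_IF:-eth0.2}"
LOCAL_NET="${LOCAL_NET:-192.168.0.0/24}"     # LAN behind this router
REMOTE_NET="${REMOTE_NET:-192.168.2.0/24}"   # subnet behind the IPsec peer
# Dry-run by default: print the commands instead of executing them.
IPT="${IPT:-echo iptables}"

# Insert an ACCEPT ahead of any MASQUERADE/SNAT rule in nat/POSTROUTING.
# ACCEPT in the nat table ends NAT processing, so traffic matching an
# outbound IPsec policy (--dir out --pol ipsec) is not source-NATed.
ipsec_nat_exception() {
    $IPT -t nat -I POSTROUTING -o "$WAN_IF" -s "$LOCAL_NET" -d "$REMOTE_NET" \
        -m policy --dir out --pol ipsec -j ACCEPT
}

# Forward only traffic that was decrypted from (dir in) or will be
# encrypted into (dir out) the tunnel; plaintext between the same
# subnets arriving any other way still hits the default FORWARD policy.
ipsec_forward_rules() {
    $IPT -I FORWARD -i "$WAN_IF" -s "$REMOTE_NET" -d "$LOCAL_NET" \
        -m policy --dir in --pol ipsec -j ACCEPT
    $IPT -I FORWARD -o "$WAN_IF" -s "$LOCAL_NET" -d "$REMOTE_NET" \
        -m policy --dir out --pol ipsec -j ACCEPT
}

# Let IKE (UDP 500/4500) and ESP reach the router itself.
ipsec_input_rules() {
    $IPT -I INPUT -i "$WAN_IF" -p udp -m multiport --dports 500,4500 -j ACCEPT
    $IPT -I INPUT -i "$WAN_IF" -p esp -j ACCEPT
}
```

Verify afterwards with `iptables -t nat -L POSTROUTING -v -n` that the ACCEPT line sits above MASQUERADE, and check `ipsec statusall` for the installed policy.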

