[strongSwan] Routing Problem

Thomas Creutz thomas.creutz at gmx.de
Wed Mar 22 19:45:17 CET 2017


On 22.03.2017 at 16:05, Noel Kuntze wrote:
> On 22.03.2017 15:37, Thomas Creutz wrote:
>> Works:
>>     ping from 192.168.0.254 -> 192.168.2.254
>> Doesn't work:
>>    ping from 192.168.0.254 -> 192.168.2.102 (example - the host firewall is open for ICMP, and ping from the local router to the host works)
>>
>> The statusall command also doesn't show me that the subnet is routed. And when I try to "route" it I get this:
> There are several problems.
> 1) the default firewall layout and the LUCI management don't work with policy-based IPsec. You need to rework it manually and manage the rules manually.

ok, but the other tunnel (conn1 <> conn2) is working well (sorry, forgot 
to mention it before) in both directions.
conn2new is working only in one direction - for example from 192.168.2.101 
to 192.168.0.1. But not in the other direction.

Do you have any example of how it can be reworked?

> 2) The MASQUERADE or SNAT rules in the *nat tables SNAT all the traffic. You need to except IPsec protected traffic from the SNAT/MASQUERADE rules.[1]
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#General-NAT-problems
>

I have this rule as a custom rule on both the conn2 and conn2new routers:

iptables -t nat -A postrouting_rule -d 192.168.0.0/24 -j ACCEPT

and these on the conn1 router:

iptables -t nat -A postrouting_rule -d 192.168.1.0/24 -j ACCEPT
iptables -t nat -A postrouting_rule -d 192.168.2.0/24 -j ACCEPT

So it seems the same - or am I still missing something?

Regards,
Thomas
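As an added example (mine, not code from this thread or from strongSwan), here is a small Python audit of the question the thread turns on: does traffic for a remote tunnel subnet reach an ACCEPT in the nat POSTROUTING path before it reaches MASQUERADE? It parses a constructed `iptables-save -t nat` dump whose chain layout (a `postrouting_rule` custom chain consulted before `zone_wan_postrouting`) is an assumption about the OpenWrt firewall, follows the jumps in evaluation order, and also includes the `-m policy --dir out --pol ipsec -j ACCEPT` form from the wiki page Noel linked, which exempts every IPsec-protected flow instead of one destination subnet.

```python
"""Audit the nat POSTROUTING path for an IPsec NAT exemption.

Added example, not code from the thread: parse an `iptables-save -t nat`
dump, walk POSTROUTING in evaluation order (descending into user chains)
and report whether traffic to a remote IPsec subnet reaches an ACCEPT
before it reaches SNAT/MASQUERADE. Interface matches (-o) are ignored,
i.e. the audit assumes the packet leaves via the NATed interface.
"""
import ipaddress
import shlex
from typing import Dict, Iterator, List, Tuple

# Constructed sample: user chains modelled on OpenWrt's fw3 layout (assumption),
# with the destination-based ACCEPT rules from the thread in postrouting_rule.
USER_CHAINS = """\
*nat
:POSTROUTING ACCEPT [0:0]
:postrouting_rule - [0:0]
:zone_wan_postrouting - [0:0]
-A postrouting_rule -d 192.168.1.0/24 -j ACCEPT
-A postrouting_rule -d 192.168.2.0/24 -j ACCEPT
-A zone_wan_postrouting -j MASQUERADE
"""


def build_dump(*postrouting_rules: str) -> str:
    """Constructed dump: the fixed user chains plus the given POSTROUTING rules, in order."""
    body = "".join(f"-A POSTROUTING {r}\n" for r in postrouting_rules)
    return USER_CHAINS + body + "COMMIT\n"


# Custom chain consulted first (fw3-like): the -d ACCEPTs win for the two subnets.
FW3_LIKE = build_dump("-j postrouting_rule", "-o eth0.2 -j zone_wan_postrouting")
# WAN zone consulted first: MASQUERADE is terminating, so the ACCEPTs are never reached.
WAN_FIRST = build_dump("-o eth0.2 -j zone_wan_postrouting", "-j postrouting_rule")
# Policy-based exemption from the linked strongSwan wiki page at the very top:
# it matches every IPsec-protected flow, whatever the destination subnet.
POLICY_FIRST = build_dump("-m policy --dir out --pol ipsec -j ACCEPT",
                          "-o eth0.2 -j zone_wan_postrouting")

Rule = Dict[str, object]  # keys: chain, dst, dst_negated, target
SNAT_TARGETS = {"MASQUERADE", "SNAT", "NETMAP"}


def parse_nat_rules(dump: str) -> Dict[str, List[Rule]]:
    """Return {chain: [rules in order]} for the *nat table of an iptables-save dump."""
    chains: Dict[str, List[Rule]] = {}
    in_nat = False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_nat = line.strip() == "*nat"
        elif not in_nat:
            continue
        elif line.startswith(":"):
            chains.setdefault(line[1:].split()[0], [])  # chain declaration
        elif line.startswith("-A "):
            toks = shlex.split(line)
            rule: Rule = {"chain": toks[1], "dst": None, "dst_negated": False, "target": None}
            i, negate = 2, False
            while i < len(toks):
                tok = toks[i]
                if tok == "!":
                    negate = True
                elif tok in ("-d", "--destination"):
                    rule["dst"], rule["dst_negated"] = toks[i + 1], negate
                    i += 1
                elif tok in ("-j", "--jump"):
                    rule["target"] = toks[i + 1]
                    i += 1
                if tok != "!":
                    negate = False  # "!" only applies to the match that follows it
                i += 1
            chains.setdefault(rule["chain"], []).append(rule)
    return chains


def walk(chains: Dict[str, List[Rule]], chain: str = "POSTROUTING",
         stack: Tuple[str, ...] = ()) -> Iterator[Rule]:
    """Yield rules in kernel evaluation order, descending into jumps to user chains."""
    for rule in chains.get(chain, []):
        target = rule["target"]
        if isinstance(target, str) and target in chains and target not in stack:
            yield from walk(chains, target, stack + (chain,))
        else:
            yield rule


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def rule_reaches(rule: Rule, remote: ipaddress.IPv4Network, need_full_cover: bool) -> bool:
    """Does the rule's -d match apply to `remote`? An exemption must cover the whole
    subnet; a NAT rule is a problem if it overlaps it at all. A negated -d is treated
    conservatively: it never counts as an exemption, always counts as possible NAT."""
    dst = rule["dst"]
    if dst is None:
        return True  # no -d: matches everything (a -m policy ACCEPT lands here)
    if rule["dst_negated"]:
        return not need_full_cover
    net = _net(str(dst))
    return remote.subnet_of(net) if need_full_cover else remote.overlaps(net)


def nat_exemption_status(dump: str, remote_subnet: str) -> str:
    """'exempt': an ACCEPT covering remote_subnet is hit before any SNAT/MASQUERADE;
    'masqueraded': a SNAT/MASQUERADE that can match the subnet comes first;
    'no-nat': nothing on the path would NAT that traffic."""
    remote = _net(remote_subnet)
    for rule in walk(parse_nat_rules(dump)):
        target = rule["target"]
        if target == "ACCEPT" and rule_reaches(rule, remote, need_full_cover=True):
            return "exempt"
        if target in SNAT_TARGETS and rule_reaches(rule, remote, need_full_cover=False):
            return "masqueraded"
    return "no-nat"


if __name__ == "__main__":
    for name, dump in (("fw3-like", FW3_LIKE), ("wan-first", WAN_FIRST), ("policy-first", POLICY_FIRST)):
        print(name, "192.168.2.0/24 ->", nat_exemption_status(dump, "192.168.2.0/24"))
```

To use it against a real box, feed the output of `iptables-save -t nat` from each router in place of the constructed dumps and ask about the peer's subnet. A "masqueraded" result on either end explains one-way reachability: replies leaving that router are source-NATed before the IPsec policy is consulted, so they no longer match the tunnel's selectors.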
