[strongSwan] Routing Problem
Thomas Creutz
thomas.creutz at gmx.de
Wed Mar 22 19:45:17 CET 2017
Am 22.03.2017 um 16:05 schrieb Noel Kuntze:
> On 22.03.2017 15:37, Thomas Creutz wrote:
>> Works:
>> ping from 192.168.0.254 -> 192.168.2.254
>> Don't Work:
>> ping from 192.168.0.254 -> 192.168.2.102 (example - host firewall is open for icmp, and ping from local router to the host works)
>>
>> The statusall command also don't show me, that the subnet is routed. And when I try to "route" it I get this:
> There are several problems.
> 1) the default firewall layout and the LUCI management don't with policy based IPsec. You need to rework it manually and manage the rules manually.
ok, but the other tunnel (conn1 <> conn2) is working good (sorry forgot
to mention it before) in both directions.
conn2new is working only in one direction - from example 192.168.2.101
to 192.168.0.1. But not in the other direction.
Have you any example, how it can be reworked?
> 2) The MASQUERADE or SNAT rules in the *nat tables SNAT all the traffic. You need to except IPsec protected traffic from the SNAT/MASQUERADE rules.[1]
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#General-NAT-problems
>
I have this rule on both conn2 and conn2new routers as custom rules:
iptables -t nat -A postrouting_rule -d 192.168.0.0/24 -j ACCEPT
and this on conn1 router
iptables -t nat -A postrouting_rule -d 192.168.1.0/24 -j ACCEPT
iptables -t nat -A postrouting_rule -d 192.168.2.0/24 -j ACCEPT
So it seems the same - or I miss still something?
Regards,
Thomas
More information about the Users
mailing list