[strongSwan] Routing Problem
Thomas Creutz
thomas.creutz at gmx.de
Thu Mar 23 18:17:13 CET 2017
Hi again!
On 22.03.2017 at 19:45, Thomas Creutz wrote:
> On 22.03.2017 at 16:05, Noel Kuntze wrote:
>> There are several problems.
>> 1) the default firewall layout and the LUCI management don't work with
>> policy-based IPsec. You need to rework it manually and manage the
>> rules manually.
>
> Have you any example, how it can be reworked?
>
>> 2) The MASQUERADE or SNAT rules in the *nat tables SNAT all the
>> traffic. You need to except IPsec protected traffic from the
>> SNAT/MASQUERADE rules.[1]
>>
>> [1]
>> https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#General-NAT-problems
>>
>
> I have this rule on both conn2 and conn2new routers as custom rules:
>
> iptables -t nat -A postrouting_rule -d 192.168.0.0/24 -j ACCEPT
>
> and this on conn1 router
>
> iptables -t nat -A postrouting_rule -d 192.168.1.0/24 -j ACCEPT
> iptables -t nat -A postrouting_rule -d 192.168.2.0/24 -j ACCEPT
>
> So it seems the same - or am I still missing something?
>
After I revisited my firewall settings in detail, I found my mistake! We
don't need the custom rules!
On OpenWRT/LEDE we need to create one new firewall zone with all remote
subnets, or one zone per subnet to have more control.
On my first setup I had the zone vpn, but on the webif you can't see the
subnet definition (where I was looking for the settings) - that's why I
had not transferred the settings to the new router and I also didn't add
the new subnet to the conn1 router.
My example for conn1:
config zone
	option name 'vpn_conn2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list subnet '192.168.1.0/24'
	option family 'ipv4'

config zone
	option name 'vpn_conn2new'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list subnet '192.168.2.0/24'
	option family 'ipv4'

config forwarding
	option dest 'lan'
	option src 'vpn_conn2'

config forwarding
	option dest 'vpn_conn2'
	option src 'lan'

config forwarding
	option dest 'lan'
	option src 'vpn_conn2new'

config forwarding
	option dest 'vpn_conn2new'
	option src 'lan'
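The mistake described in this message (a remote subnet that never got its own zone on one of the routers) is easy to repeat by hand, so the following is an added example, not code from the original post or from strongSwan or OpenWrt. It is a POSIX shell script that generates the "one zone per remote subnet" layout shown above from a list of name/subnet pairs, and a check function that reports any remote subnet with no matching "list subnet" entry in a firewall config file. The function names, the sample zone names and the subnets are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): generate OpenWrt/LEDE UCI
# firewall zones for policy-based IPsec remote subnets, one zone per subnet,
# each forwarded to and from the local "lan" zone, and check that every
# expected remote subnet is covered by some zone.

# emit_vpn_zone NAME SUBNET [LAN_ZONE]
# Prints one "config zone" stanza (input/output/forward ACCEPT, ipv4 only)
# plus the two "config forwarding" stanzas linking it with the LAN zone.
emit_vpn_zone() {
    name=$1
    subnet=$2
    lan=${3:-lan}
    printf "config zone\n"
    printf "\toption name '%s'\n" "$name"
    printf "\toption input 'ACCEPT'\n"
    printf "\toption output 'ACCEPT'\n"
    printf "\toption forward 'ACCEPT'\n"
    printf "\tlist subnet '%s'\n" "$subnet"
    printf "\toption family 'ipv4'\n\n"
    printf "config forwarding\n"
    printf "\toption dest '%s'\n" "$lan"
    printf "\toption src '%s'\n\n" "$name"
    printf "config forwarding\n"
    printf "\toption dest '%s'\n" "$name"
    printf "\toption src '%s'\n\n" "$lan"
}

# emit_all_zones reads "NAME SUBNET" pairs from stdin, one per line, and
# emits a zone plus forwardings for each; blank lines and # comments skipped.
emit_all_zones() {
    while read -r name subnet rest; do
        case $name in ''|'#'*) continue ;; esac
        emit_vpn_zone "$name" "$subnet"
    done
}

# check_subnets FIREWALL_FILE SUBNET...
# Prints each remote subnet that has no "list subnet" entry in the given
# firewall config; returns 1 if any is missing, 0 if all are covered.
# Run this against /etc/config/firewall on every router in the mesh so a
# subnet added on one side is not silently left unzoned on the other.
check_subnets() {
    fw=$1
    shift
    rc=0
    for s in "$@"; do
        if ! grep -qF "list subnet '$s'" "$fw"; then
            echo "missing zone for $s"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input: the two remote subnets of the conn1 router.
printf 'vpn_conn2 192.168.1.0/24\nvpn_conn2new 192.168.2.0/24\n' | emit_all_zones
```

Redirect the output into /etc/config/firewall (or append it after removing the old vpn zone), then run `check_subnets /etc/config/firewall <subnet>...` with the list of rightsubnet values from the IPsec configuration; a non-zero exit means a subnet is routed into the tunnel but has no zone, which is exactly the condition that broke conn1 in the message above.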