[strongSwan] General Question about NFLOG

Thomas Will thomas.will at xinux.de
Wed Sep 13 20:20:55 CEST 2017


I have a general question about nflog.

When I establish a VPN connection like - to -

and on my site there is an interface on the VPN gateway like , I am

able to capture the outgoing decapsulated traffic on nflog:5 with

iptables -t mangle -I POSTROUTING -m policy --pol ipsec --dir out -j NFLOG --nflog-group 5


tcpdump -ni nflog:5

But when I establish a VPN connection like - to -

and my local subnet is still ..., so I have to SNAT my
subnet to 192.168.11.0/24

iptables -t nat -A POSTROUTING -s -d -o $WAN -j NETMAP --to

there is no route in table 220 ... and I am not able to capture the
decapsulated outgoing IPsec traffic


Is there any way to do this anyway?


Thomas Will

Xinux e.K.
Wichernstrasse 18
66482 Zweibruecken

Amtsgericht Zweibruecken
HRA 1518

P: +49 6332 44040
F: +49 6332 899227
M: +49 170 5218548
M: +49 176 97497102

E: thomas.will at xinux.de
W: http://www.xinux.com
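As an added illustration (not part of the post and not strongSwan code), the script below models the NETMAP translation from the post and shows which source address a POSTROUTING rule sees in the mangle chain (traversed before the nat chain) versus after the nat NETMAP rule, checked against the mapped subnet. The local subnet 10.10.0.0/24 and the use of 192.168.11.0/24 as the IPsec traffic selector are constructed assumptions, since the post elides those values.

```python
import ipaddress

# Constructed sample values: the post only names the NETMAP target 192.168.11.0/24.
LOCAL_NET = "10.10.0.0/24"        # assumed original local subnet (elided in the post)
MAPPED_NET = "192.168.11.0/24"    # NETMAP --to target from the post
SELECTOR = "192.168.11.0/24"      # assumed IPsec traffic selector for the mapped subnet


def netmap(addr: str, src_net: str, dst_net: str) -> str:
    """Apply iptables NETMAP semantics: keep the host bits of addr and replace
    the network bits with those of dst_net. Prefix lengths must match, as NETMAP
    is a 1:1 prefix-preserving mapping."""
    a = ipaddress.ip_address(addr)
    s = ipaddress.ip_network(src_net, strict=False)
    d = ipaddress.ip_network(dst_net, strict=False)
    if s.prefixlen != d.prefixlen:
        raise ValueError("NETMAP requires equal prefix lengths")
    if a not in s:
        raise ValueError(f"{addr} is not inside {src_net}")
    host_bits = int(a) & int(s.hostmask)
    return str(ipaddress.ip_address(int(d.network_address) | host_bits))


def postrouting_view(src: str, local_net: str = LOCAL_NET,
                     mapped_net: str = MAPPED_NET) -> dict:
    """Source address of an outgoing packet as seen by the mangle POSTROUTING
    chain (before nat POSTROUTING) and after the NETMAP rule in nat POSTROUTING."""
    return {"mangle": src, "after_nat": netmap(src, local_net, mapped_net)}


def matches_selector(src: str, selector: str = SELECTOR) -> bool:
    """True if src falls inside the given traffic selector subnet."""
    return ipaddress.ip_address(src) in ipaddress.ip_network(selector, strict=False)


def untranslate_reply(dst: str, local_net: str = LOCAL_NET,
                      mapped_net: str = MAPPED_NET) -> str:
    """Reverse mapping applied by conntrack to replies addressed to the mapped subnet."""
    return netmap(dst, mapped_net, local_net)


if __name__ == "__main__":
    view = postrouting_view("10.10.0.37")
    for chain, addr in view.items():
        print(f"{chain:10s} src={addr:15s} in selector: {matches_selector(addr)}")
    print("reply to 192.168.11.37 delivered to", untranslate_reply("192.168.11.37"))
```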
