[strongSwan] Routing

Christian Salway christian.salway at naimuri.com
Fri Jul 27 11:54:15 CEST 2018


GOT IT!

It was a combination but the flaw was that net.ipv4.ip_forward = 1 didn't actually get set on cloud-init :(

The combination (for the record) was
net.ipv4.ip_forward = 1
ip route add 10.0.0.0/20 via ${GATEWAY1} dev eth1
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Kind regards,

Christian Salway
IT Consultant - Naimuri

T: +44 7463 331432
E: christian.salway at naimuri.com
A: Naimuri Ltd, Capstan House, Manchester M50 2UW

> On 27 Jul 2018, at 09:36, Christian Salway <christian.salway at naimuri.com> wrote:
> 
> I have also tried setting the clients to use a 192.168.5.0/24 IP range and that doesn't work either :/
> 
> I suspect it's something I'm missing with StrongSwan and setting a route back to the client IP.
> 
> 
>> On 27 Jul 2018, at 07:18, Christian Salway <christian.salway at naimuri.com> wrote:
>> 
>> Thanks, Jafar,
>> 
>> That didn't solve it though.
>> 
>> radius: #12, ESTABLISHED, IKEv2, 2f7f6a6d36925325_i 63ab06e78f39d832_r*
>>   local  '***********' @ *********[4500]
>>   remote '192.168.0.31' @ *********[4500] EAP: 'christian.salway' [10.0.0.10]
>>   AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
>>   established 0s ago, rekeying in 13009s
>>   passive: CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
>>   child_sa_1: #12, reqid 5, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128
>>     installed 0s ago, rekeying in 3491s, expires in 3960s
>>     in  c4b386cb,      0 bytes,     0 packets
>>     out 066b00fc,      0 bytes,     0 packets
>>     local  10.0.0.0/20
>>     remote 10.0.0.10/32
>> 
>> # ip r
>> default via 172.31.16.1 dev eth0 
>> 10.0.0.0/22 via 172.31.16.1 dev eth0 
>> 10.0.0.0/20 via 172.31.48.1 dev eth1 
>> 172.31.16.0/20 dev eth0  proto kernel  scope link  src 172.31.21.144 
>> 172.31.48.0/20 dev eth1  proto kernel  scope link  src 172.31.51.247
>> 
>> 
>> On my OSX
>> 
>> $ netstat -nr
>> Routing tables
>> 
>> Internet:
>> Destination        Gateway            Flags        Refs      Use   Netif Expire
>> default            192.168.0.1        UGSc           83        0     en0
>> default            link#13            UCSI            0        0  ipsec0
>> 10/20              10.0.0.1           UGSc            1        0  ipsec0
>> 10.0.0.1           10.0.0.1           UH              2        0  ipsec0
>> 
>> 
>>> On 26 Jul 2018, at 23:00, Jafar Al-Gharaibeh <jafar at atcorp.com> wrote:
>>> 
>>> ip route add 10.0.0.0/22 dev eth0 via 172.31.0.1
>> 
> 

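The lesson of the thread is that a sysctl written by cloud-init is not proof the kernel is forwarding. The script below is an added example, not something posted in this thread or shipped by strongSwan: it checks the running state of the three pieces Christian listed (ip_forward, the route out eth1, the MASQUERADE rule) and can apply them idempotently. REMOTE_NET, GATEWAY1 and OUT_IF are assumed defaults taken from the `ip r` output above; the sysctl.d file name is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): verify and (re)apply the routing fix,
# reading the kernel's real state instead of trusting what cloud-init wrote.
REMOTE_NET="${REMOTE_NET:-10.0.0.0/20}"   # network behind the VPN gateway (assumed)
GATEWAY1="${GATEWAY1:-172.31.48.1}"       # next hop on eth1 from the thread's 'ip r'
OUT_IF="${OUT_IF:-eth1}"
IP_FORWARD="${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}"

# Succeeds only when the running kernel forwards; "= 1" in sysctl.conf alone
# is exactly the state that bit the original poster.
ip_forward_enabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# Emit the commands for the fix, one per line. 'route replace' and the
# 'iptables -C ... ||' guard keep reruns from stacking duplicate routes/rules.
plan_commands() {
    net="$1"; gw="$2"; ifc="$3"
    printf '%s\n' \
        "sysctl -w net.ipv4.ip_forward=1" \
        "echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/99-vpn-forward.conf" \
        "ip route replace $net via $gw dev $ifc" \
        "iptables -t nat -C POSTROUTING -o $ifc -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -o $ifc -j MASQUERADE"
}

# Print the state of each piece; returns 0 only when all three are in place.
check_state() {
    rc=0
    if ip_forward_enabled "$IP_FORWARD"; then echo "ip_forward: on"
    else echo "ip_forward: OFF"; rc=1; fi
    if ip route show "$REMOTE_NET" 2>/dev/null | grep -q "dev $OUT_IF"; then
        echo "route $REMOTE_NET via $OUT_IF: present"
    else echo "route $REMOTE_NET via $OUT_IF: MISSING"; rc=1; fi
    if iptables -t nat -C POSTROUTING -o "$OUT_IF" -j MASQUERADE 2>/dev/null; then
        echo "MASQUERADE on $OUT_IF: present"
    else echo "MASQUERADE on $OUT_IF: MISSING"; rc=1; fi
    return $rc
}

# Usage (as root): ./vpn-routing.sh check | plan | apply
case "${1:-}" in
    check) check_state ;;
    plan)  plan_commands "$REMOTE_NET" "$GATEWAY1" "$OUT_IF" ;;
    apply) plan_commands "$REMOTE_NET" "$GATEWAY1" "$OUT_IF" | sh -e ;;
esac
```

Run `check` first after every reboot or cloud-init change; an "OFF" or "MISSING" line points at the piece that silently failed to apply.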