[strongSwan] Routing all traffic based on a virtual IP to a different virtual IP

[joekokker at epios.eu]

Dear all,

I am trying to solve a specific routing scenario with computers 
connected with strongswan. The setup is with virtual IPs in the 
10.0.0.0/14 range.

Computer A 10.0.1.1 (behind NAT) --> Gateway (public IP and assigned 
10.0.0.1/14 address) --> Computer B (behind NAT) 10.0.1.2 --> Internet 
of Computer B

Computer C 10.0.1.3 (behind NAT) --> Gateway (public IP and assigned 
10.0.0.1/14 address) --> Computer D 10.0.1.2 (behind NAT) --> Internet 
of Computer D

I want to be able to access the internet of computer B or D by computer 
A and C. Forwarding is enabled on the gateway and the computers can 
individually reach each other. The entire traffic from a specific IP 
(e.g. 10.0.1.1) should be forwarded by the gateway to another 
destination (e.g. 10.0.1.2) were masquerading occurs.

I tried with the Multi-ISP scenario of Shorewall, which I am using, but 
it did not work. It somehow needs to be able to get the MAC address of 
the router it should forward to (computer B and D).

I also tried to directly modify the routing table as follows:

echo 200 COMPA >> /etc/iproute2/rt_tables
ip route add 0.0.0.0 dev eth0 table COMPA
ip route add default via 10.0.1.2 table COMPA

#Then the rules to select the route table based on the source address:
ip rule add from 10.0.1.1 dev eth0 table COMPA

Unfortunately this leads to no success. The packages arrive at the 
gateway but are not forwarded. However the 'ip route from 10.0.1.1 to 
8.8.8.8' shows that the traffic should go through the gateway 10.0.1.2.

The computers are connected to the gateway as hosts. No subnet was 
specified. But I cannot imagine defining a leftsubnet of 0.0.0.0, on 
multiple computers reaching the gateway.

I am not sure which direction I should go now. I would be really happy 
if someone could tell me how I can go on. I did not include the configs, 
because to me it seems just like a routing issue.

Thanks in advance!

Best
Joe