[strongSwan] Routing all traffic based on a virtual IP to a different virtual IP

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Jan 23 00:50:02 CET 2019


Hello Joe,

Configure traffic selectors that negotiate the policies you require. The traffic will follow them.

Kind regards

Noel

On 23.01.19 at 00:15, joekokker at epios.eu wrote:
> Dear all,
>
> I am trying to solve a specific routing scenario with computers connected with strongswan. The setup is with virtual IPs in the 10.0.0.0/14 range.
>
> Computer A 10.0.1.1 (behind NAT) --> Gateway (public IP and assigned 10.0.0.1/14 address) --> Computer B (behind NAT) 10.0.1.2 --> Internet of Computer B
>
> Computer C 10.0.1.3 (behind NAT) --> Gateway (public IP and assigned 10.0.0.1/14 address) --> Computer D 10.0.1.2 (behind NAT) --> Internet of Computer D
>
> I want to be able to access the internet of computer B or D by computer A and C. Forwarding is enabled on the gateway and the computers can individually reach each other. The entire traffic from a specific IP (e.g. 10.0.1.1) should be forwarded by the gateway to another destination (e.g. 10.0.1.2) where masquerading occurs.
>
> I tried with the Multi-ISP scenario of Shorewall, which I am using, but it did not work. It somehow needs to be able to get the MAC address of the router it should forward to (computer B and D).
>
> I also tried to directly modify the routing table as follows:
>
> echo 200 COMPA >> /etc/iproute2/rt_tables
> ip route add 0.0.0.0 dev eth0 table COMPA
> ip route add default via 10.0.1.2 table COMPA
>
> #Then the rules to select the route table based on the source address:
> ip rule add from 10.0.1.1 dev eth0 table COMPA
>
> Unfortunately this leads to no success. The packages arrive at the gateway but are not forwarded. However the 'ip route from 10.0.1.1 to 8.8.8.8' shows that the traffic should go through the gateway 10.0.1.2.
>
> The computers are connected to the gateway as hosts. No subnet was specified. But I cannot imagine defining a leftsubnet of 0.0.0.0, on multiple computers reaching the gateway.
>
> I am not sure which direction I should go now. I would be really happy if someone could tell me how I can go on. I did not include the configs, because to me it seems just like a routing issue.
>
> Thanks in advance!
>
> Best
> Joe

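Noel's advice applied to Joe's layout, as an added example that is not from this thread or from the strongSwan project: a gateway ipsec.conf in which the client connection offers 0.0.0.0/0 on the gateway's side (so A sends everything into its tunnel) and the exit connection accepts 0.0.0.0/0 on B's side (so Internet-bound packets from the virtual-IP range match B's outbound policy). Host names, IDs and authentication are placeholders; a second exit (D) is left out on purpose, because two connections that both negotiate 0.0.0.0/0 install overlapping kernel policies and need marks or XFRM interfaces to be told apart.

```ini
# /etc/ipsec.conf on the gateway (constructed example; names, IDs and
# authentication are placeholders, reuse the settings that already work).
config setup

conn %default
    keyexchange=ikev2
    left=%any                   # the gateway's public address
    leftid=@gateway.example     # placeholder
    auto=add

# Client A: the gateway offers 0.0.0.0/0 as its side of the tunnel, so A's
# policy sends every packet, not only 10.0.0.0/14, through the tunnel.
conn clientA
    rightid=@clientA.example    # placeholder
    rightsourceip=10.0.1.1
    leftsubnet=0.0.0.0/0

# Exit B: the gateway accepts 0.0.0.0/0 behind B, so a packet from the
# virtual-IP range to e.g. 8.8.8.8 matches this outbound policy and is
# tunnelled to B, which then masquerades it. B has to propose the same
# selector (leftsubnet=0.0.0.0/0 next to leftsourceip=%config on B);
# without it B's policy covers only its own virtual IP.
conn exitB
    rightid=@exitB.example      # placeholder
    rightsourceip=10.0.1.2
    leftsubnet=10.0.0.0/14
    rightsubnet=0.0.0.0/0
```

Once both peers are up, `ip xfrm policy` on the gateway should show an `out` policy with `src 10.0.0.0/14 dst 0.0.0.0/0` for the exitB SA; the separate routing table is not needed for that path, because it is the outbound XFRM policy, not the routing table, that decides whether a forwarded packet is tunnelled.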