Sounds like you need policy based IP routing. e.g. set up policy routing such that encrypted packets go out the external interface, but the proxy is the next-hop for everything else.
On Thu, 2012-08-23 at 12:50 -0700, S S wrote:
> Hi there,
>
> I'm experimenting with Strongswan and have hit a problem.
>
> I have a setup working using IKEv2, x509 certs, and virtual IP pool.
> However internet traffic is being routed back out the VPN gateway
> external interface. I'd like to route the traffic out of a dedicated
> proxy server instead.
>
> The setup is as follows.
>
> A. VPN gateway with two interfaces; one external interface facing the
> internet, one interface on the private subnet (10.0.1.0/24).
>
> B. Internal services such as a webserver on the private subnet
> (10.0.1.0/24).
>
> C. Proxy server with two interfaces; one external interface facing the
> internet (different from the VPN gateway), one interface on the
> private subnet (10.0.1.0/24).
>
> VPN clients are placed in the virtual IP pool 10.0.2.0/24.
>
> The idea is all traffic from the clients has to go through the tunnel.
> As mentioned above I can route clients to the internet popping out
> from the VPN gateway. I can also route services B through the proxy C
> successfully. However I'm unable to get VPN clients to route through
> the proxy in a similar manner.
>
> It seems that the iptables and table 220 rules always route through
> the interface that the connection comes in on (eth0) rather than to
> the internal interface (eth1).
>
> Any ideas how I can correct this? I feel like there should be some
> static routes or other rules but I want to be able to scale with
> automatic rules added etc.
>
> Many thanks,
> 7
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
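One way to build the split the reply describes, added here as an example and not code from the thread or from strongSwan: decrypted packets whose inner source is in the 10.0.2.0/24 pool are forwarded to the proxy on eth1 through a dedicated routing table, while IKE/ESP itself (sourced from the gateway's own external address) keeps using the main table and the external interface. The proxy address 10.0.1.3, table 100 and rule priority 100 are assumptions chosen to stay clear of strongSwan's table and rule 220.

```shell
#!/bin/sh
# Added example: policy routing on the VPN gateway so that decrypted
# client traffic is forwarded to the proxy over eth1, while IKE/ESP
# still leaves via the external interface. Addresses, interface names
# and the table/priority numbers are assumptions for this example.
set -eu

VPN_POOL="10.0.2.0/24"   # virtual IP pool handed out to clients
LAN="10.0.1.0/24"        # private subnet shared with the proxy
LAN_IF="eth1"            # gateway's internal interface
PROXY_LAN_IP="10.0.1.3"  # proxy's address on the private subnet (assumed)
TABLE=100                # must not collide with strongSwan's table 220
PRIO=100                 # evaluated before strongSwan's rule at priority 220

# With DRY_RUN=1 the iproute2 commands are printed instead of executed.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

apply_policy_routing() {
    # Table 100: the LAN is on-link, everything else goes to the proxy.
    run ip route replace "$LAN" dev "$LAN_IF" table "$TABLE"
    run ip route replace default via "$PROXY_LAN_IP" dev "$LAN_IF" table "$TABLE"
    # Rules match the *inner* source after decryption. ESP and IKE packets
    # carry the gateway's own external address as source, so they never hit
    # these rules and keep using the main table (external interface).
    # Client-to-LAN traffic stays in the main table so internal services
    # are reached directly instead of via the proxy.
    run ip rule add from "$VPN_POOL" to "$LAN" lookup main priority "$((PRIO - 1))"
    run ip rule add from "$VPN_POOL" lookup "$TABLE" priority "$PRIO"
}

# 'ip rule add' is not idempotent; remove our rules before re-applying.
remove_policy_routing() {
    run ip rule del from "$VPN_POOL" to "$LAN" lookup main priority "$((PRIO - 1))"
    run ip rule del from "$VPN_POOL" lookup "$TABLE" priority "$PRIO"
    run ip route flush table "$TABLE"
}

case "${1:-}" in
    apply)  remove_policy_routing 2>/dev/null || true; apply_policy_routing ;;
    remove) remove_policy_routing ;;
esac
```

The proxy still needs a return route for 10.0.2.0/24 via the gateway's address on 10.0.1.0/24, and a MASQUERADE rule restricted to eth0 will not apply to packets that now leave via eth1.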
