Noel,

The local subnets within the VPN tunnels should not need to be masqueraded. In fact, if masquerading is turned on so that your local subnets can route out through your ISP, then you need to turn off the masquerading for when you're talking to the other local subnet.

Try putting this in your iptables before the masquerade:

    iptables -t nat -I POSTROUTING -s 172.16.19.0/24 -d <remote subnet> -o eth0 -j ACCEPT

And then on the other side:

    iptables -t nat -I POSTROUTING -d 172.16.19.0/24 -s <remote subnet> -o eth0 -j ACCEPT

Replace <remote subnet> as required. This is assuming, of course, that eth0 is the Ethernet card which your ISP is located on.

Sincerely,
Henry R. Prins Jr.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Noel Kuntze
Sent: Thursday, January 24, 2013 5:25 PM
To: [email protected]
Subject: [strongSwan] iptables rule for masquerading

Hello,

I need to masquerade the traffic coming out of the tunnel with the subnet 172.16.19.0/24, but the simple rule "iptables -t nat -A POSTROUTING -s 172.16.19.0/24 -o eth0 -j MASQUERADE" doesn't work for some reason. It would be nice to know what I'm doing wrong here and what the correct rule would be.

Sincerely,
Noel Kuntze

config:

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=3
    keyexchange=ikev2
    esp=aes256-sha256
    ike=aes256-sha256-modp2048
    tfc=%mtu
    dpdaction=restart
    dpddelay=10
    dpdtimeout=60

conn home
    leftfirewall=yes
    lefthostaccess=yes
    left=<the private ip of the server>
    leftsubnet=<my private subnet>
    leftid=<my dns name>
    leftcert=strongswan.pem
    leftdns=<the private ip of the server>
    rightsourceip=172.16.19.0/24
    auto=add
    rightca=<CA DN>
    right=%any
    rightallowany=yes

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
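The point of Henry's reply is rule order in the nat POSTROUTING chain: the exemption for VPN-to-VPN traffic has to sit above the MASQUERADE rule (hence `-I` rather than `-A`), because the first matching terminating target decides whether the connection gets translated. The following is an added illustration written for this page, not code from the thread or from strongSwan; it simulates first-match evaluation of that chain against a few constructed packets. The remote subnet 10.9.0.0/24, the WAN address 203.0.113.10 and the packet addresses are placeholders I made up for the demonstration.

```python
"""Minimal first-match simulator for an iptables nat POSTROUTING chain.

Added example, not from the thread.  The chain mirrors Henry's suggestion:
an ACCEPT for VPN-to-VPN traffic inserted ahead of the MASQUERADE rule, so
tunnel traffic leaves the nat table untranslated.  The remote subnet and
WAN address below are constructed placeholder values.
"""
from ipaddress import ip_address, ip_network

LOCAL_VPN = ip_network("172.16.19.0/24")     # client pool from the thread
REMOTE_SUBNET = ip_network("10.9.0.0/24")    # constructed; stands in for <remote subnet>
WAN_IP = "203.0.113.10"                      # constructed address of eth0


def rule(target, src=None, dst=None, out=None):
    """One POSTROUTING rule; each match field is optional, like an iptables flag."""
    return {
        "target": target,
        "src": ip_network(src) if src else None,
        "dst": ip_network(dst) if dst else None,
        "out": out,
    }


def matches(r, pkt):
    """True when every match field present in the rule fits the packet."""
    if r["src"] and ip_address(pkt["src"]) not in r["src"]:
        return False
    if r["dst"] and ip_address(pkt["dst"]) not in r["dst"]:
        return False
    if r["out"] and pkt["out"] != r["out"]:
        return False
    return True


def postrouting(chain, pkt):
    """Walk the chain in order; the first matching terminating target wins.

    Returns the source address the packet leaves the box with.
    """
    for r in chain:
        if matches(r, pkt):
            if r["target"] == "MASQUERADE":
                return WAN_IP          # SNAT to the outgoing interface address
            if r["target"] == "ACCEPT":
                return pkt["src"]      # nat table done, no translation
    return pkt["src"]                  # chain policy ACCEPT: no translation


def build_chain(exemption_first=True):
    """Henry's ordering (-I puts ACCEPT on top) versus appending it after MASQUERADE."""
    accept = rule("ACCEPT", src=str(LOCAL_VPN), dst=str(REMOTE_SUBNET), out="eth0")
    masq = rule("MASQUERADE", src=str(LOCAL_VPN), out="eth0")
    return [accept, masq] if exemption_first else [masq, accept]


def egress_source(pkt, exemption_first=True):
    """Source address a packet ends up with under the chosen rule ordering."""
    return postrouting(build_chain(exemption_first), pkt)


if __name__ == "__main__":
    # Constructed sample packets: one bound for the peer's subnet, one for the Internet.
    to_peer = {"src": "172.16.19.5", "dst": "10.9.0.20", "out": "eth0"}
    to_internet = {"src": "172.16.19.5", "dst": "198.51.100.7", "out": "eth0"}
    print("VPN->VPN, exemption first:", egress_source(to_peer))          # 172.16.19.5
    print("VPN->VPN, exemption last: ", egress_source(to_peer, False))   # 203.0.113.10
    print("VPN->Internet:            ", egress_source(to_internet))      # 203.0.113.10
```

The second case is the one to watch for: with the exemption appended after MASQUERADE it never fires, the peer sees the WAN address instead of a 172.16.19.x source, and the reply will not match the IPsec policy on the way back. On a real host `iptables -t nat -L POSTROUTING -n -v --line-numbers` shows the actual order and per-rule packet counters, which is the quickest way to confirm which rule a connection hit.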
