Noel,

The local subnets within the VPN tunnels should not need to be masqueraded.
In fact, if masquerading is turned on in order for your local subnets to route 
out through your ISP, then you need to turn off the masquerading for when you're 
talking to the other local subnet.

Try putting this in your iptables before the masquerade

iptables -t nat -I POSTROUTING -s 172.16.19.0/24 -d <remote subnet> -o eth0 -j ACCEPT

And then on the other side

iptables -t nat -I POSTROUTING -d 172.16.19.0/24 -s <remote subnet> -o eth0 -j ACCEPT

Replace <remote subnet> as required. This is assuming, of course, that eth0 is 
the Ethernet card your ISP is located on.

Sincerely,

Henry R. Prins Jr.
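To illustrate the rule-order point made above, here is a small added example (not from the thread or from strongSwan) that models first-match evaluation of the nat POSTROUTING chain in Python; 10.0.0.0/24 is a constructed stand-in for <remote subnet>.

```python
import ipaddress
import shlex

REMOTE_SUBNET = "10.0.0.0/24"  # constructed stand-in for <remote subnet>


def parse_rule(cmd):
    """Pull -s/-d/-o/-j (and -I vs -A) out of an iptables command line."""
    toks = shlex.split(cmd)
    opts = {toks[i]: toks[i + 1] for i in range(len(toks) - 1) if toks[i].startswith("-")}

    def net(value):
        return ipaddress.ip_network(value, strict=False) if value else None

    return {"src": net(opts.get("-s")), "dst": net(opts.get("-d")),
            "out": opts.get("-o"), "target": opts.get("-j"), "insert": "-I" in opts}


def build_chain(commands):
    """-A appends to the end of the chain, -I inserts at position 1 (the top)."""
    chain = []
    for cmd in commands:
        rule = parse_rule(cmd)
        if rule["insert"]:
            chain.insert(0, rule)
        else:
            chain.append(rule)
    return chain


def matches(rule, src, dst, oif):
    return ((rule["src"] is None or ipaddress.ip_address(src) in rule["src"])
            and (rule["dst"] is None or ipaddress.ip_address(dst) in rule["dst"])
            and (rule["out"] is None or rule["out"] == oif))


def postrouting_verdict(chain, src, dst, oif="eth0"):
    """First matching rule wins, as in netfilter; falling off the end means no NAT."""
    for rule in chain:
        if matches(rule, src, dst, oif):
            return rule["target"]
    return "ACCEPT"


MASQ = "iptables -t nat -A POSTROUTING -s 172.16.19.0/24 -o eth0 -j MASQUERADE"
EXEMPT = f"-s 172.16.19.0/24 -d {REMOTE_SUBNET} -o eth0 -j ACCEPT"

# The MASQUERADE rule alone, the exemption inserted in front of it, and the
# exemption wrongly appended behind it: only the middle chain spares tunnel traffic.
NOEL_ONLY = build_chain([MASQ])
EXEMPT_FIRST = build_chain([MASQ, "iptables -t nat -I POSTROUTING " + EXEMPT])
EXEMPT_LAST = build_chain([MASQ, "iptables -t nat -A POSTROUTING " + EXEMPT])
```

Check the live ordering with `iptables -t nat -S POSTROUTING`; the ACCEPT line must print above the MASQUERADE line.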



-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On 
Behalf Of Noel Kuntze
Sent: Thursday, January 24, 2013 5:25 PM
To: [email protected]
Subject: [strongSwan] iptables rule for masquerading

Hello,

I need to masquerade the traffic coming out of the tunnel with the subnet 
172.16.19.0/24, but the simple rule 
"iptables -t nat -A POSTROUTING -s 172.16.19.0/24 -o eth0 -j MASQUERADE" 
doesn't work for some reason.
It would be nice to know what I'm doing wrong here and what the correct rule 
would be.

Sincerely,

Noel Kuntze

config:

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=3
        keyexchange=ikev2
        esp=aes256-sha256
        ike=aes256-sha256-modp2048
        tfc=%mtu
        dpdaction=restart
        dpddelay=10
        dpdtimeout=60

conn home
        leftfirewall=yes
        lefthostaccess=yes
        left=<the private ip of the server>
        leftsubnet=<my private subnet>
        leftid=<my dns name>
        leftcert=strongswan.pem
        leftdns=<the private ip of the server>
        rightsourceip=172.16.19.0/24
        auto=add
        rightca=<CA DN>
        right=%any
        rightallowany=yes


_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
