On Mon, 2014-04-28 at 13:20 +0200, Martin Willi wrote:

> > So how can I manually add routes for subnets to the tunnel?
>
> You can't. The negotiated policy does not allow such traffic, hence your
> peer won't accept non-matching traffic from the tunnel.
>
> Of course you can do some NAT to map traffic to addresses that are part
> of the negotiated tunnel. See [1] for an example how this can be done
> with virtual IPs.
Could you give me some command line examples? I have been trying now and I
do not seem to be able to get the traffic into the tunnel.

Local IP: 192.168.1.67
Virtual IP: 169.254.254.18
Remote IP: 1.2.3.4
Other subnet I want to access: 4.3.2.0/24

I get a CHILD_SA conn established ... 169.254.254.19/32 === 1.2.3.4/32

I can see the policy and state and table 220 stuff, all looks good. If I do
ip xfrm monitor and ping the remote IP I can see that it goes via the tunnel.

At this point I've tried SNAT'ing any traffic to 4.3.2.0/24 to 169.254.254.19,
adding routes both in table 220 and outside. No success.

Thanks for the help so far!

--
Jerry Lundström - Software Engineer
.SE - The Internet Infrastructure Foundation
http://www.iis.se/
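To illustrate Martin's point that the negotiated policy decides what enters the tunnel, here is an added example (not from the thread or from strongSwan) that models the kernel's xfrm selector check on the addresses quoted in the mail: a packet is tunnelled only if both its source and its destination fall inside one negotiated traffic selector pair, so a SNAT rule that only rewrites the source cannot make traffic for 4.3.2.0/24 match a remote selector of 1.2.3.4/32. The SNAT rule and sample packets are constructed from the figures in the post.

```python
# Added example: models IPsec policy (traffic selector) matching for
# outbound packets. Addresses are those quoted in the mail thread.
from ipaddress import ip_address, ip_network

# Negotiated CHILD_SA traffic selectors, as printed in the log line
# "169.254.254.19/32 === 1.2.3.4/32": (local TS, remote TS) pairs.
TRAFFIC_SELECTORS = [(ip_network("169.254.254.19/32"), ip_network("1.2.3.4/32"))]


def matches_policy(src, dst, selectors=TRAFFIC_SELECTORS):
    """True if src/dst lie inside one negotiated TS pair.

    Both sides must match the same pair; a packet whose source is the
    virtual IP but whose destination is outside the remote TS does not
    match and is therefore never protected by this CHILD_SA."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in local and d in remote for local, remote in selectors)


def apply_snat(src, dst, match_dst, new_src):
    """Simulate an iptables SNAT rule: for traffic whose destination is
    inside match_dst, rewrite the source to new_src. The destination is
    left untouched, which is exactly why SNAT alone cannot help here."""
    if ip_address(dst) in ip_network(match_dst):
        return new_src, dst
    return src, dst


def classify(src, dst):
    """Apply the poster's SNAT rule (any traffic to 4.3.2.0/24 gets source
    169.254.254.19) and report the post-NAT addresses plus whether the
    xfrm policy would send the packet through the tunnel."""
    nat_src, nat_dst = apply_snat(src, dst, "4.3.2.0/24", "169.254.254.19")
    return nat_src, nat_dst, matches_policy(nat_src, nat_dst)


if __name__ == "__main__":
    # Constructed sample packets: the working ping, and the failing case.
    for pkt in [("169.254.254.19", "1.2.3.4"), ("192.168.1.67", "4.3.2.10")]:
        src, dst, tunnelled = classify(*pkt)
        print("%s -> %s : %s" % (src, dst, "tunnelled" if tunnelled
                                 else "not matched by negotiated policy"))
```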
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
