Hello Jerry,

I use a command like this in my updown script to achieve exactly that.

iptables -I POSTROUTING 1 -t nat -s 192.168.178.0/24 -d 141.79.0.0/16 -j SNAT --to-source $PLUTO_MY_SOURCEIP -m policy --dir out --pol none

I think that should work quite well.

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 28.04.2014 15:03, Jerry Lundström wrote:
> On Mon, 2014-04-28 at 13:20 +0200, Martin Willi wrote:
>>> So how can I manually add routes for subnets to the tunnel?
>>
>> You can't. The negotiated policy does not allow such traffic, hence your
>> peer won't accept non-matching traffic from the tunnel.
>>
>> Of course you can do some NAT to map traffic to addresses that are part
>> of the negotiated tunnel. See [1] for an example how this can be done
>> with virtual IPs.
>
> Could you give me some command line examples? I have been trying now and
> I do not seem to be able to get the traffic into the tunnel.
>
> Local IP: 192.168.1.67
> Virtual IP: 169.254.254.18
> Remote IP: 1.2.3.4
> Other subnet I want to access: 4.3.2.0/24
>
> I get a CHILD_SA conn established ... 169.254.254.19/32 === 1.2.3.4/32
>
> I can see the policy and state and table 220 stuff, all looks good. If I
> do ip xfrm monitor and ping the remote IP I can see that it goes via the
> tunnel.
>
> At this point I've tried SNAT'ing any traffic to 4.3.2.0/24 to
> 169.254.254.19, adding routes both in table 220 and outside. No success.
>
> Thanks for the help so far!
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
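
An added example, not part of the original message and not the poster's actual script: one way the SNAT rule quoted above could sit in an updown script so that it is inserted when the tunnel comes up and deleted again when it goes down. The subnets are the ones from the quoted command; the APPLY guard variable and the function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added sketch of a strongSwan updown hook (not the poster's script).
# Subnets are taken from the iptables command quoted in the message.
LOCAL_NET="192.168.178.0/24"
REMOTE_NET="141.79.0.0/16"

# Map the updown verb to an iptables action: insert on up, delete on down.
# Returns 1 and prints nothing for verbs this hook does not handle.
rule_action() {
    case "$1" in
        up-client|up-host)     echo "-I" ;;
        down-client|down-host) echo "-D" ;;
        *) return 1 ;;
    esac
}

# Build the iptables arguments for a verb and a virtual (source) IP.
# "-I POSTROUTING" without a number inserts at position 1, like the
# quoted command; "-D" with the same rule spec removes that rule again.
snat_rule() {
    verb="$1"; source_ip="$2"
    action=$(rule_action "$verb") || return 1
    # Refuse to build a rule when no source address was handed over.
    [ -n "$source_ip" ] || return 1
    echo "-t nat $action POSTROUTING -s $LOCAL_NET -d $REMOTE_NET" \
         "-m policy --dir out --pol none -j SNAT --to-source $source_ip"
}

# APPLY is a hypothetical guard for this example: the firewall is only
# touched when APPLY=1 and the IKE daemon has set PLUTO_VERB.
if [ "${APPLY:-0}" = 1 ] && [ -n "${PLUTO_VERB:-}" ]; then
    args=$(snat_rule "$PLUTO_VERB" "${PLUTO_MY_SOURCEIP:-}") && iptables $args
fi
```

Deleting the rule on the down verbs keeps stale SNAT entries from piling up in the nat table across reconnects.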
