Hi Boris,

> -A POSTROUTING -o wlan_cli -j MASQUERADE

Your MASQUERADE rule probably NATs the traffic to the physical IP, so it won't match the outbound IPsec policies (VIP -> 0.0.0.0/0) and therefore is not tunneled. If you want to actually NAT to the virtual IP then you have to install an SNAT rule in a customized updown script like in the ikev2/nat-virtual-ip scenario [1] (script at [2]).

Regards,
Tobias

[1] https://www.strongswan.org/testing/testresults/ikev2/nat-virtual-ip/
[2] https://git.strongswan.org/?p=strongswan.git;a=blob;f=testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown;hb=HEAD
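The approach described in the reply above, as an added example that is not part of the original message and is not the nat_updown script at [2]: an updown script that source-NATs forwarded traffic to the virtual IP, so the packets match the VIP -> 0.0.0.0/0 policy. The PLUTO_* variables are the ones strongSwan passes to updown scripts; `LAN_SUBNET`, its value, the `DRY_RUN` switch and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not strongSwan's own script. Referenced from the connection
# via leftupdown= (ipsec.conf) or updown= (swanctl.conf).

# Assumption: subnet behind this gateway whose traffic should be tunneled.
# Constructed placeholder value, replace with the real LAN.
LAN_SUBNET="${LAN_SUBNET:-192.168.50.0/24}"

# Print the iptables arguments for one updown verb.
# Prints nothing for verbs that need no NAT change; fails without a virtual IP.
snat_rule() {
    verb="$1"; iface="$2"; vip="$3"
    case "$verb" in
        # -I puts the rule ahead of an existing MASQUERADE rule in POSTROUTING,
        # which would otherwise rewrite the source to the physical IP first.
        up-host|up-client)     op="-I" ;;
        down-host|down-client) op="-D" ;;
        *) return 0 ;;
    esac
    # No virtual IP assigned: there is no address to NAT to.
    [ -n "$vip" ] || return 1
    echo "-t nat $op POSTROUTING -o $iface -s $LAN_SUBNET -j SNAT --to-source $vip"
}

# Install or remove the rule for the event charon reports in PLUTO_VERB.
apply_rule() {
    rule=$(snat_rule "${PLUTO_VERB:-}" "${PLUTO_INTERFACE:-}" \
                     "${PLUTO_MY_SOURCEIP:-}") || return 1
    [ -n "$rule" ] || return 0
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $rule"      # show the rule without touching the firewall
    else
        # $rule is intentionally unquoted so it splits into separate arguments
        iptables $rule
    fi
}

# Do nothing unless invoked by the IKE daemon with a verb set.
[ -z "${PLUTO_VERB:-}" ] || apply_rule
```

Running it by hand with `DRY_RUN=1` and the PLUTO_* variables set shows the rule that would be installed for a given verb.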
