Hi again!

On 22.03.2017 at 19:45 Thomas Creutz wrote:
On 22.03.2017 at 16:05 Noel Kuntze wrote:
There are several problems.
1) the default firewall layout and the LuCI management don't work with policy-based IPsec. You need to rework it manually and manage the rules manually.

Have you any example, how it can be reworked?

2) The MASQUERADE or SNAT rules in the *nat tables SNAT all the traffic. You need to except IPsec protected traffic from the SNAT/MASQUERADE rules.[1]

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#General-NAT-problems


I have this rule on both conn2 and conn2new routers as custom rules:

iptables -t nat -A postrouting_rule -d 192.168.0.0/24 -j ACCEPT

and this on conn1 router

iptables -t nat -A postrouting_rule -d 192.168.1.0/24 -j ACCEPT
iptables -t nat -A postrouting_rule -d 192.168.2.0/24 -j ACCEPT

So it seems the same, or am I still missing something?


After I revisited my firewall settings in detail, I found my mistake! We don't need the custom rules!

On OpenWrt/LEDE we need to create one new firewall zone with all remote subnets, or one zone per subnet to have more control.

On my first setup I had the zone vpn, but in the web interface you can't see the subnet definition (where I was looking for the settings); that's why I had not transferred the settings to the new router, and I also didn't add the new subnet to the conn1 router.

My example for conn1:

config zone
        option name 'vpn_conn2'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list subnet '192.168.1.0/24'
        option family 'ipv4'

config zone
        option name 'vpn_conn2new'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list subnet '192.168.2.0/24'
        option family 'ipv4'

config forwarding
        option dest 'lan'
        option src 'vpn_conn2'

config forwarding
        option dest 'vpn_conn2'
        option src 'lan'

config forwarding
        option dest 'lan'
        option src 'vpn_conn2new'

config forwarding
        option dest 'vpn_conn2new'
        option src 'lan'

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
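Added example, not part of the thread or of the strongSwan/OpenWrt projects: a POSIX shell script that (a) generates the one-zone-per-remote-subnet UCI configuration shown above for any peer name and subnet, as `uci batch` input, and (b) checks an `iptables-save -t nat` dump for Noel's second point, namely that an ACCEPT exception for IPsec traffic is evaluated before the first MASQUERADE/SNAT rule. The check follows jumps into user chains such as `postrouting_rule` and `zone_wan_postrouting`, because on OpenWrt/fw3 the MASQUERADE lives in a zone chain rather than directly in POSTROUTING. The function names, the `lan` zone name, the `eth0.2` interface and the two nat dumps are constructed for this example; the `-m policy --dir out --pol ipsec` match is the exception recommended by the strongSwan wiki page cited as [1] (on OpenWrt it needs the policy match extension, packaged as iptables-mod-ipsec).

```shell
#!/bin/sh
# Added example (constructed, not from the thread). Assumes a zone named "lan".

# Emit uci batch lines for one zone "vpn_<name>" covering <subnet>, with
# forwarding in both directions to "lan" (same layout as the conn1 config).
vpn_zone_uci() {
    zone="vpn_$1"; subnet="$2"
    cat <<EOF
set firewall.$zone=zone
set firewall.$zone.name='$zone'
set firewall.$zone.input='ACCEPT'
set firewall.$zone.output='ACCEPT'
set firewall.$zone.forward='ACCEPT'
set firewall.$zone.family='ipv4'
add_list firewall.$zone.subnet='$subnet'
set firewall.fwd_${zone}_lan=forwarding
set firewall.fwd_${zone}_lan.src='$zone'
set firewall.fwd_${zone}_lan.dest='lan'
set firewall.fwd_lan_$zone=forwarding
set firewall.fwd_lan_$zone.src='lan'
set firewall.fwd_lan_$zone.dest='$zone'
EOF
}

# Read an "iptables-save -t nat" dump on stdin and print the rules reached
# from chain $1 (default POSTROUTING) in evaluation order, descending into
# user chains on "-j <chain>" so that fw3's zone chains are included.
flatten_nat_chain() {
    awk -v start="${1:-POSTROUTING}" '
    function walk(c,   i, t) {
        for (i = 1; i <= n[c]; i++) {
            print rule[c, i]
            t = target[c, i]
            if (t in n) walk(t)     # user chain with rules: recurse
        }
    }
    /^-A / {
        c = $2; n[c]++
        rule[c, n[c]] = $0
        t = ""
        for (i = 3; i <= NF; i++) if ($i == "-j") t = $(i + 1)
        target[c, n[c]] = t
    }
    END { walk(start) }'
}

# Exit 0 if, in evaluation order, an ACCEPT rule that matches IPsec policy
# (-m policy --pol ipsec) or the remote subnet $1 (-d <subnet>) comes before
# the first MASQUERADE/SNAT rule; exit 1 otherwise (no exception, or too late).
nat_exception_ok() {
    flatten_nat_chain POSTROUTING | awk -v net="$1" '
        /-j (MASQUERADE|SNAT)/ && !m { m = NR }
        (/--pol ipsec/ || index($0, "-d " net " ")) && /-j ACCEPT/ { a = NR }
        END { exit !(a && (!m || a < m)) }'
}

# Constructed nat dumps in fw3 layout. GOOD: the exception sits in the custom
# postrouting_rule chain, which POSTROUTING jumps to before the wan zone chain.
GOOD_DUMP='*nat
:POSTROUTING ACCEPT [0:0]
:postrouting_rule - [0:0]
:zone_wan_postrouting - [0:0]
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A postrouting_rule -d 192.168.1.0/24 -j ACCEPT
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
COMMIT'

# BAD: the exception was appended to POSTROUTING after the zone jump, so the
# packet is already masqueraded (and no longer matches the IPsec policy).
BAD_DUMP='*nat
:POSTROUTING ACCEPT [0:0]
:zone_wan_postrouting - [0:0]
-A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -d 192.168.1.0/24 -j ACCEPT
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
COMMIT'

# Demonstration: generate the conn2 zone, then check both dumps.
vpn_zone_uci conn2 192.168.1.0/24
for d in GOOD_DUMP BAD_DUMP; do
    eval "dump=\$$d"
    if printf '%s\n' "$dump" | nat_exception_ok 192.168.1.0/24; then
        echo "$d: IPsec exception is evaluated before MASQUERADE"
    else
        echo "$d: traffic to 192.168.1.0/24 would be masqueraded"
    fi
done
```

On a router the generated lines are applied with `vpn_zone_uci conn2 192.168.1.0/24 | uci batch && uci commit firewall && /etc/init.d/firewall reload`, and the order check is run as `iptables-save -t nat | nat_exception_ok 192.168.1.0/24`. A policy-based exception (`iptables -t nat -I postrouting_rule -m policy --dir out --pol ipsec -j ACCEPT`) avoids listing every remote subnet, but either form only helps when it is reached before the zone's MASQUERADE, which is exactly what the check verifies.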