To check your routing tables, you can use `ip route get SOME_IP_ADDRESS`. You can also inspect the routing tables with `ip route`. One non-obvious thing is that strongswan may install an additional route table. You can see all the tables that exist with `ip rule`. The one strongswan makes is called simply "220". `ip route` will show the main table, and the 220 table can be shown with `ip route list table 220`. With the usual way the rules are set (`ip rule`), anything in table 220 will override the main table.
In my case I found it best to disable strongswan's management of the route table and IP addresses with the `charon.install_routes = no` and `charon.install_virtual_ip = no` settings. I handle all of it in my own networking scripts.

On Thu, May 24, 2018 at 11:24 AM Gilles Printemps <gprinte...@gmail.com> wrote:

> Some updates.
> I'm now able to create the vti interface and I have an address assigned to
> the vti
>
> Result of "ifconfig"
> vti0      Link encap:IPIP Tunnel  HWaddr
>           inet addr:10.3.188.149  P-t-P:10.3.188.149  Mask:255.255.255.255
>           UP POINTOPOINT RUNNING NOARP  MTU:1332  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1
>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>
> Can someone confirm I now have to route all the marked packets to this
> interface to go through the VPN, and whether the address assigned to the
> vti can be seen as a gateway for the VPN?
>
> FYI, the following files have been updated.
>
> [/etc/ipsec.conf]
>
>> conn VPN
>>     keyexchange=ike
>>     dpdaction=clear
>>     dpddelay=300s
>>     leftupdown=/etc/ipsec.script.sh
>>     left=%defaultroute
>>     leftsourceip=%config4
>>     leftauth=eap-mschapv2
>>     eap_identity=gprintemps
>>     right=free-nl.hide.me
>>     rightauth=pubkey
>>     rightid=%any
>>     rightsubnet=0.0.0.0/0
>>     auto=route
>>     mark=2
>
> [/etc/ipsec.script.sh]
>
>> #!/bin/bash
>> set -o nounset
>> set -o errexit
>> VTI_IF="vti0"
>> case "${PLUTO_VERB}" in
>>     up-client)
>>         # okey/ikey take the numeric mark only; the "/mask" suffix is stripped
>>         ip tunnel add "${VTI_IF}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti \
>>             okey "${PLUTO_MARK_OUT%%/*}" ikey "${PLUTO_MARK_IN%%/*}"
>>         ip link set "${VTI_IF}" up
>>         sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1"
>>         ip addr add "${PLUTO_MY_SOURCEIP}" dev "${VTI_IF}"
>>         ;;
>>     down-client)
>>         ip tunnel del "${VTI_IF}"
>>         ;;
>> esac
>
> On Thu, May 24, 2018 at 12:15 PM, Gilles Printemps <gprinte...@gmail.com>
> wrote:
>
>> I already prepared the next step (after fixing the current issue), I've
>> created the following script
>>
>>> #!/bin/bash
>>> export TABLE_ID="vpn"
>>> export VPN_USER="vpn"
>>> export VPN_INTERFACE="vti0"
>>> export LAN="10.211.55.0/24"
>>> # GATEWAY is not set in this script; it must be provided by the caller
>>> : "${GATEWAY:?GATEWAY must be set in the environment}"
>>>
>>> # Flush iptables rules
>>> iptables -F -t nat
>>> iptables -F -t mangle
>>> iptables -F -t filter
>>> # Mark packets from $VPN_USER
>>> iptables -t mangle -A OUTPUT ! --dest $LAN -m owner --uid-owner $VPN_USER -j MARK --set-mark 0x1
>>> iptables -t mangle -A OUTPUT ! --src $LAN -j MARK --set-mark 0x1
>>> # Deny $VPN_USER to access other interfaces than lo
>>> iptables -A OUTPUT ! -o lo -m owner --uid-owner $VPN_USER -j DROP
>>> # Allow $VPN_USER to access lo and VPN interfaces
>>> iptables -A OUTPUT -o lo -m owner --uid-owner $VPN_USER -j ACCEPT
>>> iptables -A OUTPUT -o $VPN_INTERFACE -m owner --uid-owner $VPN_USER -j ACCEPT
>>>
>>> # Allow response from $VPN_INTERFACE
>>> iptables -A INPUT -i $VPN_INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT
>>> # Masquerade packets on $VPN_INTERFACE
>>> iptables -t nat -A POSTROUTING -o $VPN_INTERFACE -j MASQUERADE
>>>
>>> # Routing rules
>>> ip route replace default via $GATEWAY table $TABLE_ID
>>> ip route append default via 127.0.0.1 dev lo table $TABLE_ID
>>> ip route flush cache
>>
>> The purpose is to mark all packets from VPN_USER and to redirect them to the
>> ipsec interface created by the configuration.
>> I'm planning to do it with the following command:
>>
>>> ip rule add from all fwmark 0x1 lookup vpn
>>
>> Best Regards,
>> Gilles
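As an added example (not part of this thread or of strongswan), the following script makes the rule-precedence point above checkable: it parses `ip rule show` text and lists, lowest priority number first, the tables the kernel would consult for a packet carrying a given fwmark, so you can see whether strongswan's table 220 is consulted before the `vpn` table. The two `ip rule` listings, the priority numbers 32765 and 219, and the `priority 219` command are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): read `ip rule show` text and list, in
# order, the tables the kernel would consult for a packet with a given fwmark.
# Rules are walked by ascending priority number and the lookup stops at the
# first table that yields a route, so an earlier table wins. Only the
# selectors seen in this thread are handled (from all, fwmark, lookup).

# Constructed `ip rule show` output: strongswan's table 220 is present and the
# thread's fwmark rule landed at priority 32765 (assumed value).
RULES_MARK_AFTER_220='0:      from all lookup local
220:    from all lookup 220
32765:  from all fwmark 0x1 lookup vpn
32766:  from all lookup main
32767:  from all lookup default'

# Same, but the fwmark rule was given a priority number below 220, as with
# `ip rule add fwmark 0x1 lookup vpn priority 219` (constructed).
RULES_MARK_BEFORE_220='0:      from all lookup local
219:    from all fwmark 0x1 lookup vpn
220:    from all lookup 220
32766:  from all lookup main
32767:  from all lookup default'

# lookup_order RULES MARK -> space-separated tables, lowest priority number
# first. MARK is written as `ip rule` prints it (e.g. 0x1); 0x0 = unmarked.
lookup_order() {
    printf '%s\n' "$1" | awk -v mark="$2" '
    {
        prio = $1; sub(/:$/, "", prio)
        want = ""; table = ""
        for (i = 2; i <= NF; i++) {
            # fwmark may print as VALUE/MASK; keep VALUE, like ${PLUTO_MARK_OUT%%/*}
            if ($i == "fwmark") { want = $(i + 1); sub(/\/.*/, "", want) }
            if ($i == "lookup") table = $(i + 1)
        }
        if (table == "") next                  # no table (e.g. blackhole rule)
        if (want != "" && want != mark) next   # fwmark selector does not match
        print prio, table
    }' | sort -n | awk '{ printf "%s%s", (NR > 1 ? " " : ""), $2 } END { print "" }'
}

# Marked packets hit table 220 before "vpn" unless the fwmark rule sorts first.
echo "mark 0x1, rule at 32765: $(lookup_order "$RULES_MARK_AFTER_220" 0x1)"
echo "mark 0x1, rule at 219:   $(lookup_order "$RULES_MARK_BEFORE_220" 0x1)"
echo "unmarked,  rule at 219:  $(lookup_order "$RULES_MARK_BEFORE_220" 0x0)"
```

On a live host, feed it the real listing with `lookup_order "$(ip rule show)" 0x1`; if `220` precedes `vpn` in the output, the fwmark rule needs a priority number below 220 to take effect.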