GOT IT! It was a combination but the flaw was that net.ipv4.ip_forward = 1 didn't actually get set on cloud-init :(

The combination (for the record) was

net.ipv4.ip_forward = 1
ip route add 10.0.0.0/20 via ${GATEWAY1} dev eth1
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Kind regards,

Christian Salway
IT Consultant - Naimuri
T: +44 7463 331432
E: christian.sal...@naimuri.com
A: Naimuri Ltd, Capstan House, Manchester M50 2UW

> On 27 Jul 2018, at 09:36, Christian Salway <christian.sal...@naimuri.com> wrote:
>
> I have also tried setting the clients to use a 192.168.5.0/24 IP range and that doesn't work either :/
>
> I suspect it's something I'm missing with StrongSwan and setting a route back to the client IP.
>
>
>> On 27 Jul 2018, at 07:18, Christian Salway <christian.sal...@naimuri.com> wrote:
>>
>> Thanks, Jafar,
>>
>> That didn't solve it though.
>>
>> radius: #12, ESTABLISHED, IKEv2, 2f7f6a6d36925325_i 63ab06e78f39d832_r*
>>   local  '***********' @ *********[4500]
>>   remote '192.168.0.31' @ *********[4500] EAP: 'christian.salway' [10.0.0.10]
>>   AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
>>   established 0s ago, rekeying in 13009s
>>   passive: CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
>>   child_sa_1: #12, reqid 5, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128
>>     installed 0s ago, rekeying in 3491s, expires in 3960s
>>     in  c4b386cb, 0 bytes, 0 packets
>>     out 066b00fc, 0 bytes, 0 packets
>>     local  10.0.0.0/20
>>     remote 10.0.0.10/32
>>
>> # ip r
>> default via 172.31.16.1 dev eth0
>> 10.0.0.0/22 via 172.31.16.1 dev eth0
>> 10.0.0.0/20 via 172.31.48.1 dev eth1
>> 172.31.16.0/20 dev eth0 proto kernel scope link src 172.31.21.144
>> 172.31.48.0/20 dev eth1 proto kernel scope link src 172.31.51.247
>>
>>
>> On my OSX
>>
>> $ netstat -nr
>> Routing tables
>>
>> Internet:
>> Destination        Gateway            Flags        Refs      Use   Netif Expire
>> default            192.168.0.1        UGSc          83        0     en0
>> default            link#13            UCSI           0        0  ipsec0
>> 10/20              10.0.0.1           UGSc           1        0  ipsec0
>> 10.0.0.1           10.0.0.1           UH             2        0  ipsec0
>>
>>
>>> On 26 Jul 2018, at 23:00, Jafar Al-Gharaibeh <ja...@atcorp.com> wrote:
>>>
>>> ip route add 10.0.0.0/22 dev eth0 via 172.31.0.1
>>
>
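A check for the three settings the thread ends with, added here as an example and not part of the correspondence: it reads ip_forward from the kernel directly (the value cloud-init silently skipped) and tests the route and MASQUERADE rule against `ip route` / `iptables -S` output. The subnet and interface are the ones from the mail, the sample tables are constructed from the quoted `ip r` output, and the `--live` flag is this script's own assumption.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits the three settings the
# gateway needs before it forwards VPN-client traffic: ip_forward, the route
# to the VPC subnet, and the MASQUERADE rule. Subnet/interface come from the
# mail; the sample tables are constructed from the `ip r` output quoted there.
set -eu

SUBNET="10.0.0.0/20"
IFACE="eth1"

# 0 when the kernel forwards between interfaces. Reads the file directly
# instead of trusting cloud-init, which is what silently failed in the thread.
ip_forward_enabled() {          # $1 = path to the ip_forward sysctl file
    [ "$(cat "$1")" = "1" ]
}

# 0 when routing-table text $1 (output of `ip route`) already carries a route
# for subnet $2 leaving via interface $3 (exact prefix, exact device).
route_present() {
    printf '%s\n' "$1" | grep -Eq "^$2 .*dev $3( |$)"
}

# 0 when listing $1 (`iptables -t nat -S POSTROUTING`) masquerades interface $2.
nat_present() {
    printf '%s\n' "$1" | grep -Fq -- "-o $2 -j MASQUERADE"
}

# Prints one line per missing setting; returns how many are missing (0 = ready).
audit() {                       # $1 = sysctl path, $2 = routes, $3 = nat rules
    missing=0
    ip_forward_enabled "$1" || { echo "MISSING: net.ipv4.ip_forward = 1"; missing=$((missing + 1)); }
    route_present "$2" "$SUBNET" "$IFACE" || { echo "MISSING: ip route add $SUBNET via <gateway> dev $IFACE"; missing=$((missing + 1)); }
    nat_present "$3" "$IFACE" || { echo "MISSING: iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE"; missing=$((missing + 1)); }
    return "$missing"
}

if [ "${1:-}" = "--live" ]; then            # --live: assumed flag, needs root
    audit /proc/sys/net/ipv4/ip_forward "$(ip route)" "$(iptables -t nat -S POSTROUTING)"
else
    # Constructed sample: routes as quoted in the thread, NAT rule in place,
    # but ip_forward still 0, which is the state the first mail describes.
    SAMPLE_FWD="$(mktemp)"
    echo 0 > "$SAMPLE_FWD"
    audit "$SAMPLE_FWD" "default via 172.31.16.1 dev eth0
10.0.0.0/22 via 172.31.16.1 dev eth0
10.0.0.0/20 via 172.31.48.1 dev eth1" "-P POSTROUTING ACCEPT
-A POSTROUTING -o eth1 -j MASQUERADE" || echo "$? setting(s) missing"
    rm -f "$SAMPLE_FWD"
fi
```

Run without arguments it reports the sample gateway as missing only ip_forward; with `--live` its exit status is the number of settings still missing on the host.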