Hello Joe,

Configure traffic selectors that negotiate the policies you require. The traffic will follow them.

Kind regards

Noel

On 23.01.19 at 00:15, joekok...@epios.eu wrote:
> Dear all,
>
> I am trying to solve a specific routing scenario with computers connected
> with strongswan. The setup is with virtual IPs in the 10.0.0.0/14 range.
>
> Computer A 10.0.1.1 (behind NAT) --> Gateway (public IP and assigned
> 10.0.0.1/14 address) --> Computer B (behind NAT) 10.0.1.2 --> Internet of
> Computer B
>
> Computer C 10.0.1.3 (behind NAT) --> Gateway (public IP and assigned
> 10.0.0.1/14 address) --> Computer D 10.0.1.2 (behind NAT) --> Internet of
> Computer D
>
> I want to be able to access the internet of computer B or D by computer A and
> C. Forwarding is enabled on the gateway and the computers can individually
> reach each other. The entire traffic from a specific IP (e.g. 10.0.1.1)
> should be forwarded by the gateway to another destination (e.g. 10.0.1.2)
> where masquerading occurs.
>
> I tried with the Multi-ISP scenario of Shorewall, which I am using, but it
> did not work. It somehow needs to be able to get the MAC address of the
> router it should forward to (computer B and D).
>
> I also tried to directly modify the routing table as follows:
>
> echo 200 COMPA >> /etc/iproute2/rt_tables
> ip route add 0.0.0.0 dev eth0 table COMPA
> ip route add default via 10.0.1.2 table COMPA
>
> #Then the rules to select the route table based on the source address:
> ip rule add from 10.0.1.1 dev eth0 table COMPA
>
> Unfortunately this leads to no success. The packages arrive at the gateway
> but are not forwarded. However the 'ip route from 10.0.1.1 to 8.8.8.8' shows
> that the traffic should go through the gateway 10.0.1.2.
>
> The computers are connected to the gateway as hosts. No subnet was specified.
> But I cannot imagine defining a leftsubnet of 0.0.0.0, on multiple computers
> reaching the gateway.
>
> I am not sure which direction I should go now. I would be really happy if
> someone could tell me how I can go on. I did not include the configs, because
> to me it seems just like a routing issue.
>
> Thanks in advance!
>
> Best
> Joe
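An added illustration, not part of either message above: a simplified Python model of how negotiated traffic selectors, rather than routing tables, decide which tunnel a packet leaves the gateway through. It uses the addresses from the question; the tunnel names, the selector list and the "most specific selector pair wins" rule are assumptions made for this sketch.

```python
import ipaddress as ip

# Constructed outbound policies on the gateway:
# (source selector, destination selector, tunnel the packet is sent into).
# Tunnel names are hypothetical labels, not strongSwan identifiers.
POLICIES = [
    ("10.0.1.1/32", "0.0.0.0/0", "tunnel-to-B"),    # A's internet traffic exits at B
    ("10.0.1.3/32", "0.0.0.0/0", "tunnel-to-D"),    # C's internet traffic exits at D
    ("0.0.0.0/0", "10.0.1.1/32", "tunnel-to-A"),    # replies from the internet to A
    ("0.0.0.0/0", "10.0.1.3/32", "tunnel-to-C"),    # replies from the internet to C
    ("10.0.0.0/14", "10.0.1.1/32", "tunnel-to-A"),  # host-to-host traffic inside the VPN
    ("10.0.0.0/14", "10.0.1.3/32", "tunnel-to-C"),
]


def select_tunnel(src, dst, policies=POLICIES):
    """Return the tunnel whose selectors match (src, dst), or None.

    Among matching policies the one with the longest combined prefix
    length wins; on a tie the first one listed is kept. This is a
    simplification of priority by selector specificity.
    """
    s, d = ip.ip_address(src), ip.ip_address(dst)
    best, best_len = None, -1
    for src_sel, dst_sel, tunnel in policies:
        src_net, dst_net = ip.ip_network(src_sel), ip.ip_network(dst_sel)
        if s in src_net and d in dst_net:
            plen = src_net.prefixlen + dst_net.prefixlen
            if plen > best_len:
                best, best_len = tunnel, plen
    return best


if __name__ == "__main__":
    for src, dst in [("10.0.1.1", "8.8.8.8"), ("10.0.1.3", "8.8.8.8"),
                     ("8.8.8.8", "10.0.1.1"), ("10.0.1.1", "10.0.1.3"),
                     ("10.0.1.2", "8.8.8.8")]:
        print(f"{src} -> {dst}: {select_tunnel(src, dst)}")
```

The last sample packet matches no selector pair, so in this model it is not sent into any tunnel; only traffic covered by a negotiated selector pair is.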