Hi Graham, what if you NAT the clients behind Jupiter to Jupiter's virtual IP? As far as I remember this should work.
Regards
Andreas

Graham Hudspith wrote:
>> the problem might be that although jupiter's satellites are NAT-ed to
>> jupiter's eth0 address 192.168.50.159, jupiter itself uses the virtual
>> IP address 10.10.2.147 within the IPsec tunnel. I know
>> from personal experience that NAT-ing clients behind a gateway
>> to the gateway's outer IP address will successfully route traffic
>> through the tunnel (at least with Linux kernels >= 2.1.16 which
>> fixed a longstanding bug) but since the POSTROUTING -t nat chain is the
>> last hook in the path it will not heed the source routing rule defined
>> by table 220. Can you do without a virtual IP on jupiter?
>
> Andreas,
>
> Thanks for that swift reply.
>
> I tried setting up the tunnel WITHOUT specifying the sourceip option
> in the ipsec.conf.
>
> The tunnel does come up, and the left side of the tunnel is assigned
> jupiter's IP address.
>
> However, if I send a ping from jupiter to one of saturn's satellites,
> the pings go down the tunnel to the remote
> security-gateway (saturn) and onwards to the far subnet (saturn's
> satellites), BUT the reply seems to come from saturn back cleartext on the
> LAN rather than through the tunnel.
>
> The ping replies are not routed back to the originator on jupiter.
>
> If I send a ping from one of jupiter's satellites to one of saturn's
> satellites, this does now go down the tunnel. However, the results are
> the same, in that the ping reply is sent cleartext from saturn on the
> LAN rather than down the tunnel.
>
> Any ideas what I can do to fix this (only allowed to alter jupiter,
> sadly)?
>
> Regards,
>
> Graham.

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
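The suggestion above (SNAT jupiter's satellites to jupiter's virtual IP so their packets match the tunnel's traffic selector and saturn answers through the tunnel rather than in cleartext on the LAN) as an added shell example; it is not code from the thread or from the strongSwan project. The virtual IP and eth0 address are the thread's; the satellite subnet 192.168.50.0/24 and saturn's subnet 192.168.60.0/24 are assumed placeholders, and the table 220 route line fed to the check is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: rewrite the source of packets from
# jupiter's satellites to jupiter's virtual IP before they enter the tunnel.
VIRTUAL_IP="10.10.2.147"       # jupiter's sourceip (from the thread)
SAT_NET="192.168.50.0/24"      # ASSUMED: subnet of jupiter's satellites
REMOTE_NET="192.168.60.0/24"   # ASSUMED: subnet of saturn's satellites

# Build the POSTROUTING rule. Inserted at position 1 so it is evaluated
# before any general MASQUERADE rule that would rewrite to eth0's address
# (192.168.50.159), which saturn's policy does not cover. No "-m policy"
# match is used: the kernel repeats the IPsec policy lookup after SNAT,
# so it is the rewritten source that is matched against the tunnel.
snat_rule() {
    printf 'iptables -t nat -I POSTROUTING 1 -s %s -d %s -j SNAT --to-source %s\n' \
        "$SAT_NET" "$REMOTE_NET" "$VIRTUAL_IP"
}

# Check that strongSwan's table 220 route for the remote subnet carries
# "src <virtual IP>", i.e. that jupiter's own traffic also leaves with the
# virtual IP. Reads route lines from stdin so it accepts either the live
# output of "ip route show table 220" or a captured sample.
table220_src_ok() {
    awk -v net="$1" -v vip="$2" '
        $1 == net {
            for (i = 1; i <= NF; i++) if ($i == "src" && $(i + 1) == vip) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Live usage (root required):
#   snat_rule | sh
#   ip route show table 220 | table220_src_ok "$REMOTE_NET" "$VIRTUAL_IP"
```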