Hello everyone. I have the following setup: I have a strongSwan server on a public IP which has no local subnet behind it. Now if I connect to it with strongSwan from my local machine, which is on a local network behind a router, I can connect to it, ping it and use the services of my server just fine.
The problem: I want to route all my internet traffic through the server and the local traffic should stay on the local net. No matter what I do, I cannot get this to work. If I use the config at the end of this mail, I end up with those policies on the client:

src 0.0.0.0/0 dst SERVER_IP/32
        dir fwd priority 2000
        tmpl src SERVER_IP dst 192.168.2.132
                proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 172.31.25.1/32
        dir in priority 2000
        tmpl src SERVER_IP dst 192.168.2.132
                proto esp reqid 1 mode tunnel
src 172.31.25.1/32 dst 0.0.0.0/0
        dir out priority 1680
        tmpl src 192.168.2.132 dst SERVER_IP
                proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0

Now _all_ traffic is routed through the tunnel, no matter if it is for the local network or not. If I comment out the appropriate LEFT|RIGHTSUBNET=0.0... lines, I get the following policies:

src SERVER_IP/32 dst 172.31.25.1/32
        dir fwd priority 1680
        tmpl src SERVER_IP dst 192.168.2.132
                proto esp reqid 1 mode tunnel
src SERVER_IP/32 dst 172.31.25.1/32
        dir in priority 1680
        tmpl src SERVER_IP dst 192.168.2.132
                proto esp reqid 1 mode tunnel
src 172.31.25.1/32 dst SERVER_IP/32
        dir out priority 1680
        tmpl src 192.168.2.132 dst SERVER_IP
                proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0

I tried almost everything so far, but I cannot come up with a working solution. By the way, table 220 is always empty on the client side. I am using strongSwan 4.3.6 on kernel 2.6.32.8 (server and client).
I would really appreciate any help or hints on what else I could do to fix this. Thanks a lot in advance for taking the care.

Best regards
matthias

Configuration: SERVER)

config setup
        nat_traversal=yes
        charonstart=yes
        plutostart=no

ca "XXX CA"
        cacert=ca.cert.der
        auto=add

conn "XXX"
        left=%defaultroute
        leftcert=XXX
        leftsendcert=never
        leftsubnet=0.0.0.0/0
        right=%any
        rightsourceip=172.31.25.0/24
        rightcert=XXX
        installpolicy=yes
        keyexchange=ikev2
        mobike=yes
        auto=add

Configuration: CLIENT)

config setup
        nat_traversal=yes
        charonstart=yes
        plutostart=no

ca "XXX CA"
        cacert=ca.cert.der
        auto=add

conn "XXX"
        left=%defaultroute
        leftsourceip=%config
        rightsubnet=0.0.0.0/0
        leftcert=XXX
        right=XXX
        rightcert=XXX
        installpolicy=yes
        keyexchange=ikev2
        mobike=yes
        auto=add

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
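For anyone reading this thread later: the two policy dumps in the mail already contain the answer to "what gets tunneled", because the kernel's lookup rule is simple enough to replay offline. The script below is an added example, not part of Matthias' mail and not strongSwan code. It parses `ip xfrm policy` output in the layout shown above and, for an outbound flow, returns the template mode of the winning policy ("tunnel"), "clear" when the winning policy has no template, or "no-policy" when nothing matches. Assumptions of the example: SERVER_IP is stood in for by the documentation address 203.0.113.10, the LAN host 192.168.2.1 and the Internet host 198.51.100.7 are made up, the fwd policies are left out of the copied dumps because they play no part in the outbound lookup, and the third policy set (a template-less LAN policy with an invented priority) is an illustration of the kernel mechanism, not something the mail shows.

```python
"""Replay the kernel's outbound IPsec policy lookup against `ip xfrm policy` output.
Added example for this thread, not from the original mail and not strongSwan code.
SERVER_IP is stood in for by 203.0.113.10; all other addresses are constructed."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

SERVER_IP = "203.0.113.10"   # placeholder for the poster's SERVER_IP
# Constructed copy of the first dump in the mail (leftsubnet/rightsubnet=0.0.0.0/0) in the
# layout `ip xfrm policy` prints; the fwd policy and two of the three numeric-dir pairs are
# left out because they do not take part in the outbound lookup.
FULL_TUNNEL = f"""
src 0.0.0.0/0 dst 172.31.25.1/32
        dir in priority 2000
        tmpl src {SERVER_IP} dst 192.168.2.132
                proto esp reqid 1 mode tunnel
src 172.31.25.1/32 dst 0.0.0.0/0
        dir out priority 1680
        tmpl src 192.168.2.132 dst {SERVER_IP}
                proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0
"""
# Constructed copy of the second dump (subnet lines commented out): host-to-host only.
HOST_ONLY = f"""
src {SERVER_IP}/32 dst 172.31.25.1/32
        dir in priority 1680
        tmpl src {SERVER_IP} dst 192.168.2.132
                proto esp reqid 1 mode tunnel
src 172.31.25.1/32 dst {SERVER_IP}/32
        dir out priority 1680
        tmpl src 192.168.2.132 dst {SERVER_IP}
                proto esp reqid 1 mode tunnel
"""
# Constructed illustration, not from the mail: the full-tunnel set plus a narrower LAN policy
# without a template.  No template means "pass in the clear"; the priority 1000 is made up
# and only has to be numerically lower (i.e. stronger) than the 1680 of the 0.0.0.0/0 policy.
WITH_LAN_BYPASS = FULL_TUNNEL + """
src 172.31.25.1/32 dst 192.168.2.0/24
        dir out priority 1000
"""

@dataclass
class Policy:
    src: ipaddress.IPv4Network   # traffic selector, source side
    dst: ipaddress.IPv4Network   # traffic selector, destination side
    direction: str               # "in"/"out"/"fwd"; numeric values are per-socket policies
    priority: int                # lower number wins among matching policies
    tmpl_mode: str | None        # "tunnel"/"transport", None when there is no template

def _build(f: dict) -> Policy:
    return Policy(ipaddress.ip_network(f["src"], strict=False),
                  ipaddress.ip_network(f["dst"], strict=False),
                  f.get("dir", "?"), int(f.get("priority", 0)),
                  f.get("mode") if f["has_tmpl"] else None)

def parse_xfrm_policies(dump: str) -> list[Policy]:
    """`src A dst B` opens a policy; indented lines are key/value pairs; `tmpl` marks a template."""
    policies, cur = [], None
    for raw in dump.splitlines():
        toks = raw.split()
        if not toks:
            continue
        if toks[0] == "src":                      # new policy begins
            if cur is not None:
                policies.append(_build(cur))
            cur = {"has_tmpl": False}
        if cur is None:                           # text before the first policy
            continue
        if toks[0] == "tmpl":                     # template endpoints must not overwrite the selector
            cur["has_tmpl"] = True
            continue
        cur.update(zip(toks[0::2], toks[1::2]))   # src/dst, dir/priority, proto/reqid/mode
    if cur is not None:
        policies.append(_build(cur))
    return policies

def select_policy(policies: list[Policy], direction: str, src_ip: str, dst_ip: str) -> Policy | None:
    """The policy the kernel applies: same direction, both addresses inside the selector,
    lowest priority number.  Per-socket (numeric dir) policies never match routed traffic."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = [p for p in policies if p.direction == direction and src in p.src and dst in p.dst]
    return min(hits, key=lambda p: p.priority) if hits else None

def classify_flow(policies: list[Policy], src_ip: str, dst_ip: str) -> str:
    """Outbound flow -> winning template mode ("tunnel"/"transport"), "clear" for a
    matching template-less policy, or "no-policy" when nothing matches."""
    p = select_policy(policies, "out", src_ip, dst_ip)
    return "no-policy" if p is None else (p.tmpl_mode or "clear")

if __name__ == "__main__":
    sets = (("full tunnel", FULL_TUNNEL), ("host only", HOST_ONLY), ("with LAN bypass", WITH_LAN_BYPASS))
    for label, dump in sets:
        for dst in ("192.168.2.1", "198.51.100.7", SERVER_IP):   # constructed LAN host, Internet host, server
            print(f"{label:16} 172.31.25.1 -> {dst:14} {classify_flow(parse_xfrm_policies(dump), '172.31.25.1', dst)}")
```

Against the first dump, a flow from the virtual IP to 192.168.2.1 matches the `src 172.31.25.1/32 dst 0.0.0.0/0` out policy at priority 1680 and is tunneled, which is exactly the "_all_ traffic" symptom; against the second dump only the server address matches anything. The third set shows the kernel-level shape of an exemption: a narrower, template-less policy with a numerically lower priority wins over the 0.0.0.0/0 one. Note that the selector includes the source address, so the same flow sent from 192.168.2.132 instead of 172.31.25.1 matches nothing in the first dump; which source the routing tables pick for a destination therefore matters as much as the policies, and `ip route get <dst>` on the client answers that.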