Hi Richard, the table 220 source IP routing rule applies to packets originating from the VPN gateway itself only. If you want roadwarriors from a subnet behind the GW to assume this address then you have to NAT them to the GW's address. Since the table 220 rule usually maps the GW's source address to the local interface on the subnet I don't see the sense of the roadwarriors belonging to this subnet to assume the gateway's internal address.
Regards
Andreas

On 05.11.2016 18:01, Richard Chan wrote:
Hi, in the roadwarrior configuration, from a conceptual point of view,
why doesn't table 220 change the source IP address of forwarded packets
(say the roadwarrior has a subnet behind it)?

# ip ro sho table 220
10.0.0.0/8 via 192.168.1.1 dev eth0 proto static src 10.2.0.3

# ip rule show
0:      from all lookup local
220:    from all lookup 220
32766:  from all lookup main
32767:  from all lookup default

roadwarrior has a separate subnet 192.168.2.0/24 and is forwarding/NAT'ing packets.

When I ping a host on the central site LAN
- OUTPUT chain sees the source IP address as 10.2.0.3 (table 220 is working!)
- FORWARD chain sees the source IP address as 192.168.2.X (host cannot be reached until these packets are SNAT'ed to 10.2.0.3)
Richard Chan
======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
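The distinction Andreas describes, written out as an added illustration that is not code from this thread or from strongSwan: a small model in which the 'src' hint of the table 220 route is consulted only for packets the roadwarrior generates itself, while a packet forwarded from the 192.168.2.0/24 subnet keeps its own source until a nat/POSTROUTING SNAT rule rewrites it to 10.2.0.3. The addresses are the ones quoted above; the Route and SnatRule classes, the SNAT rule itself and the helper names are assumptions made for the example.

```python
"""Model of routing-time source selection vs. SNAT for a strongSwan roadwarrior
with a subnet behind it (added example; addresses taken from the list thread,
classes and helper names are assumptions for illustration)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    dst: IPv4Network
    via: str
    dev: str
    src: Optional[str] = None  # the "src 10.2.0.3" preferred-source hint


@dataclass(frozen=True)
class SnatRule:
    match_src: IPv4Network
    match_dst: IPv4Network
    to_source: str


# Table 220 as shown in the thread:
#   10.0.0.0/8 via 192.168.1.1 dev eth0 proto static src 10.2.0.3
TABLE_220: List[Route] = [Route(ip_network("10.0.0.0/8"), "192.168.1.1", "eth0", "10.2.0.3")]

# SNAT for the subnet behind the roadwarrior, restricted to tunnel destinations
# (constructed for this example, equivalent to
#   iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -d 10.0.0.0/8 -j SNAT --to-source 10.2.0.3).
SNAT_RULES: List[SnatRule] = [SnatRule(ip_network("192.168.2.0/24"), ip_network("10.0.0.0/8"), "10.2.0.3")]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match within one routing table."""
    addr = ip_address(dst)
    candidates = [r for r in table if addr in r.dst]
    return max(candidates, key=lambda r: r.dst.prefixlen, default=None)


def output_source(dst: str, table: List[Route] = TABLE_220, bound_src: Optional[str] = None) -> Optional[str]:
    """Source of a packet generated on the roadwarrior itself (seen in OUTPUT).

    Only here is the route's 'src' hint used: when the socket did not bind a
    source address, the kernel fills in the hint from the matching route."""
    if bound_src is not None:
        return bound_src
    route = lookup(table, dst)
    return route.src if route else None


def forward_source(pkt_src: str, dst: str, table: List[Route] = TABLE_220) -> Optional[str]:
    """Source of a forwarded packet after the route lookup (seen in FORWARD).

    The lookup still selects the next hop, but routing never rewrites the
    header of a packet that arrived from another host; the hint is ignored."""
    if lookup(table, dst) is None:
        return None  # no route: the packet is dropped, not forwarded
    return pkt_src


def postrouting_source(pkt_src: str, dst: str, rules: List[SnatRule] = SNAT_RULES) -> str:
    """Apply the first matching nat/POSTROUTING SNAT rule, if any."""
    s, d = ip_address(pkt_src), ip_address(dst)
    for rule in rules:
        if s in rule.match_src and d in rule.match_dst:
            return rule.to_source
    return pkt_src


def forwarded_packet_source(pkt_src: str, dst: str, rules: List[SnatRule] = SNAT_RULES) -> Optional[str]:
    """Source a forwarded packet finally carries towards the tunnel."""
    after_routing = forward_source(pkt_src, dst)
    if after_routing is None:
        return None
    return postrouting_source(after_routing, dst, rules)


if __name__ == "__main__":
    print("ping from the roadwarrior itself ->", output_source("10.0.0.5"))
    print("forwarded, no SNAT rule          ->", forwarded_packet_source("192.168.2.10", "10.0.0.5", rules=[]))
    print("forwarded, with SNAT rule        ->", forwarded_packet_source("192.168.2.10", "10.0.0.5"))
```

Restricting the SNAT rule to the tunnel destination (10.0.0.0/8 here) keeps ordinary Internet traffic from the subnet untouched; only packets that would hit the IPsec policy leave with the virtual IP.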
_______________________________________________ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users