[Swan] Traffic not routing down tunnel

Paul Wouters paul at nohats.ca
Sun Jan 18 00:37:32 EET 2015

On Sat, 17 Jan 2015, Phil Daws wrote:

> No joy :( it's probably compounded by the setup in my lab as well. Let me break it down:
> Left Side:
> eth0: 37.XXX.XXX.XXX
> eth1:
> eth2:
> eth3:
> Right Side:
> eth0: 88.XXX.XXX.XXX
> eth1:
> eth2:
> eth3:
> have just been able to connect from an address on to so the tunnel is alive but routing must be mangled viz. if I try and connect to it just sits there ?!?! and that should work as my VPN does connect to that IP.  This is without the left/right source ip.
> Getting closer, to understand this, and hopefully working :)

If you want the left server (itself) to be able to reach the right subnets, and
the right server (itself) to be able to reach the left subnets, you have
to ensure that the server's inner IP is used for communicating to those
remote subnets.

So if using


then adding


should do the trick.

However, you could also use your public IP as an additional subnet:


Then you will have explicit IPsec tunnels from your public IP to your
LANs. Less useful if you are on a dynamic IP. It also means your firewall
rules on the hosts might need to allow those public IPs to private LANs,
whereas with the first trick, your gateway will use a LAN IP so you don't
have to have any firewall rules related to its public IP.

You probably also want a rule along the lines of:

iptables -I POSTROUTING -t nat -d 10/8 -j RETURN

to exclude all subnet tunnel traffic from getting NAT'ed.
(you can add -s 10/8 if not building tunnels with the public IP)

Various ways to shoot yourself in the foot are warned against in "ipsec


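An added check, not from the post or from the Libreswan project, that the NAT exemption described above is actually in effect and sits ahead of the MASQUERADE rule; it runs against constructed `iptables-save -t nat` output (the `10/8` and `eth0` values are assumptions), and the same function can be fed `"$(iptables-save -t nat)"` on a live gateway:

```shell
#!/bin/sh
# Added example (not from the list post): verify that a gateway's nat
# POSTROUTING chain exempts the 10/8 tunnel subnets from NAT *before* any
# MASQUERADE/SNAT rule. iptables evaluates rules top-down, which is why the
# post uses `-I` (insert at the top) rather than `-A` (append).

# Constructed `iptables-save -t nat` output for a correctly ordered chain
# (iptables-save prints `10/8` as `10.0.0.0/8`).
SAMPLE_OK='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -d 10.0.0.0/8 -j RETURN
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Constructed output for the common mistake: the rule was appended with -A,
# so MASQUERADE has already matched the tunnel traffic.
SAMPLE_BAD='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -d 10.0.0.0/8 -j RETURN
COMMIT'

# nat_excludes_tunnel RULESET
# Exit 0 if a "-d 10.0.0.0/8 -j RETURN" POSTROUTING rule precedes the first
# MASQUERADE/SNAT rule; exit 1 if it is missing or comes too late.
nat_excludes_tunnel() {
    printf '%s\n' "$1" | awk '
        /^-A POSTROUTING / && /-d 10\.0\.0\.0\/8 / && /-j RETURN$/ {
            if (!seen_nat) ok = 1
        }
        /^-A POSTROUTING / && /-j (MASQUERADE|SNAT)/ { seen_nat = 1 }
        END { if (ok) exit 0; exit 1 }
    '
}

for name in SAMPLE_OK SAMPLE_BAD; do
    eval "ruleset=\$$name"
    if nat_excludes_tunnel "$ruleset"; then
        echo "$name: tunnel subnets exempt from NAT (ok)"
    else
        echo "$name: 10/8 traffic would be NATed; fix with"
        echo "  iptables -I POSTROUTING -t nat -d 10/8 -j RETURN"
    fi
done
```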