[Swan] Site-to-site with public member addresses, routing trouble
paul at nohats.ca
Wed Jul 6 14:30:36 UTC 2016
On Wed, 6 Jul 2016, Jesse Butcher wrote:
> We have successfully established SAs with no errors but I am having trouble configuring the routing on our side.
You do not need to manually change any routing for IPsec to work.
More likely, you are NATing packets meant for IPsec. You might need
to update your SNAT or MASQUERADE rules to not apply when the packets
are meant for IPsec tunnels.
iptables -t nat -I POSTROUTING -s 10.0.0.0/8 -o eth+ -m policy --dir out --pol none -j MASQUERADE
This would ensure packets that have a --pol ipsec would not get NAT'ed.
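Added example, not part of the list post: a small POSIX shell audit that reads an iptables-save dump of the nat table, flags SNAT/MASQUERADE rules in POSTROUTING that lack the "-m policy --dir out --pol none" match described above (and so would still rewrite packets headed into an IPsec tunnel), and rewrites such rules to carry the match. The dump, interface names and addresses are constructed for the example.

```shell
#!/bin/sh
# Audit an iptables-save nat-table dump for POSTROUTING SNAT/MASQUERADE rules
# that do not exempt IPsec-policy packets, then show the corrected rule text.

# Constructed sample dump (not from a real host): the first rule exempts
# packets with an IPsec policy, the second does not.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/8 -o eth+ -m policy --dir out --pol none -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 203.0.113.10
COMMIT'

# Print every POSTROUTING NAT rule from stdin that lacks the policy match.
# Prints nothing when every NAT rule already exempts IPsec traffic.
find_unexempted_nat_rules() {
    grep -E '^-A POSTROUTING .*-j (SNAT|MASQUERADE)' |
        grep -v -- '-m policy --dir out --pol none'
}

# Return 0 when the dump in $1 is clean, 1 when some rule would NAT IPsec traffic.
nat_rules_exempt_ipsec() {
    n=$(printf '%s\n' "$1" | find_unexempted_nat_rules | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Insert the policy match before the jump target of rules that lack it; rules
# that already carry it are left untouched. Output can go to iptables-restore.
add_ipsec_exemption() {
    printf '%s\n' "$1" |
        sed -E '/-m policy --dir out --pol none/!s/ -j (SNAT|MASQUERADE)/ -m policy --dir out --pol none -j \1/'
}
```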