[Swan] Site-to-site with public member addresses, routing trouble

Paul Wouters paul at nohats.ca
Wed Jul 6 14:30:36 UTC 2016


On Wed, 6 Jul 2016, Jesse Butcher wrote:

> We have successfully established SAs with no errors but I am having trouble configuring the routing on our side.

You do not need to manually change any routing for IPsec to work.

More likely, you are NATing packets meant for IPsec. You might need
to update your SNAT or MASQUERADE rules to not apply when the packets
are meant for IPsec tunnels.

Something like:

iptables -t nat -I POSTROUTING -s 10.0.0.0/8 -o eth+ -m policy --dir out --pol none -j MASQUERADE

This would ensure packets that have a --pol ipsec would not get NAT'ed.

Paul
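As an added example (not part of Paul's reply), a small POSIX shell check that reads `iptables -t nat -S POSTROUTING` output and reports whether IPsec-bound traffic is still exposed to SNAT/MASQUERADE, i.e. whether every SNAT/MASQUERADE rule is either conditioned on `-m policy --dir out --pol none` (the rule from the post) or preceded by an exemption rule matching `--pol ipsec`. The sample rulesets are constructed; `ipsec_nat_ok` and `check_live` are names chosen here.

```shell
#!/bin/sh
# Added example: verify that a POSTROUTING NAT ruleset will not rewrite
# packets that are about to enter an IPsec tunnel.
# $1 is the text of `iptables -t nat -S POSTROUTING`, one rule per line.
# Returns 0 (ok) if each SNAT/MASQUERADE rule is guarded by "--pol none"
# or comes after an "--pol ipsec ... -j ACCEPT" exemption; 1 otherwise.
ipsec_nat_ok() {
    printf '%s\n' "$1" | awk '
        # An exemption rule: everything below it is already safe.
        /--pol ipsec/ && /-j ACCEPT/ { exempt = 1; next }
        # Any NAT target not guarded by a policy match is a problem.
        /-j (MASQUERADE|SNAT)/ {
            if (!exempt && $0 !~ /--pol none/) { bad = 1 }
        }
        END { exit bad }'
}

# Constructed sample: unconditional MASQUERADE, NATs IPsec traffic too.
BAD_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE'

# Constructed sample: the rule from the post (guarded by --pol none).
GOOD_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.0.0.0/8 -o eth+ -m policy --dir out --pol none -j MASQUERADE'

# Constructed sample: explicit exemption placed ahead of a plain MASQUERADE.
EXEMPT_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE'

# Constructed sample: exemption appended after MASQUERADE, so it never
# matches; rule order in POSTROUTING matters.
WRONG_ORDER='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT'

# Run the same check against the live table (needs root); not called here.
check_live() { ipsec_nat_ok "$(iptables -t nat -S POSTROUTING)"; }
```

Run `check_live` on the gateway after loading the rules; a non-zero exit means some SNAT/MASQUERADE rule still applies before the IPsec policy is consulted.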


