Hi there,

I recently tried to add a strongswan (4.5.2) ipsec (site-to-site) tunnel to our "uplink router" (debian 7.1 linux/iptables 1.4.14), but I do not understand how I could add a policy allowing NAT/routing or any kind of access to the clients behind this tunnel. Without FW-Builder rules loaded, the tunnel is up and running and routing is working, but this ipsec implementation does not create a virtual interface (like ipsec0) anymore, nor does it use regular routing entries; it uses ip xfrm policies instead.

As soon as I load ANY fwbuilder-created rules script, no packets are transported through the tunnel anymore, no matter whether Strongswan itself adds its automatic iptables rules or not. Of course ESP/AH packets are NOT blocked by the firewall (the SA can be established with "Shields up").

Any hints or ideas how to fix this ?

Best regards,

Andreas Balg
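As an added illustration (not part of Andreas's post and not strongSwan or fwbuilder code) of the point that a policy-based IPsec setup has no ipsec0 interface to write rules against: the script below reads `ip xfrm policy` output and derives FORWARD rules that match only traffic the kernel has actually decrypted or is about to encrypt, via the iptables `policy` match (xt_policy, available in iptables 1.4.x), plus a nat-table exception so MASQUERADE does not rewrite tunnel traffic. The xfrm output embedded here is a constructed sample with documentation-range addresses, and the rules are printed, not applied.

```shell
#!/bin/sh
# Constructed sample of `ip xfrm policy` output for one site-to-site SA.
# Subnets and gateway addresses are placeholders, not taken from the post.
SAMPLE_XFRM_POLICY='src 10.1.0.0/24 dst 10.2.0.0/24
	dir out priority 2083 ptype main
	tmpl src 203.0.113.1 dst 198.51.100.1
		proto esp reqid 1 mode tunnel
src 10.2.0.0/24 dst 10.1.0.0/24
	dir fwd priority 2083 ptype main
	tmpl src 198.51.100.1 dst 203.0.113.1
		proto esp reqid 1 mode tunnel
src 10.2.0.0/24 dst 10.1.0.0/24
	dir in priority 2083 ptype main
	tmpl src 198.51.100.1 dst 203.0.113.1
		proto esp reqid 1 mode tunnel'

# xfrm_to_iptables TEXT
#   Emits one iptables command per tunnel-mode policy:
#   - xfrm "in"/"fwd" policies become FORWARD rules for decrypted traffic
#     arriving from the tunnel (-m policy --dir in);
#   - xfrm "out" policies become FORWARD rules for traffic that will be
#     encrypted (-m policy --dir out) and a nat POSTROUTING exception that
#     must sit in front of any MASQUERADE rule.
#   Traffic between the same subnets that is NOT covered by an IPsec policy
#   does not match these rules, so nothing is opened in clear text.
xfrm_to_iptables() {
    printf '%s\n' "$1" | awk '
        /^src / { src = $2; dst = $4; next }          # selector line
        /^[ \t]*dir / { dir = $2; next }               # in | out | fwd
        /mode tunnel/ {
            d = (dir == "out") ? "out" : "in"
            printf "iptables -A FORWARD -s %s -d %s -m policy --dir %s --pol ipsec --mode tunnel -j ACCEPT\n", src, dst, d
            if (dir == "out")
                printf "iptables -t nat -I POSTROUTING -s %s -d %s -m policy --dir out --pol ipsec -j ACCEPT\n", src, dst
        }
    ' | awk '!seen[$0]++'   # "in" and "fwd" produce the same FORWARD rule; keep one
}

# Count of generated rules, for a quick sanity check of the parser.
rule_count() {
    xfrm_to_iptables "$1" | wc -l | tr -d ' '
}

# On a live router this would be: xfrm_to_iptables "$(ip xfrm policy)"
xfrm_to_iptables "$SAMPLE_XFRM_POLICY"
```

The generated rules need to be placed before fwbuilder's catch-all DROP in FORWARD and before its MASQUERADE rule in nat/POSTROUTING; with policy-based IPsec the decrypted packets traverse FORWARD like any other forwarded packet, but with the `policy` match set, so a rule keyed on an interface name will never see them.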