I recently tried to add a strongswan (4.5.2) ipsec (site-to-site) tunnel to our "uplink router" (debian 7.1 linux/iptables 1.4.14), but I do not understand how I could add a policy allowing NAT/routing or any kind of access to the clients behind this tunnel. Without FW-Builder rules loaded, the tunnel is up and running and routing is working, but this ipsec implementation does not create a virtual interface (like ipsec0) anymore, nor does it use regular routing entries; it uses ip xfrm policies instead.

As soon as I load ANY fwbuilder-created rules script, no packets are transported through the tunnel anymore, no matter whether Strongswan itself adds its automatic iptables rules or not. Of course ESP/AH packets are NOT blocked by the firewall (the SA can be established with "Shields up").

Any hints or ideas on how to fix this?