IPSec site2site tunnel + vpn

vn flag

In our research project, we needed to deploy a server "Molly" at another company. They made us set up a IPSec tunnel to their firewall/gateway and from there, the comms are forwarded to our server. I configured StrongSwan on our gateway machine "Dolly" and this works pretty ok. Dolly has a public address, say, and a virtual address, needed for site2site tunnel attached to the same network card "eth0". On the other side, Molly has While I'm logged on to Dolly, I can ping Molly at this address without any problem, despite the fact that the routing is not explicitly set up by StrongSwan (the subnet does not appear in the routing table)

I would like to give our team access to Molly. Dolly (our gateway) is on a big network, so I though of creating a vpn run by Dolly where the team members can connect. I configured OpenVPN with as the subnet address. OpenVPN sets on its "tap0" device, I can connect to it, and I get on my OpenVPN client's tap interface. I can ping

So, I thought that I can simply (it wasn't!) bridge eth0 and tap0 on Dolly under br0, thus all messages traversing OpenVPN network would be made available for the StrongSwan tunnel. If anybody on the OpenVPN subnetwork sent packets to, they would show up on the bridge device on Dolly and, to the best of my understanding, would be pulled into the tunnel due to iptables settings of StrongSwan.

Yet, it doesn't happen... Pinging - and anything else - from any vpn member (e.g. is not possible, it only works from Dolly ( Restarting the tunnel with the bridge already in place goes smoothly but doesn't change the situation. I tried adding a routing rule on the client computer ( saying to use as a gateway to but for some reason it rejects it ("Error: either "to" is duplicate, or "gw" is a garbage.").

I'm lost. Has anybody actually manage to achieve this sort of configuration?

Thanks in advance!


Michael Hampton avatar
cz flag
What was the command that gave the error?
vn flag
So, the "big" error is that the ping / ssh doesn't reach Molly from the vpn clients. The "small" error appeared when I tried to introduce a routing rule for the vpn clients with "ip route add via dev br0"
Michael Hampton avatar
cz flag
OK? So what was it?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.