Route traffic through IPSec tunnel with gateway host
Solution 1:
Since the connection uses a virtual IP address (leftsourceip=%config, which results in 10.10.102.235/32 as local traffic selector), you have to NAT traffic to that address, not the host's physical one you get via MASQUERADE, in order to match the IPsec policies and tunnel the traffic (-I to insert it at the top):

iptables -t nat -I POSTROUTING -j SNAT --to-source 10.10.102.235

If the virtual IP is not statically assigned (e.g. based on the client's identity) and might change, you could install/delete the SNAT rule dynamically in a custom updown script (configured via leftupdown) to which the virtual IP is passed in $PLUTO_MY_SOURCEIP.

As you originally said that this is to be a split-tunneling setup (which the remote traffic selector of 0.0.0.0/0 does not actually reflect), you could also add e.g. -d 10.10.0.0/16 to the SNAT rule to only process packets to that subnet; other traffic would not get natted and tunneled (you can keep the MASQUERADE rule for that traffic). This could also be enforced via IPsec policy (rightsubnet=10.10.0.0/16), which you then get in $PLUTO_PEER_CLIENT in the updown script.
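The updown script the answer describes, as an added example that is not part of the original answer: it installs the SNAT rule for the virtual IP when strongSwan brings the CHILD_SA up and removes the identical rule when it goes down, restricting the NAT to the negotiated remote traffic selector. The environment variables PLUTO_VERB, PLUTO_MY_SOURCEIP and PLUTO_PEER_CLIENT are the ones strongSwan exports to updown scripts; the install path in the comment and the IPTABLES override variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the original answer's code): minimal strongSwan updown
# script that NATs tunneled traffic to the virtual IP the gateway assigned us.
# Assumed install location: leftupdown=/usr/local/libexec/ipsec/snat-updown
# Set IPTABLES=echo to dry-run the generated rules without root.

# Print the iptables arguments for the SNAT rule.
#   $1: -I (insert at the top, ahead of an existing MASQUERADE rule) or -D (delete)
#   $2: virtual IP from PLUTO_MY_SOURCEIP
#   $3: remote traffic selector from PLUTO_PEER_CLIENT; empty NATs all traffic,
#       and with rightsubnet=0.0.0.0/0 it is 0.0.0.0/0, which matches everything
snat_args() {
    action="$1"; vip="$2"; peer="$3"
    if [ -n "$peer" ]; then
        printf '%s' "-t nat $action POSTROUTING -d $peer -j SNAT --to-source $vip"
    else
        printf '%s' "-t nat $action POSTROUTING -j SNAT --to-source $vip"
    fi
}

# Map PLUTO_VERB to an iptables action and run it. Building the -D line with
# the same function guarantees it matches the rule -I created earlier, which
# iptables requires for a delete to succeed.
updown() {
    verb="$1"; vip="$2"; peer="$3"
    case "$verb" in
        up-client)   action=-I ;;
        down-client) action=-D ;;
        *)           return 0 ;;   # up-host, down-host, ...: nothing to NAT
    esac
    if [ -z "$vip" ]; then
        echo "snat-updown: PLUTO_MY_SOURCEIP is unset, no virtual IP to NAT to" >&2
        return 1
    fi
    # shellcheck disable=SC2086  # intentional word splitting of the argument list
    "${IPTABLES:-iptables}" $(snat_args "$action" "$vip" "$peer")
}

# Entry point when charon invokes the script; a plain ./snat-updown does nothing.
if [ -n "${PLUTO_VERB:-}" ]; then
    updown "$PLUTO_VERB" "${PLUTO_MY_SOURCEIP:-}" "${PLUTO_PEER_CLIENT:-}"
fi
```

With rightsubnet=10.10.0.0/16 the generated rule is the -d-restricted one from the answer, so traffic to other destinations falls through to the existing MASQUERADE rule; if the virtual IP is ever absent the script refuses to install a rule rather than silently NATing to the wrong address.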