linux – How to configure the StrongSwan VPN server as a router

I have a StrongSwan VPN server running Ubuntu 16.04.5 LTS. The public IP is 51.x.x.x. The site-to-site configuration between my StrongSwan VPN server and the other VPN server, which is a Cisco ASA firewall with a public IP, is working properly.

Once the tunnel is up, I can ping and telnet to the private server behind the Cisco ASA firewall. The server is not reachable from the open Internet, only through the VPN tunnel. Note that the IP address is a public IP address.

I've configured this StrongSwan VPN server to act as a bridge between my private network and the Cisco ASA firewall (my StrongSwan VPN server's private IP is ). That is, I want to be able to ping or telnet in from , via the StrongSwan VPN server acting as a router.

My VPN server has two NICs: ens18, which carries the public IP address, and ens19, which carries the private IP address.

I've defined two zones on my VPN server: public and internal. I've assigned the public interface to the public zone and the private interface to the internal zone.

I ran this command for packet forwarding, but I do not see any effect from it:

sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o ens18 -j MASQUERADE -s -d

When I try to ping, it fails: 100% packet loss.

Here are my configurations on the Strongswan VPN server:

sore@ubuntu-vpnserver:~$ sudo firewall-cmd --list-all --zone=public
[sudo] password for sore:
public (default, active)
  interfaces: ens18
  sources:
  services: dhcpv6-client ssh ipsec
  ports: 4500/udp 500/udp
  protocols:
  masquerade: yes
  forward-ports: port=4500:proto=udp:toport=443:toaddr=
        port=500:proto=udp:toport=443:toaddr=
        port=4500:proto=udp:toport=443:toaddr=
        port=500:proto=udp:toport=443:toaddr=
  icmp-blocks:
  rich rules:
        rule protocol value="ah" accept
        rule protocol value="esp" accept

Here is my /etc/network/interfaces file:

auto ens18
iface ens18 inet static
    address
    netmask
    broadcast
    post-up route add 54.36.12x.x dev ens18
    post-up route add default gw 54.36.12x.x
    pre-down route del 54.36.12x.x dev ens18
    pre-down route del default gw 56.36.12x.x
    dns-nameservers 213.186.xx

auto ens19
iface ens19 inet static
    address
    netmask
    gateway
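Added example (my own illustration, not code from the question above, from strongSwan or from Cisco): the script below models the decision a policy-based IPsec gateway on Linux makes for a packet arriving from the LAN side. A forwarded packet is only sent inside ESP when its source/destination pair matches a negotiated traffic selector (leftsubnet/rightsubnet in ipsec.conf, the crypto-map ACL on the ASA). A tunnel that was negotiated with only the gateway's own address as the local selector explains the symptom in the question: pinging from the gateway works, pinging from a LAN host does not, because the LAN source matches no policy and the packet leaves ens18 in the clear. The model also shows the two ways out, widening the selectors on both peers or SNATing LAN traffic to an address the selectors already cover, and why the latter works (Linux repeats the xfrm policy lookup after POSTROUTING NAT rewrites the source). All addresses, subnets and the `Gateway`/`TrafficSelector` names are constructed placeholders, since the question elides its own.

```python
"""Model of the forwarding decision on a policy-based IPsec gateway (strongSwan on Linux).

Added illustration, not code from the question or from strongSwan. All addresses are
constructed placeholders because the question elides its own:
  LAN behind ens19 ........ 192.168.10.0/24
  strongSwan public IP .... 203.0.113.10   (stands in for 51.x.x.x)
  subnet behind the ASA ... 198.51.100.0/24
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TrafficSelector:
    """One negotiated CHILD_SA selector pair: leftsubnet/rightsubnet in ipsec.conf,
    the crypto-map ACL on the Cisco ASA side. Only matching packets get ESP."""
    local: IPv4Network
    remote: IPv4Network

    def covers(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.local and dst in self.remote


@dataclass(frozen=True)
class Gateway:
    lan: IPv4Network                        # network behind the private NIC (ens19)
    public_ip: IPv4Address                  # primary address of the public NIC (ens18)
    selectors: Tuple[TrafficSelector, ...]  # what the tunnel actually protects
    ip_forward: bool = True                 # net.ipv4.ip_forward
    # Source address applied by a POSTROUTING SNAT/MASQUERADE rule to LAN->remote
    # traffic, if such a rule is active. MASQUERADE on ens18 means public_ip.
    snat_to: Optional[IPv4Address] = None


def forward(gw: Gateway, src: str, dst: str) -> str:
    """Return the fate of a packet arriving on the LAN side of the gateway."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    if not gw.ip_forward:
        return "drop: net.ipv4.ip_forward=0, the gateway does not route at all"
    if src_ip not in gw.lan:
        return "drop: source is not in the LAN behind ens19"
    # 1. xfrm policy lookup on the packet as received from the LAN.
    if any(ts.covers(src_ip, dst_ip) for ts in gw.selectors):
        return f"tunnel: {src_ip}->{dst_ip} matches a selector, sent inside ESP"
    # 2. Linux repeats the xfrm lookup after POSTROUTING NAT rewrote the source,
    #    so SNAT to an address the selectors cover moves the packet into the tunnel.
    if gw.snat_to is not None and any(ts.covers(gw.snat_to, dst_ip) for ts in gw.selectors):
        return f"tunnel: {src_ip}->{dst_ip} SNATed to {gw.snat_to}, sent inside ESP"
    return (f"clear: {src_ip}->{dst_ip} matches no IPsec policy and leaves on ens18 "
            f"unprotected via the default route; the peer never treats it as VPN traffic")


def diagnose(gw: Gateway, src: str, dst: str) -> List[str]:
    """List the configuration changes that would put the packet into the tunnel."""
    if forward(gw, src, dst).startswith("tunnel"):
        return []
    fixes = []
    if not gw.ip_forward:
        fixes.append("enable net.ipv4.ip_forward=1 and permit the LAN->tunnel traffic in FORWARD")
    dst_ip = ip_address(dst)
    matching = [ts for ts in gw.selectors if dst_ip in ts.remote]
    if not matching:
        fixes.append(f"no selector covers {dst_ip}: rightsubnet / the ASA crypto ACL must include it")
        return fixes
    fixes.append(f"widen leftsubnet and the ASA crypto ACL to include {gw.lan}")
    if gw.snat_to is None and any(gw.public_ip in ts.local for ts in matching):
        fixes.append(f"or SNAT/MASQUERADE {gw.lan} -> {matching[0].remote} to {gw.public_ip}, "
                     "which a selector already covers, and reload firewalld so a --permanent rule is active")
    return fixes


# Constructed scenario: the tunnel was negotiated host-to-subnet, so only the
# gateway's own public address is covered, which is why pinging from the
# gateway works while pinging from a LAN host does not.
LAN = ip_network("192.168.10.0/24")
PUBLIC_IP = ip_address("203.0.113.10")
REMOTE = ip_network("198.51.100.0/24")
HOST_ONLY = (TrafficSelector(ip_network("203.0.113.10/32"), REMOTE),)

GW_NO_NAT = Gateway(LAN, PUBLIC_IP, HOST_ONLY)
GW_MASQ = Gateway(LAN, PUBLIC_IP, HOST_ONLY, snat_to=PUBLIC_IP)
GW_WIDE = Gateway(LAN, PUBLIC_IP, (TrafficSelector(LAN, REMOTE),))

if __name__ == "__main__":
    for name, gw in (("no NAT", GW_NO_NAT), ("MASQUERADE", GW_MASQ), ("wide selector", GW_WIDE)):
        print(f"{name:14} {forward(gw, '192.168.10.5', '198.51.100.20')}")
        for fix in diagnose(gw, "192.168.10.5", "198.51.100.20"):
            print(f"{'':14}   fix: {fix}")
```

Two points the model makes explicit for anyone checking a setup like the one in the question: a rule added with `firewall-cmd --permanent` is not active until `firewall-cmd --reload` (or the same command repeated without `--permanent`), and `sysctl net.ipv4.ip_forward` must be 1 before any NAT rule matters, because without it the gateway never forwards LAN packets at all. Whichever route is chosen, the ASA side must agree: its crypto ACL has to cover either the LAN subnet (wide selector) or the address the gateway SNATs to.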