Route a WAN IP over the tunnel
Is there a way to route a specific IP over the tunnel, so that the other end can access this IP via the WAN connection of the local box?
E.g. connecting to 18.104.22.168 via the IP of the remote tunnel wan.
I tried to add another phase 2 but this does not seem to work.
Do you have an idea?
It should be fairly simple, much like you said, adding a Phase 2 to both sides should be the heavy lifting part. Beyond that you need firewall rules on the IPsec interface and depending on the outbound NAT settings on the firewall the traffic will exit, it may need some adjustment to its rules.
The ipsec firewall tab is set to allow everything through the tunnel (a rule with a lot of wildcards).
The outbound NAT is set to automatic - ipsec included.
Still, it does not work.
On the overview page, it shows a red arrow pointing downwards where the second tunnel is. It looks like the tunnel is not up but. When looking at the logs, I don't see anything related to the second tunnel.
If the Phase 2 is down that means that either it can't negotiate (mismatch settings, perhaps) which would show in the IPsec log, or that no traffic attempted to use the tunnel for that.
On the side where the traffic originates, make sure the traffic isn't hitting a firewall rule on the LAN or other internal interface which has a gateway set.
After disabling and enabling the phase 2 on one end, the tunnel came up.
It was not possible to ping through the tunnel but it looks like the routing works.
I then checked the ipsec firewall rules but they were OK (IPv4 * * * * * * none). I also added such rules on the LAN interface on both ends.
Still, the IP is not pingable.
After adding an outbound NAT rule and switching to hybrid mode, I can finally reach through the tunnel.
Adding a third phase 2 shows the red arrow again on this phase 2. Re-enabling it does not help, even after a few times.
The ipsec log shows the phase 2 as if it was connected:
charon: 10[CFG] received stroke: add connection 'con1002'
Jul 7 22:29:48 charon: 10[CFG] added child to existing configuration 'con1000'
Jul 7 22:29:48 charon: 07[CFG] received stroke: route 'con1002'
Jul 7 22:29:48 ipsec_starter: 'con1002' routed
But the red arrow on the status page stays and the tunnel is not connected in fact.
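The setup that ended up working earlier in the thread (an extra Phase 2 on both sides whose selector is the single WAN host, plus a manual outbound NAT rule on the box that provides the WAN path), written out as an added example in strongSwan ipsec.conf and pf syntax instead of the pfSense GUI. This is not from the thread; the WAN addresses, the LAN subnets, the interface names and the pass rule are constructed assumptions, and only 18.104.22.168 comes from the thread.

```conf
# Box A: the "local box" whose WAN connection should be used to reach 18.104.22.168.
# Addresses are constructed (RFC 5737 ranges) except 18.104.22.168, which is the host from the thread.
# /usr/local/etc/ipsec.conf (stroke-style strongSwan config, matching the charon log above)
conn con1000
    left=203.0.113.10            # Box A WAN address (assumed)
    right=198.51.100.20          # Box B WAN address (assumed)
    leftsubnet=10.0.0.0/24       # Box A LAN (assumed)
    rightsubnet=10.1.0.0/24      # Box B LAN (assumed)
    keyexchange=ikev2
    authby=secret
    auto=route                   # trap policy: the child SA is negotiated on the first matching packet

# The extra Phase 2 (child SA). Box B's LAN may reach the single WAN host through
# Box A, so the local selector is the host /32 rather than one of Box A's subnets.
conn con1002
    also=con1000                 # inherit everything from con1000, override the selectors
    leftsubnet=18.104.22.168/32
    rightsubnet=10.1.0.0/24
    auto=route

# Box B mirrors this with left/right and the selectors swapped:
#   leftsubnet=10.1.0.0/24  rightsubnet=18.104.22.168/32

# /etc/pf.conf fragment on Box A: the equivalent of the manual (hybrid-mode) outbound
# NAT rule. Packets that arrive through the tunnel with a 10.1.0.0/24 source and leave
# on Box A's WAN toward the host are rewritten to Box A's WAN address; without this the
# host would see a private source address it cannot reply to, which is why the ping
# failed even though the Phase 2 was up and the IPsec rules allowed everything.
wan_if = "em0"                   # assumed WAN interface name
nat on $wan_if from 10.1.0.0/24 to 18.104.22.168/32 -> ($wan_if)

# Pass rule on the IPsec interface (enc0 on pfSense), narrowed to the host in question
# rather than the thread's allow-everything rule.
pass in quick on enc0 proto { tcp udp icmp } from 10.1.0.0/24 to 18.104.22.168
```

The NAT rule must be placed before any automatic outbound NAT entry that would otherwise match, which is what pfSense's hybrid mode does for manually added rules.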