README.md

@@ -93,6 +93,13 @@ ping 10.1.1.11
 # ✅ Tests project-project routing via SNA transfer network
 ```
 
+### 💻 From appliance02 (on-prem) to machine02 (cloud internal)
+
+```bash
+ping 10.1.2.11
+# ✅ Tests project-project routing via SNA transfer network
+```
+
 ### ❌ From machine01 (cloud) to appliance02 (VPN-disconnected)
 
 If you remove the static route that directs 192.168.1.0/24 through appliance01:

cloud-init.yaml

@@ -40,18 +40,5 @@ runcmd:
   - sed -i '/^#\?net.ipv4.ip_forward\s*=/c\net.ipv4.ip_forward=1' /etc/sysctl.conf
   - sysctl -p
 
-  # Set up iptables rules
-  # - iptables -t nat -A POSTROUTING -s ${local_subnet} -d ${remote_subnet} -j ACCEPT
-  # - iptables -t nat -A POSTROUTING -s ${remote_subnet} -d ${local_subnet} -j ACCEPT
-  # - iptables -t nat -A POSTROUTING -s ${local_subnet} ! -d ${local_subnet} -j MASQUERADE
-
-  # Accept IPsec traffic
-  # - iptables -A INPUT -p udp --dport 500 -j ACCEPT
-  # - iptables -A INPUT -p udp --dport 4500 -j ACCEPT
-  # - iptables -A INPUT -p esp -j ACCEPT
-  # - iptables -A FORWARD -s ${local_subnet} -d ${remote_subnet} -m policy --pol ipsec --dir out -j ACCEPT
-  # - iptables -A FORWARD -s ${remote_subnet} -d ${local_subnet} -m policy --pol ipsec --dir in -j ACCEPT
-
-  # Enable and start strongSwan
-  # - systemctl enable strongswan-starter
-  # - systemctl start strongswan-starter
+  - ipsec start
+  - ipsec up net-net