Comment 8 for bug 1727578

zhaobo (zhaobo6) wrote :

Hi, YAMAMOTO. I answer below:

* what's 10.0.0.33?
10.0.0.33 is the VM NIC IP address. This VM is in the 10.0.0.0/24 subnet, and it got an IP from this subnet.

* in your diagram, you mean 10.20.0.0/24 is behind the vpn peer?
Yeah, 10.20.0.0/24 is located on the internal company network env; it is the destination (the internal subnet) which the VM wants to access through the VPN.

* how does the router 10.0.0.3 reach its vpn peer?
We could do it the way a general VPN does: set up VPN services (openswan/strongswan) through the gateway port (qg-XXX) to encapsulate traffic so that both sites are reachable.

* in your approach #1, which router interface are you talking about? 10.0.0.3?
Yes. If users do not allow us to inject the route into the VM, we can do it in the default router on which 10.0.0.1 is located. Then we can add another route like "10.20.0.0/24 via 10.0.0.3" to forward the traffic that wants to reach the VPN site to the other router, which is running the VPN services (the router on which 10.0.0.3 is located).

* in your approach #2, you mean qg-XXX of the router 10.0.0.3? from the diagram it isn't clear to me how the gateway port is set up.
No, they are different; the diagram just shows #1. Sorry for confusing you. #2 describes how to change the default behavior of the router. There is only one router (the one 10.0.0.1 is located on) in this case. The proposal is to add some "tc" rules in the router namespace.

Thanks
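The following is an added example, not part of the bug thread and not Neutron's own code, showing approach #1 from the comment above: injecting "10.20.0.0/24 via 10.0.0.3" into the default router so VPN-bound traffic is handed to the second router that runs strongswan/openswan. It assumes the L3 agent's `qrouter-<uuid>` namespace naming and the `openstack router set --route destination=...,gateway=...` command; the router UUID is a constructed placeholder. Before emitting the commands it checks that the next hop (10.0.0.3) is actually on the router interface's subnet (10.0.0.1/24), since a static route with an off-link gateway is rejected by the kernel and silently does nothing for the VM.

```shell
#!/bin/sh
# Added example (not from the bug thread): approach #1, an extra route in the
# default router pointing the VPN-site prefix at the VPN router.
# Assumptions not stated on the page: qrouter-<uuid> namespace naming used by
# the Neutron L3 agent, and the OSC "router set --route" syntax.

# ip2int DOTTED-QUAD -> 32-bit integer
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP CIDR -> prints "yes" or "no".
# CIDR may be a network (10.0.0.0/24) or an interface address (10.0.0.1/24).
# A static route's next hop must be on-link; otherwise "ip route add" fails
# with "Nexthop has invalid gateway" and the VM traffic is never redirected.
in_subnet() {
  local ip=$1 cidr=$2 net mask m
  net=${cidr%/*}
  mask=${cidr#*/}
  m=$(( (0xffffffff << (32 - mask)) & 0xffffffff ))
  if [ $(( $(ip2int "$ip") & m )) -eq $(( $(ip2int "$net") & m )) ]; then
    echo yes
  else
    echo no
  fi
}

# route_cmds ROUTER_UUID ROUTER_IF_CIDR DEST GATEWAY
# Prints the commands to apply and verify the extra route; returns 1 (and
# prints nothing) when GATEWAY is not on the router's interface subnet.
route_cmds() {
  local uuid=$1 ifcidr=$2 dest=$3 gw=$4
  if [ "$(in_subnet "$gw" "$ifcidr")" != yes ]; then
    echo "refusing: gateway $gw is not on-link for $ifcidr" >&2
    return 1
  fi
  # API-level, persistent form: survives L3 agent restarts and rescheduling.
  echo "openstack router set --route destination=$dest,gateway=$gw $uuid"
  # What the L3 agent programs inside the router namespace.
  echo "ip netns exec qrouter-$uuid ip route replace $dest via $gw"
  # Verification from inside the namespace.
  echo "ip netns exec qrouter-$uuid ip route show $dest"
}

# Constructed sample values from the thread's diagram; the UUID is hypothetical.
route_cmds 0f1e2d3c-aaaa-bbbb-cccc-111122223333 10.0.0.1/24 10.20.0.0/24 10.0.0.3
```

The script only prints the commands; on the network node you would run the printed `openstack router set` line (the netns lines are what the agent then does, and are useful for confirming the route landed). Note that the reverse path matters too: the VPN router at 10.0.0.3 must know how to return traffic for 10.0.0.0/24, which in this layout it does because that subnet is directly attached to it.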