--- Begin Message ---
On 27/11/2020 19:14, Philip Prindeville wrote:
> Hi,
>
> I’m working on a PR to add X.509 certificates to Strongswan for
> authentication and that all seems to be working fine:
>
> https://github.com/openwrt/packages/pull/14028
>
> But I can’t figure out why my traffic isn’t being passed, even though the
> tunnel comes up:
>
> *snipped*

Hi

See https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling

Also: https://en.wikipedia.org/wiki/Netfilter#/media/File:Netfilter-packet-flow.svg

xfrm lookup happens after the first round of postrouting NAT, thus you need
something to accept the frames before they are NATed.

This should be taken care of by your

config zone
        option name vpn
        option input ACCEPT
        option output ACCEPT
        option forward ACCEPT
        option subnet '192.168.1.0/24'
        option extra_src '-m policy --dir in --pol ipsec --proto esp'
        option extra_dest '-m policy --dir out --pol ipsec --proto esp'
        option mtu_fix 1

Can you show the output of iptables -t nat -nvL

Another thing I could think of is that your routing table entries are
missing. Usually strongswan would take care to set this up, but if you have
charon.install_routes = no that would mean you have to manually take care to
set the routes up.

What does your ip rule and ip route show table 220 show?

Table 220 is the "default" for ipsec, but may be another value depending on
configuration.

BR
Matthias
--- End Message ---
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
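
The two checks asked for in the reply above (NAT rule ordering and the table 220 policy rule) can be scripted. This is an added example, not part of the original message or of strongSwan/OpenWrt; the function names and all sample listings are constructed, and the chain to inspect is assumed to be whichever nat chain holds your MASQUERADE/SNAT rule.

```shell
#!/bin/sh
# check_nat_order: reads `iptables -t nat -S <chain>` output on stdin.
# Succeeds when IPsec-bound packets cannot be NATed before the xfrm lookup,
# i.e. an "-m policy --dir out --pol ipsec" ACCEPT/RETURN rule precedes the
# first MASQUERADE/SNAT rule. NAT rules limited to "--pol none" are ignored.
check_nat_order() {
    awk '
        /^-A / {
            n++
            ipsec = ($0 ~ /-m policy/ && $0 ~ /--dir out/ && $0 ~ /--pol ipsec/)
            if (!exempt && ipsec && $0 ~ /-j (ACCEPT|RETURN)( |$)/) exempt = n
            if (!nat && $0 !~ /--pol none/ && $0 ~ /-j (MASQUERADE|SNAT)( |$)/) nat = n
        }
        END {
            if (!nat) { print "ok: no NAT rule in chain"; exit 0 }
            if (exempt && exempt < nat) {
                print "ok: exemption at rule " exempt " precedes NAT at rule " nat
                exit 0
            }
            print "bad: NAT at rule " nat " is reached before any IPsec exemption"
            exit 1
        }'
}

# has_table_rule TABLE: reads `ip rule` output on stdin; succeeds if a
# policy-routing rule sends lookups to TABLE (220 by default for strongSwan).
has_table_rule() {
    grep -Eq "lookup $1( |\$)"
}

# Constructed sample listings (not captured from a real router).
SAMPLE_GOOD='-P POSTROUTING ACCEPT
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'
SAMPLE_BAD='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT'
SAMPLE_RULES='0: from all lookup local
220: from all lookup 220
32766: from all lookup main'

for s in "$SAMPLE_GOOD" "$SAMPLE_BAD"; do
    printf '%s\n' "$s" | check_nat_order || true
done
printf '%s\n' "$SAMPLE_RULES" | has_table_rule 220 && echo "ok: ip rule references table 220"
```

On a live system, pipe `iptables -t nat -S <chain>` into `check_nat_order` and `ip rule` into `has_table_rule 220`.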