Hi there,
I'm experimenting with Strongswan and have hit a problem.
I have a setup working using IKEv2, x509 certs, and virtual IP pool.
However, internet traffic is being routed back out the VPN gateway external
interface. I'd like to route the traffic out of a dedicated proxy server
instead.
to troubleshoot the
configuration.
Could you prompt any solution?
Regards,
Serge
- Original Message -
From: s s
Sent: 12/08/13 10:19 PM
To: andreas.stef...@strongswan.org
Subject: strongswan-5.1.1 build
Hello Andreas,
I was trying to build strongswan-5.1.1 rpm package on Centos 5.3
of the ideas what could be done and how to troubleshoot the
configuration.
Could you prompt any solution?
Regards,
Serge
- Original Message -
From: s s
Sent: 12/08/13 10:19 PM
To: andreas.stef...@strongswan.org
Subject: strongswan-5.1.1 build
Hello Andreas,
I was trying to build strongswan-5.1.1 rpm package on Centos 5.3 distribution.
I am stuck with the Make error
make
Hi,
But out of the 2 tunnels only 1 is reachable. The other one doesn't ping.
Does that tunnel work if you don't establish the other one?
No, it doesn't.
Besides, once the 192.168.3.0/24 host is behind the NAT'ed gateway, neither of
the tunnels work.
Also, I'd try to disable IPComp for
Message -
From: Noel Kuntze
Sent: 12/29/13 11:25 PM
To: s s, users@lists.strongswan.org
Subject: Re: [strongSwan] strongswan-5.1.1 with 4.xx, tunnel pb
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Hello,
What is the configuration of the other side and what is in the log
with the NAT router.
you should try to fix the router.
There is no possibility to do that.
Looking forward to your thoughts and wish you a Happy New Year!
Regards,
Serge
- Original Message -
From: Volker Rümelin
Sent: 12/31/13 12:03 AM
To: s s, users@lists.strongswan.org
Subject: Re
owner
000 #2: karmaIKE2 esp.c51580dd@192.168.4.10 (756 bytes, 7s ago)
esp.7789acc8@10.0.2.15 (0 bytes); tunnel
000 #1: karmaIKE2 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in
9416s; newest ISAKMP
- Original Message -
From: Noel Kuntze
Sent: 01/05/14 10:55 PM
To: s s
Hello Volker,
Thanks for your attention to the current pb.
sorry, but I doubt this solved your fragmentation problem. To be sure I
suggest you once again initiate a ikev2 connection and capture the
packets with tcpdump on both sides at the same time. Something like
I attach the complete log
restricts the packet size either as the network
connection is over the local ethernet (for the testbed configuration and
troubleshooting).
Regards,
Serge
- Original Message -
From: Volker Rümelin
Sent: 01/08/14 02:22 AM
To: s s
Subject: Re: [strongSwan] strongswan-5.1.1 with 4.xx, tunnel
supports fragmentation for IKEv1.
Why IKEv1 only supports fragmentation and not IKEv2?
Thanks again,
Serge
- Original Message -
From: Volker Rümelin
Sent: 01/08/14 02:22 AM
To: s s
Subject: Re: [strongSwan] strongswan-5.1.1 with 4.xx, tunnel pb
Hello Serge,
tcpdump shows you
/11/14 05:26 PM
To: s s
Subject: Re: [strongSwan] strongswan-5.1.1 with 4.xx, tunnel pb
Hello Serge,
Hello Volker,
My yesterday's conclusions regarding the networks MTU shortcomings were
probably wrong.
right, both your hosts work just fine.
I've looked into the MTU's issues
Hello Volker,
We have an ongoing routing problem since the attempt to migrate from
strongswan-4.x.x to strongswan-5.1.x
The current network segments infrastructure is as follows:
192.168.169.0 / 24 (frqx)
|| ||
|| ||
||
/strongswan.conf
charon {
# ...
dns1 = 192.168.0.100
nbns1 = 192.168.0.100
}
Is anything else necessary to be checked or enabled?
Thanks again,
Serge
- Original Message -
From: Volker Rümelin
Sent: 01/19/14 06:20 PM
To: s s
Subject: Re: [strongSwan] strongswan-5.1.x, tunnel
src 0.0.0.0/0 ?
Rgds,
Serge
- Original Message -
From: Volker Rümelin
Sent: 01/20/14 09:03 PM
To: s s
Subject: Re: [strongSwan] strongswan-5.1.x, NATed routing pb
Hello Serge,
conn academ.certs.locally.stored
leftsubnet=192.168.169.0/24
leftsendcert = never
right=%any
Hello Volker,
I've received the output from the remote host for the xfrm policy
[root@academ ~]# ip xfrm policy
src 192.168.169.0/24 dst 192.168.3.0/24
dir in priority 1859
tmpl src xx.xx.230.112 dst 172.31.253.35
proto esp reqid 1 mode tunnel
src 192.168.169.0/24
: Volker Rümelin
Sent: 01/21/14 10:55 PM
To: s s
Subject: Re: [strongSwan] strongswan-5.1.x, NATed routing pb
Hello Serge,
please look again at the three policies.
[root@frqx ~]# ip xfrm policy
src 192.168.3.0/24 dst 192.168.169.0/24
dir in priority 1859
tmpl src xx.xx.210.3 dst
Hello,
We have finally resolved the missing frw policy issue for the
Linux strongSwan U5.1.1/K2.6.18-371.11.1.el5 behind the non-administered
NAT.
Now the site-site tunnel routes transparently to our satisfaction.
In the effort to improve the behind the NAT configuration and decrease
the