Hi,

That worked, thanks a bunch Nick!

Next up: the cisco w. sourcenat,

rgds, Frank.

> On 10 May 2016, at 20:30, Nick Howitt <[email protected]> wrote:
>
> Try:
> iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
> Nick
>
>
> On 10/05/2016 19:25, Frank wrote:
>> Hi,
>>
>> The ping still gives the same:
>> ping -I 192.168.1.2 192.168.211.2
>> PING 192.168.211.2 (192.168.211.2) from 192.168.1.2 : 56(84) bytes of data.
>> From xxx.xxx.39.68 icmp_seq=1 Destination Host Unreachable
>> From xxx.xxx.39.68 icmp_seq=2 Destination Host Unreachable
>> From xxx.xxx.39.68 icmp_seq=3 Destination Host Unreachable
>> From xxx.xxx.39.68 icmp_seq=4 Destination Host Unreachable
>>
>>
>> iptables rules (simplified for now):
>>
>> iptables -L -n -v
>> Chain INPUT (policy ACCEPT 84987 packets, 4996K bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>    62  2988 DROP       tcp  --  eth4   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
>>     0     0 DROP       tcp  --  eth4   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2200
>>
>> Chain FORWARD (policy ACCEPT 576K packets, 34M bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>> 2331K  270M ACCEPT     all  --  eth1   eth2    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>> 2044K  127M ACCEPT     all  --  eth2   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>>   154 12936 ACCEPT     all  --  eth4   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>>     0     0 ACCEPT     all  --  eth4   eth2    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>>   720 60480 ACCEPT     all  --  eth1   eth4    0.0.0.0/0            0.0.0.0/0
>>   247 12844 ACCEPT     all  --  eth2   eth4    0.0.0.0/0            0.0.0.0/0
>>
>> Chain OUTPUT (policy ACCEPT 143K packets, 8682K bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>
>>
>> iptables -t nat -L -n -v
>> Chain PREROUTING (policy ACCEPT 576K packets, 35M bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>
>> Chain INPUT (policy ACCEPT 1744 packets, 310K bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>
>> Chain OUTPUT (policy ACCEPT 44171 packets, 2325K bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>
>> Chain POSTROUTING (policy ACCEPT 616K packets, 37M bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>    54  3843 MASQUERADE all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
>>   690 56556 MASQUERADE all  --  *      eth4    0.0.0.0/0            0.0.0.0/0
>>
>>
>> arp -an:
>> ? (zzz.zzz.13.34) at <incomplete> on eth4
>> ? (192.168.211.12) at <incomplete> on eth4
>> ? (192.168.2.12) at 02:00:6b:17:00:01 [ether] on eth2
>> ? (192.168.211.2) at <incomplete> on eth4
>> ? (192.168.1.12) at 02:00:0b:60:00:01 [ether] on eth1
>> ? (xxx.xxx.39.78) at 00:00:5e:00:01:37 [ether] on eth4
>> ? (xxx.xxx.39.76) at 00:1d:b5:2f:19:9f [ether] on eth4
>>
>> tcpdump -v -n -i eth4 not port 22 | grep -v VRRP :
>> tcpdump: listening on eth4, link-type EN10MB (Ethernet), capture size 65535 bytes
>> 20:17:05.232826 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has xxx.xxx.39.74 tell xxx.xxx.39.76, length 46
>> 20:17:05.925432 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has xxx.xxx.39.74 tell xxx.xxx.39.76, length 46
>> 20:17:06.204021 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.211.2 tell xxx.xxx.39.68, length 28
>> 20:17:06.825248 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has xxx.xxx.39.74 tell xxx.xxx.39.76, length 46
>> 20:17:07.204218 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.211.2 tell xxx.xxx.39.68, length 28
>>
>>
>> Rgds,
>>
>> Frank.
>>
>>
>>
>>> On 10 May 2016, at 17:45, Paul Wouters <[email protected]> wrote:
>>>
>>> On Tue, 10 May 2016, Frank wrote:
>>>
>>>> I'm trying to set up an ipsec connection from a recent centos7 box to a
>>>> pfSense with strongSwan (charon), as a test before connecting to a remote
>>>> ciscoASA.
>>>> SA's seem up.
>>>>
>>>> I can't get traffic to the other side (host on 192.168.211.2 or .12):
>>>>
>>>> 192.168.1.0/24===xxx.xxx.39.68<xxx.xxx.39.68>...yyy.yyy.13.34<yyy.yyy.13.34>===192.168.211.0/24
>>>> ping 192.168.211.2
>>>> PING 192.168.211.2 (192.168.211.2) 56(84) bytes of data.
>>>> From xxx.xxx.39.68 icmp_seq=1 Destination Host Unreachable
>>> Oddly this used your public ip as source, instead of the one you
>>> specified with leftsourceip=192.168.1.2
>>>
>>> does ping -I 192.168.1.2 192.168.211.2 work?
>>>
>>>> ip route:
>>>> default via xxx.xxx.39.78 dev eth4
>>>> 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.2
>>>> 192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.2
>>>> 192.168.3.0/24 dev eth3 proto kernel scope link src 192.168.3.2
>>>> 192.168.211.0/24 dev eth4 scope link src 192.168.1.2
>>> It's there, so why is ping using the wrong source ip?
>>>
>>> Paul
>> _______________________________________________
>> Swan mailing list
>> [email protected]
>> https://lists.libreswan.org/mailman/listinfo/swan
>
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
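The rule Nick suggested works because packets that are about to be IPsec-protected pass through the nat POSTROUTING chain before they enter the tunnel: a MASQUERADE rule on the WAN interface that is reached first rewrites the inner source address to the public IP, which then no longer matches the tunnel's traffic selector (hence the pings from xxx.xxx.39.68 and the ARP requests for 192.168.211.2 on eth4). The check below is an added example, not code from the thread or from libreswan: it parses the text of `iptables -t nat -L -n -v` and reports MASQUERADE/SNAT rules that precede an ACCEPT matching `policy --dir out --pol ipsec`. The two listings are constructed from Frank's POSTROUTING chain, before and after the exemption rule; the "policy match dir out pol ipsec" column text is assumed to be how the policy match extension lists itself, and the counters on the added line are made up.

```python
"""Audit a nat POSTROUTING listing for source NAT that hits IPsec-bound packets.

Added example (not part of the mailing-list thread). Parses the plain-text
output of `iptables -t nat -L -n -v` and flags any MASQUERADE/SNAT rule that is
evaluated before an ACCEPT carrying `policy --dir out --pol ipsec`.
"""
from dataclasses import dataclass

NAT_TARGETS = {"MASQUERADE", "SNAT", "NETMAP"}


@dataclass
class NatRule:
    position: int   # 1-based position inside the chain (what --line-numbers would show)
    target: str
    out_if: str     # "*" means any outgoing interface
    extra: str      # match text after the destination column, e.g. "policy match dir out pol ipsec"


def parse_postrouting(listing: str) -> list[NatRule]:
    """Return the rules of the POSTROUTING chain, in evaluation order."""
    rules: list[NatRule] = []
    in_chain, pos = False, 0
    for raw in listing.splitlines():
        line = raw.strip()
        if line.startswith("Chain "):
            in_chain = line.startswith("Chain POSTROUTING")
            continue
        if not in_chain or not line or line.startswith("pkts"):
            continue  # other chains, blank lines and the column header
        # -v columns: pkts bytes target prot opt in out source destination [match text]
        fields = line.split(None, 9)
        if len(fields) < 9:
            continue  # not a rule line
        pos += 1
        rules.append(NatRule(pos, fields[2], fields[6], fields[9] if len(fields) > 9 else ""))
    return rules


def is_ipsec_exemption(rule: NatRule) -> bool:
    """ACCEPT with the policy match for outbound IPsec, i.e. Nick's rule."""
    return rule.target == "ACCEPT" and "pol ipsec" in rule.extra and "dir out" in rule.extra


def audit_postrouting(listing: str) -> list[str]:
    """One finding per source-NAT rule that IPsec-bound traffic can still reach."""
    exempted: set[str] = set()   # out interfaces ("*" = all) already covered by an exemption
    findings: list[str] = []
    for rule in parse_postrouting(listing):
        if is_ipsec_exemption(rule):
            exempted.add(rule.out_if)
        elif rule.target in NAT_TARGETS and not ({"*", rule.out_if} & exempted):
            findings.append(
                f"rule {rule.position}: {rule.target} out {rule.out_if} is reached before any "
                "'policy --dir out --pol ipsec' ACCEPT, so IPsec-bound packets get source-NATed"
            )
    return findings


# Constructed from the POSTROUTING chain Frank posted (before the fix).
BEFORE = """\
Chain OUTPUT (policy ACCEPT 44171 packets, 2325K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 616K packets, 37M bytes)
 pkts bytes target     prot opt in     out     source               destination
   54  3843 MASQUERADE all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
  690 56556 MASQUERADE all  --  *      eth4    0.0.0.0/0            0.0.0.0/0
"""

# Same chain after `iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT`
# (-I without a position inserts at the top). Counters on the new line are made up.
AFTER = """\
Chain POSTROUTING (policy ACCEPT 616K packets, 37M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec
   54  3843 MASQUERADE all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
  690 56556 MASQUERADE all  --  *      eth4    0.0.0.0/0            0.0.0.0/0
"""

if __name__ == "__main__":
    for label, listing in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {audit_postrouting(listing) or ['ok: IPsec traffic exempted from SNAT']}")
```

Run it against live output with `iptables -t nat -L -n -v | python3 audit.py`-style plumbing by feeding stdin to `audit_postrouting`; the ordering matters, which is why the thread's fix uses `-I` (insert at the top) rather than `-A` (append after the MASQUERADE rules, where it would never be reached for the packets that matter).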
