Hi Paul,

Thanks for your answer. But sadly, this did not help.

$ ip route
default via 192.168.42.129 dev enp0s12u2 proto dhcp metric 100
xx.yyy.zzz.vv dev vti0 scope link
169.254.0.0/16 dev enp0s12u2 scope link metric 1000
192.168.42.0/24 dev enp0s12u2 proto kernel scope link src 192.168.42.91 metric 100

$ route
Kernel-IP-Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    100    0        0 enp0s12u2
xxxxxxxx.dip0.  0.0.0.0         255.255.255.255 UH    0      0        0 vti0
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 enp0s12u2
192.168.42.0    0.0.0.0         255.255.255.0   U     100    0        0 enp0s12u2

192.168.42.x is the client's network
xx.yyy.zzz.vv is the internet IP of the remote network, behind some domain
192.168.92.x is the remote network I want to access

What's wrong with my config?

Best regards
Johannes

On Thu, 4 Oct 2018 at 16:50, Paul Wouters <[email protected]> wrote:

> On Thu, 4 Oct 2018, Johannes C. Schulz wrote:
>
> > Hello LibreSwan community! It was a long way to get my libreswan
> > connecting to a vpn-server (which is actually a dsl-router from bintec).
> > The server accepts IPsec IKEv1 connection with PSK. I can connect, but
> > there is no traffic through the tunnel.
> > The problem must be on roadwarriors-side, because I can connect and
> > transfer data through the tunnel if I connect with a windows machine to
> > the vpn-server (using ShrewSoft).
> >
> > I wrote this config:
> >
> > config setup
> >     protostack = netkey
> >
> > conn Office1
> >     authby = secret
> >     right = some.domain.tld
> >     rightid = @Office_admin
> >     rightnexthop = %defaultroute
> >     left = 192.168.42.91
> >     leftsubnet = 192.168.92.0/24
> >     leftvti = 192.168.92.234/24
> >     leftid = @Office
> >     keyexchange = ike
> >     ike = aes256-sha2;modp2048
> >     esp = aes256-sha2;modp2048
> >     ikelifetime = 4h
> >     keylife = 8h
> >     auto = add
> >     aggrmode = yes
> >     vti-interface = vti0
> >     vti-routing = yes
> >     mark = 5/0xffffffff
>
> Try adding sha2_truncbug=yes and see if that fixes your issue. The
> router might be doing "broken linux compatibility" mode by default.
>
> > > netstat -r -n
> > Kernel-IP-Routentabelle
> > Ziel            Router          Genmask         Flags   MSS Fenster irtt Iface
> > 0.0.0.0         192.168.42.129  0.0.0.0         UG        0 0          0 enp0s12u2
> > xx.yyy.zzz.vv   0.0.0.0         255.255.255.255 UH        0 0          0 vti0
> > 169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 enp0s12u2
> > 192.168.42.0    0.0.0.0         255.255.255.0   U         0 0          0 enp0s12u2
> > 192.168.92.0    0.0.0.0         255.255.255.0   U         0 0          0 vti0
>
> What does "ip route" say? It is important to see if you got the proper
> route into the VTI interface. I assume xx.yyy.zzz.vv is some.domain.tld's
> IP?
>
> > > ping 192.168.92.10
> > PING 192.168.92.10 (192.168.92.10) 56(84) bytes of data.
> > From 192.168.92.234 icmp_seq=1 Destination Host Unreachable
>
> Is this in the remote end? Because you defined that to be on your end?
>
> Paul

--
Best regards
Johannes C. Schulz
„Programmer - n. [proh-gram-er] an organism that turns caffeine and pizza into software“
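Paul's point that the remote subnet must actually be routed into the VTI interface can be checked mechanically. The following is an added example, not code from this thread or from libreswan: it parses `ip route` output with longest-prefix matching and reports which remote subnets would leave through some other interface. The sample output is constructed from the `ip route` listing above, with the redacted peer address replaced by the documentation address 203.0.113.7 as an assumed placeholder.

```python
import ipaddress

# Constructed sample: the "ip route" output posted above, with the redacted
# "xx.yyy.zzz.vv" replaced by an assumed placeholder address (203.0.113.7).
SAMPLE_IP_ROUTE = """\
default via 192.168.42.129 dev enp0s12u2 proto dhcp metric 100
203.0.113.7 dev vti0 scope link
169.254.0.0/16 dev enp0s12u2 scope link metric 1000
192.168.42.0/24 dev enp0s12u2 proto kernel scope link src 192.168.42.91 metric 100
"""


def parse_ip_route(text):
    """Turn `ip route` lines into (network, device) pairs.

    'default' becomes 0.0.0.0/0; a bare address without /prefix is a host route.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dst, strict=False)
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((net, dev))
    return routes


def egress_device(routes, address):
    """Longest-prefix match: the interface that would carry traffic to `address`."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def missing_vti_routes(text, remote_subnets, vti_dev):
    """Return the remote subnets whose traffic would NOT enter `vti_dev`."""
    routes = parse_ip_route(text)
    missing = []
    for subnet in remote_subnets:
        probe = next(ipaddress.ip_network(subnet).hosts())  # any host in the subnet
        if egress_device(routes, str(probe)) != vti_dev:
            missing.append(subnet)
    return missing


if __name__ == "__main__":
    # On the posted table 192.168.92.0/24 falls through to the default route,
    # so it is reported as not routed into vti0.
    print(missing_vti_routes(SAMPLE_IP_ROUTE, ["192.168.92.0/24"], "vti0"))
```

Run against the `ip route` listing above it reports 192.168.92.0/24 as not entering vti0, which is the route the earlier netstat output still showed; pipe the live `ip route` into the same function to check a host after a tunnel comes up.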
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
