On 18/11/2022 16:07, Paul Wouters wrote:
On Fri, 18 Nov 2022, Kumar P S Udai wrote:
One is at the HO establishing connections to three other branch offices. While all three are getting connected, at one branch office the public IP is not configured on the machine directly but on an external vendor's router. Initially I had trouble establishing a connection to this unit, but after a lot of reading and config changes the connection is getting established now; however, we cannot ping or reach each other. Attaching the config details FYI please. Would appreciate any help from the community.
ON MACHINE PLUTO
000 #45: "PLSUBNET" [email protected] [email protected]
[email protected]
[email protected] Traffic: ESPin=1KB ESPout=0B! ESPmax=0B
Note traffic coming in, but no traffic going out.
ON MACHINE EUROPA
000 #6276: "PLUTOSUBNET" [email protected] [email protected]
[email protected] [email protected]
Traffic: ESPin=0B ESPout=1KB! ESPmax=0B
000
traffic going out, but no traffic coming in.
I suspect that on machine PLUTO there is a NAT rule that ends up NATing the traffic before it gets to be IPsec'ed.
On PLUTO try:
iptables -I FORWARD -t nat -s 192.168.14.0/24 -d 192.168.1.0/24 -j RETURN
Don't you want the POSTROUTING rule from https://libreswan.org/wiki/FAQ#NAT_.2B_IPsec_is_not_working? I don't believe there is a FORWARD chain in the nat table.
If you want a FORWARD rule as well, you can use the generic:
iptables -I FORWARD -m policy --dir in --pol ipsec -j ACCEPT
Then you don't have to bother about subnets.
Nick
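The ordering problem discussed above (a MASQUERADE/SNAT rule in nat POSTROUTING hitting the 192.168.14.0/24 to 192.168.1.0/24 traffic before the IPsec exemption does, so ESPout stays at 0B) can be checked against an iptables-save dump. The script below is an added example, not from the thread or the libreswan project; the ruleset text is constructed, the subnets are taken from Paul's suggested rule, and the "fix" commands it prints are the POSTROUTING RETURN exemption plus Nick's policy-match FORWARD rule.

```sh
#!/bin/sh
# nat_exempt_ok SRC DST: read iptables-save output on stdin and succeed (0)
# only if nat POSTROUTING exempts SRC->DST (or any IPsec-policied packet)
# via RETURN/ACCEPT *before* any MASQUERADE/SNAT rule; otherwise fail (1).
nat_exempt_ok() {
  awk -v src="$1" -v dst="$2" '
    /^\*/ { table = substr($0, 2); next }          # "*nat", "*filter", ...
    table != "nat" || $1 != "-A" || $2 != "POSTROUTING" { next }
    {
      exempt = 0
      if (index($0, "-s " src) && index($0, "-d " dst) &&
          $0 ~ /-j (RETURN|ACCEPT)/) exempt = 1
      if ($0 ~ /-m policy --dir out --pol ipsec/ &&
          $0 ~ /-j (RETURN|ACCEPT)/) exempt = 1
      if (exempt) { found = 1; exit }
      if ($0 ~ /-j (MASQUERADE|SNAT)/) exit       # NAT reached first: broken
    }
    END { if (found) exit 0; exit 1 }'
}

# Print the rules that insert the exemption ahead of existing NAT rules
# and accept decrypted traffic in FORWARD without per-subnet rules.
print_fix_rules() {
  printf 'iptables -t nat -I POSTROUTING -s %s -d %s -j RETURN\n' "$1" "$2"
  printf 'iptables -I FORWARD -m policy --dir in --pol ipsec -j ACCEPT\n'
}

# Constructed iptables-save fragments (not real output from PLUTO).
BROKEN_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.14.0/24 -d 192.168.1.0/24 -j RETURN
COMMIT'
FIXED_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.14.0/24 -d 192.168.1.0/24 -j RETURN
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

check_ruleset() { printf '%s\n' "$1" | nat_exempt_ok 192.168.14.0/24 192.168.1.0/24; }

if check_ruleset "$BROKEN_RULES"; then
  echo "exemption precedes NAT: OK"
else
  echo "traffic is NATed before IPsec; insert at top with:"
  print_fix_rules 192.168.14.0/24 192.168.1.0/24
fi
```

On a real gateway, feed it `iptables-save -t nat | nat_exempt_ok <local-subnet> <remote-subnet>`.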
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan