Yes 😀

Sent using a virtual keyboard on a phone

> On Nov 18, 2022, at 11:58, Nick Howitt <n...@howitts.co.uk> wrote:
>
>> On 18/11/2022 16:07, Paul Wouters wrote:
>>> On Fri, 18 Nov 2022, Kumar P S Udai wrote:
>>> One is at the HO establishing connection to three other branch offices,
>>> while all three are
>>> getting connected, at one branch office the public IP is not configured on
>>> the machine directly,
>>> but on an external vendor's router. Initially I had trouble establishing
>>> connection to this unit,
>>> but after a lot of reading and config change, the connection is getting
>>> established now, but I
>>> cannot ping or reach each other. Attaching the config details FYI please.
>>> Would appreciate any
>>> help from the community.
>>> ON MACHINE PLUTO
>>> 000 #45: "PLSUBNET" esp.716c376b@9.8.7.6 esp.fdc71b0a@10.10.128.100
>>> tun.0@9.8.7.6
>>> tun.0@10.10.128.100 Traffic: ESPin=1KB ESPout=0B! ESPmax=0B
>> Note traffic coming in, but no traffic going out.
>>> ON MACHINE EUROPA
>>> 000 #6276: "PLUTOSUBNET" esp.fdc71b0a@1.2.3.4 esp.716c376b@9.8.7.6
>>> tun.0@1.2.3.4 tun.0@9.8.7.6
>>> Traffic: ESPin=0B ESPout=1KB! ESPmax=0B
>>> 000
>> traffic going out, but no traffic coming in.
>> I suspect that on machine PLUTO, there is a NAT rule that ends up NATing
>> the traffic before it gets to be IPsec'ed
>> On PLUTO try:
>> iptables -I FORWARD -t nat -s 192.168.14.0/24 -d 192.168.1.0/24 -j RETURN
> Don't you want the POSTROUTING rule from
> https://libreswan.org/wiki/FAQ#NAT_.2B_IPsec_is_not_working? I don't believe
> there is a FORWARD chain in the nat table.
>
> If you want a FORWARD rule as well, you can use the generic:
> iptables -I FORWARD -m policy --dir in --pol ipsec -j ACCEPT
>
> Then you don't have to bother about subnets.
>
> Nick
> _______________________________________________
> Swan mailing list
> Swan@lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
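
The symptom discussed in this thread (ESP arriving on PLUTO but nothing going out) can be checked for by looking at rule order in the nat table. The following is an added example, not part of the thread or of libreswan: the function name `check_nat_exempt`, the interface `eth0` and both sample rule sets are constructed, and only the two subnets come from the thread.

```shell
#!/bin/sh
# Added example: function name and sample rule sets are constructed.
# Reads `iptables-save -t nat` output on stdin. Returns 1 when a SNAT or
# MASQUERADE rule in POSTROUTING comes before any rule that exempts the
# tunnel traffic, 0 otherwise. Jumps into user-defined chains are not
# followed, and any rule containing a negation is not counted as an exemption.
check_nat_exempt() {
    awk -v src="$1" -v dst="$2" '
        $1 == "-A" && $2 == "POSTROUTING" {
            line = " " $0 " "
            # An exemption is an ACCEPT/RETURN rule that matches either the
            # IPsec policy or the exact local and remote subnets.
            exempting = (line ~ / -j (ACCEPT|RETURN) /) && (line !~ / ! /) &&
                (line ~ / --pol ipsec / ||
                 (index(line, " -s " src " ") && index(line, " -d " dst " ")))
            if (exempting) {
                exempt = 1
            } else if (line ~ / -j (MASQUERADE|SNAT) / && !exempt) {
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: NAT rule first, so tunnel traffic is rewritten before
# it can match the IPsec policy.
NAT_FIRST='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.14.0/24 -d 192.168.1.0/24 -j RETURN
COMMIT'

# Constructed sample: exemption inserted ahead of the NAT rule.
EXEMPT_FIRST='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# On a live host: iptables-save -t nat | check_nat_exempt LOCAL_NET REMOTE_NET
printf '%s\n' "$NAT_FIRST" | check_nat_exempt 192.168.14.0/24 192.168.1.0/24 ||
    echo "NAT_FIRST: NAT rule precedes the IPsec exemption"
printf '%s\n' "$EXEMPT_FIRST" | check_nat_exempt 192.168.14.0/24 192.168.1.0/24 &&
    echo "EXEMPT_FIRST: exemption precedes NAT"
```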