Can you ping from that machine using its internal IP and see if ESPout increases?
Sent using a virtual keyboard on a phone

> On Nov 19, 2022, at 13:14, Kumar P S Udai <[email protected]> wrote:
>
> Hi Paul
> I tried the above step and a few other possibilities too, but there is no
> change in result
>
> 000 #8: "PLSUBNET":4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA);
> EVENT_SA_REKEY in 26251s; newest ISAKMP; idle;
> 000 #9: "PLSUBNET":4500 STATE_V2_ESTABLISHED_CHILD_SA (IPsec SA established);
> EVENT_SA_REKEY in 26637s; newest IPSEC; eroute owner; isakmp#8; idle;
> 000 #9: "PLSUBNET" [email protected] [email protected]
> [email protected] [email protected] Traffic: ESPin=5KB ESPout=0B! ESPmax=0B
>
> I use nftables on the machine and I added the equivalent command, but to no
> avail. Also for an experiment's sake, I disabled the NAT function on that
> machine and kept only the filter ruleset, but even that did not change
> anything.
>
> Thanks, best regards
>
> Udai
>
>> On Fri, 18 Nov 2022 at 21:37, Paul Wouters <[email protected]> wrote:
>> On Fri, 18 Nov 2022, Kumar P S Udai wrote:
>>
>> > One is at the HO establishing connection to three other branch offices,
>> > while all three are
>> > getting connected, at one branch office the public IP is not configured on
>> > the machine directly,
>> > but on an external vendor's router. Initially I had trouble establishing
>> > connection to this unit,
>> > but after a lot of reading and config change, the connection is getting
>> > established now, but I
>> > cannot ping or reach each other. Attaching the config details FYI please.
>> > Would appreciate any
>> > help from the community.
>>
>> > ON MACHINE PLUTO
>>
>> > 000 #45: "PLSUBNET" [email protected] [email protected]
>> > [email protected]
>> > [email protected] Traffic: ESPin=1KB ESPout=0B! ESPmax=0B
>>
>> Note traffic coming in, but no traffic going out.
>>
>> > ON MACHINE EUROPA
>>
>> > 000 #6276: "PLUTOSUBNET" [email protected] [email protected]
>> > [email protected] [email protected]
>> > Traffic: ESPin=0B ESPout=1KB! ESPmax=0B
>> > 000
>>
>> traffic going out, but no traffic coming in.
>>
>> I suspect that on machine PLUTO, there is a NAT rule that ends up NATing
>> the traffic before it gets to be IPsec'ed
>>
>> On PLUTO try:
>>
>> iptables -I FORWARD -t nat -s 192.168.14.0/24 -d 192.168.1.0/24 -j RETURN
>>
>> Paul
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
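As an added example that is not part of this thread or of libreswan, a small POSIX shell script covering the two checks the thread turns on: classifying the ESPin/ESPout counters from an `ipsec status` traffic line, and verifying that an nftables source-NAT exception for the two site subnets (the nft equivalent of the iptables RETURN rule suggested above) sits before the masquerade rule. The nftables ruleset, the interface name eth0 and the trimmed status line are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from libreswan. Two checks for
# the failure mode discussed above: ESP bytes are counted inbound but never
# outbound because a NAT rule rewrites the source address before the packet
# reaches the IPsec policy. 192.168.14.0/24 and 192.168.1.0/24 are the
# subnets from the thread; the nftables ruleset below is constructed.

# Hypothetical ruleset for PLUTO. The "return" exception must precede the
# masquerade rule: nft evaluates a chain top to bottom and masquerade is a
# terminal verdict, so an exception appended after it never matches.
GOOD_RULESET='table ip nat {
  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    ip saddr 192.168.14.0/24 ip daddr 192.168.1.0/24 return
    oifname "eth0" masquerade
  }
}'

# nat_exception_precedes_masquerade RULESET SRC DST: exit 0 if a return/accept
# rule for SRC->DST sits in chain postrouting before any masquerade/snat rule.
nat_exception_precedes_masquerade() {
  printf '%s\n' "$1" | awk -v src="$2" -v dst="$3" '
    /chain postrouting/ { inchain = 1 }
    !inchain { next }
    index($0, "ip saddr " src) && index($0, "ip daddr " dst) &&
      ($NF == "return" || $NF == "accept") { found = 1 }
    /(^|[ \t])(masquerade|snat)([ \t]|$)/ { exit(found ? 0 : 1) }
    END { exit(found ? 0 : 1) }'
}

# esp_direction LINE: classify an "ipsec status" traffic line (trimmed from
# the thread) as ok / no-outbound / no-inbound / no-traffic. One-way counters
# on an established CHILD SA point at policy or NAT, not at IKE.
esp_direction() {
  in=$(printf '%s\n' "$1" | sed -n 's/.*ESPin=\([^ !]*\).*/\1/p')
  out=$(printf '%s\n' "$1" | sed -n 's/.*ESPout=\([^ !]*\).*/\1/p')
  [ -n "$in" ] && [ -n "$out" ] || { echo unparsed; return 1; }
  case "$in:$out" in
    0B:0B) echo no-traffic; return 1 ;;
    *:0B)  echo no-outbound; return 1 ;;   # PLUTO's view in the thread
    0B:*)  echo no-inbound; return 1 ;;    # EUROPA's view of the same fault
    *)     echo ok; return 0 ;;
  esac
}

PLUTO_LINE='000 #9: "PLSUBNET" Traffic: ESPin=5KB ESPout=0B! ESPmax=0B'
echo "PLUTO: $(esp_direction "$PLUTO_LINE")"
if nat_exception_precedes_masquerade "$GOOD_RULESET" 192.168.14.0/24 192.168.1.0/24
then echo "nat: exception precedes masquerade"; else echo "nat: fix rule order"; fi
```

On a live host the same check can be run against `nft list table ip nat` output instead of the embedded string.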
