On Wed, 2018-07-25 at 18:33 -0600, James Lay wrote:
> On Wed, 2018-07-25 at 06:53 -0600, James Lay wrote:
> > On 2018-07-24 06:51, Tobias Brunner wrote:
> > Hi James,
> >
> > So I moved to Strongswan 5.6.2 during a distribution upgrade.
> >
> > What distribution? What was the previous version? Do you still
> > have the same plugins installed and enabled?
> >
> > My simple setup no longer routes back to the client (I can see the
> > incoming pings on the server, but nothing goes back). I establish a
> > tunnel fine...my setup looks like this:
> >
> > external_IP_nic2 <-> 192.168.1.1_nic2 192.168.1.0/24 subnet
> >
> > all I need is to have a connected device able to
> > access 192.168.1.1...and it's only a single user.
> >
> > Please read [1]. From the involved IPs I guess you used the farp
> > plugin before, so make sure you still have that installed and
> > loaded.
> >
> > Regards,
> > Tobias
> >
> > [1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
> >
> > Thanks Tobias...I have access to the old server so I'll see what's
> > there...I don't recall installing any other plugins, but we shall
> > see. I'll report my findings soon..thanks again.
> >
> > James
>
> So now I'm super confused. I changed to the below:
>
> conn rw
>     leftsubnet=192.168.1.0/24
>     leftcert=StrongSwanHostCert.pem
>     right=%any
>     rightsourceip=172.16.0.1
>     auto=add
>
> and added the below top 2 postrouting nat rules:
>
>  pkts bytes target     prot opt in  out        source          destination
>     0     0 ACCEPT     all  --  *   *          0.0.0.0/0       0.0.0.0/0    policy match dir out pol ipsec
>     0     0 MASQUERADE all  --  *   enp0s31f6  172.16.0.1      0.0.0.0/0
> 24519 1646K MASQUERADE all  --  *   ppp0       192.168.1.0/24  0.0.0.0/0
>
> However when I attempt to ping, I see the ping on the ppp0 interface,
> and the source isn't 172.16.0.1:
>
> 2018-07-25 18:26:37.085194521 8.0.0.1 → 192.168.1.1 ICMP 100 Echo (ping) request id=0x0004, seq=1/256, ttl=64
>
> Not exactly sure where to go next. I did install the extra plugins
> that include farp as well. Thank you.
>
> James

Anything on this? In testing I made this change:

rightsourceip=10.10.10.0/24

Pinging from the client connected device gets me this:

1 2018-07-29 07:50:27.606525877 8.0.10.1 → 192.168.1.1 ICMP 100 Echo (ping) request id=0x000f, seq=1/256, ttl=64

Something seems very broken. Thank you.

James