Hi David,

have you enabled IP forwarding on gateway moon?

echo "1" > /proc/sys/net/ipv4/ip_forward

Regards

Andreas

weiping deng wrote:
> Hi Martin and Andreas, Hi all,
>
> The test scenario is listed as follows:
>
> Alice (IP: 172.19.2.190, Secondary IP: 192.168.253.68)
>   <---------------------------> moon (as gateway, IP: 172.19.2.118, Secondary IP: 192.168.253.98)
>   <============> carol (IP: 172.19.2.86, Virtual IP: 192.168.253.89)
>
> As above, I have established the ipsec tunnel between moon and carol, now I
> can ping moon from carol with "ping 192.168.253.98" and I also can ping
> Alice from moon with "ping 192.168.253.68".
>
> But I cannot ping Alice from carol with "ping 192.168.253.68". Please
> tell me what problem occurred, thanks.
>
> The following is the configuration of moon and carol:
>
> ++++++++++++++Moon:
>
> config setup
>     strictcrlpolicy=no
>     plutostart=no
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=%forever
>     keyexchange=ikev2
>
> conn rw-eapaka
>     left=172.19.2.118
>     leftsubnet=192.168.253.0/24
>     leftid="C=CN, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=MOON, E= @moon.strongswan.org"
>     leftcert=/etc/ipsec.d/certs/moonCert.pem
>     leftauth=pubkey
>     leftfirewall=yes
>     lefthostaccess=yes
>     right=%any
>     rightid="C=CN, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=CAROL, e=ca...@strongswan.org"
>     rightsendcert=never
>     rightsourceip=192.168.253.89
>     rightauth=eap-aka
>     auto=start
>
> ++++++++++carol:
>
> config setup
>     strictcrlpolicy=no
>     plutostart=no
>     keep_alive=20m
>
> conn %default
>     ike=aes-sha1-modp1024!
>     esp=aes-sha1!
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=%forever
>     keyexchange=ikev2
>     dpdaction=clear
>     dpdtimeout=5m
>     dpddelay=10
>
> conn FAP1000
>     left=172.19.2.86
>     leftsourceip=%config
>     leftcert=/etc/ipsec.d/certs/carolCert.pem
>     leftauth=eap
>     right=172.19.2.118
>     rightsubnet=0.0.0.0/0
>     rightcert=/etc/ipsec.d/certs/moonCert.pem
>     rightauth=pubkey
>     leftid="C=CN, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=CAROL, e=ca...@strongswan.org"
>     rightid="C=CN, ST=BEIJING, L=BEIJING, O=PICOCHIP, OU=SECURITY, CN=MOON, e...@moon.strongswan.org"
>     auto=add
>
> Best Regards,
>
> David

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
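
An added example, not part of the original thread and not strongSwan code: the echo into /proc above only changes the running kernel, so this check reports whether a gateway forwards IPv4 now and whether the setting survives a reboot. The function names and the optional root-prefix argument are assumptions made for the example, and only /etc/sysctl.d/*.conf and /etc/sysctl.conf are read.

```shell
#!/bin/sh
# Added example: audit IPv4 forwarding on a gateway (runtime vs. persistent).
# The optional first argument is a hypothetical root prefix so the check can
# be pointed at a constructed test tree; on the gateway itself omit it.

# Print the last uncommented net.ipv4.ip_forward value (0 or 1) found in the
# sysctl config files under root $1, or nothing if it is never set.
# Simplification: only /etc/sysctl.d/*.conf and then /etc/sysctl.conf are
# read (sysctl.conf last, so it wins), and only the dotted key form.
persistent_forward() {
    root=${1%/}
    for f in "$root"/etc/sysctl.d/*.conf "$root/etc/sysctl.conf"; do
        if [ -f "$f" ]; then cat "$f"; fi
    done |
        sed -n 's/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' |
        tail -n 1
}

# Prints one word and returns:
#   0 "ok"              forwarding is on now and configured persistently
#   1 "runtime-off"     the kernel is not forwarding (the case asked about)
#   2 "not-persistent"  on now, but lost at the next reboot
check_forwarding() {
    root=${1:-/}
    root=${root%/}
    runtime=$(cat "$root/proc/sys/net/ipv4/ip_forward" 2>/dev/null || true)
    if [ "$runtime" != "1" ]; then
        echo "runtime-off"
        return 1
    fi
    if [ "$(persistent_forward "$root")" != "1" ]; then
        echo "not-persistent"
        return 2
    fi
    echo "ok"
    return 0
}
```

Source the file on the gateway and run check_forwarding with no argument to test the live system.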