Hi,
 
Sorry, I found it! It is working...
 
An iptables command was left, which is prohibited!
 
Thank you!
Zsolt

        -----Original Message-----
        From: [email protected] [mailto:[email protected]] On Behalf Of Makai Zsolt
        Sent: Thursday, June 03, 2010 1:12 PM
        To: [email protected]
        Subject: [strongSwan] Net2net and ip policy


        Hi, 

        Please, help me! I have got two strongswan servers and the connection is ok. I must put a router between "left" and "leftsubnet":

        Before: 192.168.100.0/22===x.x.x.186---x.x.x.230===192.168.11.0/24
        Now: 192.168.100.0/22==={router 192.168.100.254-x.x.x.185}===x.x.x.186---x.x.x.230===192.168.11.0/24

        Ipsec.conf: 
        config setup 
         plutodebug=control 
         charonstart=no 

        conn %default 
                left=%defaultroute 
                leftsubnet=192.168.100.0/22 

        conn paks 
                right=x.x.x.230 
                rightsubnet=192.168.11.0/24 
                authby=secret 
                auth=esp 
                auto=add 

        Ip xfrm policy: 
        src 192.168.100.0/22 dst 192.168.11.0/24 
                dir out priority 2408 ptype main 
                tmpl src x.x.x.186 dst x.x.x.230 
                        proto esp reqid 16385 mode tunnel 
        src 192.168.11.0/24 dst 192.168.100.0/22 
                dir fwd priority 2408 ptype main 
                tmpl src x.x.x.230 dst x.x.x.186 
                        proto esp reqid 16385 mode tunnel 
        src 192.168.11.0/24 dst 192.168.100.0/22 
                dir in priority 2408 ptype main 
                tmpl src x.x.x.230 dst x.x.x.186 
                        proto esp reqid 16385 mode tunnel 

        Route: 
        192.168.100.0   x.x.x.185   255.255.252.0   UG    0      0        0 eth1
        0.0.0.0         x.x.x.180   0.0.0.0         UG    0      0        0 eth1

        The vpn tunnel has been established, of course, but the ping from 192.168.100.2 to 192.168.11.3 has failed.
        Tcpdump:
        12:45:51.760782 IP 192.168.100.2 > 192.168.11.3: ICMP echo request, id 512, seq 15360, length 40
        12:45:51.760931 IP x.x.x.186.euroweb.hu > 192.168.100.2: ICMP host 192.168.11.3 unreachable - admin prohibited, length 68

        I did not change the ipsec.conf. I removed the direct network connection to 192.168.100.0/22 from the "left" server and I rewrote the routing table. What else is necessary to do so that the route is allowed?

        Thank you, 
        Zsolt 
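The tcpdump in the quoted message shows the "admin prohibited" ICMP coming from x.x.x.186 itself, the strongSwan gateway, not from the peer or from anything inside the tunnel. That is the signature of a local REJECT rule (the iptables command mentioned in the reply), and it explains why the xfrm policies can look correct while the ping still fails. The following shell script is an added example, not part of the thread or of strongSwan: it pulls the rejected destination out of tcpdump lines and then looks for REJECT rules in an iptables-save dump that match the two tunnel subnets. The tcpdump lines and the iptables-save text are constructed to mirror the thread; the leftover FORWARD rule in the sample is an assumption about what such a rule might look like.

```shell
#!/bin/sh
# Added example (not from the thread): spot the "admin prohibited" symptom
# in tcpdump output and find the local REJECT rule that would produce it.

# Constructed tcpdump lines, modelled on the ones quoted in the message.
TCPDUMP_SAMPLE='12:45:51.760782 IP 192.168.100.2 > 192.168.11.3: ICMP echo request, id 512, seq 15360, length 40
12:45:51.760931 IP x.x.x.186.euroweb.hu > 192.168.100.2: ICMP host 192.168.11.3 unreachable - admin prohibited, length 68
12:45:52.100000 IP 192.168.100.2 > 192.168.11.3: ICMP echo request, id 512, seq 15361, length 40'

# Constructed iptables-save output. The REJECT line in FORWARD is an
# assumption of what a leftover rule might look like; it is not from the thread.
IPTABLES_SAMPLE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp --dport 500 -j ACCEPT
-A FORWARD -s 192.168.100.0/22 -d 192.168.11.0/24 -j REJECT --reject-with icmp-admin-prohibited
-A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
COMMIT'

# Print the destination host(s) for which the capturing box answered
# "admin prohibited". That ICMP is generated by a REJECT rule on the host
# that sends it, so a reply from the gateway's own address points at its
# own firewall rather than at the IPsec policies or the peer.
admin_prohibited_targets() {
    printf '%s\n' "$1" | sed -n 's/.*ICMP host \([0-9.]*\) unreachable - admin prohibited.*/\1/p'
}

# List REJECT rules whose source or destination names one of the two
# tunnel subnets. Args: iptables-save text, leftsubnet, rightsubnet.
reject_rules_for() {
    printf '%s\n' "$1" | grep -- '-j REJECT' | grep -e "$2" -e "$3"
}

# Count how many such rules exist (0 means the firewall is not the culprit).
reject_rule_count() {
    reject_rules_for "$1" "$2" "$3" | grep -c -- '-j REJECT'
}

# Stand-alone run: show what the samples yield.
echo "Rejected destinations seen in tcpdump:"
admin_prohibited_targets "$TCPDUMP_SAMPLE"
echo "REJECT rules touching the tunnel subnets:"
reject_rules_for "$IPTABLES_SAMPLE" 192.168.100.0/22 192.168.11.0/24
```

On a live gateway the same two checks are `tcpdump -ni eth1 icmp` while pinging, and `iptables-save | grep REJECT` (or `iptables -S FORWARD`); once a matching rule turns up, the fix is to remove it or to place an accept for `-m policy --pol ipsec` traffic ahead of it, after which the xfrm policies quoted above are sufficient for the net-to-net tunnel to pass the ping.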

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
