Hello Andreas,

I've added the rules

iptables -t filter -A INPUT -d <public IP> -p esp -m comment --comment "ACCEPT IPSec ESP" -j ACCEPT
iptables -t filter -A INPUT -d <public IP> -p udp -m udp --dport 500 -m comment --comment "ACCEPT IPSec IKE" -j ACCEPT
iptables -t filter -A INPUT -d <public IP> -p udp -m udp --dport 4500 -m comment --comment "ACCEPT IPSec NAT-T" -j ACCEPT

and StrongSWAN added the rules

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  192.168.177.0/24     192.168.176.0/24     policy match dir in pol ipsec reqid 16385 proto esp
ACCEPT     all  --  192.168.176.0/24     192.168.177.0/24     policy match dir out pol ipsec reqid 16385 proto esp

The IPSec association is created (even the Fritzbox shows an active IPSec connection), but no data passes between the subnets.

Do I use the right IPTables chains?
Do I need port 4500 (NAT-T is disabled on the Fritzbox and the StrongSWAN box)?

Regards,

Renne

On Sat, 12 Feb 2011 20:20:46 +0100, Andreas Steffen <[email protected]> wrote:
> Hello Rene,
>
> you must open UDP port 500 for IKE and UDP port 4500 if you have
> a NAT situation. In order to pass encrypted IPsec packets you
> must open IP protocol 50 (ESP).
>
> Regards
>
> Andreas
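As an added example (not from the thread and not strongSwan's own code): a small Python audit that reads `iptables-save` output and reports whether the rules Andreas lists (UDP 500 for IKE, UDP 4500 for NAT-T, IP protocol 50/ESP on INPUT) and the two FORWARD policy-match rules for the tunnel directions are present. The sample `iptables-save` text, the public IP 203.0.113.10 and the function names are constructed for the example. The audit also flags any FORWARD ACCEPT between the two subnets that lacks `-m policy`, because such a rule would accept the same traffic unencrypted if it ever arrived outside the tunnel.

```python
import shlex

# Constructed iptables-save excerpt modelled on the rules quoted in the thread,
# plus one deliberately weak FORWARD rule (no -m policy) so the audit has
# something to flag. The public IP and counters are placeholders.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -d 203.0.113.10/32 -p esp -m comment --comment "ACCEPT IPSec ESP" -j ACCEPT
-A INPUT -d 203.0.113.10/32 -p udp -m udp --dport 500 -m comment --comment "ACCEPT IPSec IKE" -j ACCEPT
-A INPUT -d 203.0.113.10/32 -p udp -m udp --dport 4500 -m comment --comment "ACCEPT IPSec NAT-T" -j ACCEPT
-A FORWARD -s 192.168.177.0/24 -d 192.168.176.0/24 -m policy --dir in --pol ipsec --reqid 16385 --proto esp -j ACCEPT
-A FORWARD -s 192.168.176.0/24 -d 192.168.177.0/24 -m policy --dir out --pol ipsec --reqid 16385 --proto esp -j ACCEPT
-A FORWARD -s 192.168.177.0/24 -d 192.168.176.0/24 -j ACCEPT
COMMIT
"""


def parse_rules(text):
    """Turn the '-A CHAIN ...' lines of iptables-save output into (chain, opts) pairs.

    opts maps each option name (dashes stripped) to its value, or True for a bare
    flag. '-m' may repeat on one rule, so its values are collected in a list.
    """
    rules = []
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue
        tokens = shlex.split(line)  # keeps the quoted --comment value as one token
        chain, opts, key = tokens[1], {"m": []}, None
        for tok in tokens[2:]:
            if tok.startswith("-"):
                key = tok.lstrip("-")
                if key != "m":
                    opts[key] = True  # value (if any) follows in the next token
            elif key == "m":
                opts["m"].append(tok)
                key = None
            elif key is not None:
                opts[key] = tok
                key = None
        rules.append((chain, opts))
    return rules


def _accepts(opts):
    return opts.get("j") == "ACCEPT"


def audit_ipsec_rules(text, local_subnet, remote_subnet):
    """Return {check name: bool} for the rules an IPsec net-to-net tunnel needs.

    nat_t_udp_4500 is only required when NAT traversal is actually in use.
    cleartext_forward_accept is True when a FORWARD rule between the subnets
    accepts without '-m policy ... --pol ipsec', i.e. a finding, not a requirement.
    """
    rules = parse_rules(text)
    inp = [o for c, o in rules if c == "INPUT" and _accepts(o)]
    fwd = [o for c, o in rules if c == "FORWARD" and _accepts(o)]

    def policy_rule(src, dst, direction):
        # dir in: packets just decrypted from the SA; dir out: packets about to be encrypted
        return any(o.get("s") == src and o.get("d") == dst and "policy" in o["m"]
                   and o.get("pol") == "ipsec" and o.get("dir") == direction
                   for o in fwd)

    return {
        "ike_udp_500": any(o.get("p") == "udp" and o.get("dport") == "500" for o in inp),
        "nat_t_udp_4500": any(o.get("p") == "udp" and o.get("dport") == "4500" for o in inp),
        "esp_protocol_50": any(o.get("p") in ("esp", "50") for o in inp),
        "forward_in_from_remote": policy_rule(remote_subnet, local_subnet, "in"),
        "forward_out_to_remote": policy_rule(local_subnet, remote_subnet, "out"),
        "cleartext_forward_accept": any(
            {o.get("s"), o.get("d")} == {local_subnet, remote_subnet} and "policy" not in o["m"]
            for o in fwd),
    }


if __name__ == "__main__":
    result = audit_ipsec_rules(SAMPLE_IPTABLES_SAVE, "192.168.176.0/24", "192.168.177.0/24")
    for check, value in result.items():
        if check == "cleartext_forward_accept":
            print(f"{check:26s} {'WARNING: accepts without policy match' if value else 'ok'}")
        else:
            print(f"{check:26s} {'present' if value else 'MISSING'}")
```

Feed it `iptables-save` output from the gateway and the two subnets of the tunnel (here 192.168.176.0/24 behind strongSwan and 192.168.177.0/24 behind the Fritzbox). The audit only confirms that the rules exist in the filter table; it says nothing about whether an earlier rule in the same chain shadows them or whether IP forwarding is enabled on the box, so a "present" result with traffic still failing points at those next.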
