On 02/12/2011 08:58 PM, Rene Bartsch wrote:
> Hello Andreas,
>
> I've added the rules
>
> iptables -t filter -A INPUT -d <public IP> -p esp -m comment --comment "ACCEPT IPSec ESP" -j ACCEPT
> iptables -t filter -A INPUT -d <public IP> -p udp -m udp --dport 500 -m comment --comment "ACCEPT IPSec IKE" -j ACCEPT
> iptables -t filter -A INPUT -d <public IP> -p udp -m udp --dport 4500 -m comment --comment "ACCEPT IPSec NAT-T" -j ACCEPT
>
You also need corresponding OUTPUT rules.

> and StrongSWAN added the rules
>
> Chain FORWARD (policy DROP)
> target     prot opt source              destination
> ACCEPT     all  --  192.168.177.0/24    192.168.176.0/24    policy match dir in pol ipsec reqid 16385 proto esp
> ACCEPT     all  --  192.168.176.0/24    192.168.177.0/24    policy match dir out pol ipsec reqid 16385 proto esp
>
These rules are inserted automatically by the _updown script. Make sure that
IP forwarding is enabled (echo "1" > /proc/sys/net/ipv4/ip_forward).

> The IPSec association is created (even Fritzbox shows an active IPSec
> connection), but no data passes between the subnets.
>
> Do I use the right IPTables chains? Do I need port 4500 (NAT-T is disabled
> on Fritzbox and StrongSWAN box)?
>
If there is no NAT situation then you won't need port 4500.

> Regards,
>
> Renne

Regards

Andreas

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
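The rule set the thread converges on (INPUT rules for ESP, IKE and NAT-T, the matching OUTPUT rules Andreas asks for, the FORWARD rules with the xt_policy match that the _updown script installs, and the ip_forward check) as a single added example. This is not code from the thread or from the strongSwan project; the public IP 203.0.113.10, the subnets and the reqid 16385 are constructed placeholders, and the function names are this example's own. The rules are printed rather than applied so the script can be reviewed before being piped into a root shell.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list thread.
# Emits the host-firewall rules for a strongSwan net-to-net tunnel and
# checks that the kernel forwards packets. Nothing is applied by itself.
#
# Usage: ipsec_fw_rules 203.0.113.10 192.168.176.0/24 192.168.177.0/24 | sudo sh
# (the IP, subnets and reqid below are constructed placeholders)

# Print the iptables commands for: public IP $1, local subnet $2,
# remote subnet $3 and optional IPsec reqid $4 (default 16385, as in the thread).
ipsec_fw_rules() {
    pub="$1"; left="$2"; right="$3"; reqid="${4:-16385}"

    # ESP, IKE (UDP 500) and NAT-T (UDP 4500) must be accepted in BOTH
    # directions: INPUT towards our public IP, OUTPUT from our public IP.
    for spec in "-p esp:ESP" \
                "-p udp -m udp --dport 500:IKE" \
                "-p udp -m udp --dport 4500:NAT-T"; do
        match="${spec%%:*}"   # iptables match expression
        name="${spec##*:}"    # label used in the rule comment
        printf 'iptables -t filter -A INPUT -d %s %s -m comment --comment "ACCEPT IPSec %s" -j ACCEPT\n' \
            "$pub" "$match" "$name"
        printf 'iptables -t filter -A OUTPUT -s %s %s -m comment --comment "ACCEPT IPSec %s" -j ACCEPT\n' \
            "$pub" "$match" "$name"
    done

    # FORWARD rules restricted with the policy match, so only traffic that
    # was (or will be) protected by this IPsec SA may cross the subnets.
    # strongSwan's _updown script adds equivalent rules; these are shown for
    # completeness and for hosts where leftfirewall is not used.
    printf 'iptables -t filter -A FORWARD -s %s -d %s -m policy --dir in --pol ipsec --reqid %s --proto esp -j ACCEPT\n' \
        "$right" "$left" "$reqid"
    printf 'iptables -t filter -A FORWARD -s %s -d %s -m policy --dir out --pol ipsec --reqid %s --proto esp -j ACCEPT\n' \
        "$left" "$right" "$reqid"
}

# Return success only if IPv4 forwarding is enabled. The optional argument
# overrides the sysctl path so the check can be exercised against a file.
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Diagnostic summary for the "SA is up but no traffic flows" symptom from the
# thread: a FORWARD policy of DROP without forwarding enabled passes nothing.
check_forwarding() {
    if ip_forward_enabled "$@"; then
        echo "ip_forward=1: kernel will forward between subnets"
    else
        echo "ip_forward=0: run: echo 1 > /proc/sys/net/ipv4/ip_forward"
        return 1
    fi
}
```

The NAT-T pair (UDP 4500) is harmless when neither peer is behind NAT; as Andreas notes, it is only needed in a NAT situation, so drop that entry from the loop if you want the narrowest rule set.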
