On Sun, 13 Feb 2011 10:55:07 -0800, Daniel Mentz
<[email protected]> wrote:
> On 02/13/2011 08:49 AM, Rene Bartsch wrote:
>> After removing "leftfirewall=yes" from ipsec.conf and adding the incoming
>> FORWARD rule created by "leftfirewall=yes" to the INPUT chain manually,
>> it seems to work.
> 
> That's strange. Can you save the output of "iptables-save" in both cases
> and run a diff against both files to see what's the difference?
> 

I've attached the output of "ip -4 a", the iptables-save output of the
working and the non-working setup, and a diff between the two.



xxx.xxx.xxx.20:  eth0    primary   public IP of Ubuntu 10.04.2 LTS server
xxx.xxx.xxx.102: eth0:0  secondary public IP of Ubuntu 10.04.2 LTS server (IPSec connection)
192.168.176.1:   dummy0  Test for virtual servers

eth0: 1000Base-T internet-uplink
eth1: unused


Fritzbox config (default: aggressive mode and NAT-T enabled):


vpncfg {

        connections {

                enabled = yes;

                conn_type = conntype_lan;

                name = "xxx.xxx.xxx.102";

                always_renew = no;

                reject_not_encrypted = no;

                dont_filter_netbios = yes;

                localip = 0.0.0.0;

                local_virtualip = 0.0.0.0;

                remoteip = xxx.xxx.xxx.102;

                remote_virtualip = 0.0.0.0;

                localid {

                        fqdn = "xxx.dnsalias.net";

                }

                remoteid {

                        ipaddr = xxx.xxx.xxx.102;

                }

                mode = phase1_mode_idp;

                phase1ss = "all/all/all";

                keytype = connkeytype_pre_shared;

                key = "xxxxxxxxxxxxxxxxxxxx";

                cert_do_server_auth = no;

                use_nat_t = no;

                use_xauth = no;

                use_cfgmode = no;

                phase2localid {

                        ipnet {

                                ipaddr = 192.168.177.0;

                                mask = 255.255.255.0;

                        }

                }

                phase2remoteid {

                        ipnet {

                                ipaddr = 192.168.176.0;

                                mask = 255.255.255.0;

                        }

                }

                phase2ss = "esp-all-all/ah-none/comp-all/pfs";

                accesslist = "permit ip any 192.168.176.0 255.255.255.0";

        }

        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",

                            "udp 0.0.0.0:4500 0.0.0.0:4500";

}



Best regards,

Renne
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc prio state UNKNOWN 
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc prio state UP qlen 
1000
    inet xxx.xxx.xxx.20/24 brd xxx.xxx.xxx.255 scope global eth0
    inet xxx.xxx.xxx.102/24 brd xxx.xxx.xxx.255 scope global secondary eth0:0
4: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc prio state UNKNOWN 
    inet 192.168.176.1/24 brd 192.168.176.255 scope global dummy0
xxx.xxx.xxx.20:  eth0   primary   public IP of Ubuntu 10.04.2 LTS server
xxx.xxx.xxx.102: eth0   secondary public IP of Ubuntu 10.04.2 LTS server (IPSec connection)
192.168.176.1:   dummy0 Test for virtual servers

eth0: 1000Base-T internet-uplink
eth1: unused


# Generated by iptables-save v1.4.4 on Sun Feb 13 20:53:08 2011
# mangle table (working setup). Every rule below is a CLASSIFY target that tags
# outbound packets per interface for traffic shaping; nothing is accepted or
# dropped in this table, so it is not involved in the IPsec problem.
*mangle
:PREROUTING ACCEPT [1033337:88572817]
:INPUT ACCEPT [1030464:88159548]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1088515:1531960932]
:POSTROUTING ACCEPT [1088515:1531960932]
-A POSTROUTING -o lo -p icmp -m comment --comment "Traffic-shaping Interface: lo  Type: ICMP" -j CLASSIFY --set-class 0001:0001 
-A POSTROUTING -o lo -p tcp -m comment --comment "Traffic-shaping Interface: lo  Type: TCP ACK" -m tcp --tcp-flags FIN,SYN,RST,ACK ACK -j CLASSIFY --set-class 0001:0003 
-A POSTROUTING -o lo -m comment --comment "Traffic-shaping Interface: lo  Type: Small packets" -m length --length 0:64 -j CLASSIFY --set-class 0001:0004 
-A POSTROUTING -o eth0 -p icmp -m comment --comment "Traffic-shaping Interface: eth0  Type: ICMP" -j CLASSIFY --set-class 0002:0001 
-A POSTROUTING -o eth0 -p tcp -m comment --comment "Traffic-shaping Interface: eth0  Type: TCP ACK" -m tcp --tcp-flags FIN,SYN,RST,ACK ACK -j CLASSIFY --set-class 0002:0003 
-A POSTROUTING -o eth0 -m comment --comment "Traffic-shaping Interface: eth0  Type: Small packets" -m length --length 0:64 -j CLASSIFY --set-class 0002:0004 
-A POSTROUTING -o eth1 -p icmp -m comment --comment "Traffic-shaping Interface: eth1  Type: ICMP" -j CLASSIFY --set-class 0003:0001 
-A POSTROUTING -o eth1 -p tcp -m comment --comment "Traffic-shaping Interface: eth1  Type: TCP ACK" -m tcp --tcp-flags FIN,SYN,RST,ACK ACK -j CLASSIFY --set-class 0003:0003 
-A POSTROUTING -o eth1 -m comment --comment "Traffic-shaping Interface: eth1  Type: Small packets" -m length --length 0:64 -j CLASSIFY --set-class 0003:0004 
-A POSTROUTING -o dummy0 -p icmp -m comment --comment "Traffic-shaping Interface: dummy0  Type: ICMP" -j CLASSIFY --set-class 0004:0001 
-A POSTROUTING -o dummy0 -p tcp -m comment --comment "Traffic-shaping Interface: dummy0  Type: TCP ACK" -m tcp --tcp-flags FIN,SYN,RST,ACK ACK -j CLASSIFY --set-class 0004:0003 
-A POSTROUTING -o dummy0 -m comment --comment "Traffic-shaping Interface: dummy0  Type: Small packets" -m length --length 0:64 -j CLASSIFY --set-class 0004:0004 
COMMIT
# Completed on Sun Feb 13 20:53:08 2011
# Generated by iptables-save v1.4.4 on Sun Feb 13 20:53:08 2011
# filter table (working setup). INPUT and FORWARD default to DROP, so every
# inbound service and every IPsec path has to be opened explicitly below.
*filter
:INPUT DROP [960:109842]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1088513:1531960805]
# Local interfaces and established flows. -i dummy0 only matches frames that
# were received on dummy0; a decapsulated tunnel packet presumably keeps the
# device it arrived on (eth0), so it is not admitted by that rule.
-A INPUT -i lo -m comment --comment "ACCEPT loopback device" -j ACCEPT 
-A INPUT -i dummy0 -m comment --comment "ACCEPT dummy0 device" -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "ACCEPT existing connections" -j ACCEPT 
# Selected ICMP types: echo, error reporting and fragmentation-needed (3/4),
# the latter being required for path MTU discovery through the tunnel.
-A INPUT -p icmp -m icmp --icmp-type 0 -m comment --comment "ACCEPT ICMP echo-reply" -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 8 -m comment --comment "ACCEPT ICMP echo-request" -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 11 -m comment --comment "ACCEPT ICMP time-exceeded" -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 4 -m comment --comment "ACCEPT ICMP source-quench" -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 3/3 -m comment --comment "ACCEPT ICMP port-unreachable" -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 12 -m comment --comment "ACCEPT ICMP parameter-problem" -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 3/4 -m comment --comment "ACCEPT ICMP fragmentation-needed" -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 3 -m comment --comment "ACCEPT ICMP destination-unreachable" -j ACCEPT 
# IPsec on the secondary address: ESP, IKE on UDP/500, and IPsec-protected
# packets whose inner destination is xxx.xxx.xxx.102 itself. UDP/4500 (NAT-T)
# is deliberately not opened; ipsec.conf sets nat_traversal=no.
-A INPUT -d xxx.xxx.xxx.102/32 -p esp -m comment --comment "ACCEPT IPSec ESP" -j ACCEPT 
-A INPUT -d xxx.xxx.xxx.102/32 -m policy --dir in --pol ipsec -m comment --comment "ACCEPT IPSec secured packets" -j ACCEPT 
-A INPUT -d xxx.xxx.xxx.102/32 -p udp -m udp --dport 500 -m comment --comment "ACCEPT IPSec IKE" -j ACCEPT 
# Hand-installed copy of the rule that leftfirewall=yes would put into FORWARD.
# It has to live in INPUT: 192.168.176.1 is a local address on dummy0, so tunnel
# traffic for it is delivered locally with inner destination 192.168.176.x,
# which the -d xxx.xxx.xxx.102/32 rules above never match.
# NOTE(review): --reqid 16385 was copied from the generated rule; reqids are
# assigned at runtime unless pinned in ipsec.conf, so this match may silently
# stop working after a reconfiguration — confirm, or drop the option.
-A INPUT -s 192.168.177.0/24 -d 192.168.176.0/24 -m policy --dir in --pol ipsec --reqid 16385 --proto esp -m comment --comment "ACCEPT IPSec secured packets" -j ACCEPT 
# SSH brute-force limiter: every NEW connection source is recorded in the
# "DEFAULT" list; a source with 10 or more hits within 240 s is dropped before
# the SSH accept rule is reached.
-A INPUT -m state --state NEW -m recent --set --name DEFAULT --rsource -m comment --comment "Store connection requests" 
-A INPUT -d xxx.xxx.xxx.102/32 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 240 --hitcount 10 --name DEFAULT --rsource -m comment --comment "DROP SSH Brute-Force-Attacks" -j DROP 
-A INPUT -d xxx.xxx.xxx.102/32 -p tcp -m tcp --dport 22 -m state --state NEW -m comment --comment "ACCEPT SSH connections" -j ACCEPT 
# Public services on the primary address. NOTE(review): the SMTP rule carries
# no -d match, so port 25 is accepted on every local address, unlike the other
# services — confirm that is intended.
-A INPUT -d xxx.xxx.xxx.20/32 -p tcp -m tcp --dport 21 -m state --state NEW -m comment --comment "ACCEPT FTP connections" -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -m comment --comment "ACCEPT SMTP connections" -j ACCEPT 
-A INPUT -d xxx.xxx.xxx.20/32 -p udp -m udp --dport 53 -m state --state NEW -m comment --comment "ACCEPT DNS UDP connections" -j ACCEPT 
-A INPUT -d xxx.xxx.xxx.20/32 -p tcp -m tcp --dport 53 -m state --state NEW -m comment --comment "ACCEPT DNS TCP connections" -j ACCEPT 
-A INPUT -d xxx.xxx.xxx.20/32 -p tcp -m tcp --dport 80 -m state --state NEW -m comment --comment "ACCEPT HTTP connections" -j ACCEPT 
-A INPUT -d xxx.xxx.xxx.20/32 -p tcp -m tcp --dport 443 -m state --state NEW -m comment --comment "ACCEPT HTTPS connections" -j ACCEPT 
COMMIT
# Completed on Sun Feb 13 20:53:08 2011


# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
	#plutodebug=all
	# Only the "control" debug class of pluto (IKEv1) is logged; the "all"
	# variant above is kept commented out for troubleshooting
	plutodebug="control"
	# crlcheckinterval=600
	# strictcrlpolicy=yes
	# cachecrls=yes
	# NAT traversal is off on both ends (the Fritzbox config sets
	# use_nat_t = no), which is why UDP/4500 is not opened in the firewall
	nat_traversal=no
	# Start both daemons: charon (IKEv2) and pluto (IKEv1). The Fritzbox
	# peer negotiates phase1/phase2, i.e. IKEv1, so pluto serves this tunnel
	charonstart=yes
	plutostart=yes

# Add connections here.

# Sample VPN connections

# Site-to-site tunnel between 192.168.176.0/24 on this host (192.168.176.1 is
# a local address on dummy0) and the Fritzbox LAN 192.168.177.0/24.
conn frankfurt-giessen
    # Local end: the secondary public address on eth0 (labelled eth0:0 in the
    # ip -4 a output); the Fritzbox is configured with it as remoteip
    left=xxx.xxx.xxx.102
    # 192.168.176.1 inside this subnet is local, so tunnel traffic for it is
    # delivered through INPUT on this host, not through FORWARD
    leftsubnet=192.168.176.0/24
    # Disabled in this (working) variant: the updown script only adds FORWARD
    # rules, which do not cover locally delivered traffic; the accepting INPUT
    # rule is maintained in the firewall configuration instead
    #leftfirewall=yes
    #
    # IKE: AES-128, SHA-1, DH group modp1024 (1024-bit MODP, weak by current
    # standards). ESP: AES-128 with SHA-1 integrity. NOTE(review): pfs= is not
    # set, so the strongSwan default applies — confirm it agrees with the
    # "pfs" the Fritzbox requests in phase2ss
    ike=aes128-sha-modp1024
    esp=aes128-sha1
    #
    # Remote end: the Fritzbox, reached via its dynamic DNS name.
    # NOTE(review): the rightid value below looks mangled by the list archive;
    # it should carry the FQDN the Fritzbox sends as localid (xxx.dnsalias.net)
    right=xxx.dnsalias.net
    [email protected]
    rightsubnet=192.168.177.0/24
    #
    # IKE SA re-keyed every 4 h, ESP (CHILD) SA every hour
    ikelifetime=4h
    keylife=1h
    #
    # Pre-shared key, matching connkeytype_pre_shared on the Fritzbox; the key
    # itself belongs in ipsec.secrets. auto=route installs the policies at
    # startup and negotiates the tunnel on demand when matching traffic appears
    authby=secret
    auto=route

# NOTE(review): further conn definitions may live in this include; check it
# when auditing the effective configuration
include /var/lib/strongswan/ipsec.conf.inc
xxx.xxx.xxx.20:  eth0   primary   public IP of Ubuntu 10.04.2 LTS server
xxx.xxx.xxx.102: eth0   secondary public IP of Ubuntu 10.04.2 LTS server (IPSec connection)
192.168.176.1:   dummy0 Test for virtual servers

eth0: 1000Base-T internet-uplink
eth1: unused


# Generated by iptables-save v1.4.4 on Sun Feb 13 21:08:03 2011
# mangle table (non-working setup). Identical to the working setup apart from
# the counters: only CLASSIFY rules for traffic shaping, nothing is accepted
# or dropped here, so this table is not involved in the IPsec problem.
*mangle
:PREROUTING ACCEPT [1043039:89521051]
:INPUT ACCEPT [1039944:89073990]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1096710:1532915142]
:POSTROUTING ACCEPT [1096710:1532915142]
-A POSTROUTING -o lo -p icmp -m comment --comment "Traffic-shaping Interface: lo  Type: ICMP" -j CLASSIFY --set-class 0001:0001 
-A POSTROUTING -o lo -p tcp -m comment --comment "Traffic-shaping Interface: lo  Type: TCP ACK" -m tcp --tcp-flags FIN,SYN,RST,ACK ACK -j CLASSIFY --set-class 0001:0003 
-A POSTROUTING -o lo -m comment --comment "Traffic-shaping Interface: lo  Type: Small packets" -m length --length 0:64 -j CLASSIFY --set-class 0001:0004 
-A POSTROUTING -o eth0 -p icmp -m comment --comment "Traffic-shaping Interface: eth0  Type: ICMP" -j CLASSIFY --set-class 0002:0001 
-A POSTROUTING -o eth0 -p tcp -m comment --comment "Traffic-shaping Interface: eth0  Type: TCP ACK" -m tcp --tcp-flags FIN,SYN,RST,ACK ACK -j CLASSIFY --set-class 0002:0003 
-A POSTROUTING -o eth0 -m comment --comment "Traffic-shaping Interface: eth0  Type: Small packets" -m length --length 0:64 -j CLASSIFY --set-class 0002:0004 
-A POSTROUTING -o eth1 -p icmp -m comment --comment "Traffic-shaping Interface: eth1  Type: ICMP" -j CLASSIFY --set-class 0003:0001 
-A POSTROUTING -o eth1 -p tcp -m comment --comment "Traffic-shaping Interface: eth1  Type: TCP ACK" -m tcp --tcp-flags FIN,SYN,RST,ACK ACK -j CLASSIFY --set-class 0003:0003 
-A POSTROUTING -o eth1 -m comment --comment "Traffic-shaping Interface: eth1  Type: Small packets" -m length --length 0:64 -j CLASSIFY --set-class 0003:0004 
-A POSTROUTING -o dummy0 -p icmp -m comment --comment "Traffic-shaping Interface: dummy0  Type: ICMP" -j CLASSIFY --set-class 0004:0001 
-A POSTROUTING -o dummy0 -p tcp -m comment --comment "Traffic-shaping Interface: dummy0  Type: TCP ACK" -m tcp --tcp-flags FIN,SYN,RST,ACK ACK -j CLASSIFY --set-class 0004:0003 
-A POSTROUTING -o dummy0 -m comment --comment "Traffic-shaping Interface: dummy0  Type: Small packets" -m length --length 0:64 -j CLASSIFY --set-class 0004:0004 
COMMIT
# Completed on Sun Feb 13 21:08:03 2011
# Generated by iptables-save v1.4.4 on Sun Feb 13 21:08:03 2011
# filter table (non-working setup). Same base rule set as the working setup,
# but the hand-made INPUT rule for 192.168.177.0/24 -> 192.168.176.0/24 is
# gone and two FORWARD rules generated by leftfirewall=yes appear at the end.
*filter
:INPUT DROP [7:420]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [69:19830]
# Local interfaces and established flows. -i dummy0 only matches frames that
# were received on dummy0; a decapsulated tunnel packet presumably keeps the
# device it arrived on (eth0), so it is not admitted by that rule.
-A INPUT -i lo -m comment --comment "ACCEPT loopback device" -j ACCEPT 
-A INPUT -i dummy0 -m comment --comment "ACCEPT dummy0 device" -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "ACCEPT existing connections" -j ACCEPT 
# Selected ICMP types: echo, error reporting and fragmentation-needed (3/4),
# the latter being required for path MTU discovery through the tunnel.
-A INPUT -p icmp -m icmp --icmp-type 0 -m comment --comment "ACCEPT ICMP echo-reply" -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 8 -m comment --comment "ACCEPT ICMP echo-request" -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 11 -m comment --comment "ACCEPT ICMP time-exceeded" -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 4 -m comment --comment "ACCEPT ICMP source-quench" -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 3/3 -m comment --comment "ACCEPT ICMP port-unreachable" -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 12 -m comment --comment "ACCEPT ICMP parameter-problem" -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 3/4 -m comment --comment "ACCEPT ICMP fragmentation-needed" -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 3 -m comment --comment "ACCEPT ICMP destination-unreachable" -j ACCEPT 
# IPsec on the secondary address: ESP, IKE on UDP/500, and IPsec-protected
# packets whose inner destination is xxx.xxx.xxx.102 itself. Nothing here
# admits decapsulated packets addressed to 192.168.176.1 on dummy0, which is
# the path that stops working in this setup.
-A INPUT -d xxx.xxx.xxx.102/32 -p esp -m comment --comment "ACCEPT IPSec ESP" -j ACCEPT 
-A INPUT -d xxx.xxx.xxx.102/32 -m policy --dir in --pol ipsec -m comment --comment "ACCEPT IPSec secured packets" -j ACCEPT 
-A INPUT -d xxx.xxx.xxx.102/32 -p udp -m udp --dport 500 -m comment --comment "ACCEPT IPSec IKE" -j ACCEPT 
# SSH brute-force limiter: every NEW connection source is recorded in the
# "DEFAULT" list; a source with 10 or more hits within 240 s is dropped before
# the SSH accept rule is reached.
-A INPUT -m state --state NEW -m recent --set --name DEFAULT --rsource -m comment --comment "Store connection requests" 
-A INPUT -d xxx.xxx.xxx.102/32 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 240 --hitcount 10 --name DEFAULT --rsource -m comment --comment "DROP SSH Brute-Force-Attacks" -j DROP 
-A INPUT -d xxx.xxx.xxx.102/32 -p tcp -m tcp --dport 22 -m state --state NEW -m comment --comment "ACCEPT SSH connections" -j ACCEPT 
# Public services on the primary address. NOTE(review): the SMTP rule carries
# no -d match, so port 25 is accepted on every local address, unlike the other
# services — confirm that is intended.
-A INPUT -d xxx.xxx.xxx.20/32 -p tcp -m tcp --dport 21 -m state --state NEW -m comment --comment "ACCEPT FTP connections" -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -m comment --comment "ACCEPT SMTP connections" -j ACCEPT 
-A INPUT -d xxx.xxx.xxx.20/32 -p udp -m udp --dport 53 -m state --state NEW -m comment --comment "ACCEPT DNS UDP connections" -j ACCEPT 
-A INPUT -d xxx.xxx.xxx.20/32 -p tcp -m tcp --dport 53 -m state --state NEW -m comment --comment "ACCEPT DNS TCP connections" -j ACCEPT 
-A INPUT -d xxx.xxx.xxx.20/32 -p tcp -m tcp --dport 80 -m state --state NEW -m comment --comment "ACCEPT HTTP connections" -j ACCEPT 
-A INPUT -d xxx.xxx.xxx.20/32 -p tcp -m tcp --dport 443 -m state --state NEW -m comment --comment "ACCEPT HTTPS connections" -j ACCEPT 
# Installed by the strongSwan updown script because of leftfirewall=yes.
# Both rules match on eth0:0, which is only the label of the secondary address
# (ip -4 a lists it under device eth0), not a network device; interface
# matches work on the real device name, so these presumably never match.
# They are also FORWARD-only, while traffic to 192.168.176.1 on dummy0 is
# delivered locally through INPUT, where no rule admits it in this setup.
-A FORWARD -s 192.168.177.0/24 -d 192.168.176.0/24 -i eth0:0 -m policy --dir in --pol ipsec --reqid 16385 --proto esp -j ACCEPT 
-A FORWARD -s 192.168.176.0/24 -d 192.168.177.0/24 -o eth0:0 -m policy --dir out --pol ipsec --reqid 16385 --proto esp -j ACCEPT 
COMMIT
# Completed on Sun Feb 13 21:08:03 2011


# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
	#plutodebug=all
	# Only the "control" debug class of pluto (IKEv1) is logged; the "all"
	# variant above is kept commented out for troubleshooting
	plutodebug="control"
	# crlcheckinterval=600
	# strictcrlpolicy=yes
	# cachecrls=yes
	# NAT traversal is off on both ends (the Fritzbox config sets
	# use_nat_t = no), which is why UDP/4500 is not opened in the firewall
	nat_traversal=no
	# Start both daemons: charon (IKEv2) and pluto (IKEv1). The Fritzbox
	# peer negotiates phase1/phase2, i.e. IKEv1, so pluto serves this tunnel
	charonstart=yes
	plutostart=yes

# Add connections here.

# Sample VPN connections

# Site-to-site tunnel between 192.168.176.0/24 on this host (192.168.176.1 is
# a local address on dummy0) and the Fritzbox LAN 192.168.177.0/24.
conn frankfurt-giessen
    # Local end: the secondary public address on eth0 (labelled eth0:0 in the
    # ip -4 a output); the Fritzbox is configured with it as remoteip
    left=xxx.xxx.xxx.102
    # 192.168.176.1 inside this subnet is local, so tunnel traffic for it is
    # delivered through INPUT on this host, not through FORWARD
    leftsubnet=192.168.176.0/24
    # Enabled in this (non-working) variant. The updown script adds the two
    # FORWARD rules seen in the non-working iptables-save, matching on the
    # address label eth0:0 rather than the device eth0, and adds nothing to
    # INPUT, so locally delivered tunnel traffic is still dropped
    leftfirewall=yes
    #
    # IKE: AES-128, SHA-1, DH group modp1024 (1024-bit MODP, weak by current
    # standards). ESP: AES-128 with SHA-1 integrity. NOTE(review): pfs= is not
    # set, so the strongSwan default applies — confirm it agrees with the
    # "pfs" the Fritzbox requests in phase2ss
    ike=aes128-sha-modp1024
    esp=aes128-sha1
    #
    # Remote end: the Fritzbox, reached via its dynamic DNS name.
    # NOTE(review): the rightid value below looks mangled by the list archive;
    # it should carry the FQDN the Fritzbox sends as localid (xxx.dnsalias.net)
    right=xxx.dnsalias.net
    [email protected]
    rightsubnet=192.168.177.0/24
    #
    # IKE SA re-keyed every 4 h, ESP (CHILD) SA every hour
    ikelifetime=4h
    keylife=1h
    #
    # Pre-shared key, matching connkeytype_pre_shared on the Fritzbox; the key
    # itself belongs in ipsec.secrets. auto=route installs the policies at
    # startup and negotiates the tunnel on demand when matching traffic appears
    authby=secret
    auto=route

# NOTE(review): further conn definitions may live in this include; check it
# when auditing the effective configuration
include /var/lib/strongswan/ipsec.conf.inc
--- iptables.save.working       2011-02-13 21:18:55.312905234 +0100
+++ iptables.save.not-working   2011-02-13 21:23:31.475403173 +0100
@@ -7,13 +7,13 @@
 eth1: unused
 
 
-# Generated by iptables-save v1.4.4 on Sun Feb 13 20:53:08 2011
+# Generated by iptables-save v1.4.4 on Sun Feb 13 21:08:03 2011
 *mangle
-:PREROUTING ACCEPT [1033337:88572817]
-:INPUT ACCEPT [1030464:88159548]
+:PREROUTING ACCEPT [1043039:89521051]
+:INPUT ACCEPT [1039944:89073990]
 :FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [1088515:1531960932]
-:POSTROUTING ACCEPT [1088515:1531960932]
+:OUTPUT ACCEPT [1096710:1532915142]
+:POSTROUTING ACCEPT [1096710:1532915142]
 -A POSTROUTING -o lo -p icmp -m comment --comment "Traffic-shaping Interface: 
lo  Type: ICMP" -j CLASSIFY --set-class 0001:0001 
 -A POSTROUTING -o lo -p tcp -m comment --comment "Traffic-shaping Interface: 
lo  Type: TCP ACK" -m tcp --tcp-flags FIN,SYN,RST,ACK ACK -j CLASSIFY 
--set-class 0001:0003 
 -A POSTROUTING -o lo -m comment --comment "Traffic-shaping Interface: lo  
Type: Small packets" -m length --length 0:64 -j CLASSIFY --set-class 0001:0004 
@@ -27,12 +27,12 @@
 -A POSTROUTING -o dummy0 -p tcp -m comment --comment "Traffic-shaping 
Interface: dummy0  Type: TCP ACK" -m tcp --tcp-flags FIN,SYN,RST,ACK ACK -j 
CLASSIFY --set-class 0004:0003 
 -A POSTROUTING -o dummy0 -m comment --comment "Traffic-shaping Interface: 
dummy0  Type: Small packets" -m length --length 0:64 -j CLASSIFY --set-class 
0004:0004 
 COMMIT
-# Completed on Sun Feb 13 20:53:08 2011
-# Generated by iptables-save v1.4.4 on Sun Feb 13 20:53:08 2011
+# Completed on Sun Feb 13 21:08:03 2011
+# Generated by iptables-save v1.4.4 on Sun Feb 13 21:08:03 2011
 *filter
-:INPUT DROP [960:109842]
+:INPUT DROP [7:420]
 :FORWARD DROP [0:0]
-:OUTPUT ACCEPT [1088513:1531960805]
+:OUTPUT ACCEPT [69:19830]
 -A INPUT -i lo -m comment --comment "ACCEPT loopback device" -j ACCEPT 
 -A INPUT -i dummy0 -m comment --comment "ACCEPT dummy0 device" -j ACCEPT 
 -A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "ACCEPT 
existing connections" -j ACCEPT 
@@ -47,7 +47,6 @@
 -A INPUT -d xxx.xxx.xxx.102/32 -p esp -m comment --comment "ACCEPT IPSec ESP" 
-j ACCEPT 
 -A INPUT -d xxx.xxx.xxx.102/32 -m policy --dir in --pol ipsec -m comment 
--comment "ACCEPT IPSec secured packets" -j ACCEPT 
 -A INPUT -d xxx.xxx.xxx.102/32 -p udp -m udp --dport 500 -m comment --comment 
"ACCEPT IPSec IKE" -j ACCEPT 
--A INPUT -s 192.168.177.0/24 -d 192.168.176.0/24 -m policy --dir in --pol 
ipsec --reqid 16385 --proto esp -m comment --comment "ACCEPT IPSec secured 
packets" -j ACCEPT 
 -A INPUT -m state --state NEW -m recent --set --name DEFAULT --rsource -m 
comment --comment "Store connection requests" 
 -A INPUT -d xxx.xxx.xxx.102/32 -p tcp -m tcp --dport 22 -m state --state NEW 
-m recent --update --seconds 240 --hitcount 10 --name DEFAULT --rsource -m 
comment --comment "DROP SSH Brute-Force-Attacks" -j DROP 
 -A INPUT -d xxx.xxx.xxx.102/32 -p tcp -m tcp --dport 22 -m state --state NEW 
-m comment --comment "ACCEPT SSH connections" -j ACCEPT 
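Review bot: Removing this INPUT rule is what breaks locally terminated tunnel traffic: 192.168.176.1 is a local address on dummy0 (per the ip -4 a output), so packets from 192.168.177.0/24 to it are delivered through INPUT after decapsulation, and the IPsec rules that remain in this hunk only match the outer address `-d xxx.xxx.xxx.102/32`, while `-i dummy0` presumably does not match a packet that physically arrived on eth0. The FORWARD rules the next hunk adds do not cover that path. If the rule is kept by hand, consider dropping `--reqid 16385`, since the reqid is assigned at runtime unless pinned in ipsec.conf, e.g. `-A INPUT -s 192.168.177.0/24 -d 192.168.176.0/24 -m policy --dir in --pol ipsec --proto esp -m comment --comment "ACCEPT IPSec secured packets" -j ACCEPT`.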
@@ -57,8 +56,10 @@
 -A INPUT -d xxx.xxx.xxx.20/32 -p tcp -m tcp --dport 53 -m state --state NEW -m 
comment --comment "ACCEPT DNS TCP connections" -j ACCEPT 
 -A INPUT -d xxx.xxx.xxx.20/32 -p tcp -m tcp --dport 80 -m state --state NEW -m 
comment --comment "ACCEPT HTTP connections" -j ACCEPT 
 -A INPUT -d xxx.xxx.xxx.20/32 -p tcp -m tcp --dport 443 -m state --state NEW 
-m comment --comment "ACCEPT HTTPS connections" -j ACCEPT 
+-A FORWARD -s 192.168.177.0/24 -d 192.168.176.0/24 -i eth0:0 -m policy --dir 
in --pol ipsec --reqid 16385 --proto esp -j ACCEPT 
+-A FORWARD -s 192.168.176.0/24 -d 192.168.177.0/24 -o eth0:0 -m policy --dir 
out --pol ipsec --reqid 16385 --proto esp -j ACCEPT 
 COMMIT
-# Completed on Sun Feb 13 20:53:08 2011
+# Completed on Sun Feb 13 21:08:03 2011
 
 
 # ipsec.conf - strongSwan IPsec configuration file
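Review bot: Both added FORWARD rules match on `-i eth0:0` / `-o eth0:0`, but eth0:0 is only the label of the secondary address on device eth0 (ip -4 a shows it as `secondary eth0:0` under `2: eth0`), and interface matches work on the real device name, so these rules presumably never match; iptables itself warns that alias names are not usable in -i/-o. It looks like the updown script took the address label as the interface of the left address. They are also FORWARD-only, whereas traffic to 192.168.176.1 on dummy0 is delivered locally through INPUT, which is why the hand-made INPUT rule removed in the previous hunk was needed. A fix that keeps leftfirewall=yes would be a custom `leftupdown=` script that uses `eth0` and also installs the INPUT/OUTPUT counterpart; otherwise leave leftfirewall off and keep the rules in the firewall script.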
@@ -82,7 +83,7 @@
 conn frankfurt-giessen
     left=xxx.xxx.xxx.102
     leftsubnet=192.168.176.0/24
-    #leftfirewall=yes
+    leftfirewall=yes
     #
     ike=aes128-sha-modp1024
     esp=aes128-sha1