Hi,

many thanks for the help. From 3.3.3.123 I can ping now into the subnet.
What has to be done to connect all hosts from 3.3.3.0/24 <-> 10.0.1.0/24 ?
I've enabled ip forwarding at 3.3.3.123 and tried it on another host, setting
a static route for the network 10.0.1.0 pointing to 3.3.3.123. traceroute
shows that all packages are reaching the "router", but they seem not to be
routed ...

Any idea ?

Bye, Peer

On 06.06.2012 17:53, Andreas Steffen wrote:

Oops, I forgot to add the nat table:

iptables -t nat -A POSTROUTING -s 10.0.1.0/22 -o eth0 -m policy \
    --dir out --pol ipsec --proto esp -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.0.1.0/22 -o eth0 -j MASQUERADE

Andreas

On 06/06/2012 05:37 PM, Andreas Steffen wrote:

Hi,

a normal net2net connection should do the trick:

http://www.strongswan.org/uml/testresults/ikev2/net2net-cert/

with

left=3.3.3.123
leftsubnet=3.3.3.0/22
right=2.2.2.2
rightsubnet=10.0.1.0/24

Just make sure that in the 10.0.1.0/24 network there is a route to the
3.3.3.0/22 net via the [default] gateway 10.0.1.1 and in the 3.3.3.0/22
network a route exists which directs traffic for the 10.0.1.0/24 network
to 3.3.3.123.

If gateway 2.2.2.2 is NAT-ing traffic from the 10.10.1.0/24 network towards
the Internet then you must exempt the traffic to be tunneled from the NAT
rule by inserting an IPsec policy rule into your firewall:

iptables -A POSTROUTING -s 10.0.1.0/22 -o eth0 -m policy \
    --dir out --pol ipsec --proto esp -j ACCEPT
iptables -A POSTROUTING -s 10.0.1.0/22 -o eth0 -j MASQUERADE

assuming the 2.2.2.2 is eth0.

Best regards

Andreas

On 06/06/2012 02:41 PM, Dr. Peer-Joachim Koch wrote:

Hi,

I'm trying to find out how to build something like a side2side connection
using strongswan. We have an external host with a private subnet
(10.0.1.0/24). This subnet should be visible from the gw host and all hosts
within the subnet of the gw host. Here is an overview:

external host   10.0.1.0/24 - 10.01.1     2.2.2.2
gw host         3.3.3.0/22  - 3.3.3.123

So how can I make the external network accessible from our network ? I did
not find any example (or did not look at the right place ..). The host-host
connection is working fine, but a ping into the external network does not
reach the destination, although it can be seen in the log of the external
host. Therefore the routing (in both directions) seems to be the problem.

Any help would be welcome!

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
--
Kind regards
Peer-Joachim Koch
_________________________________________________________
Max-Planck-Institut fuer Biogeochemie
Dr. Peer-Joachim Koch
Hans-Knöll Str. 10          Telefon: ++49 3641 57-6705
D-07745 Jena                Telefax: ++49 3641 57-7705
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
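The gateway-side steps Andreas describes, collected into one script as an added example (not code from the thread or from strongSwan), written from the 3.3.3.123 gateway's point of view. Assumptions: the Internet-facing interface is eth0, DRY_RUN=1 prints the commands instead of executing them, and the certificate and peer identity in the conn stanza are placeholders.

```shell
#!/bin/sh
# Added example (constructed, not from the thread): forwarding, NAT exemption,
# LAN-host route and the net2net conn for the 3.3.3.123 gateway ("left").
# Assumptions: WAN interface eth0; DRY_RUN=1 prints instead of executing.
LOCAL_GW=3.3.3.123;  LOCAL_NET=3.3.3.0/22
REMOTE_GW=2.2.2.2;   REMOTE_NET=10.0.1.0/24
WAN_IF=eth0

run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# The gateway must forward between its LAN and the tunnel.
enable_forwarding() { run sysctl -w net.ipv4.ip_forward=1; }

# If this gateway masquerades LAN traffic, tunnelled packets are exempted
# first: both rules live in the nat table, policy match before MASQUERADE.
nat_rules() {
  run iptables -t nat -A POSTROUTING -s "$LOCAL_NET" -o "$WAN_IF" \
      -m policy --dir out --pol ipsec --proto esp -j ACCEPT
  run iptables -t nat -A POSTROUTING -s "$LOCAL_NET" -o "$WAN_IF" -j MASQUERADE
}

# On every other host in LOCAL_NET (not on the gateway itself, where
# strongSwan installs its own routes): send REMOTE_NET via the gateway.
lan_host_route() { run ip route add "$REMOTE_NET" via "$LOCAL_GW"; }

# ipsec.conf stanza mirroring the net2net-cert example linked in the thread;
# leftcert and rightid are placeholders to replace with real values.
conn_stanza() {
  cat <<EOF
conn net2net
    keyexchange=ikev2
    left=$LOCAL_GW
    leftsubnet=$LOCAL_NET
    leftcert=LOCAL_CERT_PLACEHOLDER.pem
    right=$REMOTE_GW
    rightsubnet=$REMOTE_NET
    rightid="REMOTE_DN_PLACEHOLDER"
    auto=start
EOF
}

# Self-check: the IPsec exemption must be listed before the MASQUERADE rule.
nat_order_ok() {
  out=$(DRY_RUN=1; nat_rules)
  printf '%s\n' "$out" | sed -n 1p | grep -q -- '--pol ipsec' &&
    printf '%s\n' "$out" | sed -n 2p | grep -q MASQUERADE
}

if [ "${1:-}" = apply ]; then enable_forwarding; nat_rules; fi
```

Run with `DRY_RUN=1 sh script.sh apply` to review the commands before applying them; `lan_host_route` is for the other hosts in 3.3.3.0/22, and `conn_stanza` is appended to ipsec.conf on the gateway.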
