Hi,

everything is working now. But there are two problems I do not understand:

1) I'll have to ping from 10.0.1.X one time into the other official net to start the tunnel. If I ping in the other direction nothing happens ....
2) After the tunnel is up I can ping (ssh, ...) into the 10.0.1.-net from all other computers (routing is working fine) - but only for 60 sec! Then it stopped - "destination unreachable" ...

Any idea?

Bye, Peer

On 06.06.2012 17:37, Andreas Steffen wrote:
> Hi,
>
> a normal net2net connection should do the trick:
>
>   http://www.strongswan.org/uml/testresults/ikev2/net2net-cert/
>
> with
>
>   left=3.3.3.123
>   leftsubnet=3.3.3.0/22
>   right=2.2.2.2
>   rightsubnet=10.0.1.0/24
>
> Just make sure that in the 10.0.1.0/24 network there is a route to the
> 3.3.3.0/22 net via the [default] gateway 10.0.1.1 and in the 3.3.3.0/22
> network a route exists which directs traffic for the 10.0.1.0/24 network
> to 3.3.3.123.
>
> If gateway 2.2.2.2 is NAT-ing traffic from the 10.10.1.0/24 network
> towards the Internet then you must exempt the traffic to be tunneled
> from the NAT rule by inserting an IPsec policy rule into your firewall:
>
>   iptables -t nat -A POSTROUTING -s 10.0.1.0/22 -o eth0 -m policy \
>            --dir out --pol ipsec --proto esp -j ACCEPT
>   iptables -t nat -A POSTROUTING -s 10.0.1.0/22 -o eth0 -j MASQUERADE
>
> assuming the 2.2.2.2 is eth0.
>
> Best regards
>
> Andreas
>
> On 06/06/2012 02:41 PM, Dr.Peer-Joachim Koch wrote:
>> Hi,
>>
>> I'm trying to find out how to build something like a side2side
>> connection using strongswan. We have an external host with a private
>> subnet (10.0.1.0/24). This subnet should be visible from the gw host
>> and all hosts within the subnet of gw host.
>>
>> Here is an overview
>>
>>   external host 10.0.1.0/24 - 10.01.1
>>                 2.2.2.2
>>   gw host       3.3.3.0/22 - 3.3.3.123
>>
>> So how can I make the external network accessible from our network?
>> I did not find any example (or did not look at the right place ..).
>>
>> The host-host connection is working fine, but a ping into the external
>> network does not reach the destination, but can be seen in the log of
>> the external host. Therefore the routing (in both directions) seems to
>> be the problem.
>>
>> Any help would be welcome!
>
> ======================================================================
> Andreas Steffen [email protected]
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==

--
Kind regards
Peer-Joachim Koch
_________________________________________________________
Max-Planck-Institut fuer Biogeochemie
Dr. Peer-Joachim Koch
Hans-Knöll Str.10 Phone: ++49 3641 57-6705
D-07745 Jena Fax: ++49 3641 57-7705
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
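
The NAT exemption quoted in this thread only works if the IPsec policy ACCEPT rule sits before the MASQUERADE rule, because POSTROUTING is evaluated top-down. The following is an added example, not part of the thread: a shell check over `iptables-save -t nat` output, where the function name `check_nat_exempt` and the three sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# Reads `iptables-save -t nat` output on stdin and reports whether POSTROUTING
# exempts IPsec-protected traffic before it reaches a source-NAT rule.
# Simplification (assumption): only rule order is checked, not whether the
# -s/-o selectors of the two rules cover the same traffic.
check_nat_exempt() {
    awk '
        /^-A POSTROUTING / {
            # Exemption: outbound IPsec policy match that ends in ACCEPT.
            if ($0 ~ /-m policy/ && $0 ~ /--dir out/ && $0 ~ /--pol ipsec/ && $0 ~ /-j ACCEPT/) {
                if (!exempt_at) exempt_at = NR
            }
            # Source NAT: the first MASQUERADE or SNAT rule in the chain.
            if ($0 ~ /-j (MASQUERADE|SNAT)/) {
                if (!nat_at) nat_at = NR
            }
        }
        END {
            if (!nat_at)                  print "no-nat"      # nothing to exempt
            else if (!exempt_at)          print "missing"     # tunnel traffic gets NATed
            else if (exempt_at > nat_at)  print "misordered"  # exemption is never reached
            else                          print "ok"
        }'
}

# Constructed sample rulesets, using the subnet and interface from the thread.
GOOD_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.1.0/24 -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A POSTROUTING -s 10.0.1.0/24 -o eth0 -j MASQUERADE
COMMIT'

MISORDERED_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.1.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.0.1.0/24 -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
COMMIT'

MISSING_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.1.0/24 -o eth0 -j MASQUERADE
COMMIT'

printf 'good:       %s\n' "$(printf '%s\n' "$GOOD_RULES" | check_nat_exempt)"
printf 'misordered: %s\n' "$(printf '%s\n' "$MISORDERED_RULES" | check_nat_exempt)"
printf 'missing:    %s\n' "$(printf '%s\n' "$MISSING_RULES" | check_nat_exempt)"
```

On a live gateway the same function can be fed with `iptables-save -t nat | check_nat_exempt`.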
