Boy, do I feel silly. I forgot to enable net.ipv4.ip_forward. I'm still seeing packets sent over eth0, however, but at least I'm also seeing ICMP request/replies over eth1.

Anyone know how I can stop the packets being sent over eth0? If not no big deal I guess. Thanks all.

----------------------
Brandon Gavino
(623) 297 - 4097

On Wed, Oct 31, 2012 at 3:29 PM, Brandon Gavino <[email protected]> wrote:
> Hi,
>
> I've been trying for the past few days to figure out this issue, it is
> driving me mad!
>
> I'm able to ping the StrongSwan internal IP address just fine from the
> client, however, pings go unanswered to the clients on the subnet fronted
> by the VPN server.
>
> Interestingly, the pings are visible on the WAN interface (eth0) via
> Wireshark, but are not passed through the internal interface (eth1). Config
> is below; let me know if you need more information. What am I doing wrong??
>
> Thank you in advance,
> Brandon
>
> Here's my config:
>
> ipsec.conf
> --
> config setup
>     #for ikev2
>     #plutostart=no
>     #plutodebug="all"
>     charondebug="dmn 4, mgr 4, ike 2, chd 4, job 4, cfg 3, knl 4, net 2, enc 1, lib 4"
>     #charonstart=no
>     #nat_traversal=yes
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>
> conn ikev1_psk
>     left=192.168.10.196
>     leftsubnet=192.168.20.0/24
>     leftsourceip=192.168.20.246
>     right=%any
>     rightsourceip=192.168.20.50/24
>     leftfirewall=yes
>     lefthostaccess=yes
>     rightauth=psk
>     leftauth=psk
>     rightauth2=xauth
>     auto=add
>
> strongswan.conf
> --
> # strongswan.conf - strongSwan configuration file
>
> charon {
>
>     # number of worker threads in charon
>     threads = 16
>
>     # send strongswan vendor ID?
>     # send_vendor_id = yes
>
>     #Allow ikeV1 PSK aggressive
>     i_dont_care_about_security_and_use_aggressive_mode_psk = yes
>
>     plugins {
>
>         #sql {
>             # loglevel to log into sql database
>             #loglevel = -1
>
>             # URI to the database
>             # database = sqlite:///path/to/file.db
>             # database = mysql://user:password@localhost/database
>         #}
>     }
>
>     # ...
> }
>
> pluto {
>
> }
>
> libstrongswan {
>
>     # set to no, the DH exponent size is optimized
>     # dh_exponent_ansi_x9_42 = no
> }
>
> iptables -L -v
> --
> Chain INPUT (policy ACCEPT 425 packets, 29037 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  eth0   any     192.168.20.51        192.168.20.0/24      policy match dir in pol ipsec reqid 1 proto esp
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  eth0   any     192.168.20.51        192.168.20.0/24      policy match dir in pol ipsec reqid 1 proto esp
>     0     0 ACCEPT     all  --  any    eth0    192.168.20.0/24      192.168.20.51        policy match dir out pol ipsec reqid 1 proto esp
>
> Chain OUTPUT (policy ACCEPT 600 packets, 426K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  any    eth0    192.168.20.0/24      192.168.20.51        policy match dir out pol ipsec reqid 1 proto esp
>
> iptables -t nat -L -v
> --
> Chain PREROUTING (policy ACCEPT 1804 packets, 178K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain INPUT (policy ACCEPT 257 packets, 52969 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 46 packets, 4187 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain POSTROUTING (policy ACCEPT 39 packets, 3701 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   121 11302 MASQUERADE all  --  any    eth1    192.168.20.0/24      anywhere
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
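A pair of offline checks for the kind of setup in this thread, added here as an example and not code posted by Brandon or shipped with strongSwan: it parses a constructed copy of the quoted conn section and a constructed sysctl line, flags net.ipv4.ip_forward=0 (the fix he found), and warns when rightsourceip lies inside leftsubnet, because a virtual-IP pool carved out of the protected LAN needs the gateway to answer ARP for the clients (strongSwan's farp plugin). The function names and sample inputs are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Offline sanity checks for an IPsec
# gateway like the one above: is the kernel forwarding, and does the virtual IP
# pool sit inside leftsubnet (which needs the gateway to answer ARP for the
# clients, i.e. strongSwan's farp plugin). All sample inputs are constructed.
# Constructed copies of the quoted conn section and of `sysctl net.ipv4.ip_forward`.
SAMPLE_CONF='conn ikev1_psk
    leftsubnet=192.168.20.0/24
    rightsourceip=192.168.20.50/24
    leftfirewall=yes'
SAMPLE_SYSCTL='net.ipv4.ip_forward = 0'

# conf_value CONF KEY -> prints the first value assigned to KEY in CONF
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=//p" | head -n 1
}

# ip2int A.B.C.D -> prints the dotted quad as an unsigned integer
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_subnet ADDR NET/PREFIX -> 0 if ADDR lies inside NET/PREFIX, 1 otherwise
in_subnet() {
    addr=$(ip2int "$1"); net=$(ip2int "${2%/*}"); hostbits=$((32 - ${2#*/}))
    size=1; i=0                      # size = 2^hostbits, computed without shifts
    while [ "$i" -lt "$hostbits" ]; do size=$((size * 2)); i=$((i + 1)); done
    [ $((addr / size)) -eq $((net / size)) ]   # same network part -> same subnet
}

# ip_forward_enabled SYSCTL_LINE -> 0 if net.ipv4.ip_forward is 1, 1 otherwise
ip_forward_enabled() {
    case "$1" in *'= 1'|*'=1') return 0 ;; *) return 1 ;; esac
}

# audit_gateway CONF SYSCTL_LINE -> prints findings, returns the number of problems
audit_gateway() {
    problems=0
    if ip_forward_enabled "$2"; then echo "ok: net.ipv4.ip_forward=1"
    else echo "FAIL: net.ipv4.ip_forward=0, decrypted packets are never forwarded to eth1"; problems=$((problems + 1)); fi
    pool=$(conf_value "$1" rightsourceip); lan=$(conf_value "$1" leftsubnet)
    if in_subnet "${pool%/*}" "$lan"; then
        echo "WARN: pool $pool lies inside leftsubnet $lan; load the farp plugin so the gateway answers ARP for clients"
        problems=$((problems + 1))
    else echo "ok: pool $pool is disjoint from leftsubnet $lan"; fi
    return $problems
}

audit_gateway "$SAMPLE_CONF" "$SAMPLE_SYSCTL" || :   # constructed input: 2 findings
```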
