Strongswan (v5.0.4) is running on my gateway. Tcpdump is clearly showing the packets making their way to the client (on my wan and lan), though I do not see anything coming back in return. I don't think the packets are being filtered on the way to the client device or back; I connected the device to my wifi network and experience the same issues. I currently have the following firewall rules enabled:
iptables -I INPUT -p udp --dport 500 -j ACCEPT
iptables -I INPUT -p udp --dport 4500 -j ACCEPT

When the tunnel comes up, two more entries are added:

ACCEPT all -- 10.10.10.1 67.215.65.0/24 policy match dir in pol ipsec reqid 1 proto ipv6-crypt
ACCEPT all -- 67.215.65.0/24 10.10.10.1 policy match dir out pol ipsec reqid 1 proto ipv6-crypt

Why did strongswan insert these rules and what do they mean? Neither my client device nor my strongswan server is on the 67.215.65.0/24 ip range. I have no idea where strongswan is getting this 67.xxx network range. Is this correct?

> Subject: Re: [strongSwan] FW: ikev2 vpn using PKI auth with a Blackberry Z10
> From: mar...@strongswan.org
> To: gawd0...@hotmail.com
> CC: users@lists.strongswan.org
> Date: Mon, 16 Sep 2013 09:46:05 +0200
>
> Hi,
>
> > client device (24.114.94.100) connect to the server (99.234.220.200,
> > LAN ip-192.168.16.50) via public key authentication, and to have access
> > to the LAN (192.168.16.0/24) behind the server. [...] I cannot ping
> > between the host and client, or reach the subnet behind the host.
> > There are no errors when connecting, and I am issued a virtual ip
> > (10.10.10.1):
>
> I assume that the VPN client has a route to the host you ping. But does
> the host in your LAN have a route to the client, i.e. does it know where
> 10.10.10.1 is?
>
> If the IPsec gateway is not your default gateway, you'll have to install
> a route on each LAN host for the 10.10.10.0/24 subnet.
>
> Alternatively you might consider assigning unused addresses from
> 192.168.16.0/24 to the clients, statically or using the dhcp plugin.
> Then the farp plugin on your IPsec gateway could take care of responding
> to ARP responses on behalf of the IPsec clients.
>
> If that all does not help, you should run a network sniffer to see where
> your pings get lost. Also, make sure IP forwarding is enabled on the
> IPsec gateway.
>
> Regards
> Martin
>
> [1] http://wiki.strongswan.org/projects/strongswan/wiki/FARPPlugin
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
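The two ACCEPT entries in the question are the abbreviated `iptables -L` display of policy-match rules, and Martin's reply lists the routing and forwarding checks. The following added example (not from the thread and not strongSwan's own code) spells both out; it assumes the entries come from strongSwan's `_updown` script with `leftfirewall=yes`, that the chain is FORWARD (the listing does not show it), and that 67.215.65.0/24 plays the role of the local traffic selector in those rules. Every function only prints the command it describes.

```shell
#!/bin/sh
# Added example, not code from the thread or from strongSwan itself.
# Assumption: the two ACCEPT entries quoted above are the abbreviated
# "iptables -L" view of policy-match rules installed by strongSwan's
# _updown script (leftfirewall=yes); the chain is a parameter because the
# listing does not show it. Functions print commands, they never run them.

# policy_rule DIR SRC DST REQID [CHAIN] -> one iptables command.
# "policy match dir in pol ipsec reqid 1 proto ipv6-crypt" in the listing
# abbreviates "-m policy --dir in --pol ipsec --reqid 1 --proto esp";
# ipv6-crypt is the /etc/protocols name for IP protocol 50 (ESP) that
# some iptables builds print instead of esp.
policy_rule() {
    chain=${5:-FORWARD}
    printf 'iptables -I %s -s %s -d %s -m policy --dir %s --pol ipsec --reqid %s --proto esp -j ACCEPT\n' \
        "$chain" "$2" "$3" "$1" "$4"
}

# tunnel_rules CLIENT_IP LOCAL_TS REQID -> the in/out pair for one CHILD_SA:
# inbound from the client's virtual IP to the local traffic selector and
# outbound the other way round; both match only traffic that was, or will
# be, ESP-protected under that reqid, so plaintext on those addresses is
# not accepted by these rules.
tunnel_rules() {
    policy_rule in  "$1" "$2" "$3"
    policy_rule out "$2" "$1" "$3"
}

# forwarding_enabled [FILE] -> true when IPv4 forwarding is on.
# FILE defaults to the kernel sysctl node; a test may pass another path.
forwarding_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ "$(cat "$f" 2>/dev/null)" = "1" ]
}

# lan_route VPN_SUBNET GATEWAY_LAN_IP -> the route each LAN host needs when
# the IPsec gateway is not its default gateway (Martin's first suggestion).
lan_route() {
    printf 'ip route add %s via %s\n' "$1" "$2"
}

# Values taken from the thread: virtual IP 10.10.10.1, the 67.215.65.0/24
# selector, reqid 1, and the gateway's LAN address 192.168.16.50.
echo "# long form of the two ACCEPT entries:"
tunnel_rules 10.10.10.1 67.215.65.0/24 1
echo "# on each LAN host whose default gateway is not the IPsec gateway:"
lan_route 10.10.10.0/24 192.168.16.50
if forwarding_enabled; then echo "# ip_forward=1 on this host"
else echo "# ip_forward is not enabled here (sysctl -w net.ipv4.ip_forward=1)"; fi
```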