Hello Volker,

We have 2 identical entries in the xfrm pol:

[root@frqx ~]# ip xfrm pol
src 192.168.3.0/24 dst 192.168.169.0/24
	dir in priority 1859
	tmpl src xx.xx.210.3 dst xx.xx.230.112
		proto esp reqid 56 mode tunnel
src 192.168.3.0/24 dst 192.168.169.0/24
	dir fwd priority 1859
	tmpl src xx.xx.210.3 dst xx.xx.230.112
		proto esp reqid 56 mode tunnel

> if you really disabled IPComp?

What can indicate if compression is disabled?

Does it make any difference to set up a specific network 192.168.3.0/24 or to leave a wildcard src 0.0.0.0/0?

Rgds,
Serge

> ----- Original Message -----
> From: Volker Rümelin
> Sent: 01/20/14 09:03 PM
> To: s s
> Subject: Re: [strongSwan] strongswan-5.1.x, NATed routing pb
>
> Hello Serge,
>
> >
> > conn academ.certs.locally.stored
> >     leftsubnet=192.168.169.0/24
> >     leftsendcert = never
> >     right=%any
> >     rightcert=peercerts/academ2034.hostCert.pem
> >     rightsendcert = never
> >     rightsubnet=192.168.3.0/24 //which way is better
> >     #rightsubnet=0.0.0.0/0 //for the network segment selector?
> >     keyexchange=ikev2
> >     mobike=yes
> >     compress=no
> >     auto=add
> >
> >
> > It would be great again if you notice anything specific about the current
> > setup to resolve the NATed access problem.
>
> Can you check with
>
> [root@frqx ~]# ip xfrm pol
>
> if you really disabled IPComp? If I remember correctly sometimes it's
> necessary to remove compress=yes from conn %default.
>
> Regards,
> Volker
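
The check Volker suggests, as an added example that is not part of the original thread: in `ip xfrm policy` output an IPComp transform shows up as a template with `proto comp`, so a policy whose templates are all `proto esp` carries no compression. The function name, the sample layout and the placeholder gateway addresses below are constructed for illustration.

```shell
#!/bin/sh
# Added example: read `ip xfrm policy` output on stdin and print every policy
# whose template stack contains an IPComp transform ("proto comp").

xfrm_comp_policies() {
    awk '
        function emit() {
            if (sel != "" && comp) print sel " dir " dir
            sel = ""; dir = "?"; comp = 0
        }
        # An unindented "src ..." line is a selector and starts a new policy;
        # the "tmpl src ..." lines that follow are indented and do not match.
        /^src / { emit(); sel = $1 " " $2 " " $3 " " $4; next }
        {
            for (i = 1; i < NF; i++) {
                if ($i == "dir") dir = $(i + 1)
                if ($i == "proto" && $(i + 1) == "comp") comp = 1
            }
        }
        END { emit() }
    '
}

# Constructed sample: ESP-only policy with the selector from the thread
# (gateway addresses are documentation placeholders).
sample_esp_only() {
cat <<'EOF'
src 192.168.3.0/24 dst 192.168.169.0/24
    dir in priority 1859
    tmpl src 192.0.2.3 dst 198.51.100.112
        proto esp reqid 56 mode tunnel
EOF
}

# Constructed sample: the same selector with IPComp negotiated; the
# compression template sits in front of the ESP one (layout assumed).
sample_with_comp() {
cat <<'EOF'
src 192.168.3.0/24 dst 192.168.169.0/24
    dir in priority 1859
    tmpl src 192.0.2.3 dst 198.51.100.112
        proto comp reqid 56 mode tunnel
        level use
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 56 mode transport
EOF
}

# On a live gateway (as root): ip xfrm policy | xfrm_comp_policies
sample_with_comp | xfrm_comp_policies
```

Empty output means no installed policy references IPComp.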