I have a pretty simple setup, with a private OpenVZ CentOS guest acting as my VPN server and a Windows 8 laptop behind NAT as my roadwarrior.
Strongswan is configured according to: http://wiki.strongswan.org/projects/strongswan/wiki/Win7EapMultipleConfig

OpenVZ machine has 3 major interfaces:

    venet0   - 127.0.0.1
    venet0:0 - VPN_PUBLIC_IP
    venet0:1 - VPN_PRIVATE_IP

During testing, I flush my firewall and add:

    iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -m policy --dir out --pol ipsec -j ACCEPT
    iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -j SNAT --to-source VPN_PUBLIC_IP
    sysctl -w net.ipv4.ip_forward=1

I can establish the VPN connection fine, and I can ping VPN_PUBLIC_IP and VPN_PRIVATE_IP from roadwarrior. However my outbound data to the Internet... the SNAT works, but I never get a reply.

tcpdump of ping request launched by VPN server:

    03:28:20.655767 IP VPN_PUBLIC_IP > 198.41.191.47: ICMP echo request, id 31238, seq 1, length 64
    03:28:20.657101 IP 198.41.191.47 > VPN_PUBLIC_IP: ICMP echo reply, id 31238, seq 1, length 64
    03:28:21.656533 IP VPN_PUBLIC_IP > 198.41.191.47: ICMP echo request, id 31238, seq 2, length 64
    03:28:21.657896 IP 198.41.191.47 > VPN_PUBLIC_IP: ICMP echo reply, id 31238, seq 2, length 64

tcpdump of ping request launched by roadwarrior:

    03:29:32.581933 IP 10.0.0.1 > 198.41.191.47: ICMP echo request, id 1, seq 79, length 40
    03:29:32.582033 IP VPN_PUBLIC_IP > 198.41.191.47: ICMP echo request, id 1, seq 79, length 40
    03:29:37.241501 IP 10.0.0.1 > 198.41.191.47: ICMP echo request, id 1, seq 80, length 40
    03:29:37.241658 IP VPN_PUBLIC_IP > 198.41.191.47: ICMP echo request, id 1, seq 80, length 40

As you can see, the packet is rewritten, but I never get a reply. I do notice id/seq/length are different, but I am not savvy enough to tell what that means.

Can anyone give me any clues or insight as to what may be happening? It looks to me like either the re-written packet is never put onto the wire, or it is corrupted so the remote host does not reply, but again I'm in a little over my head.

-Patrick
