Hi Mark,

> I see the encrypted ICMP echo request come into the server, and then I
> see the server send out an ARP request for the other IP on its primary
> interface.

Do you have appropriate routes installed for these clients? If not disabled explicitly, charon should install these routes automatically for you. On Linux, these routes are in a dedicated routing table; you can print them using "ip route show table 220". Given that your Internet traffic works, most likely these routes are in place.

> leftcert=pw-hq.com.crt.x509.pem,pw-hq.com.crt-intermediate2.x509.pem,pw-hq.com.crt-intermediate1.x509.pem

While this might work, this is not the intended way to configure intermediate CA certificates. You should put them in ipsec.d/cacerts, and just reference your gateway certificate here.

> rightsubnet=10.10.0.0/16
> rightsourceip=10.10.128.0/17

Not sure how iOS handles this, but I don't think your rightsubnet is correct. Each connecting client has a single IP on its side, and not the full 10.10.0.0/16 subnet. Just omit the rightsubnet option to narrow it to the selected rightsourceip.

Regards
Martin

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
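The following ipsec.conf fragment is an added illustration of the three points in the reply above; it is constructed for this page and is not configuration from the original thread or from the strongSwan project. The conn names and the /etc/ipsec.d paths are assumptions (that is where strongSwan looks with its default install prefix on Linux; a relative leftcert value is resolved against ipsec.d/certs); the file names and subnet values are the ones quoted in the thread.

```ini
# Constructed example: the quoted configuration beside the corrected form.

# --- Before: CA chain bundled into leftcert, rightsubnet covers the whole /16 ---
conn ios-before
    leftcert=pw-hq.com.crt.x509.pem,pw-hq.com.crt-intermediate2.x509.pem,pw-hq.com.crt-intermediate1.x509.pem
    rightsubnet=10.10.0.0/16
    rightsourceip=10.10.128.0/17

# --- After ---
# Intermediate CA certificates are copied out of leftcert and into the CA
# certificate directory, where charon loads them on start-up:
#   /etc/ipsec.d/cacerts/pw-hq.com.crt-intermediate1.x509.pem
#   /etc/ipsec.d/cacerts/pw-hq.com.crt-intermediate2.x509.pem
# leftcert then names only the gateway's own end-entity certificate, which
# lives in /etc/ipsec.d/certs/ (assumed path).
conn ios-after
    leftcert=pw-hq.com.crt.x509.pem
    # rightsubnet is omitted on purpose: each client gets a single address
    # from the rightsourceip pool, and the traffic selector is narrowed to
    # that one address rather than to all of 10.10.0.0/16.
    rightsourceip=10.10.128.0/17
```

After reloading the configuration and letting an iOS client reconnect, the first check Martin asks for is the route that charon installs for that client's assigned virtual IP: on Linux, "ip route show table 220" should list an entry for the address handed out from 10.10.128.0/17. If that entry is absent, the ARP request seen for the other address on the primary interface is consistent with the kernel falling back to the main table, which is the symptom described at the top of the thread.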
