I wish I could help you more Chris but it sounds like you are having the same 
problem I am and are stuck in the same spot.... I've asked for help on a number 
of different forums and this mailing list but no one seems willing or able to 
help :-\ If you do get it working please make sure to post what you did to fix 
it and I'll do the same if I get it working. 

~ Josiah s. Yeagley

-----Original Message-----
From: christopher kamutumwa [mailto:[email protected]] 
Sent: Friday, February 19, 2016 5:55 AM
To: Noel Kuntze <[email protected]>
Cc: [email protected]; Yeagley, Josiah (U.S. Person) 
<[email protected]>
Subject: Re: strongswan tunnel up but child subnets not pinging

Hello,
I have made all the changes, but the problem is still there; I need more help.
Changes made are below; attached are ipsec.conf, the message log, statusall output, the routing 
table and iptables.

IP forwarding enabled in /etc/sysctl.conf net.ipv4.ip_forward = 1

removed: That line is formatted wrong. "-diffie-hellman group 2" is invalid.

did this: Don't declare options multiple times in a conn section.

flushed routing table to default: strongSwan does the routing for you. Don't install routes yourself.


On 2/16/16, Noel Kuntze <[email protected]> wrote:
> On 16.02.2016 18:03, christopher kamutumwa wrote:
>> Hi, does this mean if I flush my iptables and routing tables 
>> strongswan will route and write firewall? And how can I tell that?
> No.
> strongSwan, by default, inserts routes into table 220 and uses policy 
> based routing to route the traffic to the remote side(s) into routing 
> table 220, where routes to the protected subnets are in.
>
> You seem to not have read the introduction[1] yet. Please read it.

added:
# exempt IPsec-policy traffic from NAT in both directions
iptables -t nat -I POSTROUTING -s 10.1.0.0/16 -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -t nat -I PREROUTING -s 10.2.0.0/16 -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
# allow ESP and IKE (500/udp, NAT-T 4500/udp) in
iptables -A input_rule -p esp -j ACCEPT
iptables -A input_rule -p udp --dport 500 -j ACCEPT
iptables -A input_rule -p udp --dport 4500 -j ACCEPT

But still no pings to and from the other side, though the IKE_SA has always been up. 
Please help.

Chris
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/IntroductionTostrongSwan
>
> (Second mail, first one was sent to Christopher only)
>
> --
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
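
The script below is an added example and is not part of this thread. It turns Noel's points (ip_forward, policy routing into table 220) and the NAT-exemption rule Christopher added into functions that can be checked against constructed command output offline, or run live with --live on the gateway; the subnets 10.1.0.0/16, 10.2.0.0/16 and interface eth0 are taken from Christopher's rules, while the next hop 192.0.2.1 and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not part of the thread: checks for the "IKE_SA up, child
# subnets not pinging" case. Each check_* function takes command output as
# text, so it can be run on constructed samples (below) or, via diagnose,
# on a live gateway. Subnets are assumed from Christopher's iptables rules.
LOCAL_NET="10.1.0.0/16"
REMOTE_NET="10.2.0.0/16"

# Forwarding must be on: strongSwan installs policies, the kernel forwards.
check_forwarding() {            # $1: output of `sysctl -n net.ipv4.ip_forward`
    [ "$1" = "1" ]
}

# strongSwan's policy routing: a rule that sends lookups into table 220 ...
check_rule_220() {              # $1: output of `ip rule show`
    printf '%s\n' "$1" | grep -q 'lookup 220'
}

# ... and a route for the remote subnet inside table 220.
check_route_220() {             # $1: output of `ip route show table 220`, $2: subnet
    printf '%s\n' "$1" | grep -q "^$2 "
}

# NAT exemption: an ACCEPT matching the outbound IPsec policy must come before
# any MASQUERADE/SNAT, otherwise the rewritten source address no longer matches
# the CHILD_SA traffic selectors and the packet leaves unencrypted or is dropped.
check_nat_exempt() {            # $1: output of `iptables -t nat -S POSTROUTING`
    printf '%s\n' "$1" | grep -q -- '-m policy --dir out --pol ipsec.*-j ACCEPT'
}

diagnose() {                    # run on the gateway: sh check.sh --live
    check_forwarding "$(sysctl -n net.ipv4.ip_forward)" || echo "FAIL: net.ipv4.ip_forward is 0"
    check_rule_220 "$(ip rule show)" || echo "FAIL: no 'lookup 220' rule (is the CHILD_SA up?)"
    check_route_220 "$(ip route show table 220)" "$REMOTE_NET" || echo "FAIL: no route to $REMOTE_NET in table 220"
    check_nat_exempt "$(iptables -t nat -S POSTROUTING)" || echo "WARN: no IPsec policy-match ACCEPT before NAT in POSTROUTING"
}

# Constructed sample output, as it would look on a correctly configured gateway.
SAMPLE_RULE='0:      from all lookup local
220:    from all lookup 220
32766:  from all lookup main'
SAMPLE_ROUTE220="$REMOTE_NET via 192.0.2.1 dev eth0 proto static src 10.1.0.1"
SAMPLE_NAT="-P POSTROUTING ACCEPT
-A POSTROUTING -s $LOCAL_NET -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE"

if [ "${1:-}" = "--live" ]; then diagnose; fi
```

On a gateway where the tunnel is up but nothing pings, a missing 'lookup 220' rule or an empty table 220 usually means the CHILD_SA was never established, while a NAT warning points at the MASQUERADE ordering.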

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
