We are struggling to get the AirPlay/Bonjour announcements forwarded to the roadwarriors and would kindly ask for advice on what is missing and preventing us from using AirPlay devices.
Roadwarrior-kids' iOS devices are managed and supervised by OS X Server. A profile with an always-on VPN setting to our StrongSwan server is pushed to all their devices, so even within the local LAN the kids' devices use the VPN connection. All HTTP traffic from the roadwarrior-kids through the VPN tunnel is forwarded to different ports on the local machine, on which the local Squid is listening. This is to enable logging of the kids' Internet traffic. This works well. Avahi is running on the StrongSwan machine to forward Bonjour announcements. AirPlay devices are unfortunately *not* announced to the roadwarriors' iOS devices on the VPN tunnel. Please help. Thank you very much.

Setup:

192.168.178.1    DSL modem router with firewall enabled; ports forwarded accordingly to the StrongSwan and MacMini machines
192.168.178.10   Raspberry Pi with vanilla Raspbian Jessie Lite running StrongSwan; only one interface (eth0) involved; avahi-daemon running with the reflector setting enabled; squid running as proxy without caching
192.168.178.3    MacMini running OS X Server with Open Directory, DNS, DHCP and Profile Manager enabled; myserver.mydomain.net is resolved by the MacMini to its own address 192.168.178.3 so devices on the LAN don't have to go through the DSL modem router
192.168.178.220  VPN IP address of roadwarrior-kid1

avahi-daemon.conf includes:

    domain-name=alocal
    enable-reflector=yes

ipsec.conf reads:

    config setup
        uniqueids = no

    conn %default
        keyexchange=ikev2
        ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes1$
        esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,ae$
        dpdaction=clear
        dpddelay=300s
        authby=pubkey
        left=%any
        leftsubnet=0.0.0.0/0
        leftcert=strongSwan-Cert.der
        leftsendcert=always
        leftid=myserver.mydomain.net
        leftfirewall=yes
        right=%any
        keyexchange=ikev2
        auto=add

    conn roadwarrior-kid1
        [email protected]
        rightsourceip=192.168.178.220
        rightdns=208.67.222.123,208.67.220.123

    conn roadwarrior-kid2
        ...

    conn roadwarrior-kid3
        ...
iptables -t nat -L

    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    REDIRECT   tcp  --  192.168.178.220      anywhere             tcp dpt:http redir ports 55220

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  192.168.178.220      anywhere             policy match dir out pol ipsec
    MASQUERADE all  --  192.168.178.220      anywhere

iptables -L

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  192.168.178.220      anywhere             policy match dir in pol ipsec reqid 189 proto esp
    ACCEPT     all  --  anywhere             192.168.178.220      policy match dir out pol ipsec reqid 189 proto esp

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
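The announcements the post is trying to get across the tunnel are mDNS PTR records for the _airplay._tcp.local service type. The following Python is an added example, not code from the post, strongSwan or Avahi: it builds such a query with the unicast-response (QU) bit set and parses the PTR answers, which lets one check from a roadwarrior device whether any AirPlay answer reaches it through the tunnel. The "Living Room" receiver in sample_response() is constructed for the test, not a real capture.

```python
import struct

MDNS_GROUP, MDNS_PORT, AIRPLAY = "224.0.0.251", 5353, "_airplay._tcp.local"

def encode_name(name):
    # DNS wire form: length-prefixed labels ending in a zero byte.
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_query(name=AIRPLAY, unicast_reply=True):
    # PTR question for the AirPlay service type. The QU bit (top bit of QCLASS)
    # asks responders to reply by unicast, which a tunnel-only client depends on.
    qclass = 0x0001 | (0x8000 if unicast_reply else 0)
    hdr = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)  # id, flags, qd, an, ns, ar
    return hdr + encode_name(name) + struct.pack("!HH", 12, qclass)

def decode_name(pkt, off):
    # Decode a possibly compressed name; return (name, offset just past the field).
    labels, end = [], None
    while pkt[off] != 0:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            end = end if end is not None else off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(pkt[off + 1:off + 1 + ln].decode())
        off += 1 + ln
    return ".".join(labels), (end if end is not None else off + 1)

def parse_ptr_answers(pkt):
    # Return (service_type, instance_name, ttl) for each PTR record in the answer section.
    qd, an = struct.unpack("!HH", pkt[4:8])
    off, found = 12, []
    for _ in range(qd):
        off = decode_name(pkt, off)[1] + 4
    for _ in range(an):
        name, off = decode_name(pkt, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 12:
            found.append((name, decode_name(pkt, off)[0], ttl))
        off += rdlen
    return found

def sample_response():
    # Constructed answer an AirPlay receiver might send (not a real capture).
    rdata = b"\x0bLiving Room\xc0\x0c"  # instance label, then pointer to the name at offset 12
    return (struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0) + encode_name(AIRPLAY)
            + struct.pack("!HHIH", 12, 0x8001, 4500, len(rdata)) + rdata)
```

Send build_query() to MDNS_GROUP:MDNS_PORT from a UDP socket on a roadwarrior device and, for comparison, from a LAN host, then pass each reply to parse_ptr_answers(). An empty result through the tunnel but a populated one on the LAN localises the problem to the tunnel path rather than to the receiver.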
