Hi Arne,

> My router has ports 500/4500 fwd to 192.168.0.3 (both TCP/UDP)

Only UDP is required.

> and the ESP protocol is bound to 192.168.0.3

Not needed as ESP will be UDP encapsulated and sent to port 4500 due to the NAT.

> I added the following nat POSTROUTING according to [1] (tried with -s
> 172.10.1.0/24 and now omitted the -s completely)

To avoid conflicts you should probably add -s. If you capture traffic on the server do you see packets getting natted properly?

> $ iptables -L -t nat

You can check the counters with -v to see if any of the rules matched.

> These are the FORWARD policies applied due to leftfirewall=yes
> (leftfirewall=no doesn't work either)

Since the policy of the FORWARD chain is set to ACCEPT the rules added via leftfirewall serve no purpose, so disabling it is fine as well (but you should see the counters increase if they are installed).

Can you reach the VPN server itself from the client (i.e. 192.168.0.3)? What about the router (192.168.0.1)? If not, what exactly happens with the packets (try tcpdump/wireshark, or [1])?

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/CorrectTrafficDump
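As an added illustration of the two checks Tobias suggests (look at the -v counters to see whether a POSTROUTING rule matched, and restrict the rule with -s), here is a small audit script that is not part of the thread or of strongSwan. It reads the output of `iptables -t nat -L POSTROUTING -v -n` and flags MASQUERADE/SNAT rules that never matched or that carry no source restriction; the listing embedded below is constructed, and the 172.10.1.0/24 pool and eth0 interface are assumptions taken from the thread.

```sh
#!/bin/sh
# Audit a `iptables -t nat -L POSTROUTING -v -n` listing (read from stdin).
# With -v the columns are: pkts bytes target prot opt in out source destination.
# Live use: iptables -t nat -L POSTROUTING -v -n | check_nat_rules
check_nat_rules() {
    awk '
    /^Chain / || /^ *pkts/ { next }   # chain header and column header
    NF == 0 { next }                  # blank separator lines
    {
        pkts = $1; target = $3; src = $8; dst = $9
        # Only NAT targets matter for the VPN pool question
        if (target != "MASQUERADE" && target != "SNAT") next
        flag = ""
        # Counter still at zero: no packet from the VPN pool hit this rule
        if (pkts == "0") flag = flag " NO_MATCH"
        # No -s given: the rule also NATs traffic it was never meant for
        if (src == "0.0.0.0/0") flag = flag " NO_SOURCE"
        if (flag == "") flag = " OK"
        print target " src=" src " dst=" dst " pkts=" pkts flag
    }'
}

# Constructed sample listing: first rule is the unrestricted one that
# never matched, second is the -s 172.10.1.0/24 variant with traffic.
NAT_LISTING='Chain POSTROUTING (policy ACCEPT 10 packets, 800 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
   42  3360 MASQUERADE  all  --  *      eth0    172.10.1.0/24        0.0.0.0/0'

printf '%s\n' "$NAT_LISTING" | check_nat_rules
```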
