Hi Tobias,

I changed the forwarding of 500/4500 to UDP only and deleted the ESP entry, though 
that shouldn't have hurt.

> To avoid conflicts you should probably add -s. If you capture traffic
> on the server do you see packets getting natted properly?

It doesn't look like anything is going through after the connection 
succeeds... I removed the old -t nat FORWARD rules and added them again with -s:
$ iptables -t nat -A POSTROUTING -s 172.20.1.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
$ iptables -t nat -A POSTROUTING -s 172.20.1.0/24 -o eth0 -j MASQUERADE

In /var/log/messages I see the connect and disconnect of the client:
May  6 17:06:59 localuser vpn: + 10.145.250.41 172.20.1.1/32 == XXX.XXX.210.187 -- 192.168.0.3 == 0.0.0.0/0
May  6 17:07:59 localuser vpn: + 10.145.250.41 172.20.1.1/32 == XXX.XXX.210.187 -- 192.168.0.3 == 0.0.0.0/0

Before connecting:
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1 packets, 60 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1 packets, 60 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    eth0    172.20.1.0/24        anywhere    
         policy match dir out pol ipsec
    0     0 MASQUERADE  all  --  any    eth0    172.20.1.0/24        anywhere


After trying to open some local addresses (192.168.0.x) on the client device:
Chain PREROUTING (policy ACCEPT 1 packets, 52 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 1 packets, 52 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 5 packets, 340 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 5 packets, 340 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    eth0    172.20.1.0/24        anywhere    
         policy match dir out pol ipsec
    0     0 MASQUERADE  all  --  any    eth0    172.20.1.0/24        anywhere

There was zero traffic on the FORWARD rules created by leftfirewall=yes as well...

I'm not sure whether I followed the steps on CorrectTrafficDump correctly and there 
simply was nothing to see, or whether I did something wrong, but I didn't see any 
throughput there either.

The weird thing is, I can connect via PPTP (using PopTop) to the same machine 
and browse the internet through the tunnel (I didn't do any special configuration 
there). However, I'd rather use StrongSwan IKEv2 instead of PopTop PPTP. (Stopping 
PopTop didn't make StrongSwan work.)

Thanks,
Arne
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
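The NAT rule set under discussion, written out as an added example; this is not code from the post above or from the strongSwan project. It emits the POSTROUTING/FORWARD rules that the strongSwan wiki page ForwardingAndSplitTunneling recommends for a road-warrior pool (the two POSTROUTING rules are the ones Arne posted, the FORWARD rules and the ip_forward sysctl are what the wiki adds), and it reads an `iptables -t nat -L POSTROUTING -v -n -x` listing to tell whether either rule has ever matched a packet. The pool 172.20.1.0/24 and the uplink eth0 are taken from the post; the helper names (`vpn_rules`, `apply_vpn_rules`, `pkts_for_target`, `nat_diagnosis`), the verdict strings and the sample listing are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original thread or the strongSwan project.
# Emits the rule set the strongSwan wiki (ForwardingAndSplitTunneling) recommends
# for a road-warrior pool and evaluates `iptables -t nat -L POSTROUTING -v -n -x`
# counters. Assumed values: pool 172.20.1.0/24, uplink eth0 (overridable via env).

POOL="${POOL:-172.20.1.0/24}"
WAN="${WAN:-eth0}"

# Rule order matters: the policy-match ACCEPT must precede MASQUERADE, otherwise
# client packets headed back into an IPsec tunnel (client-to-client or to a
# site-to-site peer) get their source rewritten and no longer match their SA.
vpn_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $POOL -o $WAN -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -s $POOL -o $WAN -j MASQUERADE
iptables -A FORWARD -m policy --dir in --pol ipsec --proto esp -s $POOL -j ACCEPT
iptables -A FORWARD -m policy --dir out --pol ipsec --proto esp -d $POOL -j ACCEPT
EOF
}

# apply_vpn_rules            runs the commands (needs root)
# apply_vpn_rules --dry-run  only prints them
apply_vpn_rules() {
    vpn_rules | while IFS= read -r cmd; do
        if [ "$1" = "--dry-run" ]; then printf '%s\n' "$cmd"; else eval "$cmd"; fi
    done
}

# Sum of the pkts column for one target in a `-L POSTROUTING -v -n -x` listing read
# from stdin. Only rule lines start with a number, so the chain header and the
# column header are skipped; -x keeps counters exact instead of "12K".
pkts_for_target() {
    awk -v target="$1" '$1 ~ /^[0-9]+$/ && $3 == target { n += $1 } END { print n + 0 }'
}

# Verdict from the two counters (hypothetical labels): both zero means no decrypted
# client packet reached POSTROUTING at all (check ip_forward and the FORWARD chain
# first); MASQUERADE counting means client traffic is leaving for the Internet;
# only ACCEPT counting means it went back into a tunnel instead.
nat_diagnosis() {
    listing=$(cat)
    accept=$(printf '%s\n' "$listing" | pkts_for_target ACCEPT)
    masq=$(printf '%s\n' "$listing" | pkts_for_target MASQUERADE)
    if [ "$accept" -eq 0 ] && [ "$masq" -eq 0 ]; then
        echo no-traffic
    elif [ "$masq" -gt 0 ]; then
        echo masquerading
    else
        echo tunnel-to-tunnel-only
    fi
}

# Constructed listing in the shape of `iptables -t nat -L POSTROUTING -v -n -x`
# after a client has browsed for a while (the listing in the post has 0 on both).
SAMPLE_LISTING='Chain POSTROUTING (policy ACCEPT 5 packets, 340 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     all  --  *      eth0    172.20.1.0/24        0.0.0.0/0            policy match dir out pol ipsec
      42       3528 MASQUERADE  all  --  *      eth0    172.20.1.0/24        0.0.0.0/0'

if [ "${1:-}" = "--demo" ]; then
    apply_vpn_rules --dry-run
    printf '%s\n' "$SAMPLE_LISTING" | nat_diagnosis
fi
```

Run it as `sh script.sh --demo` to print the rules and the verdict for the sample listing, or pipe a live `iptables -t nat -L POSTROUTING -v -n -x` into `nat_diagnosis` after a client has generated traffic. A `no-traffic` verdict, which is what the zero counters in the post correspond to, means the problem is upstream of NAT: the decrypted client packets are not being forwarded at all, so ip_forward and the FORWARD chain are the first places to look, not the POSTROUTING rules.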
