On 22.03.2017 at 16:05, Noel Kuntze wrote:
On 22.03.2017 15:37, Thomas Creutz wrote:
Works:
    ping from 192.168.0.254 -> 192.168.2.254
Doesn't work:
    ping from 192.168.0.254 -> 192.168.2.102 (example; the host firewall is open
for ICMP, and ping from the local router to the host works)

The statusall command also doesn't show me that the subnet is routed. And when I try to
"route" it I get this:
There are several problems.
1) The default firewall layout and the LuCI management don't work with policy-based
IPsec. You need to rework it manually and manage the rules manually.

OK, but the other tunnel (conn1 <> conn2) is working well in both directions (sorry, I forgot to mention it before). conn2new is working only in one direction, for example from 192.168.2.101 to 192.168.0.1, but not in the other direction.

Do you have any example of how it can be reworked?

2) The MASQUERADE or SNAT rules in the *nat table SNAT all the traffic. You
need to exempt IPsec-protected traffic from the SNAT/MASQUERADE rules. [1]

[1] 
https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#General-NAT-problems


I have this rule on both the conn2 and conn2new routers as a custom rule:

# skip NAT for traffic towards the remote (conn1) subnet
iptables -t nat -A postrouting_rule -d 192.168.0.0/24 -j ACCEPT

and these on the conn1 router:

# skip NAT for traffic towards the remote (conn2 / conn2new) subnets
iptables -t nat -A postrouting_rule -d 192.168.1.0/24 -j ACCEPT
iptables -t nat -A postrouting_rule -d 192.168.2.0/24 -j ACCEPT

So it seems to be the same, or am I still missing something?

Regards,
Thomas

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
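The following script is an added example and is not code from the thread or from the strongSwan project. It puts Noel's two points into working form for a Linux gateway running policy-based IPsec: the FORWARD chain must accept the decrypted traffic that enters and leaves the tunnel (the `-m policy --pol ipsec` match identifies it), and the NAT exemption must be evaluated before the MASQUERADE rule, otherwise the exemption never fires. The second function is the check a practitioner wants for a rule like Thomas's: fed the output of `iptables -t nat -S POSTROUTING`, it succeeds only when an ACCEPT for the remote subnet precedes MASQUERADE. The subnets follow the thread's addressing; the interface name, the sample rule listing and the use of the plain POSTROUTING chain (instead of OpenWrt's postrouting_rule, which is assumed to be jumped to before the zone's MASQUERADE rule) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the strongSwan project.
# Prints the iptables rules a policy-based strongSwan gateway needs next to a
# MASQUERADE setup; printing instead of applying lets the rules be reviewed
# (pipe the output into sh on the router to apply them).

# ipsec_rules LOCAL_SUBNET REMOTE_SUBNET [REMOTE_SUBNET ...]
ipsec_rules() {
    local_net=$1
    shift
    # IKE (500/udp), NAT-T (4500/udp) and ESP must reach the gateway itself.
    echo "iptables -A INPUT -p udp --dport 500 -j ACCEPT"
    echo "iptables -A INPUT -p udp --dport 4500 -j ACCEPT"
    echo "iptables -A INPUT -p esp -j ACCEPT"
    for remote_net in "$@"; do
        # Decrypted packets from the peer enter on the WAN interface and are
        # then forwarded into the LAN; a wan->lan REJECT policy drops them
        # unless the policy match lets them through.
        echo "iptables -A FORWARD -m policy --dir in --pol ipsec -s $remote_net -d $local_net -j ACCEPT"
        echo "iptables -A FORWARD -m policy --dir out --pol ipsec -s $local_net -d $remote_net -j ACCEPT"
        # NAT exemption: inserted at position 1 so it precedes MASQUERADE.
        echo "iptables -t nat -I POSTROUTING 1 -m policy --dir out --pol ipsec -s $local_net -d $remote_net -j ACCEPT"
    done
}

# nat_exemption_ok REMOTE_SUBNET < listing
# Reads 'iptables -t nat -S POSTROUTING' output on stdin and succeeds only if
# an ACCEPT for the remote subnet appears before the first MASQUERADE rule.
nat_exemption_ok() {
    net=$1
    while IFS= read -r rule; do
        case $rule in
            *"-d $net"*"-j ACCEPT"*) return 0 ;;
            *"-j MASQUERADE"*)       return 1 ;;
        esac
    done
    return 1
}

# Constructed sample listing (assumed interface eth1): exemption comes first,
# so the check passes. Swap the two -A lines and it fails.
SAMPLE_NAT_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -d 192.168.0.0/24 -j ACCEPT
-A POSTROUTING -o eth1 -j MASQUERADE'

ipsec_rules 192.168.1.0/24 192.168.0.0/24
if printf '%s\n' "$SAMPLE_NAT_RULES" | nat_exemption_ok 192.168.0.0/24; then
    echo "NAT exemption for 192.168.0.0/24 precedes MASQUERADE: ok"
else
    echo "NAT exemption for 192.168.0.0/24 is missing or after MASQUERADE"
fi
```

On a live router, run the check with `iptables -t nat -S POSTROUTING | nat_exemption_ok 192.168.0.0/24` (on OpenWrt, list the chain that actually carries the custom rules). Matching on `-m policy --pol ipsec` rather than on destination alone has the advantage that the exemption only applies while an IPsec policy is installed; if the tunnel is down, traffic to the remote subnet is NATed and sent out unprotected instead of leaking with a private source address, which is the behaviour the strongSwan wiki page cited above recommends.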
