Hi, Provide your nat rules in iptables/nftables (whatever you're using) or provide the complete rule set, as shown with `iptables-save`.
On 11.04.19 at 09:04, MOSES KARIUKI wrote:
> Hello Noel, Team,
>
> Any kind souls out there?
> Please assist with the below question.
>
>
> On Mon, Apr 8, 2019 at 3:22 PM MOSES KARIUKI <[email protected]> wrote:
>
>     Thanks a lot Noel. The connection is up and stable. Very helpful.
>     One more thing, the remote client is able to ping my private IP, but I am
>     unable to ping his private IP address. I have checked and my routes seem OK.
>     What do you suggest?
>
>     Below is my status:
>
>     sudo ipsec statusall
>     Status of IKE charon daemon (strongSwan 5.6.3, Linux 4.18.0-1008-gcp, x86_64):
>       uptime: 28 seconds, since Apr 08 12:14:39 2019
>       malloc: sbrk 1622016, mmap 0, used 629024, free 992992
>       worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
>       loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
>     Listening IP addresses:
>       10.138.0.4
>     Connections:
>         televida:  10.138.0.4...200.**.***.***  IKEv2, dpddelay=30s
>         televida:   local:  [35.1**.2**.***] uses pre-shared key authentication
>         televida:   remote: [200.**.***.***] uses pre-shared key authentication
>         televida:   child:  10.138.0.0/20 === 10.28.2.0/24 TUNNEL, dpdaction=clear
>     Security Associations (1 up, 0 connecting):
>         televida[1]: ESTABLISHED 23 seconds ago, 10.138.0.4[35.1**.2**.***]...200.**.***.***[200.**.***.***]
>         televida[1]: IKEv2 SPIs: 055627d3eb22222f_i 081a1b696be14ad2_r*, pre-shared key reauthentication in 23 hours
>         televida[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521
>         televida{2}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c5fb101f_i 82900426_o
>         televida{2}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 41 minutes
>         televida{2}:   10.138.0.4/32 === 10.28.2.0/24
>
>     kariukims@klick-001:~$ ping 10.28.2.9
>     PING 10.28.2.9 (10.28.2.9) 56(84) bytes of data.
>     ^C
>     --- 10.28.2.9 ping statistics ---
>     3 packets transmitted, 0 received, 100% packet loss, time 56ms
>
>
>     Kind regards,
>     Moses K
>
>     On Mon, Apr 8, 2019 at 3:09 PM MOSES KARIUKI <[email protected]> wrote:
>
>         Thanks a lot Noel. The connection is up and stable. Very helpful.
>         One more thing, the remote client is able to ping my private IP, but
>         I am unable to ping his private IP address. I have checked and my routes seem
>         OK. What do you suggest?
>
>         Kind regards,
>         Moses K
>
>
>         On Thu, Apr 4, 2019 at 9:50 PM Noel Kuntze <[email protected]> wrote:
>
>             Hi,
>
>             You configured "rightsourceip=10.10.10.0/24" but that's supposed to be a site-to-site connection.
>             Use rightsubnet instead.
>             rightsourceip is for assigning and requesting virtual IPs. The
>             best way for you would be to migrate to swanctl instead.
>             Its configuration format is a lot clearer.
>
>             Kind regards
>
>             Noel
>
>             On 02.04.19 at 11:27, MOSES KARIUKI wrote:
>             > Dear Tobias,
>             >
>             > :) :)
>             > I read the message. But I can't really interpret what setting
>             is needed to make it work. I have listed my current configuration. I am still
>             finding my way with Linux networking and Strongswan.
>             >
>             > Please assist. I will really appreciate and also offer to assist
>             others.
>             >
>             > regards,
>             > Moses
>             >
>             >
>             >
>             > On Tue, Apr 2, 2019 at 11:23 AM Tobias Brunner <[email protected]> wrote:
>             >
>             >     Hi Moses,
>             >
>             >     > Apr 1 20:57:58 klick-001 charon: 11[IKE] expected a virtual IP
>             >     > request, sending FAILED_CP_REQUIRED
>             >
>             >     I guess reading is hard. Or is that message (that you explicitly marked
>             >     in your email) really that unclear?
>             >
>             >     Regards,
>             >     Tobias
>             >
>             >
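Noel asks for the NAT rules because a source-NAT rule in the nat table's POSTROUTING chain that is hit before IPsec policy is applied will rewrite the source address of packets meant for the tunnel, so they no longer fit the traffic selectors of the installed CHILD_SA (here 10.138.0.4/32 === 10.28.2.0/24). The usual remedy is an `-m policy --dir out --pol ipsec -j ACCEPT` rule ahead of any MASQUERADE/SNAT. The following is an added example, not code from the thread or from strongSwan: it parses the `iptables-save` dump Noel requested and reports any SNAT/MASQUERADE rule that could catch tunnel traffic before such a bypass. Both rule sets and the interface name `ens4` are constructed for the demonstration; whether this is the cause of the poster's problem is not something the thread establishes.

```python
"""Check an iptables-save dump for NAT rules that would rewrite traffic bound for
an IPsec tunnel before the IPsec policy bypass rule.

Added example (not from the thread or strongSwan). The two dumps below are
constructed; the interface name ens4 is an assumption.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional

NAT_TARGETS = {"MASQUERADE", "SNAT", "NETMAP"}

# Constructed: a gateway that masquerades everything leaving ens4, with no bypass.
BROKEN_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.138.0.0/20 -o ens4 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

# Constructed: the same rule set with the IPsec bypass inserted ahead of the MASQUERADE.
FIXED_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.138.0.0/20 -o ens4 -j MASQUERADE
COMMIT
"""


@dataclass
class NatRule:
    raw: str
    chain: str = ""
    target: str = ""
    src: Optional[ipaddress.IPv4Network] = None
    src_negated: bool = False
    dst: Optional[ipaddress.IPv4Network] = None
    dst_negated: bool = False
    ipsec_out: bool = False  # True when "-m policy --dir out --pol ipsec" is present


def parse_rule(line: str) -> NatRule:
    """Parse the subset of iptables-save rule syntax relevant to NAT; other options are skipped."""
    rule = NatRule(raw=line)
    tokens = shlex.split(line)
    pol = direction = None
    negate = False
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "!":                      # negation applies to the next match option
            negate = True
            i += 1
            continue
        if tok == "-A":
            rule.chain = nxt
        elif tok in ("-s", "--source"):
            rule.src, rule.src_negated = ipaddress.ip_network(nxt, strict=False), negate
        elif tok in ("-d", "--destination"):
            rule.dst, rule.dst_negated = ipaddress.ip_network(nxt, strict=False), negate
        elif tok in ("-j", "--jump"):
            rule.target = nxt
        elif tok == "--pol":
            pol = nxt
        elif tok == "--dir":
            direction = nxt
        else:                               # -o, -m, --to-source, ...: skip one token at a time
            negate = False
            i += 1
            continue
        negate = False
        i += 2
    rule.ipsec_out = pol == "ipsec" and direction == "out"
    return rule


def postrouting_rules(dump: str) -> List[NatRule]:
    """Return the nat-table POSTROUTING rules in the order iptables evaluates them."""
    rules, table = [], None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif table == "nat" and line.startswith("-A POSTROUTING"):
            rules.append(parse_rule(line))
    return rules


def _may_match(rule: NatRule, local: ipaddress.IPv4Network, remote: ipaddress.IPv4Network) -> bool:
    """Could this rule match some packet flowing local -> remote? Interface matches are
    ignored, so a rule restricted by -o is still treated as a possible match."""
    for net, negated, flow in ((rule.src, rule.src_negated, local), (rule.dst, rule.dst_negated, remote)):
        if net is None:
            continue
        if net.version != flow.version:
            return False
        if negated:
            if flow.subnet_of(net):         # "! -s X" excludes every address of the flow
                return False
        elif not net.overlaps(flow):
            return False
    return True


def nat_findings(dump: str, local_ts: str, remote_ts: str) -> List[str]:
    """Walk POSTROUTING in order. An ACCEPT with the IPsec policy match ends the chain for
    tunnel traffic, so rules after it are harmless; SNAT/MASQUERADE reached before it are reported."""
    local, remote = ipaddress.ip_network(local_ts), ipaddress.ip_network(remote_ts)
    findings = []
    for rule in postrouting_rules(dump):
        if not _may_match(rule, local, remote):
            continue
        if rule.ipsec_out and rule.target == "ACCEPT":
            break
        if rule.target in NAT_TARGETS:
            findings.append(f"{rule.target} may rewrite {local} -> {remote} before IPsec: {rule.raw}")
    return findings


if __name__ == "__main__":
    # Traffic selectors of the installed CHILD_SA shown in the status output above.
    for name, dump in (("broken", BROKEN_DUMP), ("fixed", FIXED_DUMP)):
        print(name, nat_findings(dump, "10.138.0.4/32", "10.28.2.0/24") or ["no NAT rule precedes the IPsec bypass"])
```

In practice you would feed it the real dump (`iptables-save > rules.txt`) and the traffic selectors from `ipsec statusall`. Note that the checker ignores `-o` interface matches and treats a bypass rule that only partly covers the tunnel flow as sufficient, so it reports possible problems rather than proving the rule set correct.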
