I am attempting to set up a strongswan connection between my home's Red Hat Linux router and my work's Red Hat Linux router. Both are running Red Hat 8 and have the strongswan binaries installed from https://pkgs.org/download/strongswan.

The connection appears to be successful, but I cannot talk to anything on either side of the connection, e.g. I cannot ping either router or any machines on either side of the connection. I have set up the iptables POSTROUTING rules per the wiki. Might someone give me a clue about where else I should look to get it working? Thank you.

WorkRouter swanctl.conf:

    connections {
        homenet {
            version=2
            local_addrs=WORK.PUBLIC.IP.ADDRESS
            proposals=aes256-sha1-modp1024
            remote_addrs=HOME.PUBLIC.IP.ADDRESS
            children {
                homenet {
                    esp_proposals=aes256-sha1
                    remote_ts=192.168.127.0/24
                    local_ts=192.168.126.0/24
                }
            }
        }
    }

HomeRouter swanctl.conf:

    worknet {
        version=2
        local_addrs=HOME.PUBLIC.IP.ADDRESS
        proposals=aes256-sha1-modp1024
        remote_addrs=WORK.PUBLIC.IP.ADDRESS
        children {
            worknet {
                esp_proposals=aes256-sha1
                local_ts=192.168.127.0/24
                remote_ts=192.168.126.0/24
            }
        }
    }

HomeRouter initiating connection:

    swanctl --initiate --ike worknet --child worknet
    [IKE] initiating IKE_SA worknet[4] to WORK.PUBLIC.IP.ADDRESS
    [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    [NET] sending packet: from HOME.PUBLIC.IP.ADDRESS[500] to WORK.PUBLIC.IP.ADDRESS[500] (336 bytes)
    [NET] received packet: from WORK.PUBLIC.IP.ADDRESS[500] to HOME.PUBLIC.IP.ADDRESS[500] (344 bytes)
    [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
    [CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    [CFG] no IDi configured, fall back on IP address
    [IKE] authentication of 'HOME.PUBLIC.IP.ADDRESS' (myself) with pre-shared key
    [IKE] establishing CHILD_SA worknet{1}
    [ENC] generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
    [NET] sending packet: from HOME.PUBLIC.IP.ADDRESS[4500] to WORK.PUBLIC.IP.ADDRESS[4500] (348 bytes)
    [NET] received packet: from WORK.PUBLIC.IP.ADDRESS[4500] to HOME.PUBLIC.IP.ADDRESS[4500] (236 bytes)
    [ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
    [IKE] authentication of 'WORK.PUBLIC.IP.ADDRESS' with pre-shared key successful
    [IKE] IKE_SA worknet[4] established between HOME.PUBLIC.IP.ADDRESS[HOME.PUBLIC.IP.ADDRESS]...WORK.PUBLIC.IP.ADDRESS[WORK.PUBLIC.IP.ADDRESS]
    [IKE] scheduling rekeying in 13339s
    [IKE] maximum IKE_SA lifetime 14779s
    [CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
    [IKE] CHILD_SA worknet{1} established with SPIs cfd5d0fa_i c4358b01_o and TS 192.168.127.0/24 === 192.168.126.0/24
    [IKE] peer supports MOBIKE
    initiate completed successfully

HomeRouter ip xfrm state:

    src HOME.PUBLIC.IP.ADDRESS dst WORK.PUBLIC.IP.ADDRESS
        proto esp spi 0xc4358b01 reqid 1 mode tunnel
        replay-window 0 flag af-unspec
        auth-trunc hmac(sha1) 0x8d6abe2f321b228663e9c88799dc3d9c78e891a7 96
        enc cbc(aes) 0xb3820a34e1bf3f4cb4cb634a4ba9aeeaca17519bd7e323f35ff4726cc09c1c54
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
    src WORK.PUBLIC.IP.ADDRESS dst HOME.PUBLIC.IP.ADDRESS
        proto esp spi 0xcfd5d0fa reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0x844dfdb29f581e317dad43b0c4a893669b1fa38a 96
        enc cbc(aes) 0x130f8dc4bb5b4fd7eec13a595a45883a4b3c7d38b2a2fd0a0db635e9202e8aba
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000

HomeRouter ip xfrm policy:

    src 192.168.127.0/24 dst 192.168.126.0/24
        dir out priority 375423 ptype main
        tmpl src HOME.PUBLIC.IP.ADDRESS dst WORK.PUBLIC.IP.ADDRESS
            proto esp spi 0xc4358b01 reqid 1 mode tunnel
    src 192.168.126.0/24 dst 192.168.127.0/24
        dir fwd priority 375423 ptype main
        tmpl src WORK.PUBLIC.IP.ADDRESS dst HOME.PUBLIC.IP.ADDRESS
            proto esp reqid 1 mode tunnel
    src 192.168.126.0/24 dst 192.168.127.0/24
        dir in priority 375423 ptype main
        tmpl src WORK.PUBLIC.IP.ADDRESS dst HOME.PUBLIC.IP.ADDRESS
            proto esp reqid 1 mode tunnel
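As an added example (not code from the poster), a small Python checker that parses the two `ip xfrm` dumps shared above and reports the two things worth confirming first: whether any ESP packet has actually passed through the SAs (the kernel's per-SA `seq`/`oseq` counters) and whether the `out`, `in` and `fwd` policies for the traffic-selector pair are all installed. The embedded dumps are re-flowed copies of the poster's, with the key lines left out; the parser assumes the iproute2 output format shown in the post.

```python
import re

# Constructed sample: the `ip xfrm state` / `ip xfrm policy` dumps from the post,
# re-flowed one field group per line, addresses left as the poster's placeholders
# and the key lines omitted (the checks below do not need them).
XFRM_STATE = """\
src HOME.PUBLIC.IP.ADDRESS dst WORK.PUBLIC.IP.ADDRESS
    proto esp spi 0xc4358b01 reqid 1 mode tunnel
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src WORK.PUBLIC.IP.ADDRESS dst HOME.PUBLIC.IP.ADDRESS
    proto esp spi 0xcfd5d0fa reqid 1 mode tunnel
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
"""
XFRM_POLICY = """\
src 192.168.127.0/24 dst 192.168.126.0/24
    dir out priority 375423 ptype main
    tmpl src HOME.PUBLIC.IP.ADDRESS dst WORK.PUBLIC.IP.ADDRESS proto esp reqid 1 mode tunnel
src 192.168.126.0/24 dst 192.168.127.0/24
    dir fwd priority 375423 ptype main
    tmpl src WORK.PUBLIC.IP.ADDRESS dst HOME.PUBLIC.IP.ADDRESS proto esp reqid 1 mode tunnel
src 192.168.126.0/24 dst 192.168.127.0/24
    dir in priority 375423 ptype main
    tmpl src WORK.PUBLIC.IP.ADDRESS dst HOME.PUBLIC.IP.ADDRESS proto esp reqid 1 mode tunnel
"""

def parse_sas(dump):
    """One dict per SA: SPI plus the kernel's inbound (seq) and outbound (oseq) counters."""
    sas = []
    for block in re.split(r"(?m)^(?=src )", dump):  # each SA entry starts with 'src '
        if not block.strip():
            continue
        spi = re.search(r"\bspi (0x[0-9a-f]+)", block).group(1)
        seq, oseq = re.search(r"seq (0x[0-9a-f]+), oseq (0x[0-9a-f]+)", block).groups()
        sas.append({"spi": spi, "seq": int(seq, 16), "oseq": int(oseq, 16)})
    return sas

def idle_sas(dump):
    """SPIs of SAs that have neither sent nor received a single ESP packet."""
    return [sa["spi"] for sa in parse_sas(dump) if sa["seq"] == 0 and sa["oseq"] == 0]

def missing_policies(dump, local_ts, remote_ts):
    """Policy directions (out/in/fwd) absent for the local_ts <-> remote_ts selector pair."""
    wanted = {"out": (local_ts, remote_ts), "in": (remote_ts, local_ts), "fwd": (remote_ts, local_ts)}
    found = set(re.findall(r"src (\S+) dst (\S+)\s+dir (\w+)", dump))
    return sorted(d for d, (s, t) in wanted.items() if (s, t, d) not in found)

if __name__ == "__main__":
    print("SAs with zero traffic:", idle_sas(XFRM_STATE))
    print("missing policies:", missing_policies(XFRM_POLICY, "192.168.127.0/24", "192.168.126.0/24"))
```

On the live router, feed it the real `ip xfrm state` and `ip xfrm policy` output after a ping attempt: an outbound SA whose `oseq` stays at zero never had a packet matched into it, which points at routing or filtering on the sending side rather than at IKE, while a complete set of out/in/fwd policies (as in the poster's dump) rules out a missing selector.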