<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Message</TITLE>
<META content="text/html; charset=us-ascii" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.7600.16535"></HEAD>
<BODY>
<DIV><SPAN class=092500613-03062010><FONT color=#0000ff size=2
face=Arial>Hi,</FONT></SPAN></DIV>
<DIV><SPAN class=092500613-03062010><FONT color=#0000ff size=2
face=Arial></FONT></SPAN> </DIV>
<DIV><SPAN class=092500613-03062010><FONT color=#0000ff size=2 face=Arial>Sorry,
I found it! It is working...</FONT></SPAN></DIV>
<DIV><SPAN class=092500613-03062010><FONT color=#0000ff size=2
face=Arial></FONT></SPAN> </DIV>
<DIV><SPAN class=092500613-03062010><FONT color=#0000ff size=2 face=Arial>An
iptables command was left, which is prohibited!</FONT></SPAN></DIV>
<DIV><SPAN class=092500613-03062010><FONT color=#0000ff size=2
face=Arial></FONT></SPAN> </DIV>
<DIV><SPAN class=092500613-03062010><FONT color=#0000ff size=2 face=Arial>Thank
you!</FONT></SPAN></DIV>
<DIV><SPAN class=092500613-03062010><FONT color=#0000ff size=2
face=Arial>Zsolt</FONT></SPAN></DIV>
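<DIV><FONT size=2 face=Arial>The report quoted below shows an ip xfrm policy that
selects the 192.168.100.0/22 to 192.168.11.0/24 flow, while the tcpdump shows the
gateway itself answering with ICMP "admin prohibited", the reply a packet-filter
REJECT rule produces; that is what the follow-up above traced to a leftover
iptables rule. As an added triage example (not code from this thread or from
strongSwan), the Python below parses both outputs and tells "no IPsec policy
selects this flow" apart from "the local firewall rejected it"; the masked x.x.x.
addresses and the euroweb.hu host name are used exactly as they appear in the
mail.</FONT></DIV>

```python
import ipaddress
import re
# Constructed sample input, copied from the quoted report (x.x.x. kept masked as in the mail).
XFRM_POLICY = """\
src 192.168.100.0/22 dst 192.168.11.0/24
 dir out priority 2408 ptype main
 tmpl src x.x.x.186 dst x.x.x.230
 proto esp reqid 16385 mode tunnel
src 192.168.11.0/24 dst 192.168.100.0/22
 dir fwd priority 2408 ptype main
 tmpl src x.x.x.230 dst x.x.x.186
 proto esp reqid 16385 mode tunnel
src 192.168.11.0/24 dst 192.168.100.0/22
 dir in priority 2408 ptype main
 tmpl src x.x.x.230 dst x.x.x.186
 proto esp reqid 16385 mode tunnel
"""
TCPDUMP = """\
12:45:51.760782 IP 192.168.100.2 > 192.168.11.3: ICMP echo request, id 512, seq 15360, length 40
12:45:51.760931 IP x.x.x.186.euroweb.hu > 192.168.100.2: ICMP host 192.168.11.3 unreachable - admin prohibited, length 68
"""
GATEWAY_NAMES = {"x.x.x.186.euroweb.hu"}  # the local gateway, as tcpdump names it in the capture

def parse_xfrm_policies(text):
    """Return (src_net, dst_net, direction) tuples from `ip xfrm policy` output."""
    pat = re.compile(r"^src (\S+) dst (\S+)\n\s+dir (\w+)", re.MULTILINE)
    return [(ipaddress.ip_network(s), ipaddress.ip_network(d), way)
            for s, d, way in pat.findall(text)]

def policy_covers(policies, src, dst, direction):
    """True if a policy of the given direction selects the src -> dst flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ps and d in pd and way == direction for ps, pd, way in policies)

def admin_prohibited_from_gateway(tcpdump_text, gateway_names):
    """Destination the gateway itself declared 'admin prohibited' (a packet-filter REJECT), or None."""
    pat = re.compile(r"IP (\S+) > \S+: ICMP host (\S+) unreachable - admin prohibited")
    for line in tcpdump_text.splitlines():
        m = pat.search(line)
        if m and m.group(1) in gateway_names:
            return m.group(2)
    return None

def diagnose(src, dst, xfrm_text=XFRM_POLICY, tcpdump_text=TCPDUMP, gateway_names=GATEWAY_NAMES):
    # Separate "no IPsec policy selects this flow" from "the local firewall rejected it".
    if not policy_covers(parse_xfrm_policies(xfrm_text), src, dst, "out"):
        return "no outbound xfrm policy selects this flow: check leftsubnet/rightsubnet"
    if admin_prohibited_from_gateway(tcpdump_text, gateway_names) == dst:
        return "xfrm policy matches but the gateway sent ICMP admin prohibited: check iptables REJECT rules"
    return "xfrm policy matches and no local reject seen: check the SAs and the peer side"
```

Running diagnose("192.168.100.2", "192.168.11.3") on the captured data points at the packet filter, not at the IPsec configuration, which matches the outcome reported in the follow-up.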
<BLOCKQUOTE style="MARGIN-RIGHT: 0px" dir=ltr>
<DIV></DIV>
<DIV dir=ltr lang=hu class=OutlookMessageHeader align=left><FONT size=2
face=Tahoma>-----Original Message-----<BR><B>From:</B>
users-bounces+makai.zsolt=etv.hu@lists.strongswan.org
[mailto:users-bounces+makai.zsolt=etv.hu@lists.strongswan.org] <B>On Behalf Of
</B>Makai Zsolt<BR><B>Sent:</B> Thursday, June 03, 2010 1:12 PM<BR><B>To:</B>
users@lists.strongswan.org<BR><B>Subject:</B> [strongSwan] Net2net and ip
policy<BR><BR></FONT></DIV><!-- Converted from text/rtf format -->
<P><FONT size=2 face="Arial CE">Hi,</FONT> </P>
<P><FONT size=2 face="Arial CE">Please, help me! I have got two strongSwan
servers and the connection is OK. I must put a router between "left" and
"leftsubnet":</FONT></P>
<P><FONT size=2 face="Arial CE">Before:
192.168.100.0/22===x.x.x.186---x.x.x.230===192.168.11.0/24</FONT> <BR><FONT
size=2 face="Arial CE">Now: 192.168.100.0/22==={router
192.168.100.254-x.x.x.185}===x.x.x.186---x.x.x.230===192.168.11.0/24</FONT>
</P>
<P><FONT size=2 face="Arial CE">Ipsec.conf:</FONT> <BR>
<FONT size=2 face="Arial CE">config setup</FONT> <BR>
<FONT size=2 face="Arial CE"> plutodebug=control</FONT> <BR>
<FONT size=2 face="Arial CE"> charonstart=no</FONT> </P>
<P><FONT size=2 face="Arial CE">conn %default</FONT> <BR>
<FONT size=2 face="Arial CE"> left=%defaultroute</FONT> <BR>
<FONT size=2 face="Arial CE"> leftsubnet=192.168.100.0/22</FONT> </P>
<P><FONT size=2 face="Arial CE">conn paks</FONT> <BR>
<FONT size=2 face="Arial CE"> right=x.x.x.230</FONT> <BR>
<FONT size=2 face="Arial CE"> rightsubnet=192.168.11.0/24</FONT> <BR>
<FONT size=2 face="Arial CE"> authby=secret</FONT> <BR>
<FONT size=2 face="Arial CE"> auth=esp</FONT> <BR>
<FONT size=2 face="Arial CE"> auto=add</FONT> </P>
<P><FONT size=2 face="Arial CE">Ip xfrm policy:</FONT> <BR>
<FONT size=2 face="Arial CE">src 192.168.100.0/22 dst 192.168.11.0/24</FONT> <BR>
<FONT size=2 face="Arial CE"> dir out priority 2408 ptype main</FONT> <BR>
<FONT size=2 face="Arial CE"> tmpl src x.x.x.186 dst x.x.x.230</FONT> <BR>
<FONT size=2 face="Arial CE"> proto esp reqid 16385 mode tunnel</FONT> <BR>
<FONT size=2 face="Arial CE">src 192.168.11.0/24 dst 192.168.100.0/22</FONT> <BR>
<FONT size=2 face="Arial CE"> dir fwd priority 2408 ptype main</FONT> <BR>
<FONT size=2 face="Arial CE"> tmpl src x.x.x.230 dst x.x.x.186</FONT> <BR>
<FONT size=2 face="Arial CE"> proto esp reqid 16385 mode tunnel</FONT> <BR>
<FONT size=2 face="Arial CE">src 192.168.11.0/24 dst 192.168.100.0/22</FONT> <BR>
<FONT size=2 face="Arial CE"> dir in priority 2408 ptype main</FONT> <BR>
<FONT size=2 face="Arial CE"> tmpl src x.x.x.230 dst x.x.x.186</FONT> <BR>
<FONT size=2 face="Arial CE"> proto esp reqid 16385 mode tunnel</FONT> </P>
<P><FONT size=2 face="Arial CE">Route:</FONT> <BR>
<FONT size=2 face="Arial CE">192.168.100.0 x.x.x.185 255.255.252.0 UG 0 0 0 eth1</FONT> <BR>
<FONT size=2 face="Arial CE">0.0.0.0 x.x.x.180 0.0.0.0 UG 0 0 0 eth1</FONT> </P>
<P><FONT size=2 face="Arial CE">The VPN tunnel has been established, of
course, but the ping from 192.168.100.2 to 192.168.11.3 has
failed.</FONT> <BR><FONT size=2 face="Arial CE">Tcpdump:</FONT> <BR><FONT
size=2 face="Arial CE">12:45:51.760782 IP 192.168.100.2 > 192.168.11.3:
ICMP echo request, id 512, seq 15360, length 40</FONT> <BR><FONT size=2
face="Arial CE">12:45:51.760931 IP x.x.x.186.euroweb.hu > 192.168.100.2:
ICMP host 192.168.11.3 unreachable - admin prohibited, length 68</FONT></P>
<P><FONT size=2 face="Arial CE">I did not change ipsec.conf. I removed the
direct network connection to 192.168.100.0/22 from the "left" server and
rewrote the routing table.</FONT> <SPAN lang=en-us><FONT size=2 face=Arial>What
else is necessary so that the route is allowed?</FONT></SPAN></P>
<P><SPAN lang=hu><FONT size=2 face="Arial CE">Thank you,</FONT></SPAN>
<BR><SPAN lang=hu><FONT size=2 face="Arial CE">Zsolt</FONT></SPAN> </P></BLOCKQUOTE></BODY></HTML>