That's not an iptables issue. There is a problem in the strongSwan daemon. I'm suspecting that it's installing some routes in the kernel.<br><br><br><div class="gmail_quote">On Sat, Apr 14, 2012 at 10:52 AM, Rajiv Kulkarni <span dir="ltr"><<a href="mailto:rajivkulkarni69@gmail.com">rajivkulkarni69@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>Hi</div>
<div> </div>
<div>Can you try disabling iptables on the GW running strongSwan (I am assuming that it is a Linux machine)? Try executing these commands, then start ipsec and then send traffic:</div>
<div> </div>
<div>root# iptables -F</div>
<div>root# iptables -F -t nat</div>
<div>root# ipsec start (or: ipsec start --nofork)</div>
<div> </div>
<div>If the above works, then you will need to disable/flush iptables every time, or you can stop the iptables/fw daemon in the services permanently.</div>
<div> </div>
<div>hope this helps</div>
<div>rajiv</div>
<div><br><br> </div>
<div class="gmail_quote"><div><div class="h5">On Fri, Apr 13, 2012 at 12:01 AM, SaRaVanAn <span dir="ltr"><<a href="mailto:saravanan.nagarajan87@gmail.com" target="_blank">saravanan.nagarajan87@gmail.com</a>></span> wrote:<br>
</div></div><blockquote style="BORDER-LEFT:#ccc 1px solid;MARGIN:0px 0px 0px 0.8ex;PADDING-LEFT:1ex" class="gmail_quote"><div><div class="h5">Hi all,<br><br><b>Topology</b><br>+++++++<br>
PC1 (eth0 172.31.114.230) ---------------- (eth0 172.31.114.231) GW (eth1 50.1.1.239) ====== VPN tunnel ====== (eth1 50.1.1.227) VPN server<br><br>I have established a VPN tunnel between the GW and the VPN server using strongSwan. After I established the tunnel, the GW is not reachable from PC1 and ping fails. I have seen ARP requests on eth0 of the GW, but it is not replying to them. But if the tunnel is not there, ping is working fine. Please find my SPD rules below and let me know the reason for the ping getting dropped.<br>
<br><pre>
0.0.0.0/0[any] 50.1.1.239[any] any
        fwd prio high + 1073739901 ipsec
        esp/tunnel/50.1.1.227-50.1.1.239/unique:1
        created: Apr 12 00:38:26 2012  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=1378 seq=1 pid=23592
        refcnt=1

0.0.0.0/0[any] 50.1.1.239[any] any
        in prio high + 1073739901 ipsec
        esp/tunnel/50.1.1.227-50.1.1.239/unique:1
        created: Apr 12 00:38:26 2012  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=1368 seq=2 pid=23592
        refcnt=1

50.1.1.239[any] 0.0.0.0/0[any] any
        out prio high + 1073739901 ipsec
        esp/tunnel/50.1.1.239-50.1.1.227/unique:1
        created: Apr 12 00:38:26 2012  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=1361 seq=3 pid=23592
        refcnt=1
</pre><br>
Regards,<br>Saravanan N<br><br></div></div>_______________________________________________<br>Users mailing list<br><a href="mailto:Users@lists.strongswan.org" target="_blank">Users@lists.strongswan.org</a><br><a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br>
</blockquote></div><br>
</blockquote></div><br>
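<div>To make the SPD dump in the original post (setkey -DP layout) readable at a glance, here is an added example that is not part of this thread and not strongSwan or setkey code: a small Python parser for that layout, plus a check of what the parsed policies do to a packet that arrives or leaves in the clear. The dump is re-typed as a constructed string; 198.51.100.7 is a constructed documentation-range address standing in for an arbitrary Internet host. Ports and the upper-layer protocol selector are ignored (the dump only has [any]) and the first listed match is taken, which simplifies the kernel's priority-ordered lookup.</div>

```python
"""Parse ``setkey -DP`` SPD output and classify what it does to plaintext packets.

Added example for this thread, not strongSwan or setkey code. SPD_DUMP is a
constructed re-typing of the poster's dump; ports and the upper-layer protocol
are ignored and the first listed match wins (simpler than the kernel's lookup).
"""
import ipaddress
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import List, Optional

SPD_DUMP = """\
0.0.0.0/0[any] 50.1.1.239[any] any
\tfwd prio high + 1073739901 ipsec
\tesp/tunnel/50.1.1.227-50.1.1.239/unique:1
\tcreated: Apr 12 00:38:26 2012  lastused:
\tlifetime: 0(s) validtime: 0(s)
\tspid=1378 seq=1 pid=23592
\trefcnt=1
0.0.0.0/0[any] 50.1.1.239[any] any
\tin prio high + 1073739901 ipsec
\tesp/tunnel/50.1.1.227-50.1.1.239/unique:1
\tspid=1368 seq=2 pid=23592
50.1.1.239[any] 0.0.0.0/0[any] any
\tout prio high + 1073739901 ipsec
\tesp/tunnel/50.1.1.239-50.1.1.227/unique:1
\tspid=1361 seq=3 pid=23592
"""

SELECTOR_RE = re.compile(r"^(\S+)\[(\S+)\] (\S+)\[(\S+)\] (\S+)$")  # src[port] dst[port] proto
ACTION_RE = re.compile(r"^(in|out|fwd) prio (.+?) (ipsec|discard|none)$")
TEMPLATE_RE = re.compile(  # proto/mode/src-dst/level[:reqid]; endpoints are empty in transport mode
    r"^(esp|ah|ipcomp)/(tunnel|transport)/([^-/]*)(?:-([^/]*))?/([a-z]+)(?::(\d+))?$")

Template = namedtuple("Template", "proto mode src dst level reqid")


@dataclass
class Policy:
    src_net: object                  # ipaddress network objects (host selectors become /32)
    dst_net: object
    direction: str = ""              # in / out / fwd
    action: str = ""                 # ipsec / discard / none
    templates: List[Template] = field(default_factory=list)
    spid: Optional[int] = None


def parse_spd(text: str) -> List[Policy]:
    """One Policy per unindented selector line; the indented lines fill in its details."""
    policies: List[Policy] = []
    cur: Optional[Policy] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            m = SELECTOR_RE.match(raw.strip())
            if not m:
                raise ValueError(f"unrecognised selector line: {raw!r}")
            cur = Policy(ipaddress.ip_network(m[1], strict=False),
                         ipaddress.ip_network(m[3], strict=False))
            policies.append(cur)
            continue
        assert cur is not None, "detail line before any selector line"
        line = raw.strip()
        if (m := ACTION_RE.match(line)):
            cur.direction, cur.action = m[1], m[3]
        elif (m := TEMPLATE_RE.match(line)):
            cur.templates.append(Template(m[1], m[2], m[3], m[4] or "", m[5],
                                          int(m[6]) if m[6] else None))
        elif line.startswith("spid="):
            cur.spid = int(line.split()[0][5:])
        # created/lifetime/refcnt lines carry no policy semantics and are skipped
    return policies


def plaintext_verdict(policies: List[Policy], direction: str, src: str, dst: str) -> str:
    """Fate of a packet received (in/fwd) or sent (out) in the clear: pass, drop or encrypt."""
    ip_src, ip_dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p.direction != direction or ip_src not in p.src_net or ip_dst not in p.dst_net:
            continue
        if p.action != "ipsec":
            return "drop" if p.action == "discard" else "pass"
        if direction == "out":
            return "encrypt"             # template applied, or an SA acquire is triggered
        # A cleartext inbound/forward packet satisfies only a 'use' template; require,
        # unique (and default, which normally resolves to require) mean it had to be ESP.
        return "pass" if all(t.level == "use" for t in p.templates) else "drop"
    return "pass"                        # no matching policy: ordinary routing applies


def main() -> dict:
    """Verdicts for the flows in the thread, plus a documentation-range Internet host."""
    pols = parse_spd(SPD_DUMP)
    flows = {"PC1 -> GW eth0 (the failing ping)": ("in", "172.31.114.230", "172.31.114.231"),
             "Internet host -> GW eth1, cleartext": ("in", "198.51.100.7", "50.1.1.239"),
             "GW eth1 -> Internet host": ("out", "50.1.1.239", "198.51.100.7"),
             "PC1 -> VPN server, forwarded by GW": ("fwd", "172.31.114.230", "50.1.1.227")}
    verdicts = {name: plaintext_verdict(pols, *flow) for name, flow in flows.items()}
    for name, verdict in verdicts.items():
        print(f"{name:36} {verdict}")
    return verdicts


if __name__ == "__main__":
    main()
```

<div>Run as a script it prints one verdict per flow. For the SPD as posted, the failing flow (172.31.114.230 to 172.31.114.231 on eth0) matches no policy at all, and ARP frames are not IP packets, so the XFRM policy database cannot be what stops the GW from answering on eth0. What the three policies do enforce is that any cleartext packet addressed to 50.1.1.239 that did not arrive through the ESP tunnel from 50.1.1.227 is discarded, and that everything 50.1.1.239 sends is encrypted. Flushing iptables, as suggested upthread, changes none of that: netfilter rules and the SPD are evaluated independently, and permanently disabling the firewall to work around an IPsec problem removes a control without addressing the cause.</div>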