Boy, do I feel silly. I forgot to enable net.ipv4.ip_forward. I'm still seeing packets sent over eth0, however, but at least I'm also seeing ICMP request/replies over eth1.<div><br></div><div>Anyone know how I can stop the packets being sent over eth0? If not, no big deal I guess.</div>
<div><br></div><div>Thanks all.</div><div class="gmail_extra"><br clear="all">----------------------<br>Brandon Gavino<br>(623) 297 - 4097<br>
<br><br><div class="gmail_quote">On Wed, Oct 31, 2012 at 3:29 PM, Brandon Gavino <span dir="ltr"><<a href="mailto:bgavino@asu.edu" target="_blank">bgavino@asu.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi,<div><br></div><div>I've been trying for the past few days to figure out this issue, it is driving me mad!</div><div><br></div><div>I'm able to ping the StrongSwan internal IP address just fine from the client, however, pings go unanswered to the clients on the subnet fronted by the VPN server.</div>
<div><br>Interestingly, the pings are visible on the WAN interface (eth0) via Wireshark, but are not passed through the internal interface (eth1). Config is below; let me know if you need more information. What am I doing wrong??<br>
<br>Thank you in advance,<br>Brandon<br><br> Here's my config:<br><br>ipsec.conf<br>--<br>config setup<br> #for ikev2<br> #plutostart=no<br> #plutodebug="all"<br> charondebug="dmn 4, mgr 4, ike 2, chd 4, job 4, cfg 3, knl 4, net 2, enc 1, lib 4"<br>
#charonstart=no<br> #nat_traversal=yes<br><br>conn %default<br> ikelifetime=60m<br> keylife=20m<br> rekeymargin=3m<br> keyingtries=1<br><br>conn ikev1_psk<br> left=192.168.10.196<br> leftsubnet=192.168.20.0/24<br>
leftsourceip=192.168.20.246<br> right=%any<br> rightsourceip=192.168.20.50/24<br> leftfirewall=yes<br> lefthostaccess=yes<br> rightauth=psk<br>
leftauth=psk<br>
rightauth2=xauth<br> auto=add<br></div><br>strongswan.conf<br>--<br># strongswan.conf - strongSwan configuration file<br><br>charon {<br><br> # number of worker threads in charon<br> threads = 16<br><br> # send strongswan vendor ID?<br>
# send_vendor_id = yes<br> <br> #Allow ikeV1 PSK aggressive<br> i_dont_care_about_security_and_use_aggressive_mode_psk = yes<br><br> plugins {<br><br> #sql {<br> # loglevel to log into sql database<br>
#loglevel = -1<br><br> # URI to the database<br> # database = sqlite:///path/to/file.db<br> # database = mysql://user:password@localhost/database<br> #}<br> }<br><br>
# ...<br>}<br><br>pluto {<br><br>}<br><br>libstrongswan {<br><br> # set to no, the DH exponent size is optimized<br> # dh_exponent_ansi_x9_42 = no<br>}<br><br>iptables -L -v<br>--<br>Chain INPUT (policy ACCEPT 425 packets, 29037 bytes)<br>
pkts bytes target prot opt in out source destination <br> 0 0 ACCEPT all -- eth0 any 192.168.20.51 192.168.20.0/24 policy match dir in pol ipsec reqid 1 proto esp <br>
<br>Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)<br> pkts bytes target prot opt in out source destination <br> 0 0 ACCEPT all -- eth0 any 192.168.20.51 192.168.20.0/24 policy match dir in pol ipsec reqid 1 proto esp <br>
0 0 ACCEPT all -- any eth0 192.168.20.0/24 192.168.20.51 policy match dir out pol ipsec reqid 1 proto esp <br><br>Chain OUTPUT (policy ACCEPT 600 packets, 426K bytes)<br>
pkts bytes target prot opt in out source destination <br> 0 0 ACCEPT all -- any eth0 192.168.20.0/24 192.168.20.51 policy match dir out pol ipsec reqid 1 proto esp <br>
<br>iptables -t nat -L -v<br>--<br>Chain PREROUTING (policy ACCEPT 1804 packets, 178K bytes)<br> pkts bytes target prot opt in out source destination <br><br>Chain INPUT (policy ACCEPT 257 packets, 52969 bytes)<br>
pkts bytes target prot opt in out source destination <br><br>Chain OUTPUT (policy ACCEPT 46 packets, 4187 bytes)<br> pkts bytes target prot opt in out source destination <br>
<br>Chain POSTROUTING (policy ACCEPT 39 packets, 3701 bytes)<br> pkts bytes target prot opt in out source destination <br> 121 11302 MASQUERADE all -- any eth1 192.168.20.0/24 anywhere <br>
<br><br> <br>
</blockquote></div><br></div>
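
Added example, not part of the original message and not strongSwan tooling: a pre-flight check for the mistake described above, flagging any conn in ipsec.conf that tunnels a subnet (leftsubnet=) while net.ipv4.ip_forward is not 1. The function names are hypothetical, and the sample config is constructed from the conn posted in the thread.

```shell
#!/bin/sh
# Print "conn-name subnet" for every conn section that sets leftsubnet=.
# ipsec.conf is read from stdin; a hit on %default applies to all conns.
subnet_conns() {
    awk '
        /^[ \t]*#/      { next }             # comment line
        $1 == "config"  { name = ""; next }  # "config setup" is not a conn
        $1 == "conn"    { name = $2; next }  # start of a conn section
        name != "" && /^[ \t]+leftsubnet[ \t]*=/ {
            sub(/^[ \t]+leftsubnet[ \t]*=[ \t]*/, "")
            print name, $0
        }
    '
}

# check_forwarding <ip_forward value>, ipsec.conf on stdin.
# Prints one finding per affected conn; returns 1 if there is any.
check_forwarding() {
    fwd=$1
    findings=$(subnet_conns | while read -r name subnet; do
        [ "$fwd" = "1" ] ||
            echo "conn $name: leftsubnet=$subnet needs net.ipv4.ip_forward=1 (is $fwd)"
    done)
    if [ -n "$findings" ]; then
        echo "$findings"
        return 1
    fi
    return 0
}

# Constructed sample: the conn from the post, trimmed to the relevant keys.
sample_conf() {
    cat <<'EOF'
config setup

conn %default
    ikelifetime=60m

conn ikev1_psk
    left=192.168.10.196
    leftsubnet=192.168.20.0/24
    right=%any
    auto=add
EOF
}

# On a gateway: check_forwarding "$(cat /proc/sys/net/ipv4/ip_forward)" < /etc/ipsec.conf
sample_conf | check_forwarding 0 || true
```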