<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"HP Simplified";
panose-1:2 11 6 4 2 2 4 2 2 4;}
@font-face
{font-family:"HP Simplified Light";
panose-1:2 11 4 4 2 2 4 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"HP Simplified Light","sans-serif";
color:#15537D;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-GB" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"HP Simplified Light","sans-serif";color:#15537D;mso-fareast-language:EN-US">Jeroen,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"HP Simplified Light","sans-serif";color:#15537D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"HP Simplified Light","sans-serif";color:#15537D;mso-fareast-language:EN-US">Have you enabled IPv4 forwarding on your gateway? I am using Ubuntu and the below settings worked for me:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"HP Simplified Light","sans-serif";color:#15537D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"HP Simplified Light","sans-serif"">To check if IP forwarding is off:</span><o:p></o:p></p>
<p class="MsoNormal"><i><span lang="EN-US" style="font-size:10.0pt;font-family:"HP Simplified Light","sans-serif""> </span></i><o:p></o:p></p>
<p class="MsoNormal"><i><span lang="EN-US" style="font-size:10.0pt;font-family:"HP Simplified Light","sans-serif"">sysctl net.ipv4.ip_forward</span></i><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"HP Simplified Light","sans-serif""> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"HP Simplified Light","sans-serif"">If it is disabled you will get the following:</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"HP Simplified Light","sans-serif""> </span><o:p></o:p></p>
<p class="MsoNormal"><i><span lang="EN-US" style="font-size:10.0pt;font-family:"HP Simplified Light","sans-serif"">net.ipv4.ip_forward = 0</span></i><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"HP Simplified Light","sans-serif""> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"HP Simplified Light","sans-serif"">To turn it on temporarily (until the next reboot):</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"HP Simplified Light","sans-serif""> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"HP Simplified Light","sans-serif"">sudo su</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"HP Simplified Light","sans-serif"">echo 1 > /proc/sys/net/ipv4/ip_forward</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"HP Simplified Light","sans-serif""> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"HP Simplified Light","sans-serif"">Check that this has been enabled by:</span><o:p></o:p></p>
<p class="MsoNormal"><i><span lang="EN-US" style="font-size:10.0pt;font-family:"HP Simplified Light","sans-serif"">sysctl net.ipv4.ip_forward</span></i><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"HP Simplified Light","sans-serif""> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"HP Simplified Light","sans-serif"">You should get a ‘1’ returned.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"HP Simplified Light","sans-serif""> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"HP Simplified Light","sans-serif"">Then check to see if this had an impact on the gateway…</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"HP Simplified Light","sans-serif""> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"HP Simplified Light","sans-serif"">You may need to do:</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"HP Simplified Light","sans-serif""> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"HP Simplified Light","sans-serif"">sudo bash</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"HP Simplified Light","sans-serif"">[enter password]</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"HP Simplified Light","sans-serif"">ipsec restart</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"HP Simplified Light","sans-serif""> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"HP Simplified Light","sans-serif"">If this works, then the next thing to do is enable IP forwarding permanently.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"HP Simplified Light","sans-serif""> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"HP Simplified Light","sans-serif"">You will need to do:</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"HP Simplified Light","sans-serif""> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"HP Simplified Light","sans-serif"">sudo nano /etc/sysctl.conf</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"HP Simplified Light","sans-serif""> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"HP Simplified Light","sans-serif"">look for the following line and uncomment (remove the hash):</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"HP Simplified Light","sans-serif""> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"HP Simplified Light","sans-serif"">net.ipv4.ip_forward=1</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"HP Simplified Light","sans-serif";color:#15537D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"HP Simplified Light","sans-serif";color:#15537D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:9.0pt;font-family:"HP Simplified","sans-serif"">Andy Paton<br>
</span></b><span lang="EN-US" style="font-size:9.0pt;font-family:"HP Simplified","sans-serif";color:#717172"><br>
</span><a href="http://www.hp.com/"><span style="font-size:9.0pt;font-family:"HP Simplified","sans-serif";color:#717172;text-decoration:none"><img border="0" width="30" height="30" id="Picture_x0020_1" src="cid:image001.png@01CE725C.0025AD70" alt="HP"></span></a><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#0F243E"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"HP Simplified Light","sans-serif";color:#15537D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
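<p class="MsoNormal">The steps above (check the state, enable it for the running kernel, persist it in /etc/sysctl.conf, then restart ipsec) collected into one script. This is an added example, not Andy's commands and not anything from the strongSwan project. It assumes a Linux gateway with GNU coreutils and sed; the file paths are held in the variables IP_FORWARD_PROC and SYSCTL_CONF (names chosen for this example) so the functions can be tried against throwaway copies of the files before they touch the real ones.</p>

```shell
#!/bin/sh
# Added example: enable IPv4 forwarding on a strongSwan gateway in three steps
# (check, enable for the running kernel, persist in sysctl.conf), then reload ipsec.
# The file paths live in variables (names chosen for this example) so the functions
# can be exercised against throwaway copies before touching the real files.
: "${IP_FORWARD_PROC:=/proc/sys/net/ipv4/ip_forward}"
: "${SYSCTL_CONF:=/etc/sysctl.conf}"

# Current forwarding state, 0 or 1. "sysctl net.ipv4.ip_forward" reads the same file.
ip_forward_state() {
    cat "$IP_FORWARD_PROC"
}

# Enable forwarding for the running kernel only (lost at reboot), and confirm it took.
ip_forward_enable_now() {
    echo 1 > "$IP_FORWARD_PROC" || return 1
    [ "$(ip_forward_state)" = "1" ]
}

# Make the setting persistent, idempotently:
#   - the commented "#net.ipv4.ip_forward=1" line the reply says to uncomment is uncommented,
#   - an existing "net.ipv4.ip_forward = 0" is rewritten to 1,
#   - if no such line exists one is appended.
# Edits go through a temporary file so a failed sed never truncates the config.
ip_forward_persist() {
    conf="$1"
    pattern='^[[:space:]]*#?[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*='
    if [ -f "$conf" ] && grep -Eq "$pattern" "$conf"; then
        sed -E "s/${pattern}.*/net.ipv4.ip_forward=1/" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf 'net.ipv4.ip_forward=1\n' >> "$conf"
    fi
}

# The value sysctl.conf would apply at boot: the last uncommented assignment, else 0.
ip_forward_persisted_value() {
    conf="$1"
    v=$(sed -nE 's/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*([01]).*/\1/p' "$conf" 2>/dev/null | tail -n 1)
    echo "${v:-0}"
}

# Full procedure for the live gateway (needs root). Only runs when invoked with "apply".
gateway_apply() {
    echo "before: net.ipv4.ip_forward = $(ip_forward_state)"
    ip_forward_enable_now || { echo "could not enable forwarding, are you root?" >&2; return 1; }
    ip_forward_persist "$SYSCTL_CONF"
    sysctl -p "$SYSCTL_CONF" > /dev/null   # running kernel and boot config now agree
    echo "after:  net.ipv4.ip_forward = $(ip_forward_state), persisted = $(ip_forward_persisted_value "$SYSCTL_CONF")"
    # strongSwan re-installs its routes and policies on restart, as the reply suggests.
    if command -v ipsec > /dev/null 2>&1; then ipsec restart; fi
}

if [ "${1:-}" = "apply" ]; then
    gateway_apply
fi
```

<p class="MsoNormal">Run it as root with the argument <i>apply</i> to change the live gateway. One caveat worth pairing with this: in the iptables-save output quoted below the FORWARD chain's policy is ACCEPT, so once forwarding is on the box will forward between any of its interfaces, not just between the tunnels. Restricting FORWARD to traffic that matched an IPsec policy (the iptables policy match, <i>-m policy --dir in --pol ipsec</i>) keeps the forwarding decision tied to the tunnels that strongSwan installed.</p>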
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:windowtext">From:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:windowtext"> users-bounces+andy.paton=hp.com@lists.strongswan.org
[mailto:users-bounces+andy.paton=hp.com@lists.strongswan.org] <b>On Behalf Of </b>
Jeroen J.A.W. Hermans<br>
<b>Sent:</b> 26 June 2013 10:31<br>
<b>To:</b> users@lists.strongswan.org<br>
<b>Subject:</b> [strongSwan] Inter-tunnel routing<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">Dear all,<br>
<br>
I have a question about a test scenario I am setting up.<br>
I have two tunnels:<br>
"rw" - laptop with Shrewsoft VPN client<br>
ip: 192.168.2.1/32<br>
external-ip: yyy.yyy.yyy.yyy (behind NAT, internal ip: 10.1.2.39)<br>
<br>
"51" - Draytek Vigor 2910 (no PCs connected to Vigor yet)<br>
ip-range: 192.168.51.1/24<br>
external-ip: yyy.yyy.yyy.yyy (behind NAT, internal ip: 10.1.2.38)<br>
<br>
The central location is a linux server running Strongswan 5.0.0:<br>
ip-range: 192.168.0.1/24<br>
external ip: xxx.xxx.xxx.xxx<br>
<br>
When I ping from the "51" Draytek (itself) to 192.168.0.1 (Strongswan) it works.<br>
When I ping from the "rw" laptop to 192.168.0.1 (Strongswan) it works.<br>
When I ping from the "rw" laptop to 192.168.51.1 (tunnel "51") I get no reply.<br>
When I ping from the "51" Draytek to 192.168.2.1 (tunnel "rw") I get no reply.<br>
<br>
I have policies in the Draytek and Shrewsoft laptop for all subnets. This can be seen in the tcpdump, where the packets for the remote subnet of the other tunnel arrive at the Strongswan, but are not forwarded.<br>
I have included as much information as possible. I hope someone can help me with this problem.<br>
Thank you very much.<br>
Kind regards,<br>
<br>
Jeroen Hermans<br>
<br>
<br>
<b>$ sudo ip route list table 220<br>
</b>192.168.2.1 via <first-hop-router> dev eth0 proto static src 192.168.0.1<br>
192.168.51.0/24 via <first-hop-router> dev eth0 proto static src 192.168.0.1<br>
<br>
<b>$ sudo tcpdump -i eth0 not ip6 and not port 22 and not port domain<br>
</b>tcpdump: verbose output suppressed, use -v or -vv for full protocol decode<br>
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes<br>
<i>"rw" pings one time to 192.168.0.1</i><br>
11:11:40.410505 IP yyy.yyy.yyy.yyy.ipsec-nat-t > xxx.xxx.xxx.xxx.ipsec-nat-t: UDP-encap: ESP(spi=0xc8587ff2,seq=0x3), length 100<br>
11:11:40.410572 IP 192.168.2.1 > 192.168.0.1: ICMP echo request, id 1, seq 234, length 40<br>
11:11:40.410655 IP xxx.xxx.xxx.xxx.ipsec-nat-t > yyy.yyy.yyy.yyy.ipsec-nat-t: UDP-encap: ESP(spi=0xba5fa761,seq=0x3), length 100<br>
<i>"rw" pings one time to 192.168.51.1</i><br>
11:11:43.377246 IP yyy.yyy.yyy.yyy.ipsec-nat-t > xxx.xxx.xxx.xxx.ipsec-nat-t: UDP-encap: ESP(spi=0xc04f2330,seq=0x2), length 100<br>
11:11:43.377331 IP 192.168.2.1 > 192.168.51.1: ICMP echo request, id 1, seq 236, length 40<br>
11:11:43.377367 IP 192.168.2.1 > 192.168.51.1: ICMP echo request, id 1, seq 236, length 40<br>
<br>
<br>
<b>$ sudo ip xfrm policy<br>
</b>src 192.168.51.0/24 dst 192.168.0.0/24<br>
dir fwd priority 1859 ptype main<br>
tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx<br>
proto esp reqid 393 mode tunnel<br>
src 192.168.51.0/24 dst 192.168.0.0/24<br>
dir in priority 1859 ptype main<br>
tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx<br>
proto esp reqid 393 mode tunnel<br>
src 192.168.0.0/24 dst 192.168.51.0/24<br>
dir out priority 1859 ptype main<br>
tmpl src xxx.xxx.xxx.xxx dst yyy.yyy.yyy.yyy<br>
proto esp reqid 393 mode tunnel<br>
src 192.168.2.1/32 dst 192.168.51.0/24<br>
dir fwd priority 1827 ptype main<br>
tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx<br>
proto esp reqid 391 mode tunnel<br>
src 192.168.2.1/32 dst 192.168.51.0/24<br>
dir in priority 1827 ptype main<br>
tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx<br>
proto esp reqid 391 mode tunnel<br>
src 192.168.51.0/24 dst 192.168.2.1/32<br>
dir out priority 1827 ptype main<br>
tmpl src xxx.xxx.xxx.xxx dst yyy.yyy.yyy.yyy<br>
proto esp reqid 391 mode tunnel<br>
src 192.168.2.1/32 dst 192.168.0.0/24<br>
dir fwd priority 1827 ptype main<br>
tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx<br>
proto esp reqid 390 mode tunnel<br>
src 192.168.2.1/32 dst 192.168.0.0/24<br>
dir in priority 1827 ptype main<br>
tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx<br>
proto esp reqid 390 mode tunnel<br>
src 192.168.0.0/24 dst 192.168.2.1/32<br>
dir out priority 1827 ptype main<br>
tmpl src xxx.xxx.xxx.xxx dst yyy.yyy.yyy.yyy<br>
proto esp reqid 390 mode tunnel<br>
<br>
<br>
<b>$ sudo iptables-save<br>
</b>*filter<br>
:INPUT ACCEPT [0:0]<br>
:FORWARD ACCEPT [518:38392]<br>
:OUTPUT ACCEPT [39692:7545269]<br>
-A INPUT -p tcp -m tcp --dport 443:453 -j ACCEPT<br>
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT<br>
-A INPUT -p udp -m udp --dport 53 -j ACCEPT<br>
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT<br>
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT<br>
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT<br>
-A INPUT -p icmp -j ACCEPT<br>
-A INPUT -i lo -j ACCEPT<br>
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT<br>
-A INPUT -p udp -m udp --dport 500 -j ACCEPT<br>
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT<br>
-A INPUT -i eth0 -p esp -j ACCEPT<br>
-A INPUT -j REJECT --reject-with icmp-host-prohibited<br>
-A OUTPUT -o eth0 -p esp -j ACCEPT<br>
COMMIT<br>
*mangle<br>
:PREROUTING ACCEPT [34286:3954457]<br>
:INPUT ACCEPT [33100:3886019]<br>
:FORWARD ACCEPT [518:38392]<br>
:OUTPUT ACCEPT [39696:7546309]<br>
:POSTROUTING ACCEPT [40214:7584701]<br>
COMMIT<br>
*nat<br>
:PREROUTING ACCEPT [1646:110154]<br>
:POSTROUTING ACCEPT [2019:153411]<br>
:OUTPUT ACCEPT [1961:146461]<br>
COMMIT<o:p></o:p></p>
</div>
</body>
</html>