<div dir="ltr">Hi Noel.<div>My postrouting chain contains following entries:</div><div><p style="margin:0px;font-size:11px;font-family:Menlo">Chain POSTROUTING (policy ACCEPT)</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">target prot opt source destination </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">MASQUERADE all -- <a href="http://10.0.0.0/24">10.0.0.0/24</a> anywhere </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">MASQUERADE all -- <a href="http://192.168.2.0/24">192.168.2.0/24</a> anywhere </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">MASQUERADE all -- !<a href="http://cpe-86-xx-xxx-xxx.static.xxx.net">cpe-86-xx-xxx-xxx.static.xxx.net</a> anywhere </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">MASQUERADE all -- anywhere anywhere MARK match 0xd001 </p><p style="margin:0px;font-size:11px;font-family:Menlo"><br></p><p style="margin:0px;font-size:11px;font-family:Menlo">
I've tried to log all packages in different chains (see part of log at bottom) and I didn't find any traces of virtual IP (10.0.0.2), just iPhones wan IP and server wan IP. Is that OK ? </p><p style="margin:0px;font-size:11px;font-family:Menlo">
<br></p><p style="margin:0px;font-size:11px;font-family:Menlo">I've tried:</p><p style="margin:0px;font-size:11px;font-family:Menlo">iptables -I INPUT -j LOG --log-prefix "Luka-log: "</p><p style="margin:0px;font-size:11px;font-family:Menlo">
Part of logs(IPs are replaced with "x", 46.x is iPhone IP and 86.x is server external IP):</p><p style="margin:0px;font-size:11px;font-family:Menlo">Nov 13 19:21:34 vpn: + C=SI, O=Lupo, CN=clientLupo <a href="http://10.0.0.2/32">10.0.0.2/32</a> == 46.x.x.x -- 86.x.x.x == %any/0<br>
</p><p style="margin:0px;font-size:11px;font-family:Menlo">...</p><p style="margin:0px;font-size:11px;font-family:Menlo">Nov 13 19:22:06 kernel: Luka-log: <4>Luka-log: IN=eth0 OUT= MAC=30:xx:a9:xx:ef:a0:00:17:10:02:6b:8f:08:00 <1>SRC=46.x.x.x DST=86.x.x.x <1>LEN=136 TOS=0x00 PREC=0x00 TTL=56 ID=25376 PROTO=ESP SPI=0xc1155ce9 <br>
</p><p style="margin:0px;font-size:11px;font-family:Menlo">...</p><p style="margin:0px;font-size:11px;font-family:Menlo">Nov 13 19:22:07 kernel: Luka-log: <4>Luka-log: IN=eth0 OUT= MAC=30:xx:a9:xx:ef:a0:00:17:10:02:6b:8f:08:00 <1>SRC=46.x.x.x DST=86.x.x.x <1>LEN=136 TOS=0x00 PREC=0x00 TTL=56 ID=23923 PROTO=ESP SPI=0xc1155ce9<br>
</p><p style="margin:0px;font-size:11px;font-family:Menlo">...</p><p style="margin:0px;font-size:11px;font-family:Menlo"><br></p><p style="margin:0px;font-size:11px;font-family:Menlo"><br></p><p style="margin:0px;font-size:11px;font-family:Menlo">
iptables -I PREROUTING -j LOG --log-prefix "Luka-log(nat-PREROUTING): " -t nat </p><p style="margin:0px;font-size:11px;font-family:Menlo">Logs:</p><p style="margin:0px;font-size:11px;font-family:Menlo">...(2 or 3 packages of this type)</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">Nov 13 20:54:52 kernel: Luka-log(nat-PREROUTING): <4>Luka-log(nat-PREROUTING): IN=eth0 OUT= MAC=30:xx:a9:xx:ef:a0:00:17:10:02:6b:8f:08:00 <1>SRC=46.x.x.x DST=86.x.x.x <1>LEN=696 TOS=0x00 PREC=0x00 TTL=56 ID=58415 PROTO=UDP <1>SPT=500 DPT=500 LEN=676 <br>
</p><p style="margin:0px;font-size:11px;font-family:Menlo">...</p><p style="margin:0px;font-size:11px;font-family:Menlo"><br></p><p style="margin:0px;font-size:11px;font-family:Menlo">iptables -I FORWARD -j LOG --log-prefix "Luka-log(nat-FORWARD): "</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">Logs: vpn logs not found</p><p style="margin:0px;font-size:11px;font-family:Menlo"><br></p><p style="margin:0px;font-size:11px;font-family:Menlo">iptables -I POSTROUTING -j LOG --log-prefix "Luka-POSTROUTING-MASQUERADE: " -t nat -s <a href="http://10.0.0.0/24">10.0.0.0/24</a></p>
<p style="margin:0px;font-size:11px;font-family:Menlo">Logs: vpn logs not found</p><p style="margin:0px;font-size:11px;font-family:Menlo"><br></p><p style="margin:0px;font-size:11px;font-family:Menlo">Any idea what else should I check ? </p>
<p style="margin:0px;font-size:11px;font-family:Menlo"><br></p><p style="margin:0px;font-size:11px;font-family:Menlo">Luka</p></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sun, Nov 10, 2013 at 5:02 PM, Noel Kuntze <span dir="ltr"><<a href="mailto:noel@familie-kuntze.de" target="_blank">noel@familie-kuntze.de</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im"><br>
-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA256<br>
<br>
</div>Hello Luka,<br>
<br>
What other rules do you have in the POSTROUTING chain? If any other rule removes the packets from the chain, then they don't reach the MASQUERADE rule and hence<br>
won't get masqueraded.<br>
<br>
The rule basicly says: If the traffic is going out on the eth0 interface and the source is <a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a> and the destination ist <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a>, then masquerade it.<br>
Masquerade basicly means NAT, but it will replace the source IP of the traffic based on the interface it's going out.<br>
No, the parameters that are displayed in the first couple of columns are just filters that restrict traffic going to the target.<br>
For further clarification, I recomment you read the manpage for iptables and iptables-extensions (if the latter exists on your system. It does on Arch Linux.).<br>
For your setup, I recomment you ommit -o eth0 and INSERT, and not APPEND the rule to the chain.<br>
Example: iptables -I POSTROUTING 1 -s <a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a> -j MASQUERADE<br>
<br>
Regards<br>
Noel Kuntze<br>
<div class="im"><br>
On 10.11.2013 16:31, Luka wrote:<br>
><br>
> Hi Noel.<br>
><br>
> Still no luck.<br>
><br>
> I’ve added masquerade, following line is added to nat iptable:<br>
><br>
> Chain POSTROUTING (policy ACCEPT 2500 packets, 221K bytes)<br>
><br>
> num pkts bytes target prot opt in out source destination<br>
><br>
> …<br>
><br>
</div>> 4 0 0 MASQUERADE all -- * eth0 <a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
><br>
><br>
> What exactly does this masquerade record means ? Probably that all packets from <a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> network that have any(0.0.0.0) destination will get IP address of eth0 device ?<br>
<div class="im">><br>
> But eth0 is device with external IP of server (86.58.x.x) (see ifconfig output below), should I use br0 device here (the one with local IP of router) ?<br>
><br>
><br>
> Ok, if I sum up my situation:<br>
><br>
> CLIENT(iPhone):<br>
><br>
> - I can connect to IPsec(strongswan)<br>
><br>
> - gets virtual IP Address: 10.0.0.2<br>
><br>
><br>
</div>> SERVER (strongswan v5.0.4, on my router, Linux 2.6.22.19):<br>
<div class="im">><br>
> - local IP: 192.168.2.1<br>
><br>
> - external IP 86.58.x.x<br>
><br>
> ipsec statusall:<br>
><br>
> Virtual IP pools (size/online/offline):<br>
><br>
</div>> 10.0.0.2 <<a href="http://10.0.0.2" target="_blank">http://10.0.0.2</a>>: 1/1/0<br>
<div class="im">><br>
> Listening IP addresses:<br>
><br>
> 86.58.x.x<br>
><br>
> 192.168.2.1<br>
><br>
><br>
> Security Associations (1 up, 0 connecting):<br>
><br>
> ios[2]: ESTABLISHED 19 seconds ago, 86.58.x.x[C=SI, O=Lupo, CN=86.58.x.x]…46.123.x.x[C=SI, O=Lupo, CN=clientLupo]<br>
><br>
> ios[2]: Remote XAuth identity: lupo<br>
><br>
> ios[2]: IKEv1 SPIs: cd789eae5d666586_i 638f1ca174f85726_r*, public key reauthentication in 2 hours<br>
><br>
> ios[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536<br>
><br>
> ios{1}: INSTALLED, TUNNEL, ESP SPIs: c7f2d740_i 0829cc4a_o<br>
><br>
> ios{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 45 minutes<br>
><br>
</div>> ios{1}: <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> === <a href="http://10.0.0.2/32" target="_blank">10.0.0.2/32</a> <<a href="http://10.0.0.2/32" target="_blank">http://10.0.0.2/32</a>><br>
<div class="im">><br>
><br>
> iptables:<br>
><br>
> This entries are added to FORWARD chain after I connect to server:<br>
><br>
><br>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)<br>
><br>
> num pkts bytes target prot opt in out source destination<br>
><br>
</div><div class="im">> 1 0 0 ACCEPT all -- eth0 * 10.0.0.2 <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> policy match dir in pol ipsec reqid 2 proto 50<br>
><br>
</div>> 2 0 0 ACCEPT all -- * eth0 <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> 10.0.0.2 policy match dir out pol ipsec reqid 2 proto 50<br>
<div class="im">><br>
><br>
> iptables(nat table):<br>
><br>
> Chain PREROUTING (policy ACCEPT 4188 packets, 599K bytes)<br>
><br>
> num pkts bytes target prot opt in out source destination<br>
><br>
</div>> 1 1 60 ACCEPT tcp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> tcp dpt:1194<br>
><br>
> 2 305 54089 VSERVER all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> 86.58.x.x<br>
<div class="im">><br>
><br>
> Chain POSTROUTING (policy ACCEPT 2500 packets, 221K bytes)<br>
><br>
> num pkts bytes target prot opt in out source destination<br>
><br>
</div>> 1 0 0 MASQUERADE all -- * tun11 <a href="http://192.168.2.0/24" target="_blank">192.168.2.0/24</a> <<a href="http://192.168.2.0/24" target="_blank">http://192.168.2.0/24</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
><br>
> 2 731 46984 MASQUERADE all -- * eth0 !86.58.x.x <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
><br>
> 3 0 0 MASQUERADE all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> MARK match 0xd001<br>
><br>
> 4 0 0 MASQUERADE all -- * eth0 <a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
<div class="im">><br>
><br>
> Chain OUTPUT (policy ACCEPT 2489 packets, 220K bytes)<br>
><br>
> num pkts bytes target prot opt in out source destination<br>
><br>
><br>
> Chain LOCALSRV (0 references)<br>
><br>
> num pkts bytes target prot opt in out source destination<br>
><br>
><br>
> Chain VSERVER (1 references)<br>
><br>
> num pkts bytes target prot opt in out source destination<br>
><br>
</div>> 1 1 123 DNAT tcp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> tcp dpt:1184 to:<a href="http://192.168.2.100:1194" target="_blank">192.168.2.100:1194</a> <<a href="http://192.168.2.100:1194" target="_blank">http://192.168.2.100:1194</a>><br>
><br>
> 2 0 0 DNAT udp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> udp dpt:1184 to:<a href="http://192.168.2.100:1194" target="_blank">192.168.2.100:1194</a> <<a href="http://192.168.2.100:1194" target="_blank">http://192.168.2.100:1194</a>><br>
><br>
> 3 304 53966 VUPNP all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
<div><div class="h5">><br>
><br>
> Chain VUPNP (1 references)<br>
><br>
> num pkts bytes target prot opt in out source destination<br>
><br>
><br>
> Chain YADNS (0 references)<br>
><br>
> num pkts bytes target prot opt in out source destination<br>
><br>
><br>
><br>
> ifconfig:<br>
><br>
> br0 Link encap:Ethernet HWaddr 30:85:A9:E6:EF:A0<br>
><br>
> inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0<br>
><br>
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
><br>
> RX packets:20577 errors:0 dropped:0 overruns:0 frame:0<br>
><br>
> TX packets:16212 errors:0 dropped:0 overruns:0 carrier:0<br>
><br>
> collisions:0 txqueuelen:0<br>
><br>
> RX bytes:7597057 (7.2 MiB) TX bytes:2892960 (2.7 MiB)<br>
><br>
><br>
> eth0 Link encap:Ethernet HWaddr 30:85:A9:E6:EF:A0<br>
><br>
> inet addr:86.58.x.x Bcast:86.58.y.y Mask:255.255.255.0<br>
><br>
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
><br>
> RX packets:665392 errors:0 dropped:0 overruns:0 frame:0<br>
><br>
> TX packets:1473423 errors:0 dropped:0 overruns:0 carrier:0<br>
><br>
> collisions:0 txqueuelen:1000<br>
><br>
> RX bytes:83612848 (79.7 MiB) TX bytes:1996770618 (1.8 GiB)<br>
><br>
> Interrupt:4 Base address:0x2000<br>
><br>
> ...<br>
><br>
> btw, should tunnel, that is created by strongswan, appear in this ifconfig list ?<br>
><br>
><br>
> I’m probably missing another piece of puzzle.<br>
><br>
> Is there any other log file except strongswan log, that should I examine ?<br>
><br>
><br>
> Thanks<br>
><br>
> Luka<br>
><br>
><br>
><br>
</div></div>> On Sun, Nov 10, 2013 at 3:38 PM, Noel Kuntze <<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> wrote:<br>
><br>
><br>
> Sorry, it is "iptables -A POSTROUTING -t nat -s <a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> -o eth0 -j MASQUERADE"<br>
<div class="im">> On 10.11.2013 15:05, Noel Kuntze wrote:<br>
><br>
> > Hello Luka,<br>
><br>
> > You need to masquerade the traffic from your iPhone to the LAN or the internet.<br>
> > You do this with either the MASQUERADE or the SNAT target in iptables.<br>
</div>> > Example: iptables -A FORWARD -t nat -s <a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> -o eth0 -j MASQUERADE<br>
<div class="im">><br>
> > Regards<br>
> > Noel Kuntze<br>
><br>
> > On 10.11.2013 11:50, Luka wrote:<br>
> > > Hi.<br>
> > > I've found way to fix that error: "iptables: No chain/target/match by that name" by executing command:<br>
><br>
> > > insmod xt_policy<br>
><br>
><br>
> > > Now when I connect, iPhone gets IP 10.0.0.2 and following policy is added to FORWARD chain:<br>
><br>
> > > Chain FORWARD (policy DROP 0 packets, 0 bytes)<br>
><br>
> > > num pkts bytes target prot opt in out source destination<br>
><br>
</div>> > > 1 0 0 ACCEPT all -- eth0 * 10.0.0.2 <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> policy match dir in pol ipsec reqid 1 proto 50<br>
><br>
> > > 2 0 0 ACCEPT all -- * eth0 <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> 10.0.0.2 policy match dir out pol ipsec reqid 1 proto 50<br>
<div class="im">><br>
><br>
> > > I'm using config:<br>
><br>
> > > conn %default<br>
><br>
> > > keyexchange=ikev1 Read the manpage for it<br>
><br>
> > > authby=xauthrsasig<br>
><br>
> > > xauth=server<br>
><br>
><br>
><br>
> > > #leftid = subject alt. name (v certifikatu)<br>
><br>
> > > conn ios<br>
><br>
> > > left=%defaultroute<br>
><br>
</div>> > > leftsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
><br>
> > > leftcert=serverCert.pem<br>
><br>
> > > leftfirewall=yes<br>
><br>
<div class="im">> > But I still can't access my LAN (<a href="http://192.168.2.0/24" target="_blank">192.168.2.0/24</a> <<a href="http://192.168.2.0/24" target="_blank">http://192.168.2.0/24</a>>) or ping router 192.168.2.1 or ping phone virtual IP 10.0.0.2.<br>
><br>
> > I've no idea what else should I try. I give up.<br>
><br>
</div>> > > right=%any<br>
><br>
> > > rightsubnet=<a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>><br>
><br>
> > > rightsourceip=10.0.0.2<br>
><br>
> > > auto=add<br>
><br>
> > > rightcert=clientCert.pem<br>
><br>
><br>
><br>
> > > But I still can't access my LAN (<a href="http://192.168.2.0/24" target="_blank">192.168.2.0/24</a> <<a href="http://192.168.2.0/24" target="_blank">http://192.168.2.0/24</a>> <<a href="http://192.168.2.0/24" target="_blank">http://192.168.2.0/24</a>>) or ping router 192.168.2.1 or ping phone virtual IP 10.0.0.2.<br>
<div class="im">><br>
> > > I've no idea what else should I try. I give up.<br>
><br>
><br>
> > > L<br>
><br>
><br>
><br>
><br>
</div><div class="im">> > > On Thu, Nov 7, 2013 at 11:05 PM, Noel Kuntze <<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>> wrote:<br>
><br>
><br>
> > > Hello Luka,<br>
><br>
</div><div class="im">> > > I actually meant the config which you created after I sent you that link [1].<br>
> > > I don't know exactly why there are retransmits happening, but in general, the setup should work.<br>
><br>
> > > [1] <a href="http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling" target="_blank">http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling</a><br>
><br>
> > > Regards<br>
> > > Noel Kuntze<br>
><br>
> > > On 07.11.2013 23:03, Luka wrote:<br>
> > >> Ok I've switched back to following configuration and I can connect to VPN again (back to beginning, can connect but can't access LAN behind VPN):<br>
><br>
> > >> conn %default<br>
><br>
> > >> keyexchange=ikev1<br>
><br>
> > >> authby=xauthrsasig<br>
><br>
> > >> xauth=server<br>
><br>
><br>
><br>
> > >> conn ios<br>
><br>
> > >> left=86.xx.xx.x35<br>
><br>
> > >> leftcert=serverLupoCert.pem<br>
><br>
</div>> > >> leftsubnet=<a href="http://192.168.2.0/24" target="_blank">192.168.2.0/24</a> <<a href="http://192.168.2.0/24" target="_blank">http://192.168.2.0/24</a>> <<a href="http://192.168.2.0/24" target="_blank">http://192.168.2.0/24</a>> <<a href="http://192.168.2.0/24" target="_blank">http://192.168.2.0/24</a>><br>
<div class="im">><br>
> > >> leftfirewall=yes<br>
><br>
> > >> right=%any<br>
><br>
> > >> rightsourceip=10.3.0.1<br>
><br>
> > >> auto=add<br>
><br>
> > >> rightcert=clientLupoCert.pem<br>
><br>
><br>
> > >> Do I have to put server's WAN Ip address for "left" or local IP ?<br>
><br>
> > >> Configuration is simmilar to this one:<a href="http://www.strongswan.org/uml/testresults/ikev1/xauth-id-rsa-config/index.html" target="_blank">http://www.strongswan.org/uml/testresults/ikev1/xauth-id-rsa-config/index.html</a>.<br>
> > >> I've checked iptables -L command on that site <<a href="http://www.strongswan.org/uml/testresults/ikev1/xauth-id-rsa-config/moon.iptables" target="_blank">http://www.strongswan.org/uml/testresults/ikev1/xauth-id-rsa-config/moon.iptables</a>> and compared it with mine.<br>
> > >> It looks like mine is missing some forwarding rules.<br>
> > >> Mine:<br>
><br>
> > >> iptables -L -v -n --line-numbers<br>
><br>
> > >> Chain INPUT (policy ACCEPT 109K packets, 9709K bytes)<a href="http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling" target="_blank">http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling</a><br>
><br>
> > >> num pkts bytes target prot opt in out source destination<br>
><br>
</div>> > >> 1 236 31088 ACCEPT esp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
><br>
> > >> 2 0 0 ACCEPT udp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> udp dpt:4500<br>
><br>
> > >> 3 196 68288 ACCEPT udp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> udp dpt:500<br>
><br>
> > >> 4 0 0 ACCEPT all -- tun21 * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
><br>
> > >> 5 1138 105K ACCEPT tcp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> tcp dpt:1194<br>
><br>
> > >> 6 0 0 ACCEPT all -- tun11 * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
<div class="im">><br>
><br>
> > >> Chain FORWARD (policy DROP 0 packets, 0 bytes)<br>
><br>
> > >> num pkts bytes target prot opt in out source destination<br>
><br>
</div>> > >> 1 0 0 ACCEPT esp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
><br>
> > >> 2 0 0 ACCEPT all -- tun21 * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
><br>
> > >> 3 5 344 ACCEPT all -- tun11 * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
><br>
> > >> 4 22028 1928K ACCEPT all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> state RELATED,ESTABLISHED<br>
><br>
> > >> 5 0 0 logdrop all -- !br0 eth0 <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
><br>
> > >> 6 28 1432 logdrop all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> state INVALID<br>
><br>
> > >> 7 0 0 ACCEPT all -- br0 br0 <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
><br>
> > >> 8 1344 80640 ACCEPT all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> ctstate DNAT<br>
><br>
> > >> 9 32811 2190K ACCEPT all -- br0 * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
<div class="im">><br>
><br>
> > >> Chain OUTPUT (policy ACCEPT 109K packets, 19M bytes)<br>
><br>
> > >> num pkts bytes target prot opt in out source destination<br>
><br>
</div>> > >> 1 0 0 ACCEPT esp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
<div class="im">><br>
><br>
> > >> Chain FUPNP (0 references)<br>
><br>
> > >> num pkts bytes target prot opt in out source destination<br>
><br>
><br>
> > >> Chain PControls (0 references)<br>
><br>
> > >> num pkts bytes target prot opt in out source destination<br>
><br>
</div>> > >> 1 0 0 ACCEPT all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
<div class="im">><br>
><br>
> > >> Chain logaccept (0 references)<br>
><br>
> > >> num pkts bytes target prot opt in out source destination<br>
><br>
</div>> > >> 1 0 0 LOG all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> state NEW LOG flags 7 level 4 prefix `ACCEPT '<br>
><br>
> > >> 2 0 0 ACCEPT all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
<div class="im">><br>
><br>
> > >> Chain logdrop (2 references)<br>
><br>
> > >> num pkts bytes target prot opt in out source destination<br>
><br>
</div>> > >> 1 0 0 LOG all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> state NEW LOG flags 7 level 4 prefix `DROP'<br>
><br>
> > >> 2 28 1432 DROP all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
<div class="im">><br>
><br>
> > >> If I understand "leftfirewall=yes" command, it should put those rules into iptables.<br>
><br>
> > >> I've checked charon log file and found this error:<br>
><br>
> > >> cat strongswancharon.log | grep iptables<br>
><br>
> > >> Nov 7 22:59:06 11[CFG] leftupdown=ipsec _updown iptables<br>
><br>
> > >> Nov 7 22:59:26 12[CHD] updown: iptables: No chain/target/match by that name<br>
><br>
> > >> Nov 7 22:59:26 12[CHD] updown: iptables: No chain/target/match by that name<br>
><br>
><br>
> > >> Am I missing some modules here or something ?<br>
><br>
> > >> How can I get/log those commands for iptables, that strongswan executes ?<br>
><br>
><br>
> > >> Thanks.<br>
><br>
><br>
><br>
</div><div><div class="h5">> > >> On Thu, Nov 7, 2013 at 6:25 PM, Noel Kuntze <<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>>> wrote:<br>
><br>
><br>
> > >> Hello Luka,<br>
><br>
> > >> Your former configuration worked just fine. The problem was with the network or similiar. It had nothing to do with strongSwan.<br>
><br>
> > >> Regards<br>
> > >> Noel Kuntze<br>
><br>
> > >> On 07.11.2013 10:51, Luka wrote:<br>
> > >>> Now I've tried to load modules by hand. I've added following line to strongswan.conf:<br>
> > >>> load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve attr farp xauth-generic<br>
><br>
> > >>> And if I check charon logs, it looks like it connects and then immediately disconnects from vpn.<br>
> > >>> Here are interesting lines from log file, (I connect with iphone and get "Negotiation with the VPN server failed":<br>
><br>
> > >>> ...<br>
> > >>> Nov 7 10:31:12 14[CFG] id '<server.wan.ip>' not confirmed by certificate, defaulting to 'C=SI, O=Hlupo, CN=clientLupo'<br>
> > >>> ...<br>
> > >>> Nov 7 10:31:12 14[CFG] id '%any' not confirmed by certificate, defaulting to 'C=SI, O=Hlupo, CN=<server.wan.ip>'<br>
> > >>> ...<br>
> > >>> Nov 7 10:31:12 14[CFG] left is other host, swapping ends<br>
> > >>> ...<br>
> > >>> Nov 7 10:13:55 04[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING<br>
> > >>> ...<br>
> > >>> Nov 7 10:13:56 05[IKE] remote host is behind NAT<br>
> > >>> ...<br>
> > >>> Nov 7 10:13:57 11[IKE] XAuth authentication of 'lupo' successful<br>
> > >>> ...<br>
> > >>> Nov 7 10:13:57 12[IKE] IKE_SA ios[1] state change: CONNECTING => ESTABLISHED<br>
> > >>> ...<br>
> > >>> Nov 7 10:13:57 12[IKE] peer requested virtual IP %any<br>
> > >>> Nov 7 10:13:57 12[IKE] no virtual IP found for %any requested by 'lupo'<br>
> > >>> ...<br>
> > >>> Nov 7 10:14:13 05[ENC] parsing HASH_V1 payload finished<br>
> > >>> Nov 7 10:14:13 05[ENC] parsing DELETE_V1 payload, 40 bytes left<br>
> > >>> ...<br>
> > >>> Nov 7 10:14:13 05[ENC] parsing DELETE_V1 payload finished<br>
> > >>> ...<br>
> > >>> Nov 7 10:14:13 05[IKE] IKE_SA ios[1] state change: ESTABLISHED => DELETING<br>
> > >>> Nov 7 10:14:13 05[MGR] checkin and destroy IKE_SA ios[1]<br>
> > >>> Nov 7 10:14:13 05[IKE] IKE_SA ios[1] state change: DELETING => DESTROYING<br>
> > >>> Nov 7 10:14:13 05[MGR] check-in and destroy of IKE_SA successful<br>
> > >>> Nov 7 10:14:13 02[NET] waiting for data on sockets<br>
> > >>> Nov 7 10:14:25 15[JOB] got event, queuing job for execution<br>
> > >>> Nov 7 10:14:25 15[JOB] next event in 9732s 760ms, waiting<br>
> > >>> Nov 7 10:14:25 06[MGR] checkout IKE_SA<br>
><br>
> > >>> Should I put something else instead of "right=%any" ?<br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
> > _______________________________________________<br>
> > Users mailing list<br>
</div></div>> > <a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>><br>
<div class="im">> > <a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br>
><br>
><br>
><br>
<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v2.0.22 (GNU/Linux)<br>
Comment: Using GnuPG with Thunderbird - <a href="http://www.enigmail.net/" target="_blank">http://www.enigmail.net/</a><br>
<br>
</div>iQIcBAEBCAAGBQJSf64LAAoJEDg5KY9j7GZYwV0QAJOdf6h+ub20kurhfoyCTypv<br>
fuKNs22i4batpPoSRyxI+f2PcLE0ojos6FF1aR3BRdQbWhGwe8nZHxVT2eOiCdPV<br>
4+J/EBfXRG+uKhKCrBJWqZdcmCenJmb2kfG0e0DxO2FWmqvh/r5YyS1zz7IM6e0B<br>
WQg4d8UaKxSvso6XRDLJErscqHxeUx57QtLk03/boz75fmwGq75l7LlGDjt6PMJ5<br>
EC97ipXgdf5tZj7OfEHM4p9UYzzjBuGq6RdFtX1SiZMhAKCJGp8I33yGs92hJhUG<br>
gF+C735qwJlz9WXKS7pIHeyjekCOUQpmn4UEcJBwP+sVPQowfTWLttH6FtcRAPHM<br>
M9st8xTfabOhlqjU/AZ9ws8FvojDN2fLcfhoHkkycbcXgcTBdm8oEiakHju7PUaW<br>
JUazZD9xxFgQrCEuLATBlwi3YT5Nph8JiAHBfSJ2qnI55/2uU806w+GcKG+Jna9q<br>
qRFGKWUQi1OF9KSjzfzgHMLxyPmVc1xYGH8rxviN7p9zsJqpRZx/rMXunrgSGpVy<br>
IY5+bJv8+qWqbBjz2mzL5RS3OjWBD5163gZPE68eVxYJQzs1SvUv6EntDS5kPag+<br>
KadLEyabq1zo+MAC5TIsucfSTrDjU/iBTtOzKO4gqDoaBe8gNX+ZdGccjqSMJJpt<br>
GBYSeSk0qahEDa8nL9jN<br>
=uJPU<br>
-----END PGP SIGNATURE-----<br>
<br>
</blockquote></div><br></div>