<div dir="ltr">Thanks for your time Noel.<div>Gurus out there, please help :)</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Nov 14, 2013 at 8:13 PM, Noel Kuntze <span dir="ltr"><<a href="mailto:noel@familie-kuntze.de" target="_blank">noel@familie-kuntze.de</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im"><br>
-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA256<br>
<br>
Hello Luka,<br>
<br>
</div>strongSwan receives the packets just fine, so I don't know what exactly the problem is.<br>
Maybe some other member of the mailing list might be able to help you.<br>
<br>
Regards<br>
Noel Kuntze<br>
<div class="im"><br>
On 14.11.2013 08:42, Luka wrote:<br>
> Noel.<br>
> Ok I've created level 3 log files with following scenario:<br>
> - restart router<br>
> - turn off firewall on router (from router web gui)<br>
> - execute following commands(because router was restarted):<br>
><br>
</div>> modprobe /lib/modules/<a href="http://2.6.22.19/kernel/net/ipv4/xfrm4_tunnel.ko" target="_blank">2.6.22.19/kernel/net/ipv4/xfrm4_tunnel.ko</a> <<a href="http://2.6.22.19/kernel/net/ipv4/xfrm4_tunnel.ko" target="_blank">http://2.6.22.19/kernel/net/ipv4/xfrm4_tunnel.ko</a>><br>
<div class="im">><br>
> insmod xt_policy<br>
><br>
> - enter iptables commands:<br>
><br>
> iptables -I FORWARD -m conntrack --ctstate SNAT -j ACCEPT<br>
><br>
</div>> iptables -I FORWARD -m conntrack -s <a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT<br>
><br>
> iptables -I POSTROUTING 1 -s <a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> -j MASQUERADE -t nat<br>
<div class="im">><br>
><br>
> - start strongswan: ipsec start<br>
> - connect with client(iPhone) to server (client gets virtual ip 10.0.0.2)<br>
> - open safari(iPhone) and try to access some site from LAN: 192.168.2.10<br>
> - wait few seconds (no response ...)<br>
> - stop strongswan: ipsec stop<br>
><br>
> You can grab logs on:<br>
> <a href="https://dl.dropboxusercontent.com/u/2261256/forums/ipsec/strongswan.log" target="_blank">https://dl.dropboxusercontent.com/u/2261256/forums/ipsec/strongswan.log</a><br>
> (server/client IPs are censored).<br>
><br>
> Luka<br>
><br>
><br>
</div><div class="im">> On Wed, Nov 13, 2013 at 11:31 PM, Noel Kuntze <<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> wrote:<br>
><br>
><br>
> Hello Luka,<br>
><br>
> No, I meant logs of strongSwan.<br>
> The logs you sent earlier don't show active communication between the server and the client.<br>
> Example logger configurations and explanations can be found here [1].<br>
><br>
> [1] <a href="http://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration" target="_blank">http://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration</a><br>
><br>
> Regards<br>
> Noel Kuntze<br>
><br>
> On 13.11.2013 23:25, Luka wrote:<br>
> > Hi.<br>
> > I didn't know about that "conntrack" module.<br>
> > What logs did you mean ? from contrack module ? or from strongswan (already sent those in previous mails).<br>
> > How do you specify log level in conntrack ?<br>
> > There are some entries from conntrack (started connected to vpn, tried to connect some local IPs and then disconnect):<br>
><br>
><br>
> > # cat /proc/net/ip_conntrack | grep 122.<br>
><br>
> > udp 17 104 src=46.x.x.x dst=86.x.x.x sport=500 dport=500 packets=34 bytes=10344 src=86.x.x.x dst=46.x.x.x sport=500 dport=500 packets=25 bytes=7425 [ASSURED] mark=0 use=1<br>
><br>
> > unknown 50 523 src=46.x.x.x dst=86.x.x.x packets=59 bytes=8024 [UNREPLIED] src=86.x.x.x dst=46.x.x.x packets=0 bytes=0 mark=0 use=1<br>
><br>
><br>
> > What does those unreplied packages mean ?<br>
><br>
> > I'm using charon daemon (strongSwan 5.0.4, Linux 2.6.22.19, mips).<br>
><br>
> > Luka<br>
><br>
</div><div class="im">> > On Wed, Nov 13, 2013 at 10:46 PM, Noel Kuntze <<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>> wrote:<br>
><br>
><br>
> > Hello Luka,<br>
><br>
</div><div class="im">> > I have to say, that you're using the -I parameter of iptables incorrectly. It needs the position in which the rule should be put as the second parameter.<br>
> > Like that: iptables -I INPUT 1 -j LOG --log-prefix "Luka-log: "<br>
> > If you don't do that, -I works the same way as -A (Append).<br>
><br>
> > The policy of the FORWARD chain seems to be "drop", so you probably have to insert a rule there, too, to allow SNATed (masquerade basicly does this) traffic through.<br>
> > Such a rule looks like this:<br>
> > iptables -A FORWARD -m conntrack --ctstate SNAT -j ACCEPT<br>
> > You need to allow connections from your VPN clients to the LAN:<br>
</div>> > iptables -A FORWARD -m conntrack -s <a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT<br>
<div class="im">><br>
> > Up/down the tunnel and try to ping it directly after that. Also sending us a logfile which shows you trying to communicate with the LAN will help a lot. When logging, please send us logs with default=3.<br>
> > The logfiles can grow quite large over time.<br>
> > Also, what version of strongSwan do you use?<br>
><br>
> > Regards<br>
> > Noel Kuntze<br>
><br>
> > On 13.11.2013 22:18, Luka wrote:<br>
><br>
> > > Traffic counters stays at 0<br>
><br>
> > > ios{2}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 46 minutes<br>
><br>
</div>> > > ios{2}: <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> === <a href="http://10.0.0.2/32" target="_blank">10.0.0.2/32</a> <<a href="http://10.0.0.2/32" target="_blank">http://10.0.0.2/32</a>> <<a href="http://10.0.0.2/32" target="_blank">http://10.0.0.2/32</a>> <<a href="http://10.0.0.2/32" target="_blank">http://10.0.0.2/32</a>><br>
><br>
><br>
> > > Luka<br>
<div class="im">><br>
><br>
><br>
> > > On Wed, Nov 13, 2013 at 10:15 PM, Noel Kuntze <<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>>> wrote:<br>
><br>
><br>
> > > Hello Luka,<br>
><br>
</div><div class="im">> > > Yes, this is all okay.<br>
> > > Does the traffic counters, you see when you do "ipsec statusall", increase when you try to communicate with your LAN?<br>
><br>
> > > Regards<br>
> > > Noel Kuntze<br>
><br>
> > > On 13.11.2013 22:11, Luka wrote:<br>
> > > > IP forward is enabled. I can't find sysctl command, but following command prints 1(=enabled):<br>
> > > > cat /proc/sys/net/ipv4/ip_forward<br>
> > > > 1<br>
><br>
> > > > Tunnel printed in "ipsec statusall" command looks like this:<br>
><br>
> > > > Security Associations (1 up, 0 connecting):<br>
><br>
> > > > ...<br>
><br>
</div>> > > > ios{1}: <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> === <a href="http://10.0.0.2/32" target="_blank">10.0.0.2/32</a> <<a href="http://10.0.0.2/32" target="_blank">http://10.0.0.2/32</a>> <<a href="http://10.0.0.2/32" target="_blank">http://10.0.0.2/32</a>> <<a href="http://10.0.0.2/32" target="_blank">http://10.0.0.2/32</a>> <<a href="http://10.0.0.2/32" target="_blank">http://10.0.0.2/32</a>><br>
><br>
><br>
> > > > Is this ok ?<br>
<div class="im">><br>
><br>
><br>
><br>
> > > > On Wed, Nov 13, 2013 at 9:48 PM, Noel Kuntze <<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>>>> wrote:<br>
><br>
><br>
> > > > Hello Luka,<br>
><br>
</div><div class="im">> > > > Is IP forwarding activated? if it isn't, then activate it.<br>
> > > > Getting the IP packets from the tunnel to your LAN is probably the problem.<br>
><br>
> > > > Regards<br>
> > > > Noel Kuntze<br>
><br>
> > > > On 13.11.2013 21:27, Luka wrote:<br>
> > > > > Hi Noel.<br>
> > > > > My postrouting chain contains following entries:<br>
><br>
> > > > > Chain POSTROUTING (policy ACCEPT)<br>
><br>
> > > > > target prot opt source destination<br>
><br>
</div>> > > > > MASQUERADE all -- <a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> anywhere<br>
><br>
> > > > > MASQUERADE all -- <a href="http://192.168.2.0/24" target="_blank">192.168.2.0/24</a> <<a href="http://192.168.2.0/24" target="_blank">http://192.168.2.0/24</a>> <<a href="http://192.168.2.0/24" target="_blank">http://192.168.2.0/24</a>> <<a href="http://192.168.2.0/24" target="_blank">http://192.168.2.0/24</a>> <<a href="http://192.168.2.0/24" target="_blank">http://192.168.2.0/24</a>> <<a href="http://192.168.2.0/24" target="_blank">http://192.168.2.0/24</a>> anywhere<br>
><br>
> > > > > MASQUERADE all -- !<a href="http://cpe-86-xx-xxx-xxx.static.xxx.net" target="_blank">cpe-86-xx-xxx-xxx.static.xxx.net</a> <<a href="http://cpe-86-xx-xxx-xxx.static.xxx.net" target="_blank">http://cpe-86-xx-xxx-xxx.static.xxx.net</a>> <<a href="http://cpe-86-xx-xxx-xxx.static.xxx.net" target="_blank">http://cpe-86-xx-xxx-xxx.static.xxx.net</a>> <<a href="http://cpe-86-xx-xxx-xxx.static.xxx.net" target="_blank">http://cpe-86-xx-xxx-xxx.static.xxx.net</a>> <<a href="http://cpe-86-xx-xxx-xxx.static.xxx.net" target="_blank">http://cpe-86-xx-xxx-xxx.static.xxx.net</a>> <<a href="http://cpe-86-xx-xxx-xxx.static.xxx.net" target="_blank">http://cpe-86-xx-xxx-xxx.static.xxx.net</a>> anywhere<br>
<div class="im">><br>
> > > > > MASQUERADE all -- anywhere anywhere MARK match 0xd001<br>
><br>
><br>
> > > > > I've tried to log all packages in different chains (see part of log at bottom) and I didn't find any traces of virtual IP (10.0.0.2), just iPhones wan IP and server wan IP. Is that OK ?<br>
><br>
><br>
> > > > > I've tried:<br>
><br>
> > > > > iptables -I INPUT -j LOG --log-prefix "Luka-log: "<br>
><br>
> > > > > Part of logs(IPs are replaced with "x", 46.x is iPhone IP and 86.x is server external IP):<br>
><br>
</div>> > > > > Nov 13 19:21:34 vpn: + C=SI, O=Lupo, CN=clientLupo <a href="http://10.0.0.2/32" target="_blank">10.0.0.2/32</a> <<a href="http://10.0.0.2/32" target="_blank">http://10.0.0.2/32</a>> <<a href="http://10.0.0.2/32" target="_blank">http://10.0.0.2/32</a>> <<a href="http://10.0.0.2/32" target="_blank">http://10.0.0.2/32</a>> <<a href="http://10.0.0.2/32" target="_blank">http://10.0.0.2/32</a>> <<a href="http://10.0.0.2/32" target="_blank">http://10.0.0.2/32</a>> == 46.x.x.x -- 86.x.x.x == %any/0<br>
<div class="im">><br>
> > > > > ...<br>
><br>
> > > > > Nov 13 19:22:06 kernel: Luka-log: <4>Luka-log: IN=eth0 OUT= MAC=30:xx:a9:xx:ef:a0:00:17:10:02:6b:8f:08:00 <1>SRC=46.x.x.x DST=86.x.x.x <1>LEN=136 TOS=0x00 PREC=0x00 TTL=56 ID=25376 PROTO=ESP SPI=0xc1155ce9<br>
><br>
> > > > > ...<br>
><br>
> > > > > Nov 13 19:22:07 kernel: Luka-log: <4>Luka-log: IN=eth0 OUT= MAC=30:xx:a9:xx:ef:a0:00:17:10:02:6b:8f:08:00 <1>SRC=46.x.x.x DST=86.x.x.x <1>LEN=136 TOS=0x00 PREC=0x00 TTL=56 ID=23923 PROTO=ESP SPI=0xc1155ce9<br>
><br>
> > > > > ...<br>
><br>
><br>
><br>
> > > > > iptables -I PREROUTING -j LOG --log-prefix "Luka-log(nat-PREROUTING): " -t nat<br>
><br>
> > > > > Logs:<br>
><br>
> > > > > ...(2 or 3 packages of this type)<br>
><br>
> > > > > Nov 13 20:54:52 kernel: Luka-log(nat-PREROUTING): <4>Luka-log(nat-PREROUTING): IN=eth0 OUT= MAC=30:xx:a9:xx:ef:a0:00:17:10:02:6b:8f:08:00 <1>SRC=46.x.x.x DST=86.x.x.x <1>LEN=696 TOS=0x00 PREC=0x00 TTL=56 ID=58415 PROTO=UDP <1>SPT=500 DPT=500 LEN=676<br>
><br>
> > > > > ...<br>
><br>
><br>
> > > > > iptables -I FORWARD -j LOG --log-prefix "Luka-log(nat-FORWARD): "<br>
><br>
> > > > > Logs: vpn logs not found<br>
><br>
><br>
</div>> > > > > iptables -I POSTROUTING -j LOG --log-prefix "Luka-POSTROUTING-MASQUERADE: " -t nat -s <a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>><br>
<div class="im">><br>
> > > > > Logs: vpn logs not found<br>
><br>
><br>
> > > > > Any idea what else should I check ?<br>
><br>
><br>
> > > > > Luka<br>
><br>
><br>
><br>
</div>> > > > > On Sun, Nov 10, 2013 at 5:02 PM, Noel Kuntze <<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a><br>
<div class="im"><mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>>>>> wrote:<br>
><br>
><br>
> > > > > Hello Luka,<br>
><br>
</div><div class="im">> > > > > What other rules do you have in the POSTROUTING chain? If any other rule removes the packets from the chain, then they don't reach the MASQUERADE rule and hence<br>
> > > > > won't get masqueraded.<br>
><br>
</div>> > > > > The rule basicly says: If the traffic is going out on the eth0 interface and the source is <a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> and the destination ist <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>>, then masquerade it.<br>
<div class="im">> > > > > Masquerade basicly means NAT, but it will replace the source IP of the traffic based on the interface it's going out.<br>
> > > > > No, the parameters that are displayed in the first couple of columns are just filters that restrict traffic going to the target.<br>
> > > > > For further clarification, I recomment you read the manpage for iptables and iptables-extensions (if the latter exists on your system. It does on Arch Linux.).<br>
> > > > > For your setup, I recomment you ommit -o eth0 and INSERT, and not APPEND the rule to the chain.<br>
</div>> > > > > Example: iptables -I POSTROUTING 1 -s <a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> -j MASQUERADE<br>
<div class="im">><br>
> > > > > Regards<br>
> > > > > Noel Kuntze<br>
><br>
> > > > > On 10.11.2013 16:31, Luka wrote:<br>
><br>
> > > > > > Hi Noel.<br>
><br>
> > > > > > Still no luck.<br>
><br>
> > > > > > I’ve added masquerade, following line is added to nat iptable:<br>
><br>
> > > > > > Chain POSTROUTING (policy ACCEPT 2500 packets, 221K bytes)<br>
><br>
> > > > > > num pkts bytes target prot opt in out source destination<br>
><br>
> > > > > > …<br>
><br>
</div>> > > > > > 4 0 0 MASQUERADE all -- * eth0 <a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
><br>
><br>
> > > > > > What exactly does this masquerade record means ? Probably that all packets from <a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> network that have any(0.0.0.0) destination will get IP address of eth0 device ?<br>
<div class="im">><br>
> > > > > > But eth0 is device with external IP of server (86.58.x.x) (see ifconfig output below), should I use br0 device here (the one with local IP of router) ?<br>
><br>
><br>
> > > > > > Ok, if I sum up my situation:<br>
><br>
> > > > > > CLIENT(iPhone):<br>
><br>
> > > > > > - I can connect to IPsec(strongswan)<br>
><br>
> > > > > > - gets virtual IP Address: 10.0.0.2<br>
><br>
><br>
> > > > > > SERVER (strongswan v5.0.4, on my router, Linux 2.6.22.19):<br>
><br>
> > > > > > - local IP: 192.168.2.1<br>
><br>
> > > > > > - external IP 86.58.x.x<br>
><br>
> > > > > > ipsec statusall:<br>
><br>
> > > > > > Virtual IP pools (size/online/offline):<br>
><br>
> > > > > > 10.0.0.2 <<a href="http://10.0.0.2" target="_blank">http://10.0.0.2</a>>: 1/1/0<br>
><br>
> > > > > > Listening IP addresses:<br>
><br>
> > > > > > 86.58.x.x<br>
><br>
> > > > > > 192.168.2.1<br>
><br>
><br>
> > > > > > Security Associations (1 up, 0 connecting):<br>
><br>
> > > > > > ios[2]: ESTABLISHED 19 seconds ago, 86.58.x.x[C=SI, O=Lupo, CN=86.58.x.x]…46.123.x.x[C=SI, O=Lupo, CN=clientLupo]<br>
><br>
> > > > > > ios[2]: Remote XAuth identity: lupo<br>
><br>
> > > > > > ios[2]: IKEv1 SPIs: cd789eae5d666586_i 638f1ca174f85726_r*, public key reauthentication in 2 hours<br>
><br>
> > > > > > ios[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536<br>
><br>
> > > > > > ios{1}: INSTALLED, TUNNEL, ESP SPIs: c7f2d740_i 0829cc4a_o<br>
><br>
> > > > > > ios{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 45 minutes<br>
><br>
</div>> > > > > > ios{1}: <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> === <a href="http://10.0.0.2/32" target="_blank">10.0.0.2/32</a> <<a href="http://10.0.0.2/32" target="_blank">http://10.0.0.2/32</a>> <<a href="http://10.0.0.2/32" target="_blank">http://10.0.0.2/32</a>> <<a href="http://10.0.0.2/32" target="_blank">http://10.0.0.2/32</a>> <<a href="http://10.0.0.2/32" target="_blank">http://10.0.0.2/32</a>> <<a href="http://10.0.0.2/32" target="_blank">http://10.0.0.2/32</a>> <<a href="http://10.0.0.2/32" target="_blank">http://10.0.0.2/32</a>><br>
<div class="im">><br>
><br>
> > > > > > iptables:<br>
><br>
> > > > > > This entries are added to FORWARD chain after I connect to server:<br>
><br>
><br>
> > > > > > Chain FORWARD (policy DROP 0 packets, 0 bytes)<br>
><br>
> > > > > > num pkts bytes target prot opt in out source destination<br>
><br>
</div>> > > > > > 1 0 0 ACCEPT all -- eth0 * 10.0.0.2 <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> policy match dir in pol ipsec reqid 2 proto 50<br>
><br>
> > > > > > 2 0 0 ACCEPT all -- * eth0 <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> 10.0.0.2 policy match dir out pol ipsec reqid 2 proto 50<br>
<div class="im">><br>
><br>
> > > > > > iptables(nat table):<br>
><br>
> > > > > > Chain PREROUTING (policy ACCEPT 4188 packets, 599K bytes)<br>
><br>
> > > > > > num pkts bytes target prot opt in out source destination<br>
><br>
</div>> > > > > > 1 1 60 ACCEPT tcp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> tcp dpt:1194<br>
><br>
> > > > > > 2 305 54089 VSERVER all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> 86.58.x.x<br>
<div class="im">><br>
><br>
> > > > > > Chain POSTROUTING (policy ACCEPT 2500 packets, 221K bytes)<br>
><br>
> > > > > > num pkts bytes target prot opt in out source destination<br>
><br>
</div>> > > > > > 1 0 0 MASQUERADE all -- * tun11 <a href="http://192.168.2.0/24" target="_blank">192.168.2.0/24</a> <<a href="http://192.168.2.0/24" target="_blank">http://192.168.2.0/24</a>> <<a href="http://192.168.2.0/24" target="_blank">http://192.168.2.0/24</a>> <<a href="http://192.168.2.0/24" target="_blank">http://192.168.2.0/24</a>> <<a href="http://192.168.2.0/24" target="_blank">http://192.168.2.0/24</a>> <<a href="http://192.168.2.0/24" target="_blank">http://192.168.2.0/24</a>> <<a href="http://192.168.2.0/24" target="_blank">http://192.168.2.0/24</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
><br>
> > > > > > 2 731 46984 MASQUERADE all -- * eth0 !86.58.x.x <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
><br>
> > > > > > 3 0 0 MASQUERADE all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> MARK match 0xd001<br>
><br>
> > > > > > 4 0 0 MASQUERADE all -- * eth0 <a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
<div class="im">><br>
><br>
> > > > > > Chain OUTPUT (policy ACCEPT 2489 packets, 220K bytes)<br>
><br>
> > > > > > num pkts bytes target prot opt in out source destination<br>
><br>
><br>
> > > > > > Chain LOCALSRV (0 references)<br>
><br>
> > > > > > num pkts bytes target prot opt in out source destination<br>
><br>
><br>
> > > > > > Chain VSERVER (1 references)<br>
><br>
> > > > > > num pkts bytes target prot opt in out source destination<br>
><br>
</div>> > > > > > 1 1 123 DNAT tcp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> tcp dpt:1184 to:<a href="http://192.168.2.100:1194" target="_blank">192.168.2.100:1194</a> <<a href="http://192.168.2.100:1194" target="_blank">http://192.168.2.100:1194</a>> <<a href="http://192.168.2.100:1194" target="_blank">http://192.168.2.100:1194</a>> <<a href="http://192.168.2.100:1194" target="_blank">http://192.168.2.100:1194</a>> <<a href="http://192.168.2.100:1194" target="_blank">http://192.168.2.100:1194</a>> <<a href="http://192.168.2.100:1194" target="_blank">http://192.168.2.100:1194</a>> <<a href="http://192.168.2.100:1194" target="_blank">http://192.168.2.100:1194</a>><br>
><br>
> > > > > > 2 0 0 DNAT udp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> udp dpt:1184 to:<a href="http://192.168.2.100:1194" target="_blank">192.168.2.100:1194</a> <<a href="http://192.168.2.100:1194" target="_blank">http://192.168.2.100:1194</a>> <<a href="http://192.168.2.100:1194" target="_blank">http://192.168.2.100:1194</a>> <<a href="http://192.168.2.100:1194" target="_blank">http://192.168.2.100:1194</a>> <<a href="http://192.168.2.100:1194" target="_blank">http://192.168.2.100:1194</a>> <<a href="http://192.168.2.100:1194" target="_blank">http://192.168.2.100:1194</a>> <<a href="http://192.168.2.100:1194" target="_blank">http://192.168.2.100:1194</a>><br>
><br>
> > > > > > 3 304 53966 VUPNP all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
<div><div class="h5">><br>
><br>
> > > > > > Chain VUPNP (1 references)<br>
><br>
> > > > > > num pkts bytes target prot opt in out source destination<br>
><br>
><br>
> > > > > > Chain YADNS (0 references)<br>
><br>
> > > > > > num pkts bytes target prot opt in out source destination<br>
><br>
><br>
><br>
> > > > > > ifconfig:<br>
><br>
> > > > > > br0 Link encap:Ethernet HWaddr 30:85:A9:E6:EF:A0<br>
><br>
> > > > > > inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0<br>
><br>
> > > > > > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
><br>
> > > > > > RX packets:20577 errors:0 dropped:0 overruns:0 frame:0<br>
><br>
> > > > > > TX packets:16212 errors:0 dropped:0 overruns:0 carrier:0<br>
><br>
> > > > > > collisions:0 txqueuelen:0<br>
><br>
> > > > > > RX bytes:7597057 (7.2 MiB) TX bytes:2892960 (2.7 MiB)<br>
><br>
><br>
> > > > > > eth0 Link encap:Ethernet HWaddr 30:85:A9:E6:EF:A0<br>
><br>
> > > > > > inet addr:86.58.x.x Bcast:86.58.y.y Mask:255.255.255.0<br>
><br>
> > > > > > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
><br>
> > > > > > RX packets:665392 errors:0 dropped:0 overruns:0 frame:0<br>
><br>
> > > > > > TX packets:1473423 errors:0 dropped:0 overruns:0 carrier:0<br>
><br>
> > > > > > collisions:0 txqueuelen:1000<br>
><br>
> > > > > > RX bytes:83612848 (79.7 MiB) TX bytes:1996770618 (1.8 GiB)<br>
><br>
> > > > > > Interrupt:4 Base address:0x2000<br>
><br>
> > > > > > ...<br>
><br>
> > > > > > btw, should tunnel, that is created by strongswan, appear in this ifconfig list ?<br>
><br>
><br>
> > > > > > I’m probably missing another piece of puzzle.<br>
><br>
> > > > > > Is there any other log file except strongswan log, that should I examine ?<br>
><br>
><br>
> > > > > > Thanks<br>
><br>
> > > > > > Luka<br>
><br>
><br>
><br>
> > > > > > On Sun, Nov 10, 2013 at 3:38 PM, Noel Kuntze <<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a><br>
</div></div><div class="im"><mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>><br>
> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>>>>>> wrote:<br>
><br>
><br>
</div>> > > > > > Sorry, it is "iptables -A POSTROUTING -t nat -s <a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> -o eth0 -j MASQUERADE"<br>
<div class="im">> > > > > > On 10.11.2013 15:05, Noel Kuntze wrote:<br>
><br>
> > > > > > > Hello Luka,<br>
><br>
> > > > > > > You need to masquerade the traffic from your iPhone to the LAN or the internet.<br>
> > > > > > > You do this with either the MASQUERADE or the SNAT target in iptables.<br>
</div>> > > > > > > Example: iptables -A FORWARD -t nat -s <a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> -o eth0 -j MASQUERADE<br>
<div class="im">><br>
> > > > > > > Regards<br>
> > > > > > > Noel Kuntze<br>
><br>
> > > > > > > On 10.11.2013 11:50, Luka wrote:<br>
> > > > > > > > Hi.<br>
> > > > > > > > I've found way to fix that error: "iptables: No chain/target/match by that name" by executing command:<br>
><br>
> > > > > > > > insmod xt_policy<br>
><br>
><br>
> > > > > > > > Now when I connect, iPhone gets IP 10.0.0.2 and following policy is added to FORWARD chain:<br>
><br>
> > > > > > > > Chain FORWARD (policy DROP 0 packets, 0 bytes)<br>
><br>
> > > > > > > > num pkts bytes target prot opt in out source destination<br>
><br>
</div>> > > > > > > > 1 0 0 ACCEPT all -- eth0 * 10.0.0.2 <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> policy match dir in pol ipsec reqid 1 proto 50<br>
><br>
> > > > > > > > 2 0 0 ACCEPT all -- * eth0 <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> 10.0.0.2 policy match dir out pol ipsec reqid 1 proto 50<br>
<div class="im">><br>
><br>
> > > > > > > > I'm using config:<br>
><br>
> > > > > > > > conn %default<br>
><br>
> > > > > > > > keyexchange=ikev1 Read the manpage for it<br>
><br>
> > > > > > > > authby=xauthrsasig<br>
><br>
> > > > > > > > xauth=server<br>
><br>
><br>
><br>
> > > > > > > > #leftid = subject alt. name (v certifikatu)<br>
><br>
> > > > > > > > conn ios<br>
><br>
> > > > > > > > left=%defaultroute<br>
><br>
</div>> > > > > > > > leftsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
><br>
> > > > > > > > leftcert=serverCert.pem<br>
><br>
> > > > > > > > leftfirewall=yes<br>
><br>
> > > > > > > But I still can't access my LAN (<a href="http://192.168.2.0/24" target="_blank">192.168.2.0/24</a> <<a href="http://192.168.2.0/24" target="_blank">http://192.168.2.0/24</a>> <<a href="http://192.168.2.0/24" target="_blank">http://192.168.2.0/24</a>> <<a href="http://192.168.2.0/24" target="_blank">http://192.168.2.0/24</a>> <<a href="http://192.168.2.0/24" target="_blank">http://192.168.2.0/24</a>> <<a href="http://192.168.2.0/24" target="_blank">http://192.168.2.0/24</a>> <<a href="http://192.168.2.0/24" target="_blank">http://192.168.2.0/24</a>>) or ping router 192.168.2.1 or ping phone virtual IP 10.0.0.2.<br>
<div class="im">><br>
> > > > > > > I've no idea what else should I try. I give up.<br>
><br>
> > > > > > > > right=%any<br>
><br>
</div>> > > > > > > > rightsubnet=<a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" target="_blank">http://10.0.0.0/24</a>><br>
><br>
> > > > > > > > rightsourceip=10.0.0.2<br>
><br>
> > > > > > > > auto=add<br>
><br>
> > > > > > > > rightcert=clientCert.pem<br>
><br>
><br>
><br>
> > > > > > > > But I still can't access my LAN (<a href="http://192.168.2.0/24" target="_blank">192.168.2.0/24</a> <<a href="http://192.168.2.0/24" target="_blank">http://192.168.2.0/24</a>> <<a href="http://192.168.2.0/24" target="_blank">http://192.168.2.0/24</a>> <<a href="http://192.168.2.0/24" target="_blank">http://192.168.2.0/24</a>> <<a href="http://192.168.2.0/24" target="_blank">http://192.168.2.0/24</a>> <<a href="http://192.168.2.0/24" target="_blank">http://192.168.2.0/24</a>> <<a href="http://192.168.2.0/24" target="_blank">http://192.168.2.0/24</a>> <<a href="http://192.168.2.0/24" target="_blank">http://192.168.2.0/24</a>>) or ping router 192.168.2.1 or ping phone virtual IP 10.0.0.2.<br>
<div class="im">><br>
> > > > > > > > I've no idea what else should I try. I give up.<br>
><br>
><br>
> > > > > > > > L<br>
><br>
><br>
><br>
><br>
> > > > > > > > On Thu, Nov 7, 2013 at 11:05 PM, Noel Kuntze <<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a><br>
<mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>><br>
</div><div class="im">> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>><br>
<mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>><br>
> > <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>>>>>>> wrote:<br>
><br>
><br>
> > > > > > > > Hello Luka,<br>
><br>
</div><div class="im">> > > > > > > > I actually meant the config which you created after I sent you that link [1].<br>
> > > > > > > > I don't know exactly why there are retransmits happening, but in general, the setup should work.<br>
><br>
> > > > > > > > [1] <a href="http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling" target="_blank">http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling</a><br>
><br>
> > > > > > > > Regards<br>
> > > > > > > > Noel Kuntze<br>
><br>
> > > > > > > > On 07.11.2013 23:03, Luka wrote:<br>
> > > > > > > >> Ok I've switched back to following configuration and I can connect to VPN again (back to beginning, can connect but can't access LAN behind VPN):<br>
><br>
> > > > > > > >> conn %default<br>
><br>
> > > > > > > >> keyexchange=ikev1<br>
><br>
> > > > > > > >> authby=xauthrsasig<br>
><br>
> > > > > > > >> xauth=server<br>
><br>
><br>
><br>
> > > > > > > >> conn ios<br>
><br>
> > > > > > > >> left=86.xx.xx.x35<br>
><br>
> > > > > > > >> leftcert=serverLupoCert.pem<br>
><br>
</div>> > > > > > > >> leftsubnet=<a href="http://192.168.2.0/24" target="_blank">192.168.2.0/24</a> <<a href="http://192.168.2.0/24" target="_blank">http://192.168.2.0/24</a>> <<a href="http://192.168.2.0/24" target="_blank">http://192.168.2.0/24</a>> <<a href="http://192.168.2.0/24" target="_blank">http://192.168.2.0/24</a>> <<a href="http://192.168.2.0/24" target="_blank">http://192.168.2.0/24</a>> <<a href="http://192.168.2.0/24" target="_blank">http://192.168.2.0/24</a>> <<a href="http://192.168.2.0/24" target="_blank">http://192.168.2.0/24</a>> <<a href="http://192.168.2.0/24" target="_blank">http://192.168.2.0/24</a>> <<a href="http://192.168.2.0/24" target="_blank">http://192.168.2.0/24</a>><br>
<div class="im">><br>
> > > > > > > >> leftfirewall=yes<br>
><br>
> > > > > > > >> right=%any<br>
><br>
> > > > > > > >> rightsourceip=10.3.0.1<br>
><br>
> > > > > > > >> auto=add<br>
><br>
> > > > > > > >> rightcert=clientLupoCert.pem<br>
><br>
><br>
> > > > > > > >> Do I have to put server's WAN Ip address for "left" or local IP ?<br>
><br>
> > > > > > > >> Configuration is simmilar to this one:<a href="http://www.strongswan.org/uml/testresults/ikev1/xauth-id-rsa-config/index.html" target="_blank">http://www.strongswan.org/uml/testresults/ikev1/xauth-id-rsa-config/index.html</a>.<br>
> > > > > > > >> I've checked iptables -L command on that site <<a href="http://www.strongswan.org/uml/testresults/ikev1/xauth-id-rsa-config/moon.iptables" target="_blank">http://www.strongswan.org/uml/testresults/ikev1/xauth-id-rsa-config/moon.iptables</a>> and compared it with mine.<br>
> > > > > > > >> It looks like mine is missing some forwarding rules.<br>
> > > > > > > >> Mine:<br>
><br>
> > > > > > > >> iptables -L -v -n --line-numbers<br>
><br>
> > > > > > > >> Chain INPUT (policy ACCEPT 109K packets, 9709K bytes)<a href="http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling" target="_blank">http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling</a><br>
><br>
> > > > > > > >> num pkts bytes target prot opt in out source destination<br>
><br>
</div>> > > > > > > >> 1 236 31088 ACCEPT esp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
><br>
> > > > > > > >> 2 0 0 ACCEPT udp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> udp dpt:4500<br>
><br>
> > > > > > > >> 3 196 68288 ACCEPT udp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> udp dpt:500<br>
><br>
> > > > > > > >> 4 0 0 ACCEPT all -- tun21 * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
><br>
> > > > > > > >> 5 1138 105K ACCEPT tcp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> tcp dpt:1194<br>
><br>
> > > > > > > >> 6 0 0 ACCEPT all -- tun11 * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
<div class="im">><br>
><br>
> > > > > > > >> Chain FORWARD (policy DROP 0 packets, 0 bytes)<br>
><br>
> > > > > > > >> num pkts bytes target prot opt in out source destination<br>
><br>
</div>> > > > > > > >> 1 0 0 ACCEPT esp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
><br>
> > > > > > > >> 2 0 0 ACCEPT all -- tun21 * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
><br>
> > > > > > > >> 3 5 344 ACCEPT all -- tun11 * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
><br>
> > > > > > > >> 4 22028 1928K ACCEPT all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> state RELATED,ESTABLISHED<br>
><br>
> > > > > > > >> 5 0 0 logdrop all -- !br0 eth0 <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
><br>
> > > > > > > >> 6 28 1432 logdrop all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> state INVALID<br>
><br>
> > > > > > > >> 7 0 0 ACCEPT all -- br0 br0 <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
><br>
> > > > > > > >> 8 1344 80640 ACCEPT all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> ctstate DNAT<br>
><br>
> > > > > > > >> 9 32811 2190K ACCEPT all -- br0 * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
<div class="im">><br>
><br>
> > > > > > > >> Chain OUTPUT (policy ACCEPT 109K packets, 19M bytes)<br>
><br>
> > > > > > > >> num pkts bytes target prot opt in out source destination<br>
><br>
</div>> > > > > > > >> 1 0 0 ACCEPT esp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
<div class="im">><br>
><br>
> > > > > > > >> Chain FUPNP (0 references)<br>
><br>
> > > > > > > >> num pkts bytes target prot opt in out source destination<br>
><br>
><br>
> > > > > > > >> Chain PControls (0 references)<br>
><br>
> > > > > > > >> num pkts bytes target prot opt in out source destination<br>
><br>
</div>> > > > > > > >> 1 0 0 ACCEPT all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
<div class="im">><br>
><br>
> > > > > > > >> Chain logaccept (0 references)<br>
><br>
> > > > > > > >> num pkts bytes target prot opt in out source destination<br>
><br>
</div>> > > > > > > >> 1 0 0 LOG all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> state NEW LOG flags 7 level 4 prefix `ACCEPT '<br>
><br>
> > > > > > > >> 2 0 0 ACCEPT all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
<div class="im">><br>
><br>
> > > > > > > >> Chain logdrop (2 references)<br>
><br>
> > > > > > > >> num pkts bytes target prot opt in out source destination<br>
><br>
</div>> > > > > > > >> 1 0 0 LOG all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> state NEW LOG flags 7 level 4 prefix `DROP'<br>
><br>
> > > > > > > >> 2 28 1432 DROP all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>> <<a href="http://0.0.0.0/0" target="_blank">http://0.0.0.0/0</a>><br>
<div class="im">><br>
><br>
> > > > > > > >> If I understand "leftfirewall=yes" command, it should put those rules into iptables.<br>
><br>
> > > > > > > >> I've checked charon log file and found this error:<br>
><br>
> > > > > > > >> cat strongswancharon.log | grep iptables<br>
><br>
> > > > > > > >> Nov 7 22:59:06 11[CFG] leftupdown=ipsec _updown iptables<br>
><br>
> > > > > > > >> Nov 7 22:59:26 12[CHD] updown: iptables: No chain/target/match by that name<br>
><br>
> > > > > > > >> Nov 7 22:59:26 12[CHD] updown: iptables: No chain/target/match by that name<br>
><br>
><br>
> > > > > > > >> Am I missing some modules here or something ?<br>
><br>
> > > > > > > >> How can I get/log those commands for iptables, that strongswan executes ?<br>
><br>
><br>
> > > > > > > >> Thanks.<br>
><br>
><br>
><br>
> > > > > > > >> On Thu, Nov 7, 2013 at 6:25 PM, Noel Kuntze <<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a><br>
<mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>><br>
> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>><br>
<mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>><br>
</div>> > <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>>>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>><br>
<div><div class="h5"><mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>>><br>
> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a><br>
<mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>><br>
> > > <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>>>>>>>> wrote:<br>
><br>
><br>
> > > > > > > >> Hello Luka,<br>
><br>
> > > > > > > >> Your former configuration worked just fine. The problem was with the network or similiar. It had nothing to do with strongSwan.<br>
><br>
> > > > > > > >> Regards<br>
> > > > > > > >> Noel Kuntze<br>
><br>
> > > > > > > >> On 07.11.2013 10:51, Luka wrote:<br>
> > > > > > > >>> Now I've tried to load modules by hand. I've added following line to strongswan.conf:<br>
> > > > > > > >>> load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve attr farp xauth-generic<br>
><br>
> > > > > > > >>> And if I check charon logs, it looks like it connects and then immediately disconnects from vpn.<br>
> > > > > > > >>> Here are interesting lines from log file, (I connect with iphone and get "Negotiation with the VPN server failed":<br>
><br>
> > > > > > > >>> ...<br>
> > > > > > > >>> Nov 7 10:31:12 14[CFG] id '<server.wan.ip>' not confirmed by certificate, defaulting to 'C=SI, O=Hlupo, CN=clientLupo'<br>
> > > > > > > >>> ...<br>
> > > > > > > >>> Nov 7 10:31:12 14[CFG] id '%any' not confirmed by certificate, defaulting to 'C=SI, O=Hlupo, CN=<server.wan.ip>'<br>
> > > > > > > >>> ...<br>
> > > > > > > >>> Nov 7 10:31:12 14[CFG] left is other host, swapping ends<br>
> > > > > > > >>> ...<br>
> > > > > > > >>> Nov 7 10:13:55 04[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING<br>
> > > > > > > >>> ...<br>
> > > > > > > >>> Nov 7 10:13:56 05[IKE] remote host is behind NAT<br>
> > > > > > > >>> ...<br>
> > > > > > > >>> Nov 7 10:13:57 11[IKE] XAuth authentication of 'lupo' successful<br>
> > > > > > > >>> ...<br>
> > > > > > > >>> Nov 7 10:13:57 12[IKE] IKE_SA ios[1] state change: CONNECTING => ESTABLISHED<br>
> > > > > > > >>> ...<br>
> > > > > > > >>> Nov 7 10:13:57 12[IKE] peer requested virtual IP %any<br>
> > > > > > > >>> Nov 7 10:13:57 12[IKE] no virtual IP found for %any requested by 'lupo'<br>
> > > > > > > >>> ...<br>
> > > > > > > >>> Nov 7 10:14:13 05[ENC] parsing HASH_V1 payload finished<br>
> > > > > > > >>> Nov 7 10:14:13 05[ENC] parsing DELETE_V1 payload, 40 bytes left<br>
> > > > > > > >>> ...<br>
> > > > > > > >>> Nov 7 10:14:13 05[ENC] parsing DELETE_V1 payload finished<br>
> > > > > > > >>> ...<br>
> > > > > > > >>> Nov 7 10:14:13 05[IKE] IKE_SA ios[1] state change: ESTABLISHED => DELETING<br>
> > > > > > > >>> Nov 7 10:14:13 05[MGR] checkin and destroy IKE_SA ios[1]<br>
> > > > > > > >>> Nov 7 10:14:13 05[IKE] IKE_SA ios[1] state change: DELETING => DESTROYING<br>
> > > > > > > >>> Nov 7 10:14:13 05[MGR] check-in and destroy of IKE_SA successful<br>
> > > > > > > >>> Nov 7 10:14:13 02[NET] waiting for data on sockets<br>
> > > > > > > >>> Nov 7 10:14:25 15[JOB] got event, queuing job for execution<br>
> > > > > > > >>> Nov 7 10:14:25 15[JOB] next event in 9732s 760ms, waiting<br>
> > > > > > > >>> Nov 7 10:14:25 06[MGR] checkout IKE_SA<br>
><br>
> > > > > > > >>> Should I put something else instead of "right=%any" ?<br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
> > > > > > > _______________________________________________<br>
> > > > > > > Users mailing list<br>
</div></div>> > > > > > > <a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>>> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>>>> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>>> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>>>>> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>>> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>>>> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br>
<mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>>> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>>>>>> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>>> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>>>> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>>> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>>>>> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>>> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>><br>
> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>>>> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>>> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>>>>>>><br>
<div class="im">> > > > > > > <a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v2.0.22 (GNU/Linux)<br>
Comment: Using GnuPG with Thunderbird - <a href="http://www.enigmail.net/" target="_blank">http://www.enigmail.net/</a><br>
<br>
</div>iQIcBAEBCAAGBQJShSDQAAoJEDg5KY9j7GZY03oP/3J5bOwPGG9pduuHvG3+V+RS<br>
TYnXaWEzkcx1+FLUi4NjU2D8JplGcDaLZQcwFJ6d3V7Q6cudMYzekchohyvakdXS<br>
7ZW6dnMoLgniVupONouKcar6wBoX4DS4HKMVtg+lHpR9CfpJeBlAfhqYvJuTAAeu<br>
F2dpfCru5Z+Vhx2F74THy6Llt8CkSjJjjsdVymEpRTd8Q52t7tCzjHOiAGvE4V+O<br>
qUU3LQyS9M5a60sv4yLQIrenoTRlzUtlVtWsQaA2jyqjq3WdL3FZVeIP5mUOeiQ5<br>
Y5VmlNzzR6KJ/EObaWhRi7JFZDhsnXh/Rb4jkNRM0yjGvnXsW9Ad4QPu+2/ruDY3<br>
bgLbSRwJXqWvTisbQG6HZd4yDfdDfDkDzX/cMAUvpA+mI8MofJGc6ttIVQmkD7jc<br>
ePwdWEU0qcBzrPR6dJm5ctz+dNgzPkKhKzcPJnAEfaqmzP4dvRobUVHQVjClKxp+<br>
z9Hs6kRSOfgffkCa+49kfP5W7ZDjySDu0DPa0ipUeMU67HXLgWJPamOhFsurQtRX<br>
0BJ3SnDoXi/SI9sjpsP+ipvX6/lfM4q5EiYpEdkKAUb8psKHcb0En3bMs7tRaYAz<br>
mqkxbJt6h1H4EfEXccn9ryDFC+82QPEGk7LqgYrFJkDdQKvGeVhqOV7ogNejtzAf<br>
9NctW6pYSwpBO117528s<br>
=CcuR<br>
-----END PGP SIGNATURE-----<br>
<br>
<br>
</blockquote></div><br></div>