<div dir="ltr">Hi<div><br></div><div>I'm having trouble getting packets routed over the tunnel. It seems like the iptables rules are somewhat purged; they reenter if I rebuild the tunnel, but that doesn't help the routing issue.</div>
<div><br></div><div>traceroute to 192.168.3.1 (192.168.3.1), 30 hops max, 60 byte packets<br></div><div><div> 1 10.66.55.18 (10.66.55.18) 43.438 ms 53.529 ms 53.742 ms</div><div> 2 10.66.55.17 (10.66.55.17) 53.857 ms 63.536 ms 63.482 ms^C</div>
</div><div><br></div><div>root@b3:~# ipsec version<br></div><div><div><div>Linux strongSwan U4.4.1/K2.6.39.4-11</div><div>Institute for Internet Technologies and Applications</div><div>University of Applied Sciences Rapperswil, Switzerland</div>
<div>See 'ipsec --copyright' for copyright information.</div><div><br></div><div>root@b3:~# ipsec status net-net</div><div>000 "net-net": 192.168.10.0/24===109.56.142.204[hoest.myownb3.com]...5.103.136.156[192.168.3.1]===192.168.3.0/24; erouted; eroute owner: #4</div>
<div>000 "net-net": newest ISAKMP SA: #3; newest IPsec SA: #4;</div><div>000</div><div>000 #4: "net-net" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2246s; newest IPSEC; eroute owner</div>
<div>000 #4: "net-net" esp.f755325f@5.103.136.156 (0 bytes) esp.2c39870c@109.56.142.204 (0 bytes); tunnel</div><div>
000 #3: "net-net" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2164s; newest ISAKMP</div><div>000</div><div><br></div><div>root@b3:~# iptables -L -v</div><div>Chain INPUT (policy DROP 0 packets, 0 bytes)</div>
<div> pkts bytes target prot opt in out source destination</div><div> 0 0 REJECT tcp -- any any anywhere anywhere tcp flags:SYN,ACK/SYN,ACK state NEW reject-with tcp-reset</div>
<div> 0 0 DROP tcp -- any any anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW</div><div> 93 6801 ACCEPT all -- eth0 any anywhere anywhere state RELATED,ESTABLISHED</div>
<div> 0 0 ACCEPT all -- br0 any anywhere anywhere</div><div> 0 0 ACCEPT all -- lo any anywhere anywhere</div><div> 0 0 ACCEPT icmp -- eth0 any anywhere anywhere icmp time-exceeded</div>
<div> 0 0 ACCEPT icmp -- any any anywhere anywhere icmp fragmentation-needed</div><div> 0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:ssh</div>
<div> 0 0 ACCEPT udp -- eth0 any anywhere anywhere udp dpt:isakmp</div><div> 0 0 ACCEPT esp -- eth0 any anywhere anywhere</div><div><br></div><div>Chain FORWARD (policy DROP 0 packets, 0 bytes)</div>
<div> pkts bytes target prot opt in out source destination</div><div> 0 0 ACCEPT all -- br0 any anywhere anywhere</div><div> 0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED</div>
<div> 0 0 ACCEPT icmp -- any any anywhere anywhere icmp fragmentation-needed</div><div><br></div><div>Chain OUTPUT (policy ACCEPT 93 packets, 13864 bytes)</div><div> pkts bytes target prot opt in out source destination</div>
<div> 0 0 ACCEPT esp -- any eth0 anywhere anywhere</div><div>root@b3:~#</div></div><div><br></div></div><div><br></div><div><br></div><div>Any thoughts ?</div><div><br></div><div>Wkr. </div>
<div>Svend</div></div>