<div dir="ltr">on client: <br><div>netstat -nr<br>Kernel IP routing table<br>Destination Gateway Genmask Flags MSS Window irtt Iface<br>0.0.0.0 192.168.88.1 0.0.0.0 UG 0 0 0 wlan0<br>192.168.87.0 192.168.89.1 255.255.255.255 UGH 0 0 0 br-lan<br>192.168.88.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0<br>192.168.89.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan<br>root@YesRouter:~# iptables -nL<br>Chain INPUT (policy ACCEPT)<br>target prot opt source destination<br>delegate_input all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a><br><br>Chain FORWARD (policy DROP)<br>target prot opt source destination<br>ACCEPT all -- <a href="http://192.168.87.0/24">192.168.87.0/24</a> <a href="http://192.168.89.0/24">192.168.89.0/24</a> policy match dir i n pol ipsec reqid 1 proto 50<br>ACCEPT all -- <a href="http://192.168.89.0/24">192.168.89.0/24</a> <a href="http://192.168.87.0/24">192.168.87.0/24</a> policy match dir o ut pol ipsec reqid 1 proto 50<br>delegate_forward all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a><br><br>Chain OUTPUT (policy ACCEPT)<br>target prot opt source destination<br>delegate_output all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a><br><br>Chain delegate_forward (1 references)<br>target prot opt source destination<br>forwarding_rule all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> /* user chai n for forwarding */<br>ACCEPT all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> ctstate RELATED,ES TABLISHED<br>zone_lan_forward all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a><br>zone_wan_forward all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a><br>reject all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a><br><br>Chain delegate_input (1 references)<br>target prot opt source destination<br>ACCEPT all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a><br>input_rule all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> /* user chain for input */<br>ACCEPT all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> ctstate RELATED,ES TABLISHED<br>syn_flood tcp -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> tcp flags:0x17/0x0 2<br>zone_lan_input all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a><br>zone_wan_input all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a><br><br>Chain delegate_output (1 references)<br>target prot opt source destination<br>ACCEPT all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a><br>output_rule all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> /* user chain fo r output */<br>ACCEPT all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> ctstate RELATED,ES TABLISHED<br>zone_lan_output all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a><br>zone_wan_output all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a><br><br>Chain forwarding_lan_rule (1 references)<br>target prot opt source destination<br><br>Chain forwarding_rule (1 references)<br>target prot opt source destination<br><br>Chain forwarding_wan_rule (1 references)<br>target prot opt source destination<br><br>Chain input_lan_rule (1 references)<br>target prot opt source destination<br><br>Chain input_rule (1 references)<br>target prot opt source destination<br><br>Chain input_wan_rule (1 references)<br>target prot opt source destination<br><br>Chain output_lan_rule (1 references)<br>target prot opt source destination<br><br>Chain output_rule (1 references)<br>target prot opt source destination<br><br>Chain output_wan_rule (1 references)<br>target prot opt source destination<br><br>Chain reject (1 references)<br>target prot opt source destination<br>REJECT tcp -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> reject-with tcp-re set<br>REJECT all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> reject-with icmp-p ort-unreachable<br><br>Chain syn_flood (1 references)<br>target prot opt source destination<br>RETURN tcp -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> tcp flags:0x17/0x0 2 limit: avg 25/sec burst 50<br>DROP all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a><br><br>Chain zone_lan_dest_ACCEPT (2 references)<br>target prot opt source destination<br>ACCEPT all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a><br><br>Chain zone_lan_forward (1 references)<br>target prot opt source destination<br>forwarding_lan_rule all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> /* user chain for forwarding */<br>zone_wan_dest_ACCEPT all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> /* forw arding lan -> wan */<br>ACCEPT all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> ctstate DNAT /* Ac cept port forwards */<br>zone_lan_dest_ACCEPT all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a><br><br>Chain zone_lan_input (1 references)<br>target prot opt source destination<br>input_lan_rule all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> /* user chain for input */<br>ACCEPT all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> ctstate DNAT /* Ac cept port redirections */<br>zone_lan_src_ACCEPT all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a><br><br>Chain zone_lan_output (1 references)<br>target prot opt source destination<br>output_lan_rule all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> /* user chai n for output */<br>zone_lan_dest_ACCEPT all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a><br><br>Chain zone_lan_src_ACCEPT (1 references)<br>target prot opt source destination<br>ACCEPT all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a><br><br>Chain zone_wan_dest_ACCEPT (3 references)<br>target prot opt source destination<br>ACCEPT all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a><br><br>Chain zone_wan_forward (1 references)<br>target prot opt source destination<br>forwarding_wan_rule all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> /* user chain for forwarding */<br>ACCEPT icmp -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> icmptype 8 /* Allo w-Ping */<br>ACCEPT all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> ctstate DNAT /* Ac cept port forwards */<br>zone_wan_dest_ACCEPT all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a><br><br>Chain zone_wan_input (1 references)<br>target prot opt source destination<br>input_wan_rule all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> /* user chain for input */<br>ACCEPT udp -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> udp dpt:68 /* Allo w-DHCP-Renew */<br>ACCEPT all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> ctstate DNAT /* Ac cept port redirections */<br>zone_wan_src_ACCEPT all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a><br><br>Chain zone_wan_output (1 references)<br>target prot opt source destination<br>output_wan_rule all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a> /* user chai n for output */<br>zone_wan_dest_ACCEPT all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a><br><br>Chain zone_wan_src_ACCEPT (1 references)<br>target prot opt source destination<br>ACCEPT all -- <a href="http://0.0.0.0/0">0.0.0.0/0</a> <a href="http://0.0.0.0/0">0.0.0.0/0</a><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Dec 8, 2014 at 7:24 AM, Eric Zhang <span dir="ltr"><<a href="mailto:debiansid@gmail.com" target="_blank">debiansid@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">This iptables rule should me on both sides of strongswan gateway and client?<br>
<br>
<br>
Sent from Mobile<br>
<div class="HOEnZb"><div class="h5"><br>
<br>
> On 2014年12月8日, at 02:18, Noel Kuntze <<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> wrote:<br>
><br>
><br>
> -----BEGIN PGP SIGNED MESSAGE-----<br>
> Hash: SHA256<br>
><br>
> Hello Eric,<br>
><br>
> Please check if any iptables rules are dropping the packets. Also, please make sure any SNAT<br>
> or MASQUERADE rule does not match the traffic that is to be tunneled.<br>
><br>
> You can do that using the "policy" match module in iptables.<br>
> The following MASQUERADE rule matches all traffic except IPsec traffic<br>
><br>
> iptables -t nat -A POSTROUTING -o eth0 -m policy --pol none --dir out -j MASQUERADE<br>
><br>
> Mit freundlichen Grüßen/Regards,<br>
> Noel Kuntze<br>
><br>
> GPG Key ID: 0x63EC6658<br>
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br>
><br>
>> Am 07.12.2014 um 13:30 schrieb Eric Y. Zhang:<br>
>> Hi all<br>
>> I need to setup an IPSec tunnel to my VPS which only has one public IP.<br>
>> so I add eth0.1 <a href="http://192.168.87.1/24" target="_blank">192.168.87.1/24</a> <<a href="http://192.168.87.1/24" target="_blank">http://192.168.87.1/24</a>>, and follow the steps on <a href="http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/" target="_blank">http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/</a>; and I can see ipsec tunnel is up on both sides.<br>
>><br>
>> unabove[7]: ESTABLISHED 39 minutes ago, 192.168.88.101[user1]...192.99.70.158[192.99.xx.xx]<br>
>> runabove{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: c7f24174_i c2289fb5_o<br>
>> runabove{1}: <a href="http://192.168.88.0/24" target="_blank">192.168.88.0/24</a> <<a href="http://192.168.88.0/24" target="_blank">http://192.168.88.0/24</a>> === <a href="http://192.168.87.0/24" target="_blank">192.168.87.0/24</a> <<a href="http://192.168.87.0/24" target="_blank">http://192.168.87.0/24</a>><br>
>><br>
>> but I can not ping 192.168.87.1 from my side(which is strongswan on openwrt)<br>
>><br>
>> any help would be appreciated<br>
>><br>
>><br>
>><br>
>> --<br>
>> Life is harsh<br>
>><br>
>><br>
>> _______________________________________________<br>
>> Users mailing list<br>
>> <a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br>
>> <a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br>
><br>
> -----BEGIN PGP SIGNATURE-----<br>
> Version: GnuPG v2<br>
><br>
> iQIcBAEBCAAGBQJUhJoMAAoJEDg5KY9j7GZYjlAP/izs4iLIFDBLCdt+blwmhRO8<br>
> ZsdxZBRkHVuT24iT+EVNr5E5y3rXqpEIdYVbd7rn7Q/itoAD7WyxDc85q1Y26JXE<br>
> Bg0E1FwdXc3Z4SU2+xsNBho2VKYRkft0twlDNGYIo3YyZlBMpOeD8lEPhwwJkKzX<br>
> 9V/pCO3wSb9vUyF/AxvxQKjFJM52Bn2OSA6TStiX8Ube8Tj4HfFlIYmVe2fHu2Vh<br>
> vUu6d7+YPDwGizxZX50kD590+ljpLfxlo7LV5dbBhIkWTBHCBAWgs6eo8u6Wr/zf<br>
> IwfxLexU+M+RE6pcSKiU+ry6nSJD99JDVVQN7d5AHdM4u4Mv5AKm7+8NA3XUHM6Q<br>
> rPb6g9mR2+0uaV7jUTII7Xr7fxBVLmQWgVmiNMIgLlzZauD346zAiIUycGn0U27t<br>
> pc5Xxsg+1tr00/4p/82nCQOh8StbSfTDO22sIL/gOhOCfm3fLg3jbsTq6eDSTQUb<br>
> +dc2++jKcsK6NGNm2Hm26eP+ncSi30ISnEgCCh/k71XVMOkEuTRzhXeiC3g+qL/C<br>
> LblRzRsN9oKLYvZXomqvl8Eihxy9AIXzD9eJ58EUNRRnF0AfM4qBfX3IkhWaUFrW<br>
> T6q+u4cB8Y427Gzwd5DZIuqbCdwaaaep7UCpkAsBow4lB+h8SmRSwx8LEFNj7qsW<br>
> Lz7dEj5nP8HThugVGSDd<br>
> =nSzv<br>
> -----END PGP SIGNATURE-----<br>
><br>
> _______________________________________________<br>
> Users mailing list<br>
> <a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br>
> <a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr">Life is harsh<div></div><div></div></div></div>
</div>