<html><head></head><body>Fix your NAT rules.<br><br><div class="gmail_quote">Am 30. April 2017 12:28:48 MESZ schrieb Dusan Ilic <dusan@comhem.se>:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<pre class="k9mail">Okey, so I found info about adding a "passthrough" connection for my <br />local LAN. I have done this now and when i start the connection the <br />network connection isn't cut off, however, it seems like my internet <br />traffic i still using my local gateway (browsed to a check my ip-page). <br />I can however still ping the remote network.<br /><br />Here is my tabel 220<br /><br /># ip route show table 220<br /><a href="http://10.1.1.0/26">10.1.1.0/26</a> dev br0 proto static src <a href="http://10.1.1.1">10.1.1.1</a> # LAN passthrough?<br />default via 85.24.x.x dev vlan847 proto static src <a href="http://10.1.1.1">10.1.1.1</a><br /><br />So instead of a route to <a href="http://192.168.1.0/24">192.168.1.0/24</a> a default route is added, but it <br />looks like it doesn't go through the tunnel... traffic to <a href="http://192.168.1.0/24">192.168.1.0/24</a> <br />do get tunneled still though.<br /><br />Den 2017-04-30 kl. 11:59, skrev Dusan Ilic:<br /><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #729fcf; padding-left: 1ex;"> Hello again,<br /><br /> It worked with the hack! Thank you!<br /><br /> Last question (hopefully! :P)), if I would like to use the remote <br /> endpoint to route *all* traffic over the vpn, is below the correct way?<br /><br /> I have changed rightsubnet locally to 0.0.0.0/0 and leftsubnet <br /> remotely to 0.0.0.0/0, I have also added NAT on the remote router for <br /> the local subnet on the local endpoint, and finally I have added the <br /> local subnet to table 220 on the local router. I have also replaced <br /> the Iptable forward rule on local endpoint with 0.0.0.0/0 instead of <br /> only the remote subnet.<br /><br /> However, when I up the connection on the local router in a couple of <br /> seconds my SSH connection stops responding, and I cannot reach the <br /> local gateway or internet any longer. I have to reboot the local <br /> router to get access again.<br /> Is this familiar to you? What could be happening here?<br /><br /><br /> Den 2017-04-29 kl. 18:44, skrev Noel Kuntze:<br /><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #ad7fa8; padding-left: 1ex;"> Hello Dusan,<br /><br /> On 29.04.2017 18:34, Dusan Ilic wrote:<br /><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #8ae234; padding-left: 1ex;"> It works! I found a hidden setting under Phase 1 in Fortigate where <br /> i could add the local ID. Added it's dynamic dns hostname and now it <br /> connects.<br /></blockquote> Great!<br /><br /><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #8ae234; padding-left: 1ex;"> However, I still have issues with another endpoint I'm testing. My <br /> local endpoint have Strongswan 5.5.1 and the remote endpoint have <br /> 4.5.2. Would that present any issues or incompatibilites? <br /> Unfortunately it's not possible to upgrade the remote endpoint <br /> (Strongswan).<br /></blockquote> Pluto resolves IDs that are FQDNs. I think there was a hack, where <br /> you add the at-character in front of the FQDN in the ID settings and <br /> that stops it from doing that.<br /> Might apply to charon, too in such a low version number. Try the hack.<br /><br /><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #8ae234; padding-left: 1ex;"> I tried below, per your suggestion<br /><br /> left=%local.example<br /> leftid=local.example<br /> right=%remote.example<br /> rightid=remote.example<br /><br /> remote.example : PSK "PSKGOESHERE"<br /><br /> Log when local sides initiates connection:<br /> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]<br /> received AUTHENTICATION_FAILED notify error<br /></blockquote> You need to read the remote logs when the remote side sends you an <br /> error message.<br /><br /><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #8ae234; padding-left: 1ex;"> Log when remote side initiates connection:<br /> Apr 29 16:32:20 R6250 <a href="http://daemon.info">daemon.info</a> charon: 10[CFG] looking for peer <br /> configs matching 85.24.x.x[85.24.x.x]...94.254.x.x[94.254.x.x]<br /> Apr 29 16:32:20 R6250 <a href="http://daemon.info">daemon.info</a> charon: 10[CFG] no matching peer <br /> config found<br /><br /> It looks like the same issue, the remote endpoint doesnt send the <br /> configured ID?<br /></blockquote> Yes.<br /><br /><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #8ae234; padding-left: 1ex;"> And another question, when using dynamic hostnames instead of IP's <br /> as "right", how often does Strongswan make a new DNS-lookup? How <br /> does Strongswan handle the situation where let's say the remote <br /> endpoint suddenly receives a new IP? Or if the local side receives a <br /> new IP during established connection?<br /></blockquote> strongSwan does a DNS lookup whenever it tries to select a <br /> configuration. Well, depends on if mobike is used or no and if the <br /> peer who's IP changed can't send any traffic anymore.<br /><br /> Mobike and connectivity: IKE_SA and CHILD_SAs are migrated<br /> No mobike and connectivity: Don't know. Maybe a new IKE_SA is <br /> negotiated, because the one peer knows the local address has vanished <br /> (and the CHILD_SAs migrated?).<br /> No mobike and no connectivity: Timeout, if DPD is used. Otherwise the <br /> IKE_SA and CHILD_SAs remain until the remote peer connects again.<br /> Mobike and no connectivity: Timeout, if DPD is used. Otherwise the <br /> IKE_SA and CHILD_SAs remain until the remote peer connects again.<br /><br /> Kind regards,<br /> Noel</blockquote><br /><br /><br /><hr /><br /> Users mailing list<br /> Users@lists.strongswan.org<br /> <a href="https://lists.strongswan.org/mailman/listinfo/users">https://lists.strongswan.org/mailman/listinfo/users</a><br /></blockquote><br /></pre></blockquote></div><br>
Sent from mobile</body></html>