<div dir="ltr">I am attempting to set up a strongSwan connection between my home's Red Hat Linux router and my work's Red Hat Linux router. Both are running Red Hat 8 and have the strongSwan binaries installed from <a href="https://pkgs.org/download/strongswan" target="_blank">https://pkgs.org/download/strongswan</a>.<br><br>The connection appears to be successful, but I cannot talk to anything on either side of the connection, e.g. I cannot ping either router or any machines on either side of the connection. I have set up the iptables postrouting rules per the wiki. <div><br></div><div>Might someone give me a clue to figuring out where else I should look to get it working?</div><div><br></div><div>Thank you.<br><br><br>WorkRouter swanctl.conf:<br><br>connections {<br> homenet {<br>  version=2<br>  local_addrs=WORK.PUBLIC.IP.ADDRESS<br>  proposals=aes256-sha1-modp1024<br>  remote_addrs=HOME.PUBLIC.IP.ADDRESS<br>  children {<br>   homenet {<br>    esp_proposals=aes256-sha1<br>    remote_ts=<a href="http://192.168.127.0/24" target="_blank">192.168.127.0/24</a><br>    local_ts=<a href="http://192.168.126.0/24" target="_blank">192.168.126.0/24</a><br>   }<br>  }<br> }<br>}<br><br>HomeRouter swanctl.conf:<br><br>worknet {<br> version=2<br> local_addrs=HOME.PUBLIC.IP.ADDRESS<br> proposals=aes256-sha1-modp1024<br> remote_addrs=WORK.PUBLIC.IP.ADDRESS<br> children {<br>  worknet {<br>   esp_proposals=aes256-sha1<br>   local_ts=<a href="http://192.168.127.0/24" target="_blank">192.168.127.0/24</a><br>   remote_ts=<a href="http://192.168.126.0/24" target="_blank">192.168.126.0/24</a><br>  }<br> }<br>}<br><br>HomeRouter initiating connection:<br><br>swanctl --initiate --ike worknet --child worknet<br><br>[IKE] initiating IKE_SA worknet[4] to WORK.PUBLIC.IP.ADDRESS<br>[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]<br>[NET] sending packet: from HOME.PUBLIC.IP.ADDRESS[500] to WORK.PUBLIC.IP.ADDRESS[500] (336 
bytes)<br>[NET] received packet: from WORK.PUBLIC.IP.ADDRESS[500] to HOME.PUBLIC.IP.ADDRESS[500] (344 bytes)<br>[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]<br>[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<br>[CFG] no IDi configured, fall back on IP address<br>[IKE] authentication of 'HOME.PUBLIC.IP.ADDRESS' (myself) with pre-shared key<br>[IKE] establishing CHILD_SA worknet{1}<br>[ENC] generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]<br>[NET] sending packet: from HOME.PUBLIC.IP.ADDRESS[4500] to WORK.PUBLIC.IP.ADDRESS[4500] (348 bytes)<br>[NET] received packet: from WORK.PUBLIC.IP.ADDRESS[4500] to HOME.PUBLIC.IP.ADDRESS[4500] (236 bytes)<br>[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]<br>[IKE] authentication of 'WORK.PUBLIC.IP.ADDRESS' with pre-shared key successful<br>[IKE] IKE_SA worknet[4] established between HOME.PUBLIC.IP.ADDRESS[HOME.PUBLIC.IP.ADDRESS]...WORK.PUBLIC.IP.ADDRESS[WORK.PUBLIC.IP.ADDRESS]<br>[IKE] scheduling rekeying in 13339s<br>[IKE] maximum IKE_SA lifetime 14779s<br>[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ<br>[IKE] CHILD_SA worknet{1} established with SPIs cfd5d0fa_i c4358b01_o and TS <a href="http://192.168.127.0/24" target="_blank">192.168.127.0/24</a> === <a href="http://192.168.126.0/24" target="_blank">192.168.126.0/24</a><br>[IKE] peer supports MOBIKE<br>initiate completed successfully<br><br><br>HomeRouter ip xfrm state:<br><br>src HOME.PUBLIC.IP.ADDRESS dst WORK.PUBLIC.IP.ADDRESS<br>        proto esp spi 0xc4358b01 reqid 1 mode tunnel<br>        replay-window 0 flag af-unspec<br>        auth-trunc hmac(sha1) 0x8d6abe2f321b228663e9c88799dc3d9c78e891a7 96<br>        enc cbc(aes) 
0xb3820a34e1bf3f4cb4cb634a4ba9aeeaca17519bd7e323f35ff4726cc09c1c54<br>        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000<br>src WORK.PUBLIC.IP.ADDRESS dst HOME.PUBLIC.IP.ADDRESS<br>        proto esp spi 0xcfd5d0fa reqid 1 mode tunnel<br>        replay-window 32 flag af-unspec<br>        auth-trunc hmac(sha1) 0x844dfdb29f581e317dad43b0c4a893669b1fa38a 96<br>        enc cbc(aes) 0x130f8dc4bb5b4fd7eec13a595a45883a4b3c7d38b2a2fd0a0db635e9202e8aba<br>        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000<br><br>HomeRouter ip xfrm policy:<br><br>src <a href="http://192.168.127.0/24" target="_blank">192.168.127.0/24</a> dst <a href="http://192.168.126.0/24" target="_blank">192.168.126.0/24</a><br>        dir out priority 375423 ptype main<br>        tmpl src HOME.PUBLIC.IP.ADDRESS dst WORK.PUBLIC.IP.ADDRESS<br>                proto esp spi 0xc4358b01 reqid 1 mode tunnel<br>src <a href="http://192.168.126.0/24" target="_blank">192.168.126.0/24</a> dst <a href="http://192.168.127.0/24" target="_blank">192.168.127.0/24</a><br>        dir fwd priority 375423 ptype main<br>        tmpl src WORK.PUBLIC.IP.ADDRESS dst HOME.PUBLIC.IP.ADDRESS<br>                proto esp reqid 1 mode tunnel<br>src <a href="http://192.168.126.0/24" target="_blank">192.168.126.0/24</a> dst <a href="http://192.168.127.0/24" target="_blank">192.168.127.0/24</a><br>        dir in priority 375423 ptype main<br>        tmpl src WORK.PUBLIC.IP.ADDRESS dst HOME.PUBLIC.IP.ADDRESS<br>                proto esp reqid 1 mode tunnel</div></div>