[strongSwan] Net2net and ip policy
Makai Zsolt
Makai.Zsolt at etv.hu
Thu Jun 3 15:14:13 CEST 2010
Hi,
Sorry, I found it! It is working...
An iptables rule had been left in place, which was prohibiting it!
Thank you!
Zsolt
-----Original Message-----
From: users-bounces+makai.zsolt=etv.hu at lists.strongswan.org [mailto:users-bounces+makai.zsolt=etv.hu at lists.strongswan.org] On Behalf Of Makai Zsolt
Sent: Thursday, June 03, 2010 1:12 PM
To: users at lists.strongswan.org
Subject: [strongSwan] Net2net and ip policy
Hi,
Please help me! I have two strongSwan servers and the connection is OK. I must put a router between "left" and "leftsubnet":
Before:
192.168.100.0/22===x.x.x.186---x.x.x.230===192.168.11.0/24
Now:
192.168.100.0/22==={router 192.168.100.254-x.x.x.185}===x.x.x.186---x.x.x.230===192.168.11.0/24
ipsec.conf:
config setup
        plutodebug=control
        charonstart=no

conn %default
        left=%defaultroute
        leftsubnet=192.168.100.0/22

conn paks
        right=x.x.x.230
        rightsubnet=192.168.11.0/24
        authby=secret
        auth=esp
        auto=add
ip xfrm policy:
src 192.168.100.0/22 dst 192.168.11.0/24
        dir out priority 2408 ptype main
        tmpl src x.x.x.186 dst x.x.x.230
                proto esp reqid 16385 mode tunnel
src 192.168.11.0/24 dst 192.168.100.0/22
        dir fwd priority 2408 ptype main
        tmpl src x.x.x.230 dst x.x.x.186
                proto esp reqid 16385 mode tunnel
src 192.168.11.0/24 dst 192.168.100.0/22
        dir in priority 2408 ptype main
        tmpl src x.x.x.230 dst x.x.x.186
                proto esp reqid 16385 mode tunnel
Route:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.100.0   x.x.x.185       255.255.252.0   UG    0      0        0 eth1
0.0.0.0         x.x.x.180       0.0.0.0         UG    0      0        0 eth1
The VPN tunnel has been established, of course, but the ping from 192.168.100.2 to 192.168.11.3 has failed.
tcpdump:
12:45:51.760782 IP 192.168.100.2 > 192.168.11.3: ICMP echo request, id 512, seq 15360, length 40
12:45:51.760931 IP x.x.x.186.euroweb.hu > 192.168.100.2: ICMP host 192.168.11.3 unreachable - admin prohibited, length 68
I did not change ipsec.conf. I removed the direct network connection to 192.168.100.0/22 from the "left" server and I rewrote the routing table. What is still necessary so that the route is allowed?
Thank you,
Zsolt
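The cause the poster found, an iptables rule answering with "admin prohibited", can be checked for directly. The following is an added shell example, not code from the thread or from strongSwan: it scans iptables-save text for FORWARD rules that REJECT or DROP traffic between the two tunnel subnets. The iptables-save sample is constructed; the subnets are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original thread): find FORWARD-chain rules that
# REJECT or DROP traffic between the tunnel subnets. A REJECT with
# icmp-host-prohibited is what produces "unreachable - admin prohibited".

# Constructed sample of iptables-save output (not captured from the poster's
# host): a subnet-specific REJECT, a catch-all REJECT, and ACCEPT rules that
# only cover the inbound direction of the tunnel.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 192.168.11.0/24 -d 192.168.100.0/22 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -s 192.168.100.0/22 -d 192.168.11.0/24 -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# find_forward_blocks LEFTSUBNET RIGHTSUBNET  (iptables-save text on stdin)
# Prints every FORWARD rule whose target is REJECT or DROP and whose -s/-d
# equal the given subnets (either direction) or are absent, meaning "any".
# Exact-string matching only: an enclosing prefix or "! -s" is not detected.
find_forward_blocks() {
    awk -v l="$1" -v r="$2" '
        function covers(a, s) { return a == "" || a == s }
        $1 == "-A" && $2 == "FORWARD" {
            src = ""; dst = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-s") src = $(i + 1)
                else if ($i == "-d") dst = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
            }
            if ((target == "REJECT" || target == "DROP") &&
                ((covers(src, l) && covers(dst, r)) ||
                 (covers(src, r) && covers(dst, l))))
                print
        }'
}

# count_forward_blocks LEFTSUBNET RIGHTSUBNET: number of blocking rules in
# SAMPLE_RULES. On a real host, pipe `iptables-save` into find_forward_blocks.
count_forward_blocks() {
    printf '%s\n' "$SAMPLE_RULES" | find_forward_blocks "$1" "$2" | wc -l | tr -d ' '
}

count_forward_blocks 192.168.100.0/22 192.168.11.0/24
```

The sample reports two rules for the poster's subnets; the subnet-specific one is hit first for the 192.168.100.0/22 to 192.168.11.0/24 direction, while the ACCEPT rules never match it.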