[strongSwan] Net2net and ip policy

Makai Zsolt Makai.Zsolt at etv.hu
Thu Jun 3 15:14:13 CEST 2010


Hi,
 
Sorry, I found it! It is working...
 
An iptables command was left, which is prohibited!
 
Thank you!
Zsolt

	-----Original Message-----
	From: users-bounces+makai.zsolt=etv.hu at lists.strongswan.org
[mailto:users-bounces+makai.zsolt=etv.hu at lists.strongswan.org] On Behalf
Of Makai Zsolt
	Sent: Thursday, June 03, 2010 1:12 PM
	To: users at lists.strongswan.org
	Subject: [strongSwan] Net2net and ip policy
	
	

	Hi, 

	Please, help me! I have got two strongswan servers and the
connection is ok. I must put a router between "left" and "leftsubnet":

	Before:
192.168.100.0/22===x.x.x.186---x.x.x.230===192.168.11.0/24 
	Now: 192.168.100.0/22==={router
192.168.100.254-x.x.x.185}===x.x.x.186---x.x.x.230===192.168.11.0/24 

	Ipsec.conf: 
	config setup 
	 plutodebug=control 
	 charonstart=no 

	conn %default 
	        left=%defaultroute 
	        leftsubnet=192.168.100.0/22 

	conn paks 
	        right=x.x.x.230 
	        rightsubnet=192.168.11.0/24 
	        authby=secret 
	        auth=esp 
	        auto=add 

	Ip xfrm policy: 
	src 192.168.100.0/22 dst 192.168.11.0/24 
	        dir out priority 2408 ptype main 
	        tmpl src x.x.x.186 dst x.x.x.230 
	                proto esp reqid 16385 mode tunnel 
	src 192.168.11.0/24 dst 192.168.100.0/22 
	        dir fwd priority 2408 ptype main 
	        tmpl src x.x.x.230 dst x.x.x.186 
	                proto esp reqid 16385 mode tunnel 
	src 192.168.11.0/24 dst 192.168.100.0/22 
	        dir in priority 2408 ptype main 
	        tmpl src x.x.x.230 dst x.x.x.186 
	                proto esp reqid 16385 mode tunnel 

	Route: 
	192.168.100.0   x.x.x.185 255.255.252.0   UG    0      0
0 eth1 
	0.0.0.0         x.x.x.180 0.0.0.0         UG    0      0
0 eth1 

	The vpn tunnel has been established, of course, but the ping
from 192.168.100.2 to 192.168.11.3 has been failed. 
	Tcpdump: 
	12:45:51.760782 IP 192.168.100.2 > 192.168.11.3: ICMP echo
request, id 512, seq 15360, length 40 
	12:45:51.760931 IP x.x.x.186.euroweb.hu > 192.168.100.2: ICMP
host 192.168.11.3 unreachable - admin prohibited, length 68

	The ipsec.conf i did not change. I removed the direct network
connection to 192.168.100.0/22 from the "left" server and i rewrote it
the routing table. What it is necessary to do yet, that allowing let the
route be? 

	Thank you, 
	Zsolt 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20100603/26ecde3f/attachment.html>


More information about the Users mailing list