[strongSwan] StrongSWAN and AVM Fritzbox - Help!
Rene Bartsch
ml at bartschnet.de
Sat Feb 12 20:58:09 CET 2011
Hello Andreas,
I've added the rules
iptables -t filter -A INPUT -d <public IP> -p esp -m comment --comment "ACCEPT IPSec ESP" -j ACCEPT
iptables -t filter -A INPUT -d <public IP> -p udp -m udp --dport 500 -m comment --comment "ACCEPT IPSec IKE" -j ACCEPT
iptables -t filter -A INPUT -d <public IP> -p udp -m udp --dport 4500 -m comment --comment "ACCEPT IPSec NAT-T" -j ACCEPT
and StrongSWAN added the rules
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  192.168.177.0/24     192.168.176.0/24     policy match dir in pol ipsec reqid 16385 proto esp
ACCEPT     all  --  192.168.176.0/24     192.168.177.0/24     policy match dir out pol ipsec reqid 16385 proto esp
The IPsec association is created (even the Fritzbox shows an active IPsec
connection), but no data passes between the subnets.
Do I use the right iptables chains? Do I need port 4500 (NAT-T is disabled
on the Fritzbox and the StrongSWAN box)?
Regards,
Renne
On Sat, 12 Feb 2011 20:20:46 +0100, Andreas Steffen
<andreas.steffen at strongswan.org> wrote:
> Hello Rene,
>
> you must open UDP port 500 for IKE and UDP port 4500 if you have
> a NAT situation. In order to pass encrypted IPsec packets you
> must open IP protocol 50 (ESP).
>
> Regards
>
> Andreas
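As an added example (not code from this thread, from strongSwan, or from either poster), the script below audits an iptables-save dump for the rules Andreas lists: ESP and UDP/500 into the gateway, UDP/4500 only when NAT-T is in play, plus the two FORWARD rules with the ipsec policy match between the two subnets. The dump it parses is constructed here to resemble the rules quoted above; the public address 203.0.113.10 and the omission of the 4500 rule are assumptions of the example, not facts from the thread.

```python
"""Check an iptables-save dump for the rules a site-to-site IPsec gateway needs."""
import shlex

# Constructed iptables-save style dump modelled on the rules quoted in the thread.
# 203.0.113.10 is a placeholder public IP; the UDP/4500 rule is deliberately absent.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -d 203.0.113.10/32 -p esp -m comment --comment "ACCEPT IPSec ESP" -j ACCEPT
-A INPUT -d 203.0.113.10/32 -p udp -m udp --dport 500 -m comment --comment "ACCEPT IPSec IKE" -j ACCEPT
-A FORWARD -s 192.168.177.0/24 -d 192.168.176.0/24 -m policy --dir in --pol ipsec --reqid 16385 --proto esp -j ACCEPT
-A FORWARD -s 192.168.176.0/24 -d 192.168.177.0/24 -m policy --dir out --pol ipsec --reqid 16385 --proto esp -j ACCEPT
COMMIT
"""


def parse_rules(dump):
    """Return (chain, option tokens) for every '-A' line in an iptables-save dump."""
    rules = []
    for line in dump.splitlines():
        line = line.strip()
        if not line.startswith("-A "):
            continue
        tokens = shlex.split(line)  # shlex keeps the quoted --comment value together
        rules.append((tokens[1], tokens[2:]))
    return rules


def _has_pair(tokens, flag, value):
    """True if the option 'flag value' appears anywhere in the rule (option order is free)."""
    return any(tokens[i] == flag and tokens[i + 1] == value
               for i in range(len(tokens) - 1))


def _to_gateway(tokens, public_ip):
    """Rule is addressed to the gateway itself, or carries no -d at all (matches any dst)."""
    return _has_pair(tokens, "-d", public_ip + "/32") or "-d" not in tokens


def _udp_dport(tokens, port):
    return _has_pair(tokens, "-p", "udp") and _has_pair(tokens, "--dport", str(port))


def _policy_rule(tokens, src, dst, direction):
    """FORWARD rule that accepts src->dst only for traffic matched by an ipsec policy."""
    return (_has_pair(tokens, "-s", src) and _has_pair(tokens, "-d", dst)
            and _has_pair(tokens, "-m", "policy") and _has_pair(tokens, "--pol", "ipsec")
            and _has_pair(tokens, "--dir", direction))


def audit(dump, public_ip, local_net, remote_net, nat_t=True):
    """Return the sorted names of required rules that are missing from the dump."""
    rules = parse_rules(dump)
    inp = [t for chain, t in rules if chain == "INPUT" and _has_pair(t, "-j", "ACCEPT")]
    fwd = [t for chain, t in rules if chain == "FORWARD" and _has_pair(t, "-j", "ACCEPT")]

    checks = {
        "INPUT esp (IP proto 50)": any(_has_pair(t, "-p", "esp") and _to_gateway(t, public_ip)
                                       for t in inp),
        "INPUT udp/500 (IKE)": any(_udp_dport(t, 500) and _to_gateway(t, public_ip) for t in inp),
        # decrypted packets from the remote subnet arrive via an inbound ipsec policy
        "FORWARD remote->local (dir in)": any(_policy_rule(t, remote_net, local_net, "in")
                                              for t in fwd),
        # packets to the remote subnet are accepted only if an outbound policy will encrypt them
        "FORWARD local->remote (dir out)": any(_policy_rule(t, local_net, remote_net, "out")
                                               for t in fwd),
    }
    if nat_t:  # UDP/4500 is only needed when IKE/ESP are UDP-encapsulated behind a NAT
        checks["INPUT udp/4500 (NAT-T)"] = any(_udp_dport(t, 4500) and _to_gateway(t, public_ip)
                                               for t in inp)
    return sorted(name for name, ok in checks.items() if not ok)


if __name__ == "__main__":
    for nat in (True, False):
        missing = audit(SAMPLE_DUMP, "203.0.113.10", "192.168.176.0/24", "192.168.177.0/24", nat_t=nat)
        print("nat_t=%s missing: %s" % (nat, missing or "none"))
```

Run it against a real box with the output of `iptables-save` instead of SAMPLE_DUMP. A clean audit only says the rules exist; whether they are hit is a separate question, and `iptables -L FORWARD -v -n` shows per-rule packet counters, so zero counters on the policy-match rules while the SA is up means the packets are not reaching the FORWARD chain as decapsulated IPsec traffic at all.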