[strongSwan] StrongSWAN and AVM Fritzbox - Help!

Rene Bartsch ml at bartschnet.de
Sat Feb 12 20:58:09 CET 2011


Hello Andreas,

I've added the rules

iptables -t filter -A INPUT   -d <public IP> -p esp                     -m comment --comment "ACCEPT IPSec ESP"   -j ACCEPT
iptables -t filter -A INPUT   -d <public IP> -p udp -m udp --dport 500  -m comment --comment "ACCEPT IPSec IKE"   -j ACCEPT
iptables -t filter -A INPUT   -d <public IP> -p udp -m udp --dport 4500 -m comment --comment "ACCEPT IPSec NAT-T" -j ACCEPT


and StrongSWAN added the rules

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  192.168.177.0/24     192.168.176.0/24    policy match dir in pol ipsec reqid 16385 proto esp
ACCEPT     all  --  192.168.176.0/24     192.168.177.0/24    policy match dir out pol ipsec reqid 16385 proto esp


The IPSec association is created (even Fritzbox shows an active IPSec
connection), but no data passes between the subnets.

Do I use the right IPTables chains? Do I need port 4500 (NAT-T is disabled
on Fritzbox and StrongSWAN box)?


Regards,

Renne



On Sat, 12 Feb 2011 20:20:46 +0100, Andreas Steffen
<andreas.steffen at strongswan.org> wrote:
> Hello Rene,
> 
> you must open UDP port 500 for IKE and UDP port 4500 if you have
> a NAT situation. In order to pass encrypted IPsec packets you
> must open IP protocol 50 (ESP).
> 
> Regards
> 
> Andreas
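The INPUT rules from the message and the FORWARD rules strongSwan installed, combined into one reviewable script as an added example (not code from the thread or from strongSwan). The public IP, the subnets, the reqid parameter and the POSTROUTING exemption for gateways that also masquerade are assumptions; by default the script only prints the rules.

```shell
#!/bin/sh
# Added example: firewall rules for a strongSwan net-to-net gateway.
# Addresses below are constructed placeholders. Set APPLY=1 to execute;
# otherwise the commands are only printed (multi-word comments lose quoting).
APPLY="${APPLY:-0}"

run() {
    printf '%s\n' "$*"          # always show the rule
    [ "$APPLY" = 1 ] && "$@"    # only execute when explicitly asked
    return 0
}

# ipsec_gw_rules <public IP> <local subnet> <remote subnet> <reqid>
ipsec_gw_rules() {
    pub="$1"; lnet="$2"; rnet="$3"; reqid="$4"

    # INPUT: IKE, NAT-T (only used when a NAT sits in between) and ESP to the gateway itself
    run iptables -t filter -A INPUT -d "$pub" -p udp --dport 500  -m comment --comment "ACCEPT IPsec IKE"   -j ACCEPT
    run iptables -t filter -A INPUT -d "$pub" -p udp --dport 4500 -m comment --comment "ACCEPT IPsec NAT-T" -j ACCEPT
    run iptables -t filter -A INPUT -d "$pub" -p esp              -m comment --comment "ACCEPT IPsec ESP"   -j ACCEPT

    # FORWARD: only subnet-to-subnet traffic that was (dir in) or will be (dir out)
    # protected by this tunnel's IPsec policy; everything else stays on policy DROP
    run iptables -t filter -A FORWARD -s "$rnet" -d "$lnet" \
        -m policy --dir in  --pol ipsec --reqid "$reqid" --proto esp -j ACCEPT
    run iptables -t filter -A FORWARD -s "$lnet" -d "$rnet" \
        -m policy --dir out --pol ipsec --reqid "$reqid" --proto esp -j ACCEPT

    # Assumption not in the thread: if the gateway also masquerades LAN traffic,
    # exempt tunnel traffic from SNAT first, or the rewritten source no longer
    # matches the IPsec policy and the packets leave unencrypted or are dropped.
    run iptables -t nat -I POSTROUTING 1 -s "$lnet" -d "$rnet" \
        -m policy --dir out --pol ipsec -j ACCEPT
}

# Number of rules in the printed plan, checkable without root or netfilter.
rule_count() { ipsec_gw_rules "$@" | grep -c '^iptables'; }

ipsec_gw_rules 203.0.113.1 192.168.176.0/24 192.168.177.0/24 16385
```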
