[strongSwan] StrongSWAN and AVM Fritzbox - Help!
Andreas Steffen
andreas.steffen at strongswan.org
Sat Feb 12 21:10:41 CET 2011
On 02/12/2011 08:58 PM, Rene Bartsch wrote:
> Hello Andreas,
>
> I've added the rules
>
> iptables -t filter -A INPUT -d <public IP> -p esp -m comment --comment "ACCEPT IPSec ESP" -j ACCEPT
> iptables -t filter -A INPUT -d <public IP> -p udp -m udp --dport 500 -m comment --comment "ACCEPT IPSec IKE" -j ACCEPT
> iptables -t filter -A INPUT -d <public IP> -p udp -m udp --dport 4500 -m comment --comment "ACCEPT IPSec NAT-T" -j ACCEPT
>
You also need corresponding OUTPUT rules
>
> and StrongSWAN added the rules
>
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  192.168.177.0/24     192.168.176.0/24     policy match dir in pol ipsec reqid 16385 proto esp
> ACCEPT     all  --  192.168.176.0/24     192.168.177.0/24     policy match dir out pol ipsec reqid 16385 proto esp
>
These rules are inserted automatically by the _updown script. Make sure
that IP forwarding is enabled (echo "1" > /proc/sys/net/ipv4/ip_forward).
>
> The IPSec association is created (even Fritzbox shows an active IPSec
> connection), but no data passes between the subnets.
>
> Do I use the right IPTables chains? Do I need port 4500 (NAT-T is disabled
> on Fritzbox and StrongSWAN box)?
>
If there is no NAT situation then you won't need port 4500.
>
> Regards,
>
> Renne
>
Regards
Andreas
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
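As an added illustration of the reply above (not code from the thread or from the strongSwan project), the following POSIX shell functions emit the INPUT rules Rene posted together with the matching OUTPUT rules Andreas asks for, add the UDP 4500 NAT-T rule only when the gateway is behind NAT, and check the kernel IPv4 forwarding flag that the FORWARD rules from the _updown script depend on. The public address 203.0.113.5, the yes/no NAT flag and the optional file argument of the forwarding check are assumptions made for the example; the commands are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread). Prints the iptables
# filter rules an IPsec gateway needs on INPUT and OUTPUT for IKE (UDP 500)
# and ESP, plus UDP 4500 (NAT-T) only when a NAT sits between the peers.
# The address and the NAT flag are example assumptions.
#
# Usage: ipsec_fw_rules <public IP> <nat: yes|no>
ipsec_fw_rules() {
    ip="$1"
    nat="${2:-no}"
    for dir in INPUT OUTPUT; do
        # INPUT matches the gateway address as destination, OUTPUT as source;
        # IKE and NAT-T use the same port on both peers, so --dport is fine
        # in both directions.
        if [ "$dir" = INPUT ]; then sel="-d $ip"; else sel="-s $ip"; fi
        printf 'iptables -t filter -A %s %s -p esp -m comment --comment "ACCEPT IPSec ESP" -j ACCEPT\n' "$dir" "$sel"
        printf 'iptables -t filter -A %s %s -p udp -m udp --dport 500 -m comment --comment "ACCEPT IPSec IKE" -j ACCEPT\n' "$dir" "$sel"
        if [ "$nat" = yes ]; then
            printf 'iptables -t filter -A %s %s -p udp -m udp --dport 4500 -m comment --comment "ACCEPT IPSec NAT-T" -j ACCEPT\n' "$dir" "$sel"
        fi
    done
}

# Return 0 when the kernel forwards IPv4 packets, 1 otherwise. The optional
# argument lets a test point at a file other than /proc/sys/net/ipv4/ip_forward.
check_ip_forward() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Stand-alone use: ./ipsec_fw.sh 203.0.113.5 no
if [ "$#" -ge 1 ]; then
    ipsec_fw_rules "$@"
    if check_ip_forward; then
        echo "# ip_forward=1: FORWARD rules from _updown can pass subnet traffic"
    else
        echo "# ip_forward is 0: enable it, e.g. echo 1 > /proc/sys/net/ipv4/ip_forward"
    fi
fi
```

Pipe the printed rules into `sh` only after checking them against the existing chain; the forwarding check is the first thing to look at when the SA is up but no traffic crosses the subnets.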