[strongSwan] One-way tunnel
Jan Vejvalka
jan.vejvalka at datim.cz
Tue Jan 18 00:28:56 CET 2011
Hi *,
the issue is resolved:
besides routing via IPSec to the remote network, my box also serves as
the default gateway from my private network to the outside world.
Therefore, there is a masquerading rule in the POSTROUTING chain.
Replacing
iptables -t nat -A POSTROUTING -o extiface -j MASQUERADE
with
iptables -t nat -A POSTROUTING -o extiface -j SNAT --to mypublicip
did the job.
Thanks to all who helped,
Jan
On 12.1.2011 7:01, Jan Vejvalka wrote:
> Hi *,
>
> I'm new to strongSwan, trying to set it up to work with Cisco 7206VXR
> to tunnel communication between networks on both sides, on IPv4 with
> IKEv1, PSK.
>
> With iptables, I monitor packets on my box.
> Pings from the remote network to my local network come through and get
> responded to: esp in, echo-request forwarded, echo-reply forwarded, esp
> out.
> Pings in the opposite direction never make it: the echo-request is
> forwarded, but no esp packet is sent out and the ping packet goes
> further to the default gateway.
>
> My configuration follows the one at
> http://www.strongswan.org/uml/testresults/ikev1/net2net-psk/.
> I'm using kernel 2.6.36.1, everything else is Slackware 13.1.
>
> Any hint/help is much welcome.
>
> Many thanks,
>
> Jan
>
>
> This is my ipsec.conf:
>
> config setup
>         plutodebug=control
>         plutostart=yes
>         charondebug=none
>         charonstart=no
>
> conn net-net
>         ikelifetime=86400s
>         keylife=3600s
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev1
>         authby=secret
>         ike=3des-md5-modp1024
>         esp=3des-md5
>         right=mypublicip
>         rightsubnet=theirpublicnet
>         left=mypublicip
>         leftsubnet=myprivatenet
>         leftfirewall=yes
>         auto=add
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>