[strongSwan] routing/firewall

Noel Kuntze noel at familie-kuntze.de
Mon Dec 9 12:32:14 CET 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Christian,

You need to use the "farp" plugin, if you use the IP from your LAN subnet.
Otherwise the router on the LAN won't be able to resolve the IPs to MAC addresses.
The "farp" plugin solves this issue by spoofing arp responses.

Regards
Noel Kuntze

Am 09.12.2013 12:28, schrieb Christian Huldt:
> I have on (old) openswan gateway with ipsec-psk and l2tp and one
> strongswan 5.1.1 with ikev1 with certificates for users to connect to.
> 
> I must however be doing something wrong as users connected to strongswan
> cannot connect to internet, while users connected to openswan has no
> problems at all.
> 
> Apart from the ipsec implementation most things are equal, including to
> firewall rules - in fact, strongswan replace openswan that worked just
> like the remaining openswan gateway.
> 
> tcpdump shows packets going out but not coming in, IPs are provided by
> dhcp for strongswan, while openswan has a separate subnet...
> 
> What is the best way to debug this?
> 
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJSpao+AAoJEDg5KY9j7GZYxGwP/0ZrA5qy/eB4zNaYmBLJU4Zb
KMpIlmj+DCwlHFFtEvj2PgiH3TNqQ/tgGxArflQoB4IbIjyw+ApL+amIY58XGAZ4
TIu3siFQ/bSA9DT07O2QJ1BEePiLbzmvh7pfVCd5Nrl8W11hPocDxjbJERoe5Gr4
Z5uu6g26Hyn2IXga//RHyxV5Y1+zmg+kKmfDunD+3U5krqJcLwSGHq2H9BELjQrS
jFJRhuZttQmzMe9vYV4qi5YaC9CPMXpt6NRmoX7ZV41FrRIV8nGR+HIpo8w8STYM
jfeX4o4KNQHbYV+fPIaREGEWhrt6G44st7/9nsdhQm0nPVdbmzoaBcFeTqtyb+xq
1XZodfVVPSoyeojPCm2Lvnfj6NBD7wMts1Q5bI36NL7cIsKARVAJEWnCfppkQcut
DF3Jy1IFqLOr4EKczwUqQz1yfXGYxW8J8iDIOC+yTmXeGnpIlnY3T3VDoB6XE5ej
z5q0UmElaJrcMxPnkb5uQ26pqop2YpnVbuBOFhdk9M974jbpNaXGcrEfuGxcGdVA
NkJ+wP2DtttqUAskgZHTEHfz4SUEH606huuECGOp8OEEBq+6+xCZEM9xIguhaNK1
SN8gmMNfOAbu2kCGqbf3s5pGOsYBEyhE3xC2P58xvGvnWk9pUGISITlRxn9pWzts
Tq7ryfutEF5UGaTsb+7z
=72TP
-----END PGP SIGNATURE-----




More information about the Users mailing list