[strongSwan] routing/firewall

Noel Kuntze noel at familie-kuntze.de
Mon Dec 9 14:27:57 CET 2013



Hello Christian,

This guide[1] should clarify a couple of things and might help you get it working.

[1] http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling

Regards
Noel Kuntze

On 09.12.2013 12:50, Christian Huldt wrote:
> I believe that should be automatic?
> Also, is not that for ikev2?
> 
> As we have no problems connecting to hosts on the lan from clients
> connected from the outside, I believe that arp should be working?
> 
> (Many question marks as everything of course is AFAIK...)
> 
> Noel Kuntze wrote 2013-12-09 12:32:
>> Hello Christian,
>>
>> You need to use the "farp" plugin, if you use the IP from your LAN 
>> subnet. Otherwise the router on the LAN won't be able to resolve 
>> the IPs to MAC addresses. The "farp" plugin solves this issue by 
>> spoofing arp responses.
>>
>> Regards Noel Kuntze
>>
>> On 09.12.2013 12:28, Christian Huldt wrote:
>>> I have one (old) openswan gateway with ipsec-psk and l2tp and one
>>>  strongswan 5.1.1 with ikev1 with certificates for users to 
>>> connect to.
>>
>>> I must however be doing something wrong as users connected to 
>>> strongswan cannot connect to internet, while users connected to 
>>> openswan have no problems at all.
>>
>>> Apart from the ipsec implementation most things are equal, 
>>> including the firewall rules - in fact, strongswan replaced
>>> openswan that worked just like the remaining openswan gateway.
>>
>>> tcpdump shows packets going out but not coming in, IPs are 
>>> provided by dhcp for strongswan, while openswan has a separate 
>>> subnet...
>>
>>> What is the best way to debug this?
>>
>>
>>
> 