[strongSwan] Kernel drops all client Packages with virtual IP

Bharath Kumar cbkumar at gmail.com
Wed Jan 2 01:06:23 CET 2013


What is the log message in, say, /var/log/messages?

Also, please post the output of

ip xfrm policy

ip xfrm state

ipsec statusall


Thanks,
Bharath Kumar

On Tuesday, January 1, 2013, richard -rw- weinberger wrote:

> Hi!
>
> On my RHEL6 system (strongswan 4.6.4) I'm using the following setup:
> http://wiki.strongswan.org/projects/strongswan/wiki/IOS_%28Apple%29
>
> The client can connect to the server and gets a virtual IP assigned.
> But the kernel seems to drop the packets from the client immediately.
>
> server config:
> conn ios
>         keyexchange=ikev1
>         authby=xauthrsasig
>         xauth=server
>         left=%defaultroute
>         leftsubnet=0.0.0.0/0
>         leftcert=serverCert.pem
>         leftfirewall=yes
>         right=%any
>         rightsubnet=10.99.0.0/24
>         rightsourceip=10.99.0.2
>         rightcert=clientCert.pem
>         pfs=no
>         auto=add
>
> Using tcpdump I can see packets from 10.99.0.2 but Linux seems to drop
> them while routing them.
> If I install an iptables LOG rule into the PREROUTING chain, iptables
> logs the packet. Later (e.g. in FORWARD) they no longer exist.
>
> Do I need to install any IP out of 10.99.0.0/24 on my server?
> Or is there anything else which needs to be done on the Linux side
> which is not covered by the above tutorial?
> Before I start debugging on kernel level I'd like to verify that I'm
> not missing something obvious...
>
> Thanks,
> //richard
>