[strongSwan] FW: ikev2 vpn using PKI auth with a Blackberry Z10

Martin Willi martin at strongswan.org
Mon Sep 16 09:46:05 CEST 2013


Hi,

> client device (24.114.94.100) connect to the server (99.234.220.200,
> LAN ip-192.168.16.50) via public key authentication, and to have access
> to the LAN (192.168.16.0/24) behind the server.  [...] I cannot ping
> between the host and client, or reach the subnet behind the host. 
> There are no errors when connecting, and I am issued a virtual ip
> (10.10.10.1):

I assume that the VPN client has a route to the host you ping. But does
the host in your LAN has a route to the client, i.e. does it know where
10.10.10.1 is?

If the IPsec gateway is not your default gateway, you'll have to install
a route on each LAN host for the 10.10.10.0/24 subnet.

Alternatively you might consider assigning unused addresses from
192.168.16.0/24 to the clients, statically or using the dhcp plugin.
Then the farp plugin on your IPsec gateway could take care of responding
to ARP responses on behalf of the IPsec clients.

If that all does not help, you should run a network sniffer to see where
your pings gets lost. Also, make sure IP forwarding is enabled on the
IPsec gateway.

Regards
Martin

[1]http://wiki.strongswan.org/projects/strongswan/wiki/FARPPlugin





More information about the Users mailing list