[strongSwan] FW: ikev2 vpn using PKI auth with a Blackberry Z10

Martin Willi martin at strongswan.org
Wed Sep 18 10:23:18 CEST 2013


> Tcpdump is clearly showing the packets making their way to the client
> (on my wan and lan), though I do not see anything coming back in
> return.

As suggested in my previous mail, you should check if the hosts on the
LAN have a route to return packets to the IPsec clients.

> Why did strongswan insert these rules

Because you have defined leftfirewall=yes or leftupdown?

> and what do they mean?

These rules enable forwarding of traffic coming in / going out of the
tunnel should you have a DROP policy.

> Neither my client device nor my strongswan server is on the
> ip range.  I have no idea where strongswan is getting
> this 67.xxx network range.

Are you using the default updown script to install these rules? Adding
some debug logs to your script might help.

What does "ipsec statusall" show when such a tunnel is up?
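The debug logging suggested above, as an added example that is not part of this thread or of strongSwan's own _updown script: a hypothetical leftupdown wrapper that records the PLUTO_* variables strongSwan hands to the updown script (these names are the ones the stock script uses), logs the FORWARD rules that would follow from them, and only then hands over to the real script. REAL_UPDOWN is a placeholder for the stock script's path on your system, and the rule syntax only approximates what the stock script installs for leftfirewall=yes.

```shell
#!/bin/sh
# Hypothetical leftupdown debugging wrapper (added example, not strongSwan's
# stock _updown). strongSwan describes each up/down event to the updown script
# through PLUTO_* environment variables; we record them before delegating.

# Build one syslog line from the variables set for this invocation.
updown_debug_line() {
    printf 'verb=%s conn=%s iface=%s me=%s peer=%s my_client=%s peer_client=%s' \
        "${PLUTO_VERB:-?}" "${PLUTO_CONNECTION:-?}" "${PLUTO_INTERFACE:-?}" \
        "${PLUTO_ME:-?}" "${PLUTO_PEER:-?}" \
        "${PLUTO_MY_CLIENT:-?}" "${PLUTO_PEER_CLIENT:-?}"
}

# Approximation of the FORWARD rules the stock script adds for leftfirewall=yes
# (assumption: the stock script's exact match options differ). The subnets come
# from PLUTO_MY_CLIENT / PLUTO_PEER_CLIENT, i.e. the negotiated traffic
# selectors, so an unexpected range in a rule points at an unexpected selector.
# $1 = interface, $2 = local traffic selector, $3 = remote traffic selector
forward_rules_for() {
    printf 'iptables -I FORWARD 1 -i %s -s %s -d %s -j ACCEPT\n' "$1" "$3" "$2"
    printf 'iptables -I FORWARD 1 -o %s -s %s -d %s -j ACCEPT\n' "$1" "$2" "$3"
}

# Number of FORWARD rules a selector pair would produce (one per direction).
forward_rule_count() {
    forward_rules_for "$1" "$2" "$3" | wc -l | tr -d ' '
}

main() {
    line=$(updown_debug_line)
    # logger(1) writes to syslog; fall back to stderr when it is unavailable.
    logger -t updown-debug -- "$line" 2>/dev/null || printf '%s\n' "$line" >&2
    forward_rules_for "${PLUTO_INTERFACE:-?}" "${PLUTO_MY_CLIENT:-?}" \
                      "${PLUTO_PEER_CLIENT:-?}" |
        while IFS= read -r rule; do
            logger -t updown-debug -- "would run: $rule" 2>/dev/null ||
                printf 'would run: %s\n' "$rule" >&2
        done
    # REAL_UPDOWN: placeholder for the path of the stock script on your system.
    if [ -x "${REAL_UPDOWN:-}" ]; then
        exec "$REAL_UPDOWN" "$@"
    fi
}

# Act only when invoked by strongSwan (PLUTO_VERB set), so the functions above
# can be sourced and exercised without side effects.
if [ -n "${PLUTO_VERB:-}" ]; then
    main "$@"
fi
```

Point leftupdown at this wrapper (with REAL_UPDOWN set to the stock script) and the logged selectors can be compared against what "ipsec statusall" reports for the same SA.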


