[strongSwan] Peer to peer apps among clients
Martin Willi
martin at strongswan.org
Mon Apr 28 10:54:10 CEST 2014
Hi Mark,
> I see the encrypted ICMP echo request come into the server, and then I
> see the server send out an ARP request for the other IP on its primary
> interface.
Do you have appropriate routes installed for these clients? If not
disabled explicitly, charon should install these routes automatically
for you. On Linux, these routes are in a dedicated routing table, you
can print them using "ip route show table 220".
Given that your Internet traffic works, most likely these routes are in
place.
> leftcert=pw-hq.com.crt.x509.pem,pw-hq.com.crt-intermediate2.x509.pem,pw-hq.com.crt-intermediate1.x509.pem
While this might work, this is not the intended way to configure
intermediate CA certificates. You should put them in ipsec.d/cacerts,
and just reference your gateway certificate here.
> rightsubnet=10.10.0.0/16
> rightsourceip=10.10.128.0/17
Not sure how iOS handles this, but I don't think your rightsubnet is
correct. Each connecting client has a single IP on its side, and not the
full 10.10.0.0/16 subnet. Just omit the rightsubnet option to narrow it
to the selected rightsourceip.
Regards
Martin
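The two configuration points raised above (intermediate CAs in ipsec.d/cacerts rather than chained in leftcert, and rightsubnet omitted in favour of rightsourceip) shown side by side as an added ipsec.conf example; this is not configuration from the original thread, and the gateway identity, leftsubnet, EAP settings and file locations are assumptions.

```ini
# /etc/ipsec.conf (added example, not from the thread)

# --- As quoted in the thread: works, but not the intended layout ---
# leftcert=pw-hq.com.crt.x509.pem,pw-hq.com.crt-intermediate2.x509.pem,pw-hq.com.crt-intermediate1.x509.pem
# rightsubnet=10.10.0.0/16
# rightsourceip=10.10.128.0/17

# --- Corrected layout ---
# Intermediate CA certificates are installed as files in /etc/ipsec.d/cacerts:
#   pw-hq.com.crt-intermediate1.x509.pem
#   pw-hq.com.crt-intermediate2.x509.pem
# The gateway certificate itself is in /etc/ipsec.d/certs and is the only
# certificate referenced by leftcert.

config setup

conn %default
    keyexchange=ikev2

conn roadwarrior
    left=%any
    leftid=@vpn.pw-hq.com            # assumed gateway identity
    leftcert=pw-hq.com.crt.x509.pem  # gateway cert only, from ipsec.d/certs
    leftsubnet=0.0.0.0/0             # assumed: clients route Internet traffic via the gateway
    leftauth=pubkey
    right=%any
    rightauth=eap-mschapv2           # assumed client authentication method
    eap_identity=%any
    rightsourceip=10.10.128.0/17     # address pool handed to connecting clients
    # rightsubnet deliberately omitted: each client's traffic selector is
    # narrowed to the single address it was assigned from rightsourceip.
    auto=add
```

With routes installed by charon (the default unless disabled in strongswan.conf), `ip route show table 220` on the gateway should list one route per connected client address, which is what client-to-client traffic through the gateway depends on.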