[strongSwan] Peer to peer apps among clients

Martin Willi martin at strongswan.org
Mon Apr 28 10:54:10 CEST 2014


Hi Mark,

> I see the encrypted ICMP echo request come into the server, and then I
> see the server send out an ARP request for the other IP on its primary
> interface.

Do you have appropriate routes installed for these clients? If not
disabled explicitly, charon should install these routes automatically
for you. On Linux, these routes are in a dedicated routing table, you
can print them using "ip route show table 220".

Given that your Internet traffic works, most likely these routes are in
place.

>    leftcert=pw-hq.com.crt.x509.pem,pw-hq.com.crt-intermediate2.x509.pem,pw-hq.com.crt-intermediate1.x509.pem

While this might work, this is not the intended way to configure
intermediate CA certificates. You should put them in ipsec.d/cacerts,
and just reference your gateway certificate here.

>         rightsubnet=10.10.0.0/16
>         rightsourceip=10.10.128.0/17

Not sure how iOS handles this, but I don't think your rightsubnet is
correct. Each connecting client has a single IP on its side, and not the
full 10.10.0.0/16 subnet. Just omit the rightsubnet option to narrow it
to the selected rightsourceip.

Regards
Martin
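As an added illustration (not part of Martin's reply and not strongSwan's own code), here is a small Python lint that parses an ipsec.conf fragment and flags the two configuration points raised above: intermediate CA certificates chained into leftcert instead of living in ipsec.d/cacerts, and rightsubnet set alongside rightsourceip for a road-warrior conn. The sample configuration is constructed from the values quoted in the thread; the conn name "ios-fixed" and its corrected stanza are hypothetical.

```python
import ipaddress

# Constructed ipsec.conf fragment built from the values quoted in the thread.
# "ios" reproduces the questionable settings; "ios-fixed" is a hypothetical
# corrected stanza (gateway cert only, rightsubnet omitted).
SAMPLE_IPSEC_CONF = """\
config setup

conn ios
    keyexchange=ikev1
    left=%any
    leftcert=pw-hq.com.crt.x509.pem,pw-hq.com.crt-intermediate2.x509.pem,pw-hq.com.crt-intermediate1.x509.pem
    right=%any
    rightsubnet=10.10.0.0/16
    rightsourceip=10.10.128.0/17
    auto=add

conn ios-fixed
    keyexchange=ikev1
    left=%any
    leftcert=pw-hq.com.crt.x509.pem
    right=%any
    rightsourceip=10.10.128.0/17
    auto=add
"""


def parse_ipsec_conf(text):
    """Return {"conn name": {key: value}, ...}.

    A line with no leading whitespace opens a section ("conn ios",
    "config setup"); indented key=value lines belong to the open section.
    Trailing '#' comments are stripped.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def check_conn(opts):
    """Return a list of finding strings for one conn's option dict."""
    findings = []

    # Point 1: intermediate CAs chained into leftcert.
    leftcert = opts.get("leftcert", "")
    if "," in leftcert:
        findings.append(
            "leftcert lists %d files; keep only the gateway certificate here and "
            "put the intermediate CA certificates in ipsec.d/cacerts"
            % len(leftcert.split(","))
        )

    # Point 2: rightsubnet set together with rightsourceip.
    rightsubnet = opts.get("rightsubnet")
    rightsourceip = opts.get("rightsourceip")
    if rightsubnet and rightsourceip:
        msg = (
            "rightsubnet=%s is set together with rightsourceip=%s; omit "
            "rightsubnet so the traffic selector narrows to the assigned "
            "virtual IP" % (rightsubnet, rightsourceip)
        )
        try:
            # Only a CIDR pool can be compared; named pools (%name) and
            # address ranges (a-b) raise ValueError and are skipped.
            subnet = ipaddress.ip_network(rightsubnet, strict=False)
            pool = ipaddress.ip_network(rightsourceip, strict=False)
            if pool != subnet and pool.subnet_of(subnet):
                msg += " (the subnet is wider than the pool)"
        except ValueError:
            pass
        findings.append(msg)
    return findings


def lint_ipsec_conf(text):
    """Map each conn name to its findings; clean conns are left out."""
    results = {}
    for header, opts in parse_ipsec_conf(text).items():
        if not header.startswith("conn "):
            continue
        findings = check_conn(opts)
        if findings:
            results[header.split(None, 1)[1]] = findings
    return results


if __name__ == "__main__":
    for conn, findings in lint_ipsec_conf(SAMPLE_IPSEC_CONF).items():
        for finding in findings:
            print("conn %s: %s" % (conn, finding))
```

Run against the sample, only the "ios" conn is reported, with both findings; the "ios-fixed" conn passes. The subnet-versus-pool comparison is deliberately limited to CIDR pools, since rightsourceip may also name a pool (%name) or give an address range, which the script leaves uncompared rather than guessing.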
