[strongSwan] unable to ping local gateway in roadwarrior configuration

Martin Willi martin at strongswan.org
Tue Jan 20 15:37:53 CET 2015


Hi,

> iptables -A PREROUTING -p 50 -d $EXTIP -j DNAT --to-destination 192.168.7.1
> iptables -A PREROUTING -p 51 -d $EXTIP -j DNAT --to-destination 192.168.7.1

You probably won't need ESP/AH forwarding rules, as in your NAT
situation all traffic is UDP encapsulated over ports 500/4500.

> and ipsec statusall is:
> Security Associations (0 up, 0 connecting):

Your "ipsec statusall" shows no active connections. No client currently
connected?

> The problem that I have is that I am able to ping the network computers
> (i.e. 192.168.7.5) but I am unable to ping the gateway itself
> (192.168.7.1).

If pinging the LAN hosts works, your IPsec policies get negotiated
correctly. It is likely that your routing or firewall configuration drops
the packets.

If you ping your internal gateway address, do you see incoming packets
when sniffing on your gateway? Do you see ESP packets leaving?

> 192.168.7.0    *  255.255.255.0      U       0      0        0 br-lan

strongSwan installs a route to table 220 (ip route show table 220),
which should go over your Sky router. It overrides the LAN route to your
DHCP-assigned road-warrior IP. Can you confirm this route gets installed
correctly?

Regards
Martin
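A small helper for the table 220 check suggested above, added here as an example and not part of the thread: it parses `ip route show table 220` output and confirms that the road-warrior's virtual IP has a host route on the expected device (the route that overrides the br-lan LAN route from the main table). The WAN device name `eth0`, the client IP 192.168.7.200 and the sample route line are assumptions, constructed for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Checks that strongSwan's
# routing table 220 holds a host route for a road-warrior virtual IP that
# points at the expected outgoing device, i.e. the route that takes
# precedence over the 192.168.7.0/24 LAN route in the main table.

# rw_route_dev ROUTES CLIENT_IP
#   ROUTES: text in the format of `ip route show table 220`
#   Prints the device of the host route for CLIENT_IP, nothing if absent.
rw_route_dev() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        $1 == ip || $1 == ip "/32" {
            for (i = 2; i <= NF; i++) if ($i == "dev") { print $(i+1); exit }
        }'
}

# rw_route_ok ROUTES CLIENT_IP EXPECTED_DEV
#   Returns 0 when the host route exists and leaves via EXPECTED_DEV.
rw_route_ok() {
    dev=$(rw_route_dev "$1" "$2")
    [ -n "$dev" ] && [ "$dev" = "$3" ]
}

# Live check on the gateway itself (assumed: eth0 is the WAN side towards
# the Sky router). Nothing is printed by `ip` when table 220 is empty.
check_live() {
    rw_route_ok "$(ip route show table 220 2>/dev/null)" "$1" "$2"
}

# Constructed sample of table 220 with one client connected; the virtual IP
# 192.168.7.200 and next hop 10.0.0.1 are invented for the example.
SAMPLE_220='192.168.7.200 via 10.0.0.1 dev eth0 proto static src 192.168.7.1'

if [ "${1:-}" = "--demo" ]; then
    if rw_route_ok "$SAMPLE_220" 192.168.7.200 eth0; then
        echo "table 220: host route for 192.168.7.200 via eth0 is present"
    else
        echo "table 220: no host route for 192.168.7.200 via eth0"
    fi
fi
```

Run with `--demo` to see the result on the constructed sample; call `check_live <client-ip> <wan-dev>` on a gateway with a connected client to test the real table.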
