[strongSwan] net-net sample can not work on ubuntu14.04
zhuyj
mounter625 at 163.com
Mon May 4 12:34:57 CEST 2015
Hi, Noel
Thanks for your reply.
I read carefully this link:
https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
In this link, I think the most important things are ip_forward and iptables.
Now I will show you the configurations on sun:
root@strongswan2:~# cat /proc/sys/net/ipv4/ip_forward
1
root@strongswan2:~# iptables-save
# Generated by iptables-save v1.4.21 on Mon May 4 18:29:28 2015
*nat
:PREROUTING ACCEPT [93:14126]
:INPUT ACCEPT [36:4578]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [1:84]
-A POSTROUTING -s 10.0.0.0/8 -o eth1 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.0.0.0/8 -o eth1 -j MASQUERADE
COMMIT
# Completed on Mon May 4 18:29:28 2015
# Generated by iptables-save v1.4.21 on Mon May 4 18:29:28 2015
*filter
:INPUT ACCEPT [2033:256543]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [182:23858]
-A FORWARD -s 10.1.0.0/16 -d 10.2.0.0/16 -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 10.2.0.0/16 -d 10.1.0.0/16 -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
COMMIT
# Completed on Mon May 4 18:29:28 2015
I think the IP forwarding feature is enabled on sun, and the iptables rules
are inserted.
But the result is the same.
Any reply is appreciated.
Thanks a lot.
Zhu Yanjun
On 05/04/2015 06:01 PM, Noel Kuntze wrote:
> Hello,
>
> Did you follow the guide for forwarding[1]?
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
>
> Kind regards,
> Noel Kuntze
>
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 04.05.2015 at 11:25, zhuyj wrote:
>> Hi,
>>
>> Are you using psk or certificate to auth?
>>
>> Best Regards!
>> Zhu Yanjun
>> On 05/04/2015 05:18 PM, zhuyj wrote:
>>> Hi, Bernhard
>>>
>>> Your problem is the same as mine.
>>>
>>> Best Regards!
>>> Zhu Yanjun
>>>
>>> On 05/04/2015 05:00 PM, Bernhard Marx wrote:
>>>> Hi Zhu,
>>>>
>>>> no problem. I wish I would have :-)
>>>> But moon and sun are connected via public networks?
>>>> This is my scenario:
>>>>
>>>> 192.168.2.0/24 <=> 192.168.2.1 hardware router xx.xx.xx.xx (public IP from provider) <=> Internet <=> public IP on eth0 192.168.120.125 <=> 192.168.120.0/24 on eth1
>>>>
>>>> I can ping from 192.168.120.125 to 192.168.2.1 and vice versa - but I can not reach any devices in the subnet...
>>>>
>>>> Regards
>>>> Bernhard
>>>>
>>>>
>>>> 2015-05-04 10:51 GMT+02:00 zhuyj <mounter625 at 163.com>:
>>>>
>>>> Sorry. I thought you solved this problem already.
>>>> Do you think that it is related to psk or pubkey? I mean that strongswan can support auth-based certificate very well.
>>>> Maybe there is something wrong with psk auth?
>>>>
>>>> Zhu Yanjun
>>>>
>>>>
>>>> On 05/04/2015 04:45 PM, zhuyj wrote:
>>>>> Hi, Marx
>>>>>
>>>>> Please let me know how to solve this problem.
>>>>>
>>>>> Thanks a lot.
>>>>> Zhu Yanjun
>>>>>
>>>>> On 05/04/2015 04:22 PM, Bernhard Marx wrote:
>>>>>> Dear Zhu,
>>>>>>
>>>>>> I think I have the issue... as I sent a request to the mailing list yesterday...
>>>>>>
>>>>>> Feedback I received is to check the routing of packets... but I can't identify the issue...
>>>>>>
>>>>>> Regards
>>>>>> Bernhard
>>>>>>
>>>>>> 2015-05-04 10:17 GMT+02:00 zhuyj <mounter625 at 163.com>:
>>>>>>
>>>>>> Hi, all
>>>>>>
>>>>>> I followed this link: http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/
>>>>>>
>>>>>> I configured 4 VMware hosts. The hosts are ubuntu14.04.
>>>>>>
>>>>>> The network topology is as below.
>>>>>>
>>>>>> 10.1.0.10 <---->10.1.0.1 (moon) 192.168.0.1<----->192.168.0.2 (sun) 10.2.0.1<---->10.2.0.10
>>>>>>
>>>>>> strongswan is 5.1.2.
>>>>>>
>>>>>> From this link: http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/, after a vpn tunnel is created,
>>>>>> I ran "ping 10.2.0.10" on client 10.1.0.10. But I can not get any reply from 10.2.0.10.
>>>>>>
>>>>>> I can find the icmp packets into moon. But moon will not forward these icmp packets.
>>>>>>
>>>>>> I exactly followed this link http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/, but I can not get
>>>>>> the same test result with this link.
>>>>>>
>>>>>> Does anyone have a similar experience?
>>>>>>
>>>>>> Any reply is appreciated.
>>>>>>
>>>>>> Thanks a lot.
>>>>>> Zhu Yanjun
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Users mailing list
>>>>>> Users at lists.strongswan.org
>>>>>> https://lists.strongswan.org/mailman/listinfo/users
>
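The two things the message at the top of this thread checks by eye in its iptables-save dump (the IPsec NAT exemption ahead of MASQUERADE, and FORWARD accepting IPsec traffic) can be checked mechanically. This is an added example, not part of the original post or of strongSwan; the function names are hypothetical, the sample is constructed from the dump posted above, and the checks are coarse (they ignore address and interface matches).

```shell
#!/bin/sh
# Constructed sample: the relevant lines of the dump posted for host sun.
sample_dump() {
cat <<'EOF'
*nat
:POSTROUTING ACCEPT [1:84]
-A POSTROUTING -s 10.0.0.0/8 -o eth1 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.0.0.0/8 -o eth1 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -s 10.1.0.0/16 -d 10.2.0.0/16 -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 10.2.0.0/16 -d 10.1.0.0/16 -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
COMMIT
EOF
}

# Reads an iptables-save dump on stdin and prints:
#   ok      an IPsec policy ACCEPT precedes the first MASQUERADE/SNAT rule
#   no-nat  POSTROUTING has no MASQUERADE/SNAT rule, nothing to exempt
#   unsafe  a MASQUERADE/SNAT rule is reached before any IPsec exemption
nat_exempt_status() {
    awk '
        /^\*/ { table = $1 }
        table == "*nat" && /^-A POSTROUTING / {
            if (/--pol ipsec/ && /-j ACCEPT/) exempt = 1
            else if (/-j (MASQUERADE|SNAT)/) { nat = 1; if (!exempt) bad = 1 }
        }
        END { print (bad ? "unsafe" : (nat ? "ok" : "no-nat")) }'
}

# Reads a dump on stdin and prints:
#   open      FORWARD default policy is ACCEPT
#   ipsec-ok  default is not ACCEPT, but IPsec ACCEPT rules exist for in and out
#   blocked   default is not ACCEPT and a direction has no IPsec ACCEPT rule
forward_status() {
    awk '
        /^\*/ { table = $1 }
        table == "*filter" && /^:FORWARD / { policy = $2 }
        table == "*filter" && /^-A FORWARD / && /--pol ipsec/ && /-j ACCEPT/ {
            if (/--dir in/) in_ok = 1
            if (/--dir out/) out_ok = 1
        }
        END { if (policy == "ACCEPT") print "open"
              else print ((in_ok && out_ok) ? "ipsec-ok" : "blocked") }'
}

# On a live gateway: iptables-save | nat_exempt_status
sample_dump | nat_exempt_status; sample_dump | forward_status
```

Both checks pass for the posted rules on sun, so they only rule out these two conditions on that host; the same checks would need to be run against the dump from moon.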