[strongSwan] net-net sample can not work on ubuntu14.04
Bernhard Marx
bernhard.marx at gmail.com
Mon May 4 18:38:52 CEST 2015
Hi
I added now the following rules:
iptables -t nat -A POSTROUTING -s 192.168.120.0/24 -o eth0 -m policy --dir
out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.120.0/24 -o eth0 -j MASQUERADE
But no success
2015-05-04 12:39 GMT+02:00 Noel Kuntze <noel at familie-kuntze.de>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hello Zhuyj,
>
> Please check that you enabled forwarding for the network devices
> that are involved in the forwarding of the packages.
> Also, please check the counters in the output of ipsec statusall to see,
> if the packets get decrypted. The counters should increment, when you send
> packets to the remote subnet.
>
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
>
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> Am 04.05.2015 um 12:34 schrieb zhuyj:
> > Hi, Noel
> >
> > Thanks for your reply.
> > I read carefully this link:
> https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
> >
> > In this link, I think, the most important is: ip_forward and iptables.
> > Now I show you the configurations on the sun:
> >
> > root at strongswan2:~# cat /proc/sys/net/ipv4/ip_forward
> > 1
> > root at strongswan2:~# iptables-save
> > # Generated by iptables-save v1.4.21 on Mon May 4 18:29:28 2015
> > *nat
> > :PREROUTING ACCEPT [93:14126]
> > :INPUT ACCEPT [36:4578]
> > :OUTPUT ACCEPT [0:0]
> > :POSTROUTING ACCEPT [1:84]
> > -A POSTROUTING -s 10.0.0.0/8 -o eth1 -m policy --dir out --pol ipsec -j
> ACCEPT
> > -A POSTROUTING -s 10.0.0.0/8 -o eth1 -j MASQUERADE
> > COMMIT
> > # Completed on Mon May 4 18:29:28 2015
> > # Generated by iptables-save v1.4.21 on Mon May 4 18:29:28 2015
> > *filter
> > :INPUT ACCEPT [2033:256543]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [182:23858]
> > -A FORWARD -s 10.1.0.0/16 -d 10.2.0.0/16 -i eth1 -m policy --dir in
> --pol ipsec --reqid 1 --proto esp -j ACCEPT
> > -A FORWARD -s 10.2.0.0/16 -d 10.1.0.0/16 -o eth1 -m policy --dir out
> --pol ipsec --reqid 1 --proto esp -j ACCEPT
> > COMMIT
> > # Completed on Mon May 4 18:29:28 2015
> >
> > I think, ip forward feature is enabled in sun. And the iptables rules
> are inserted.
> > But the result is the same.
> >
> > Any reply is appreciated.
> >
> > Thanks a lot.
> > Zhu Yanjun
> >
> > On 05/04/2015 06:01 PM, Noel Kuntze wrote:
> > Hello,
> >
> > Did you follow the guide for forwarding[1]?
> >
> > [1]
> https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
> >
> > Mit freundlichen Grüßen/Regards,
> > Noel Kuntze
> >
> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >
> > Am 04.05.2015 um 11:25 schrieb zhuyj:
> >>>> Hi,
> >>>>
> >>>> Are you using psk or certificate to auth?
> >>>>
> >>>> Best Regards!
> >>>> Zhu Yanjun
> >>>> On 05/04/2015 05:18 PM, zhuyj wrote:
> >>>>> Hi, Bernhard
> >>>>>
> >>>>> Your problem is the same with mine.
> >>>>>
> >>>>> Best Regards!
> >>>>> Zhu Yanjun
> >>>>>
> >>>>> On 05/04/2015 05:00 PM, Bernhard Marx wrote:
> >>>>>> Hi Zhu,
> >>>>>>
> >>>>>> no problem. I wish I would have :-)
> >>>>>> But moon and sun is connected via public networks?
> >>>>>> This is my scenario:
> >>>>>>
> >>>>>> 192.168.2.0/24 <http://192.168.2.0/24> <=> 192.168.2.1 hardware
> router xx.xx.xx.xx (public IP from provider) <=> Internet <=> public IP on
> eth0 192.168.120.125 <=> 192.168.120.0/24 <http://192.168.120.0/24> on
> eth1
> >>>>>>
> >>>>>> I can ping from 192.168.120.125 to 192.168.2.1 and vice versa - but
> I can not reach any devices in the subnet...
> >>>>>>
> >>>>>> Regards
> >>>>>> Bernhard
> >>>>>>
> >>>>>>
> >>>>>> 2015-05-04 10:51 GMT+02:00 zhuyj <mounter625 at 163.com <mailto:
> mounter625 at 163.com>>:
> >>>>>>
> >>>>>> Sorry. I thought your solve this problem already.
> >>>>>> Do you think that it is related with psk or pubkey? I mean
> that strongswan can support auth-based certificate very well.
> >>>>>> Maybe there is something wrong with psk auth?
> >>>>>>
> >>>>>> Zhu Yanjun
> >>>>>>
> >>>>>>
> >>>>>> On 05/04/2015 04:45 PM, zhuyj wrote:
> >>>>>>> Hi, Marx
> >>>>>>>
> >>>>>>> Please let me know how to solve this problem.
> >>>>>>>
> >>>>>>> Thanks a lot.
> >>>>>>> Zhu Yanjun
> >>>>>>>
> >>>>>>> On 05/04/2015 04:22 PM, Bernhard Marx wrote:
> >>>>>>>> Dear Zhu,
> >>>>>>>>
> >>>>>>>> I think I have the issue... as send a request to mail list
> yesterday...
> >>>>>>>>
> >>>>>>>> Feedback I received is to check the routing of packets...
> but I cant identify the issue...
> >>>>>>>>
> >>>>>>>> Regards
> >>>>>>>> Bernhard
> >>>>>>>>
> >>>>>>>> 2015-05-04 10:17 GMT+02:00 zhuyj <mounter625 at 163.com
> <mailto:mounter625 at 163.com>>:
> >>>>>>>>
> >>>>>>>> Hi, all
> >>>>>>>>
> >>>>>>>> I followed this link:
> http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/
> >>>>>>>>
> >>>>>>>> I configured 4 vmare hosts. The hosts are ubuntu14.04.
> >>>>>>>>
> >>>>>>>> The network topology is as below.
> >>>>>>>>
> >>>>>>>> 10.1.0.10 <---->10.1.0.1 (moon)
> 192.168.0.1<----->192.168.0.2 (sun) 10.2.0.1<---->10.2.0.10
> >>>>>>>>
> >>>>>>>> strongswan is 5.1.2.
> >>>>>>>>
> >>>>>>>> >From this link:
> http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/, after a vpn
> tunnel is created,
> >>>>>>>> I ran "ping 10.2.0.10" on clinet 10.1.0.10. But I can
> not get any reply from 10.2.0.10.
> >>>>>>>>
> >>>>>>>> I can find the icmp packets into moon. But moon will not
> forward these icmp packets.
> >>>>>>>>
> >>>>>>>> I exactly followed this link
> http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/, but I can
> not get
> >>>>>>>> the same test result with this link.
> >>>>>>>>
> >>>>>>>> Does any one have the similar experience?
> >>>>>>>>
> >>>>>>>> Any reply is appreciated.
> >>>>>>>>
> >>>>>>>> Thanks a lot.
> >>>>>>>> Zhu Yanjun
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> _______________________________________________
> >>>>>>>> Users mailing list
> >>>>>>>> Users at lists.strongswan.org <mailto:
> Users at lists.strongswan.org>
> >>>>>>>> https://lists.strongswan.org/mailman/listinfo/users
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> _______________________________________________
> >>>>>>>> Users mailing list
> >>>>>>>> Users at lists.strongswan.org <mailto:
> Users at lists.strongswan.org>
> >>>>>>>> https://lists.strongswan.org/mailman/listinfo/users
> >>>>>>>
> >>>>>>>
> >>>>>>> _______________________________________________
> >>>>>>> Users mailing list
> >>>>>>> Users at lists.strongswan.org <mailto:Users at lists.strongswan.org
> >
> >>>>>>> https://lists.strongswan.org/mailman/listinfo/users
> >>>>>>
> >>>>>
> >>>>>
> >>>>> _______________________________________________
> >>>>> Users mailing list
> >>>>> Users at lists.strongswan.org
> >>>>> https://lists.strongswan.org/mailman/listinfo/users
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> Users mailing list
> >>>> Users at lists.strongswan.org
> >>>> https://lists.strongswan.org/mailman/listinfo/users
> >>>>
> >>
> >
> >
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQIcBAEBCAAGBQJVR0x7AAoJEDg5KY9j7GZYdoEQAI7bJaY+Iy5volndjpsV4xol
> 3Sv2TPyVa/Fvo4BWYlFWtpLvAsyUkRDCOGycRV2iD3LVd6Y+WC8QeN2KXvcC6nvK
> y0mS3bhxgonrMVDuJ/Qmrk3qmNIx5TkvqAjuxSxeKoKhoL9zigbUhCX4xRoLg+fq
> 83vPQ5tMw03+hWshfKd+f8VPbSy9P3YNQ+9fy4f69bFRKcHDwj/L2k45L7s5gRMG
> shFL/VvIEWlZqzBRHbWGw3t7GUUDtsUjpy7M/1KJ5XelS97i7PBeU+JTQWpW64W5
> HoVolQgqc9BarsG4pUTx+v5Q31YexUawEfNngzcp3WoDvYvhPe+8Dqq0rEsZYZV5
> 4cIBBEyKkCJ8caR5bdV+etvy80pDj/bnfM5RXNSGERB9pwTPF+WvsAHm6LpS1iiF
> ATwqIcEwcsvwR50+twhRmH+yoV2bcNCqsOxrKLqp2H4nab1/q0+R0j1uMoCW6IHv
> 6v5ZAVanPLCgI0a+re61hndrCPVoXiPYMg3abLKZVFXmqcDgoL42Qc7F1XL+0csR
> WsO3CGIe45g7PG9DZ3gjhs0PP2grIVy3LzsHUi6ONuB5Jhy7FTMkClaH36WPVD4+
> zOi7lKPWiNWg+OqXzf7Fkb3FJCz3vjOBG1ieRrSsO05JBmqsReFmWR6F3J44gd17
> F1t5/uhaSEb4435vTos7
> =URb/
> -----END PGP SIGNATURE-----
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150504/a0e80f46/attachment-0001.html>
More information about the Users
mailing list