[strongSwan] EAP-Radius setup not getting routes or passing traffic
C Babcock
qoyagoogs at gmail.com
Mon Dec 5 18:30:14 CET 2016
Hi Noel,
Thanks for the kind response. Something happened when I copy/pasted.
This:
> leftsubnet=172.21.0.0/23
> leftsourceip=172.21.0.
Actually looks like this:
> leftsubnet=172.21.0.0/23
> leftsourceip=172.21.0.2
I don't know why the 2 got cut off.
I added this when I could get TS to accept.
> conn AWS-EAST-NAT1-IKE2-TUN
> leftsubnet=%any
I will make the other changes you suggested. Thanks.
CB
On Mon, Dec 5, 2016 at 5:46 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> Hello Chris,
>
> On 05.12.2016 05:23, C Babcock wrote:
> > however I can't pass traffic to the server from the client and vice versa.
> That is because nearly every single setting in your configuration related
> to the TS is invalid.
>
> > leftsubnet=172.21.0.0/23
> > leftsourceip=172.21.0.
>
> First of all, you're assigning virtual IPs to the wrong side.
>
> Then the value of leftsourceip is invalid. It must be the subnet that you
> want to assign virtual IPs from.
> Do not set leftsubnet, if you already set leftsourceip. Vice versa for
> rightsubnet and rightsourceip.
>
> > rightsubnet=%any
> That's invalid, too.
>
> > ip xfrm policy
> > src 0.0.0.0/32 dst 172.21.0.0/23
> > dir fwd priority 2855 ptype main
> > tmpl src 24.11.199.101 dst 172.30.5.161
> > proto esp reqid 2 mode tunnel
> > src 0.0.0.0/32 dst 172.21.0.0/23
> > dir in priority 2855 ptype main
> > tmpl src 24.11.199.101 dst 172.30.5.161
> > proto esp reqid 2 mode tunnel
> > src 172.21.0.0/23 dst 0.0.0.0/32
> > dir out priority 2855 ptype main
> > tmpl src 172.30.5.161 dst 24.11.199.101
> > proto esp reqid 2 mode tunnel
>
> Those nonsensical policies are the result of your invalid configuration.
>
> >
> > ip route show table 220
> > 0.0.0.0 via 172.30.5.1 dev eth0 proto static src 172.21.0.2
>
> Result of the nonsensical policies.
>
> > conn AWS-EAST-NAT1-IKE2-TUN
> > leftsubnet=%any
>
> Invalid setting. Don't set it when using leftsourceip (Unless you know
> what you're doing, which you obviously don't).
>
>
>
> --
>
> Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
>
>
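As an added illustration of the corrections Noel describes, here is the responder-side ipsec.conf fragment from the thread next to a version that follows his advice. This is example configuration, not either poster's own: the virtual IP pool moves to rightsourceip, rightsubnet is dropped so each client's traffic selector becomes its assigned virtual IP, and leftsubnet names the real network behind the server. The conn name, the pool 172.21.0.0/23 and the EAP-RADIUS use come from the thread; the leftsubnet value 172.30.5.0/24, leftid, leftcert and the remaining authentication keys are assumptions.

```conf
# Added example, not configuration from either poster in the thread.
# Responder (server) side; clients dial in with EAP and receive a virtual IP.

# --- As posted: a virtual IP is requested for the server itself, and both
# --- leftsubnet and rightsubnet=%any are set alongside leftsourceip.
# --- This is what produces the 0.0.0.0/32 <-> 172.21.0.0/23 xfrm policies
# --- and the stray default route in table 220 quoted above.
conn AWS-EAST-NAT1-IKE2-TUN-as-posted
    keyexchange=ikev2
    leftsubnet=172.21.0.0/23
    leftsourceip=172.21.0.2
    rightsubnet=%any
    auto=add

# --- Corrected: the server hands out virtual IPs, so the pool belongs on
# --- rightsourceip. rightsubnet is omitted: each client's traffic selector
# --- becomes the single /32 virtual IP it is assigned. leftsubnet is the
# --- network the clients should reach through the tunnel (172.30.5.0/24 is
# --- an assumed value, chosen only because the server sits at 172.30.5.161).
conn AWS-EAST-NAT1-IKE2-TUN
    keyexchange=ikev2
    leftid=@vpn.example.com          # assumed server identity
    leftcert=serverCert.pem          # assumed certificate file name
    leftauth=pubkey
    leftsubnet=172.30.5.0/24
    rightauth=eap-radius
    rightsourceip=172.21.0.0/23
    eap_identity=%identity
    auto=add
```

After reloading the configuration, `ip xfrm policy` should show, for each connected client, policies between 172.30.5.0/24 and that client's /32 virtual IP instead of 0.0.0.0/32, and the `0.0.0.0 via 172.30.5.1 ... src 172.21.0.2` route disappears from table 220 because the server itself no longer holds a virtual IP.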