[strongSwan] strongswan tunnel up but child subnets not pinging

Yeagley, Josiah jyeagley at harris.com
Tue Feb 16 19:59:23 CET 2016


Christopher, 

I believe I am having a problem very similar to yours, so I have been trying to follow the conversation. In the diagram under the "securing a network" section at https://wiki.strongswan.org/projects/strongswan/wiki/IntroductionTostrongSwan, is your problem that moon can ping sun but Alice and Bob can't ping each other? From what I understand, in order for strongswan to insert the proper firewall rules you have to have "leftfirewall=yes" in ipsec.conf (which, from the ipsec.conf you posted, it looks like you do), but you still have to put the following lines in your firewall.user file:

iptables -t nat -I POSTROUTING -s 10.1.0.0/16 -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -t nat -I PREROUTING -s 10.2.0.0/16 -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -A input_rule -p esp -j ACCEPT
iptables -A input_rule -p udp --dport 500 -j ACCEPT
iptables -A input_rule -p udp --dport 4500 -j ACCEPT

~Josiah S. Yeagley
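An added example, not code from this post or from strongSwan: it renders the rules listed above for one gateway and reports which of them are missing from an iptables-save dump. The subnets, the WAN interface and the OpenWrt-style input_rule chain are assumed parameters, and the dump it checks is constructed.

```shell
# Rules from the post, rendered for one gateway and checked against a saved
# ruleset. Subnets, WAN interface and the OpenWrt "input_rule" chain are assumed.

# ESP-protected traffic must bypass NAT in both directions, or the inner
# addresses get rewritten and no longer match the IPsec policy; IKE
# (UDP 500/4500) and ESP itself must be accepted. "-I" in the post and "-A"
# in a dump are the same rule, so the dump form is used here.
# $1 local subnet, $2 remote subnet, $3 WAN interface
required_rules() {
    cat <<EOF
nat -A POSTROUTING -s $1 -o $3 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
nat -A PREROUTING -s $2 -i $3 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
filter -A input_rule -p esp -j ACCEPT
filter -A input_rule -p udp --dport 500 -j ACCEPT
filter -A input_rule -p udp --dport 4500 -j ACCEPT
EOF
}

# Print each required rule absent from the iptables-save dump in file $4
# ("*table" lines start a table; iptables-save inserts "-m udp" before
# --dport, so that token is stripped before comparing).
missing_rules() {
    required_rules "$1" "$2" "$3" | while IFS= read -r req; do
        table=${req%% *}; rule=${req#* }
        awk -v t="$table" -v r="$rule" '
            /^\*/ { cur = substr($0, 2); next }
            { line = $0; sub(/ -m (udp|tcp)/, "", line) }
            cur == t && line == r { found = 1 }
            END { exit found ? 0 : 1 }' "$4" || printf '%s\n' "$req"
    done
}

# Constructed dump for "moon" (10.1.0.0/16 behind eth0): the inbound NAT
# bypass and the UDP 4500 allow are deliberately missing.
SAMPLE_DUMP=$(mktemp)
cat >"$SAMPLE_DUMP" <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.1.0.0/16 -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A POSTROUTING -s 10.1.0.0/16 -o eth0 -j MASQUERADE
COMMIT
*filter
:input_rule - [0:0]
-A input_rule -p esp -j ACCEPT
-A input_rule -p udp -m udp --dport 500 -j ACCEPT
COMMIT
EOF

missing_rules 10.1.0.0/16 10.2.0.0/16 eth0 "$SAMPLE_DUMP"
```

Run against a real box with `iptables-save > dump.txt` and pass that file as the fourth argument; an empty result means all five rules are in place.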