[strongSwan] Setup site-to-site VPN via central server

Martin Sand dborn at gmx.net
Fri Jul 29 16:20:32 CEST 2016


> Could be any number of things.  You should check the traffic counters in
> `ipsec statusall` on the hub and the clients.  If you have firewall
> rules check the counters in `iptables -v -L`.

The output of iptables -v -L on the Hub is:

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  ens192 any     192.168.2.0/24       192.168.1.0/24       policy match dir in pol ipsec reqid 376 proto esp
    0     0 ACCEPT     all  --  any    ens192  192.168.1.0/24       192.168.2.0/24       policy match dir out pol ipsec reqid 376 proto esp
    0     0 ACCEPT     all  --  ens192 any     192.168.1.0/24       192.168.2.0/24       policy match dir in pol ipsec reqid 375 proto esp
    0     0 ACCEPT     all  --  any    ens192  192.168.2.0/24       192.168.1.0/24       policy match dir out pol ipsec reqid 375 proto esp

As I am running OpenWRT on both gateways, iptables -v -L has a long
output there. What are the relevant pieces of the iptables output here? At least I cannot
see any 192.168 rules. I guess OpenWRT is not accepting the traffic.

Can I somehow simulate the traffic from the Hub? How can I send a ping
into the tunnel, e.g. "ping -I 192.168.1.1 192.168.2.1"? Of course, no
192.168 address is shown in the interface list of the Hub, only the
external IP address.

Best regards
Martin
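As an added example (not part of the original thread, and not strongSwan's own tooling), the following POSIX shell snippet pulls the IPsec policy-match rules out of `iptables -v -L` output, which is the "relevant piece" to look at when the rest of the ruleset (as on OpenWRT) is long, and reports which of those rules still have a zero packet counter. The sample output embedded in `SAMPLE` is constructed from the hub's rules quoted above with one counter set non-zero and one unrelated OpenWRT-style rule added, so that the filter has something to discard; the function names and the column layout it assumes (the default `iptables -v -L` columns, with the policy-match text after the destination column) are assumptions of this example.

```sh
#!/bin/sh
# Constructed sample of `iptables -v -L FORWARD` output (assumption: the
# standard column layout; lines here are unwrapped, unlike a mail paste).
SAMPLE='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  ens192 any     192.168.2.0/24       192.168.1.0/24       policy match dir in pol ipsec reqid 376 proto esp
   12  1008 ACCEPT     all  --  any    ens192  192.168.1.0/24       192.168.2.0/24       policy match dir out pol ipsec reqid 376 proto esp
    0     0 ACCEPT     all  --  ens192 any     192.168.1.0/24       192.168.2.0/24       policy match dir in pol ipsec reqid 375 proto esp
    0     0 ACCEPT     all  --  any    ens192  192.168.2.0/24       192.168.1.0/24       policy match dir out pol ipsec reqid 375 proto esp
    5   420 ACCEPT     all  --  br-lan eth0    anywhere             anywhere'

# ipsec_rules: read iptables -v -L output on stdin and print only the rules
# carrying an IPsec policy match, one per line as:
#   <reqid> <dir> <pkts> <source> <destination>
# Fields: $1 pkts, $8 source, $9 destination; "dir" and "reqid" are located
# by keyword so the column position of the match text does not matter.
ipsec_rules() {
    awk '/policy match/ {
        reqid = ""; dir = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "reqid") reqid = $(i + 1)
            if ($i == "dir")   dir   = $(i + 1)
        }
        printf "%s %s %s %s %s\n", reqid, dir, $1, $8, $9
    }'
}

# idle_ipsec_rules: the subset of policy-match rules that have never
# matched a packet (pkts column still 0). A zero "dir in" counter means
# nothing arrived through that SA; a zero "dir out" counter means nothing
# was forwarded into it.
idle_ipsec_rules() {
    ipsec_rules | awk '$3 == 0'
}

# count_idle: number of idle policy-match rules, for scripting/checks.
count_idle() {
    idle_ipsec_rules | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE" | ipsec_rules
printf '%s\n' "$SAMPLE" | idle_ipsec_rules
```

On a live gateway the functions read the real counters with `iptables -v -n -L FORWARD | ipsec_rules` (`-n` avoids reverse-DNS lookups that slow the listing and can rename the 192.168 networks). Counters are cumulative, so run `iptables -Z FORWARD` first, generate test traffic from a host inside one of the subnets, and list again; the `dir in` rule for the SA the traffic arrived on and the `dir out` rule for the SA it left on should both move. A ping sourced on the hub itself only enters the tunnel if `-I` is given a source address that is both configured locally and inside the outbound policy's source selector, since `ping` binds to that address before sending.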

