[strongSwan] Net-to-Net wrong source IP of VPN server.

Lukas Hejmal lukas at hejmal.eu
Wed May 4 11:43:34 CEST 2016


Hello Tobias,

Indeed there is. When I added the rule:
iptables -t nat -I POSTROUTING -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT

right before MASQUERADE, to prevent masquerading of the flow that is supposed 
to go via the VPN, it all suddenly started working.

Thank you very much for pointing me in the right direction.

On 5/2/2016 14:19, Tobias Brunner wrote:
> Hi Lukas,
>
>> But when I do ping to host that is obviously running and has firewall
>> with any/any allow:
>> # ping 192.168.1.54
>> PING 192.168.1.54 (192.168.1.54): 56 data bytes
>> ^C
>> --- 192.168.1.54 ping statistics ---
>> 7 packets transmitted, 0 packets received, 100% packet loss
>> #
>>
>> when I run tcpdump on same system I can see:
>>
>> # tcpdump -i any -n icmp
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535
>> bytes
>> 12:47:09.671920 IP 1.2.3.4 > 192.168.1.54: ICMP echo request, id 8565,
>> seq 0, length 64
> Any NAT configured on this host (e.g. from 192.168.1.0/24 to 1.2.3.4)?
> If so, have a look at [1].
>
> Regards,
> Tobias
>
> [1]
> https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
>
>
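The fix above works because the ACCEPT rule is reached first and ends nat table processing for that flow, so MASQUERADE never rewrites 192.168.2.0/24 traffic bound for 192.168.1.0/24; the rewritten source (1.2.3.4 in the tcpdump) is what stopped the packets from matching the tunnel's traffic selectors and sent them out in the clear. The script below is an added example, not part of this thread or of strongSwan: a small POSIX shell check that reads `iptables -t nat -S POSTROUTING` style output and confirms that the exception precedes the first MASQUERADE rule. The two rule listings are constructed samples, and the `eth0` interface in them is an assumption.

```shell
#!/bin/sh
# Constructed sample of `iptables -t nat -S POSTROUTING` output on a gateway
# where the VPN exception was inserted before MASQUERADE (eth0 is assumed).
SAMPLE_GOOD='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'

# Constructed sample of the broken ordering: MASQUERADE is hit first, so the
# exception never matches and tunnel traffic leaves with the public source IP.
SAMPLE_BAD='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT'

# vpn_exception_before_masquerade LOCAL_NET REMOTE_NET RULES
# Returns 0 when an ACCEPT rule for LOCAL_NET -> REMOTE_NET appears before the
# first MASQUERADE rule in RULES, 1 otherwise. On a live gateway pass
# "$(iptables -t nat -S POSTROUTING)" as RULES.
vpn_exception_before_masquerade() {
    printf '%s\n' "$3" | awk -v src="$1" -v dst="$2" '
        # remember once we have passed the first MASQUERADE rule
        /-j MASQUERADE/ && !seen_masq { seen_masq = 1 }
        # the exception only helps if it comes before MASQUERADE
        /-j ACCEPT/ && index($0, "-s " src) && index($0, "-d " dst) && !seen_masq { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# Stand-alone demonstration against the two constructed samples.
for sample in "$SAMPLE_GOOD" "$SAMPLE_BAD"; do
    if vpn_exception_before_masquerade 192.168.2.0/24 192.168.1.0/24 "$sample"; then
        echo "ok: VPN traffic is exempt from MASQUERADE"
    else
        echo "problem: MASQUERADE precedes the VPN exception"
    fi
done
```

The check is deliberately ordering-based rather than just grepping for the rule, because the rule being present but below MASQUERADE is exactly the state that still produces the symptom in the thread.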