[strongSwan] is it strongswan or local firewall ?

lejeczek peljasz at yahoo.co.uk
Thu Aug 17 17:27:10 CEST 2017



On 17/08/17 16:04, lejeczek wrote:
>
>
> On 16/08/17 15:23, Tobias Brunner wrote:
>> Hi,
>>
>>> What should I be looking at?
>> Start with reading [1], which also links to [2].
>>
>> Regards,
>> Tobias
>>
>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
>>
>> [2] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
>>
> I was reading it - can I ask: does it work without nat?
> I'm not quite sure which scenario is mine.
> I would like to not use, I think I do not need, NAT.
> I have simple:
>
>  client(here with NAT, with 192.168.2.100) <=> 
> server(192.168.2.200, no NAT) 
> (rightsourceip=10.5.10.220,10.5.10.221) and local net 
> 10.5.10.0/24
>
> and I hope that (without NAT on the server/gateway) a 
> client could go via server to 10.5.10.0/24 subnet (& vice 
> versa), which it does now, with a ping.
> My best guess is - firewall on the server since it allows 
> ping but nothing else.
> So I tried:
>
> $ iptables -A FORWARD --match policy --pol ipsec --dir in --proto esp -s 10.5.6.0/24 -j ACCEPT
> $ iptables -A FORWARD --match policy --pol ipsec --dir out --proto esp -s 10.5.6.0/24 -j ACCEPT
>
> but if that's all then I don't know where to stick these 
> in because it does not help.
> Just started whole vpn thing.
> thx, L.
>
>
ok, those rules should go higher up in the FORWARD chain (in my case), works now, thanks!
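An added check for the rule-ordering problem this thread ran into (example code, not from the thread or the strongSwan project). It assumes the gateway forwards 10.5.10.0/24 for the VPN clients, that the FORWARD chain already ends in a DROP/REJECT, and that the chain is read with `iptables -S FORWARD`:

```shell
#!/bin/sh
# Added example (not from the thread or the strongSwan project). Assumes the
# gateway described above: clients get addresses in 10.5.10.0/24, the
# FORWARD chain already ends in a DROP/REJECT, and the chain is inspected
# with `iptables -S FORWARD`.

# Emit the FORWARD rules with -I (insert at the top) instead of -A (append).
# Appending puts them below an existing DROP/REJECT, where they never match;
# that ordering is what the thread found was breaking forwarding.
ipsec_forward_rules() {
    net="$1"
    printf '%s\n' \
      "iptables -I FORWARD 1 -m policy --dir in  --pol ipsec --proto esp -s $net -j ACCEPT" \
      "iptables -I FORWARD 2 -m policy --dir out --pol ipsec --proto esp -d $net -j ACCEPT"
}

# Read an `iptables -S FORWARD` listing on stdin. Exit 0 only if every
# ipsec-policy ACCEPT rule sits above the first DROP/REJECT rule.
check_forward_order() {
    awk '
        /-j (DROP|REJECT)/ && !blk { blk = NR }
        /-m policy/ && /--pol ipsec/ && /-j ACCEPT/ {
            if (blk) { print "ipsec ACCEPT on line " NR " is below DROP/REJECT on line " blk; bad = 1 }
            found = 1
        }
        END {
            if (!found) { print "no ipsec-policy ACCEPT rules in FORWARD"; exit 1 }
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample listings (not captured from the poster's host).
BROKEN='-P FORWARD DROP
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m policy --dir in --pol ipsec --proto esp -s 10.5.10.0/24 -j ACCEPT
-A FORWARD -m policy --dir out --pol ipsec --proto esp -d 10.5.10.0/24 -j ACCEPT'

FIXED='-P FORWARD DROP
-A FORWARD -m policy --dir in --pol ipsec --proto esp -s 10.5.10.0/24 -j ACCEPT
-A FORWARD -m policy --dir out --pol ipsec --proto esp -d 10.5.10.0/24 -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'

# On a misordered chain, print the commands that put the rules at the top.
printf '%s\n' "$BROKEN" | check_forward_order || ipsec_forward_rules 10.5.10.0/24
printf '%s\n' "$FIXED"  | check_forward_order && echo "FORWARD order ok"
```

On a live gateway, feed it with `iptables -S FORWARD | check_forward_order` after sourcing the script.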

