[strongSwan] no connection from firewall but from host behind

Jens Krehbiel-Gräther jens.krehbiel-graether at jkg-it-services.de
Thu Jul 20 18:54:24 CEST 2017


 

Hi everyone, 

I have a problem and can not find a solution for it. 

Following configuration is set up: 

host a 

ipsec.conf:
config setup
    uniqueids=yes
    cachecrls=yes

conn proxy
    ikelifetime=7800
    keylife=7800
    rekeymargin=30m
    keyingtries=5
    keyexchange=ike
    authby=secret
    left=%defaultroute (<- dynamically changing address)
    leftsubnet=10.10.42.0/24 (<- local network site a)
    leftfirewall=yes
    leftid=jens
    right=x.x.x.x (<- public ip of host b)
    rightsubnet=10.20.21.0/24 (<- local network site b)
    auto=start

ipsec.secrets:
x.x.x.x %defaultroute : PSK "secret"

host b 

ipsec.conf:
config setup
    cachecrls=yes
    uniqueids=yes

conn jkg
    ikelifetime=7800
    keylife=7800
    rekeymargin=30m
    keyingtries=5
    keyexchange=ike
    authby=secret
    left=x.x.x.x
    leftsubnet=10.20.21.0/24
    leftfirewall=yes
    right=%any
    rightid=jens
    rightsubnet=10.10.42.0/24
    auto=add

ipsec.secrets:
jens x.x.x.x : PSK "secret"

My problem is the following: 

When I start strongSwan on host b and host a, nothing happens. "ipsec
statusall" on host a shows "connecting"; on host b nothing is incoming.

When I start the same config of host a on a host on the local network of
site a, which is NATed through host a, the connection works perfectly. Why
can I not start the connection directly on host a (which is not NATed)?

Can anyone tell me what I have to change in the config to get it working
from host a to host b?

Thanks, 

Jens 
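As an added check (not part of the post above), the script below parses both posted conn sections and verifies that each peer's left* settings mirror the other peer's right* settings, treating %any and %defaultroute as wildcards. On the configs as posted it reports no mismatch, which points the search away from the conn definitions and toward whether host a's IKE traffic reaches host b at all.

```python
# The two conn sections posted above, minus the lifetime/rekey keys (irrelevant here) and the "(<- ...)" notes.
HOST_A_CONF = """\
conn proxy
    authby=secret
    left=%defaultroute
    leftsubnet=10.10.42.0/24
    leftid=jens
    right=x.x.x.x
    rightsubnet=10.20.21.0/24
    auto=start
"""
HOST_B_CONF = """\
conn jkg
    authby=secret
    left=x.x.x.x
    leftsubnet=10.20.21.0/24
    right=%any
    rightid=jens
    rightsubnet=10.10.42.0/24
    auto=add
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for the conn sections of an ipsec.conf."""
    conns, current = {}, None
    for line in text.splitlines():
        if line.startswith("conn "):
            current = conns.setdefault(line[5:].strip(), {})
        elif current is not None and line[:1].isspace() and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
        elif line.strip() and not line[:1].isspace():
            current = None  # some other section, e.g. "config setup"
    return conns

def cross_check(conn_a, conn_b):
    """Peer A's left* must equal peer B's right* and vice versa; return the mismatches."""
    problems = []
    for s in ("", "subnet", "id"):
        for mine, theirs in (("left" + s, "right" + s), ("right" + s, "left" + s)):
            va, vb = conn_a.get(mine), conn_b.get(theirs)
            # %any / %defaultroute are wildcards, so only two concrete values are compared.
            if va and vb and not va.startswith("%") and not vb.startswith("%") and va != vb:
                problems.append(f"A {mine}={va} does not match B {theirs}={vb}")
    return problems

def check_posted_configs():
    return cross_check(parse_conns(HOST_A_CONF)["proxy"], parse_conns(HOST_B_CONF)["jkg"])
```

An empty list from check_posted_configs() means the subnets, IDs and peer addresses line up; the same function run against a peer with a mistyped leftsubnet names the offending pair.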