[strongSwan] Cannot ping machines on remote local network
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Tue Sep 5 11:28:59 CEST 2017
Hi,
> ifconfig
Please don't use the net-tools. Use iproute2. The net-tools are woefully inadequate for this day and age. They
are deprecated since the early 2000s.
Please provide the output of `ip address`, `ip route show table all`, `ip rule` and `sysctl -A | grep rp_filter`.
I suspect that at least the rp_filter needs to be set to 2.
>
> Just a dynamic ip, who cares.
>
Enough people that it's RFC'd[1].
Kind regards
Noel
[1] https://tools.ietf.org/html/rfc1918#section-3
On 05.09.2017 11:06, Ric S wrote:
> Current configs now:
>
> strongswan.conf:
>
> charon {
> plugins {
> dhcp {
> force_server_address = yes
> server = 192.168.0.1
> identity_lease = yes
> }
> farp {
> load = yes
> }
> }}
>
> dns1 = 8.8.8.8
> dns1 = 8.8.8.4
>
> ipsec.conf:
>
> config setup
> charondebug="net 2, knl 2, cfg 2"
>
>
> conn ikev2
> keyexchange=ikev2
> ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes2
> esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm
> dpdaction=clear
> dpddelay=60s
> leftfirewall=yes
> lefthostaccess=yes
> leftid=carone.ddns.net
> leftsubnet=192.168.0.0/24
> leftcert=host-vpn.der
> leftsendcert=always
> right=%any
> rightauth=eap-tls
> rightsourceip=%dhcp
> eap_identity=%any
> auto=add
>
>
> On Dienstag, 5. September 2017 04:54:31 CEST you wrote:
>> Hi,
>>
>>> type=passthrough
>
> Removed it, also did not use it previous attempts.
>>
>> You're sabotaging yourself. There is no IPsec processing happening with
>> type=passthrough
>>> threads = 8
>
> Removed.
>>
>> You're doing it again. That can lock up the daemon later. Don't do that.
>> Luckily, the setting is outside the valid configuration block, so it's
>> invalid and ignored.
>>> interfaces_ignore = vlan2, eth0, eth1, eth2, wl0.1, wl1.1
>
> I removed it. Just for the record these are my interfaces:
>
> ifconfig
> br0 Link encap:Ethernet HWaddr A0:XX:XX:XX:XX:16
> inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
> inet6 addr: fe80::a263:91ff:feea:2e16/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:5108 errors:0 dropped:0 overruns:0 frame:0
> TX packets:4497 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:585507 (571.7 KiB) TX bytes:3738948 (3.5 MiB)
>
> br0:0 Link encap:Ethernet HWaddr A0:XX:XX:XX:XX:16
> inet addr:169.254.255.1 Bcast:169.254.255.255 Mask:255.255.0.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>
> eth0 Link encap:Ethernet HWaddr A0:XX:XX:XX:XX:14
> inet6 addr: fe80::a263:91ff:feea:2e14/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:12075 errors:0 dropped:0 overruns:0 frame:0
> TX packets:12590 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:1941972 (1.8 MiB) TX bytes:9910375 (9.4 MiB)
> Interrupt:179 Base address:0x4000
>
> eth1 Link encap:Ethernet HWaddr A0:XX:XX:XX:XX:16
> inet6 addr: fe80::a263:91ff:feea:2e16/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:7541
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
> Interrupt:163
>
> eth2 Link encap:Ethernet HWaddr A0:XX:XX:XX:XX:17
> inet6 addr: fe80::a263:91ff:feea:2e17/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
> Interrupt:169
>
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MULTICAST MTU:65536 Metric:1
> RX packets:425 errors:0 dropped:0 overruns:0 frame:0
> TX packets:425 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1
> RX bytes:53057 (51.8 KiB) TX bytes:53057 (51.8 KiB)
>
> ppp0 Link encap:Point-to-Point Protocol
> inet addr:87.168.251.19 P-t-P:62.155.242.107 Mask:255.255.255.255
> UP POINTOPOINT RUNNING MULTICAST MTU:1492 Metric:1
> RX packets:1010 errors:0 dropped:0 overruns:0 frame:0
> TX packets:1092 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:3
> RX bytes:470447 (459.4 KiB) TX bytes:160357 (156.5 KiB)
>
> vlan1 Link encap:Ethernet HWaddr A0:XX:XX:XX:XX:14
> inet6 addr: fe80::a263:91ff:feea:2e14/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:9247 errors:0 dropped:0 overruns:0 frame:0
> TX packets:9767 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:759337 (741.5 KiB) TX bytes:9462367 (9.0 MiB)
>
> vlan2 Link encap:Ethernet HWaddr A0:XX:XX:XX:XX:15
> inet6 addr: fe80::a263:91ff:feea:2e15/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:2828 errors:0 dropped:3 overruns:0 frame:0
> TX packets:2815 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:916985 (895.4 KiB) TX bytes:397032 (387.7 KiB)
>
> vlan2:0 Link encap:Ethernet HWaddr A0:XX:XX:XX:XX:15
> inet addr:192.168.5.254 Bcast:192.168.5.255 Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>
> wl0.1 Link encap:Ethernet HWaddr A2:XX:XX:XX:XX:17
> inet addr:192.168.10.1 Bcast:192.168.10.255 Mask:255.255.255.0
> inet6 addr: fe80::a063:91ff:feea:2e17/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:3615 errors:0 dropped:5 overruns:0 frame:7541
> TX packets:3989 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:538878 (526.2 KiB) TX bytes:998737 (975.3 KiB)
>
> wl1.1 Link encap:Ethernet HWaddr A2:XX:XX:XX:XX:18
> inet addr:192.168.9.1 Bcast:192.168.9.255 Mask:255.255.255.0
> inet6 addr: fe80::a063:91ff:feea:2e18/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
>
>>
>> Unnecessary.
>>
>>> left=%defaultroute
>
> Removed.
>
>>
>> Unnecessary.
>>
>>> kernel-pfkey
>>
>> Plugin for the legacy IPsec API. Don't use it.
>>
>>> ping R6400
>>> PING R6400 (192.168.0.121) 56(84) bytes of data.
>> >From 62.155.242.107 (62.155.242.107) icmp_seq=1 Destination Host
>>> Unreachable
>> >From 62.155.242.107 (62.155.242.107) icmp_seq=2 Destination Host
>>> Unreachable
>
> Just a dynamic ip, who cares.
>
>>
>> Your next hop is sending that error. You're leaking private address into the
>> WAN. That is forbidden. Don't do that.
>>> Routers iptable output:
>>>
>>> iptables -vnL
>>
>> The output is unusable. Provide the output of `iptables-save`.
>
> I disabled a few features, e.g. QOS in order to reduce the output
>
> # Generated by iptables-save v1.3.7 on Tue Sep 5 10:42:27 2017
> *raw
> :PREROUTING ACCEPT [12217:1705679]
> :OUTPUT ACCEPT [9354:9118762]
> COMMIT
> # Completed on Tue Sep 5 10:42:27 2017
> # Generated by iptables-save v1.3.7 on Tue Sep 5 10:42:27 2017
> *nat
> :PREROUTING ACCEPT [285:28593]
> :INPUT ACCEPT [604:43260]
> :OUTPUT ACCEPT [47:3676]
> :POSTROUTING ACCEPT [47:3676]
> -A PREROUTING -d 87.168.251.19 -p icmp -j DNAT --to-destination 192.168.0.1
> -A PREROUTING -d 87.168.251.19 -j TRIGGER --trigger-proto --trigger-match 0-0 --trigger-relate 0-0
> -A POSTROUTING -o vlan2 -j MASQUERADE
> -A POSTROUTING -s 192.168.0.0/255.255.255.0 -o ppp0 -j SNAT --to-source 87.168.251.19
> -A POSTROUTING -m mark --mark0x80000000/0x80000000 -j MASQUERADE
> -A POSTROUTING -s 192.168.10.0/255.255.255.0 -o ppp0 -j SNAT --to-source 87.168.251.19
> -A POSTROUTING -s 192.168.9.0/255.255.255.0 -o ppp0 -j SNAT --to-source 87.168.251.19
> COMMIT
> # Completed on Tue Sep 5 10:42:27 2017
> # Generated by iptables-save v1.3.7 on Tue Sep 5 10:42:27 2017
> *mangle
> :PREROUTING ACCEPT [3009:537902]
> :INPUT ACCEPT [8937:741571]
> :FORWARD ACCEPT [2521:798226]
> :OUTPUT ACCEPT [2190:2277003]
> :POSTROUTING ACCEPT [11882:9919352]
> -A PREROUTING -d 87.168.251.19 -i ! ppp0 -j MARK --set-xmark 0x80000000/0x80000000
> -A PREROUTING -j CONNMARK --save-mark
> -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> COMMIT
> # Completed on Tue Sep 5 10:42:27 2017
> # Generated by iptables-save v1.3.7 on Tue Sep 5 10:42:27 2017
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [111:17285]
> :advgrp_1 - [0:0]
> :advgrp_10 - [0:0]
> :advgrp_2 - [0:0]
> :advgrp_3 - [0:0]
> :advgrp_4 - [0:0]
> :advgrp_5 - [0:0]
> :advgrp_6 - [0:0]
> :advgrp_7 - [0:0]
> :advgrp_8 - [0:0]
> :advgrp_9 - [0:0]
> :grp_1 - [0:0]
> :grp_10 - [0:0]
> :grp_2 - [0:0]
> :grp_3 - [0:0]
> :grp_4 - [0:0]
> :grp_5 - [0:0]
> :grp_6 - [0:0]
> :grp_7 - [0:0]
> :grp_8 - [0:0]
> :grp_9 - [0:0]
> :lan2wan - [0:0]
> :logaccept - [0:0]
> :logdrop - [0:0]
> :logreject - [0:0]
> :trigger_out - [0:0]
> -A INPUT -s 192.168.0.121 -d 192.168.0.0/255.255.255.0 -i ppp0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
> -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> -A INPUT -s 66.220.2.74 -p icmp -j ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j logaccept
> -A INPUT -i ppp0 -p udp -m udp --dport 520 -j logdrop
> -A INPUT -i br0 -p udp -m udp --dport 520 -j logdrop
> -A INPUT -p udp -m udp --dport 520 -j logaccept
> -A INPUT -i br0 -j logaccept
> -A INPUT -i ppp0 -p icmp -j logdrop
> -A INPUT -p igmp -j logdrop
> -A INPUT -i lo -m state --state NEW -j ACCEPT
> -A INPUT -i br0 -m state --state NEW -j logaccept
> -A INPUT -i wl0.1 -p udp -m udp --dport 67 -j logaccept
> -A INPUT -i wl0.1 -p udp -m udp --dport 53 -j logaccept
> -A INPUT -i wl0.1 -p tcp -m tcp --dport 53 -j logaccept
> -A INPUT -i wl0.1 -m state --state NEW -j logdrop
> -A INPUT -i wl0.1 -j logaccept
> -A INPUT -i wl1.1 -p udp -m udp --dport 67 -j logaccept
> -A INPUT -i wl1.1 -p udp -m udp --dport 53 -j logaccept
> -A INPUT -i wl1.1 -p tcp -m tcp --dport 53 -j logaccept
> -A INPUT -i wl1.1 -m state --state NEW -j logdrop
> -A INPUT -i wl1.1 -j logaccept
> -A INPUT -j logdrop
> -A FORWARD -s 192.168.0.121 -d 192.168.0.0/255.255.255.0 -i ppp0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> -A FORWARD -s 192.168.0.0/255.255.255.0 -d 192.168.0.121 -o ppp0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> -A FORWARD -s 192.168.0.10 -d 194.25.134.46 -j ACCEPT
> -A FORWARD -s 192.168.0.10 -d 194.25.134.110 -j ACCEPT
> -A FORWARD -s 192.168.0.10 -j LOG
> -A FORWARD -s 192.168.0.10 -j DROP
> -A FORWARD -m state --state RELATED,ESTABLISHED -j logaccept
> -A FORWARD -d 192.168.0.0/255.255.255.0 -i wl1.1 -m state --state NEW -j logdrop
> -A FORWARD -d 192.168.0.0/255.255.255.0 -i wl0.1 -m state --state NEW -j logdrop
> -A FORWARD -s 192.168.0.0/255.255.255.0 -o ppp0 -p gre -j logaccept
> -A FORWARD -s 192.168.0.0/255.255.255.0 -o ppp0 -p tcp -m tcp --dport 1723 -j logaccept
> -A FORWARD -i wl0.1 -j logaccept
> -A FORWARD -i wl1.1 -j logaccept
> -A FORWARD -j lan2wan
> -A FORWARD -i br0 -o br0 -j logaccept
> -A FORWARD -i br0 -o ppp0 -j logaccept
> -A FORWARD -i ppp0 -o br0 -j TRIGGER --trigger-proto --trigger-match 0-0 --trigger-relate 0-0
> -A FORWARD -i br0 -j trigger_out
> -A FORWARD -i br0 -o wl0.1 -m state --state NEW -j logdrop
> -A FORWARD -i br0 -o wl1.1 -m state --state NEW -j logdrop
> -A FORWARD -i br0 -m state --state NEW -j logaccept
> -A FORWARD -j logdrop
> -A OUTPUT -s 192.168.0.0/255.255.255.0 -d 192.168.0.121 -o ppp0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> -A OUTPUT -o br0 -j logaccept
> -A logaccept -j ACCEPT
> -A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
> -A logdrop -m state --state INVALID -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
> -A logdrop -j DROP
> -A logreject -j LOG --log-prefix "WEBDROP " --log-tcp-sequence --log-tcp-options --log-ip-options
> -A logreject -p tcp -j REJECT --reject-with tcp-reset
> COMMIT
> # Completed on Tue Sep 5 10:42:27 2017
>
>>
>>> I have tried so many thinsg, but still cannot ping from either side or
>>> access
>>> any local machines.
>>> Does anyone have a clue? Can I provide additional info?
>>
>> You're having no success because you're trying ramdom shit from the
>> Internet. About 99,999% of the strongSwan related information on third
>> party sites is wither well ng or of questinable quality. Don't get your
>> information from any place but the project's website.
>
> Well that's what I did in the first place and it also lacks info, e.g. it did not list all of the required kernel modules, took my a bit to
> find out which modules it needs as it did not complain at startup, but requested features at runtime which were not there, e.g. a STD RNG.
>
>
> Thanks for any hints, hope the above info helps.
>
> Cheers Richard
>>
>> Kind regards
>>
>> Noel
>>
>> Am 5. September 2017 00:53:20 MESZ schrieb Ric S <burj-al-arab at gmx.de>:
>>> Hi folks,
>>>
>>> I have been ripping my hair out with this issue.
>>>
>>> I'm running strongswan 5.5.3 on a router. The routers lan subnet is
>>> 192.168.0.1/24.
>>> I can successfully connect to it with an Ipad with ikev2 and surf the
>>> internet, but I cannot reach any internal machines.
>>>
>>> My config is the following:
>>>
>>> ipsec.conf:
>>>
>>> config setup
>>>
>>> charondebug="net 2, knl 2, cfg 2"
>>>
>>> conn ikev2
>>>
>>> keyexchange=ikev2
>>>
>>> ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-
>>> sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes1
>>> esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128
>>> - sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128
>>>
>>> dpdaction=clear
>>> dpddelay=60s
>>> left=%defaultroute
>>> leftfirewall=yes
>>> lefthostaccess=yes
>>> leftid=myname.ddns.net
>>> leftsubnet=192.168.0.0/24
>>> leftcert=host-vpn.der
>>> leftsendcert=always
>>> right=%any
>>> rightauth=eap-tls
>>> rightsourceip=%dhcp
>>> eap_identity=%any
>>> type=passthrough
>>> auto=add
>>>
>>> strongswanf.conf:
>>>
>>> charon {
>>> interfaces_ignore = vlan2, eth0, eth1, eth2, wl0.1, wl1.1
>>> plugins {
>>>
>>> dhcp {
>>> force_server_address = yes
>>> server = 192.168.0.1
>>> identity_lease = yes
>>> }
>>> farp {
>>> load = yes
>>> }
>>>
>>> }}
>>>
>>> threads = 8
>>> dns1 = 8.8.8.8
>>> dns1 = 8.8.8.4
>>>
>>>
>>>
>>> Status:
>>>
>>> Status of IKE charon daemon (strongSwan 5.5.3, Linux 4.4.80, armv7l):
>>> uptime: 14 minutes, since Sep 05 00:09:53 2017
>>> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
>>>
>>> scheduled: 8
>>> loaded plugins: charon test-vectors aes des blowfish rc2 sha2 sha1 md5
>>> random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8
>>> pkcs12 pgp
>>> dnskey sshkey pem openssl fips-prf gmp curve25519 agent xcbc cmac hmac
>>> sqlite
>>> attr kernel-pfkey kernel-netlink resolve socket-default farp stroke
>>> vici
>>> updown eap-identity eap-aka eap-md5 eap-mschapv2 eap-radius eap-tls
>>> xauth-
>>> generic xauth-eap dhcp whitelist led duplicheck
>>>
>>> Listening IP addresses:
>>> 169.254.255.1
>>> 192.168.0.1
>>> 87.168.243.83
>>>
>>> Connections:
>>> ikev2: %any...%any IKEv2, dpddelay=60s
>>>
>>> ikev2: local: [myname.ddns.net] uses public key authentication
>>>
>>> ikev2: cert: "C=DE, O=MYORG, CN=myname.ddns.net"
>>>
>>> ikev2: remote: uses EAP_TLS authentication with EAP identity '%any'
>>>
>>> ikev2: child: 192.168.0.0/24 === dynamic PASS, dpdaction=clear
>>>
>>> Security Associations (1 up, 0 connecting):
>>> ikev2[6]: ESTABLISHED 11 seconds ago, 87.168.243.83[myname.ddns.net]...
>>> 109.43.1.19[R6400]
>>>
>>> ikev2[6]: IKEv2 SPIs: 243db36d71718704_i 688c466c497d2b9a_r*, public
>>>
>>> key reauthentication in 2 hours
>>>
>>> ikev2[6]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/
>>>
>>> MODP_1024
>>>
>>> ikev2{4}: INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c0983fe7_i
>>>
>>> 04eb0f50_o
>>>
>>> ikev2{4}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o,
>>>
>>> rekeying in 48 minutes
>>>
>>> ikev2{4}: 192.168.0.0/24 === 192.168.0.121/32
>>>
>>> swanctl --list-sas
>>> ikev2: #6, ESTABLISHED, IKEv2, 243db36d71718704_i 688c466c497d2b9a_r*
>>>
>>> local 'myname.ddns.net' @ 87.168.243.83[4500]
>>> remote 'R6400' @ 109.43.1.19[39898] [192.168.0.121]
>>> AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>>> established 92s ago, reauth in 9765s
>>> ikev2: #4, reqid 3, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/
>>>
>>> HMAC_SHA2_256_128
>>>
>>> installed 89s ago, rekeying in 2800s, expires in 3511s
>>> in c0983fe7, 0 bytes, 0 packets
>>> out 04eb0f50, 0 bytes, 0 packets
>>> local 192.168.0.0/24
>>> remote 192.168.0.121/32
>>>
>>> ip route list table 220
>>> 192.168.0.121 via 62.155.242.107 dev ppp0 proto static src
>>> 192.168.0.1
>>>
>>> FARP seems to work, this is a ping from one of the local machines:
>>>
>>> ping R6400
>>> PING R6400 (192.168.0.121) 56(84) bytes of data.
>> >From 62.155.242.107 (62.155.242.107) icmp_seq=1 Destination Host
>>> Unreachable
>> >From 62.155.242.107 (62.155.242.107) icmp_seq=2 Destination Host
>>> Unreachable
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170905/fb0150b4/attachment-0001.sig>
More information about the Users
mailing list