[strongSwan] Help with setup

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Tue Feb 1 22:13:24 CET 2022


Hello Michael,

You can enable tracing of singular packets in the *raw table like this:
iptables -t raw -I PREROUTING -i LAN -d 192.168.127.0/24 -j TRACE
# (-o cannot be used in PREROUTING: the packet has not been routed yet)

Kind regards
Noel

On 01.02.22 at 21:27, Michael Deignan wrote:
> Hello Rajiv, thanks for the suggestions.
> 
> I added your suggested rules at the start of each chain. I also opted to add another rule at the bottom of the chain, so I could see if in fact anything was being rejected.
> 
> -A INPUT -j LOG --log-prefix "IPv4-In-Drop: "
> -A INPUT -j DROP
> 
> Once I added the log statement, I can see packets being dropped in my syslog:
> 
> Feb  1 15:13:23 WorkRouter kernel: IPv4-In-Drop: IN=Internet OUT= MAC=bc:30:5b:e3:9f:28:20:b3:99:cc:c2:24:08:00 SRC=192.168.127.254 DST=192.168.126.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=37930 DF PROTO=ICMP TYPE=8 CODE=0 ID=23320 SEQ=25
> 
> At this point I added similar logging rules to both the OUTPUT and FORWARD chains so I could see any forward or output drops.
> 
> I also added
> 
> -A INPUT -s 192.168.127.0/24 -d 192.168.126.0/24 -j ACCEPT
> 
> to the input chain. I also added similar rules on the home router for logging and the reverse traffic flow.
> 
> Sadly, this had the effect of making the input reject logging messages disappear on the ping, but there were no further logging messages about rejected packets, despite still not being able to ping or ssh, etc. from one subnet to the other.
> 
> I think I am getting closer, but obviously I am still missing something, somewhere to tie it all together.
> 
> 
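Added example, not part of the thread above and not strongSwan code: a small Python parser for the kernel log lines that iptables LOG and TRACE rules produce, so the LOG lines from the filter chains and the TRACE lines from the raw table can be read together for one flow. It assumes the classic iptables xt_TRACE prefix format "TRACE: table:chain:type:rulenum" and the standard netfilter field layout (IN= OUT= MAC= SRC= DST= ...). The first sample line is the LOG line Michael posted; the TRACE lines and the sshd line are constructed for the example, as are the IN/OUT rule-of-thumb in expected_filter_chain and the function names.

```python
"""Parse iptables LOG / TRACE kernel log lines to see where a packet went.

Added example, not from the strongSwan thread. Assumes the iptables
xt_TRACE prefix "TRACE: <table>:<chain>:<type>:<rulenum>" and the usual
netfilter field layout (IN= OUT= MAC= SRC= DST= ... PROTO= ...).
"""
import re
from collections import defaultdict

# Constructed sample. Line 1 is the LOG line quoted in the thread; the TRACE
# lines are made up: an echo request traced through raw/PREROUTING, then
# filter/FORWARD where rule 4 (a LOG rule) fires and the chain policy applies.
# The sshd line shows that non-netfilter lines are ignored.
SAMPLE_SYSLOG = """\
Feb  1 15:13:23 WorkRouter kernel: IPv4-In-Drop: IN=Internet OUT= MAC=bc:30:5b:e3:9f:28:20:b3:99:cc:c2:24:08:00 SRC=192.168.127.254 DST=192.168.126.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=37930 DF PROTO=ICMP TYPE=8 CODE=0 ID=23320 SEQ=25
Feb  1 15:20:05 WorkRouter kernel: TRACE: raw:PREROUTING:policy:2 IN=Internet OUT= MAC=bc:30:5b:e3:9f:28:20:b3:99:cc:c2:24:08:00 SRC=192.168.127.10 DST=192.168.126.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1001 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Feb  1 15:20:05 WorkRouter kernel: TRACE: filter:FORWARD:rule:4 IN=Internet OUT=LAN MAC=bc:30:5b:e3:9f:28:20:b3:99:cc:c2:24:08:00 SRC=192.168.127.10 DST=192.168.126.20 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1001 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Feb  1 15:20:05 WorkRouter kernel: TRACE: filter:FORWARD:policy:5 IN=Internet OUT=LAN MAC=bc:30:5b:e3:9f:28:20:b3:99:cc:c2:24:08:00 SRC=192.168.127.10 DST=192.168.126.20 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1001 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Feb  1 15:20:06 WorkRouter sshd[1234]: Accepted publickey for admin from 192.168.126.5 port 50122 ssh2
"""

TRACE_RE = re.compile(r"TRACE: (\w+):(\w+):(\w+):(\d+)")


def parse_nf_log_line(line):
    """Parse one LOG/TRACE kernel log line into a dict; None if it is not one."""
    idx = line.find("IN=")
    if idx < 0:
        return None
    head, body = line[:idx], line[idx:]
    # Everything between "kernel: " and "IN=" is the LOG --log-prefix (or the TRACE tag).
    prefix = head.split("kernel: ", 1)[1] if "kernel: " in head else head
    rec = {"prefix": prefix.strip(), "flags": []}
    for tok in body.split():
        if "=" not in tok:
            rec["flags"].append(tok)      # DF, MF, CE, SYN, ACK ... carry no value
            continue
        key, val = tok.split("=", 1)
        if key in rec:
            key = "ICMP_" + key           # second ID= is the ICMP echo id, not the IP id
        rec[key] = val
    m = TRACE_RE.fullmatch(rec["prefix"])
    if m:
        table, chain, kind, num = m.groups()
        rec["trace"] = (table, chain, kind, int(num))
    return rec


def flow_key(rec):
    """Identify one packet across several log lines (IP id stays constant)."""
    return (rec.get("SRC"), rec.get("DST"), rec.get("PROTO"), rec.get("ID"))


def expected_filter_chain(rec):
    """Which filter-table chain produced this LOG line, judged from IN/OUT.

    Valid for LOG output from the filter table (after routing):
    IN set, OUT empty -> delivered to this host itself (INPUT)
    IN empty, OUT set -> generated by this host (OUTPUT)
    both set          -> routed through this host (FORWARD)
    """
    inp, out = rec.get("IN", ""), rec.get("OUT", "")
    if inp and not out:
        return "INPUT"
    if out and not inp:
        return "OUTPUT"
    if inp and out:
        return "FORWARD"
    return "UNKNOWN"


def trace_paths(lines):
    """Map each traced flow to the ordered list of table:chain:type:rule it hit."""
    paths = defaultdict(list)
    for rec in map(parse_nf_log_line, lines):
        if rec and "trace" in rec:
            table, chain, kind, num = rec["trace"]
            paths[flow_key(rec)].append(f"{table}:{chain}:{kind}:{num}")
    return dict(paths)


def logged_drops(lines):
    """Return the LOG-rule records (everything that is not a TRACE line)."""
    return [rec for rec in map(parse_nf_log_line, lines) if rec and "trace" not in rec]


if __name__ == "__main__":
    lines = SAMPLE_SYSLOG.splitlines()
    for rec in logged_drops(lines):
        print(rec["prefix"], rec["SRC"], "->", rec["DST"], "chain:", expected_filter_chain(rec))
    for key, path in trace_paths(lines).items():
        print(key, " -> ".join(path))
```

The TRACE output only appears in the kernel log when a logger is bound for IPv4; on many current distributions that means loading nf_log_ipv4 (for example `sysctl -w net.netfilter.nf_log.2=nf_log_ipv4`). A TRACE rule in raw/PREROUTING sees only packets entering the host; packets the router generates itself need a matching rule in raw/OUTPUT.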

