
List:       strongswan-users
Subject:    Re: [strongSwan] Users Digest, Vol 53, Issue 15
From:       "Henry R. Prins" <HPrins () multidataservices ! com>
Date:       2008-07-24 12:53:49
Message-ID: E3122D9DC5D0A3438AA30E51F5115751AE44 () mds-4 ! multidataservices ! local

Date: Wed, 23 Jul 2008 14:07:14 +0200
From: Nicole Hähnel <ml@nicole-haehnel.de>
Subject: [strongSwan] Problems running strongswan 4.2.4 on rhel5
To: users@lists.strongswan.org
Message-ID: <48871EF2.4020302@nicole-haehnel.de>
Content-Type: text/plain; charset=ISO-8859-15; format=flowed

Hi,

I'm trying to get strongswan 4.2.4 working on rhel5 with kernel 
2.6.18-53.1.21 and 2.6.18-92.1.6.
I installed strongswan with:
./configure --prefix=/usr --sysconfdir=/etc
make
make install

We have about 90 connections on this server and all will be established 
after starting strongswan.
But I can not ping anything in both directions from all vpn gateways.
No traffic goes through the vpn tunnels.

Before changing to strongswan, openswan was running fine on this server.

I disabled our iptables firewall to test strongSwan, but it makes no
difference with or without it.
With the firewall running, we do not NAT the VPN networks among each other.

Are there any experiences with rhel and strongswan?
Maybe a routing or nat problem.

All other vpn gateways running sles10sp1. No problems there.

Thanks in advance!

Nicole



Nicole, when you have the iptables firewall in place, do you happen to
share the Internet through that box for the other internal computers in
the office?

If so, then there is probably an entry that either SNATs or MASQUERADEs
those IP addresses to the "public" IP address of the network.  It will
also masq/SNAT the packets going to the internal IP addresses.  To work
around this:

/usr/local/sbin/iptables -t nat -I PREROUTING -s <SOURCENETWORK>/24 -i eth1 -m policy --dir in --pol ipsec --proto esp --mode tunnel -j ACCEPT
/usr/local/sbin/iptables -t nat -I POSTROUTING -s <SOURCENETWORK>/24 -o eth1 -m policy --dir out --pol ipsec --proto esp --mode tunnel -j ACCEPT

This will allow anything coming in/out on an ipsec tunnel to be
accepted.

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
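The reply above describes the classic failure mode: a MASQUERADE or SNAT rule in the nat table rewrites the inner packets of an IPsec tunnel before (or after) they reach the tunnel, so the traffic no longer matches the negotiated selectors and is silently dropped. The script below is an added example, not code from the original thread or from the strongSwan project. It parses an iptables-save dump, flags NAT rules that are not preceded by a policy-match ACCEPT for IPsec traffic in the same built-in chain, and generates the two exemption rules from the reply. Unlike the reply, it takes the local and remote subnets separately, because inbound packets seen in PREROUTING after ESP decapsulation carry the remote subnet as their source. The two iptables-save dumps are constructed sample input; the network and interface names are placeholders.

```python
"""Detect NAT rules that would rewrite IPsec tunnel traffic (added example)."""
import shlex

# Constructed sample: a typical "share the Internet" MASQUERADE rule with no
# exemption for IPsec-protected packets.
SAMPLE_NAT_BROKEN = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.1.0.0/24 -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p esp -j ACCEPT
COMMIT
"""

# Constructed sample: the same ruleset after inserting the policy-match ACCEPT
# ahead of the MASQUERADE rule, as the reply suggests.
SAMPLE_NAT_FIXED = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 10.2.0.0/24 -i eth1 -m policy --dir in --pol ipsec --proto esp --mode tunnel -j ACCEPT
-A POSTROUTING -s 10.1.0.0/24 -o eth1 -m policy --dir out --pol ipsec --proto esp --mode tunnel -j ACCEPT
-A POSTROUTING -s 10.1.0.0/24 -o eth1 -j MASQUERADE
COMMIT
"""

# Targets that rewrite addresses; built-in nat chains and the policy direction
# that applies to packets traversing them.
NAT_TARGETS = {"SNAT", "MASQUERADE", "DNAT", "REDIRECT", "NETMAP"}
CHAIN_DIRECTION = {"PREROUTING": "in", "INPUT": "in", "OUTPUT": "out", "POSTROUTING": "out"}


def parse_nat_chains(dump):
    """Return {chain: [(rule_line, tokens), ...]} for the *nat table only."""
    chains = {}
    in_nat = False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            in_nat = line == "*nat"
            continue
        if line == "COMMIT":
            in_nat = False
            continue
        if in_nat and line.startswith("-A "):
            tokens = shlex.split(line)
            chains.setdefault(tokens[1], []).append((line, tokens))
    return chains


def _opt(tokens, flag):
    """Value that follows a flag in an iptables rule, or None if absent."""
    if flag not in tokens:
        return None
    i = tokens.index(flag)
    return tokens[i + 1] if i + 1 < len(tokens) else None


def _uses_policy_match(tokens):
    return any(tokens[i:i + 2] == ["-m", "policy"] for i in range(len(tokens) - 1))


def _is_ipsec_exemption(tokens, direction):
    """ACCEPT rule that short-circuits the chain for IPsec-protected packets."""
    return (_opt(tokens, "-j") == "ACCEPT" and _uses_policy_match(tokens)
            and _opt(tokens, "--pol") == "ipsec" and _opt(tokens, "--dir") == direction)


def nat_rewrites_ipsec(dump):
    """Rule lines that would NAT IPsec traffic.

    A NAT rule is considered safe if an IPsec policy ACCEPT precedes it in the
    same built-in chain, or if the rule itself is restricted to '--pol none'.
    Simplification: the exemption's own -s/-o selectors are assumed to cover
    the NAT rule's traffic; user-defined chains are not followed.
    """
    flagged = []
    for chain, rules in parse_nat_chains(dump).items():
        direction = CHAIN_DIRECTION.get(chain)
        if direction is None:
            continue
        exempted = False
        for line, tokens in rules:
            if _is_ipsec_exemption(tokens, direction):
                exempted = True
            elif (_opt(tokens, "-j") in NAT_TARGETS and not exempted
                  and _opt(tokens, "--pol") != "none"):
                flagged.append(line)
    return flagged


def exemption_rules(local_net, remote_net, iface, iptables="iptables"):
    """The reply's two rules as insert commands (-I puts them ahead of NAT rules)."""
    policy = "-m policy --pol ipsec --proto esp --mode tunnel -j ACCEPT"
    return [
        f"{iptables} -t nat -I PREROUTING -s {remote_net} -i {iface} --dir in {policy}".replace(
            "--dir in -m policy", "-m policy --dir in"),
        f"{iptables} -t nat -I POSTROUTING -s {local_net} -o {iface} --dir out {policy}".replace(
            "--dir out -m policy", "-m policy --dir out"),
    ]


if __name__ == "__main__":
    for name, dump in (("broken", SAMPLE_NAT_BROKEN), ("fixed", SAMPLE_NAT_FIXED)):
        print(name, "->", nat_rewrites_ipsec(dump) or "no NAT applied to IPsec traffic")
    print("\n".join(exemption_rules("10.1.0.0/24", "10.2.0.0/24", "eth1")))
```

Feed it a real dump with `iptables-save | python3 check_nat.py` style piping if you adapt the `__main__` block; the point of the check is the ordering, since `-A` would append the exemption after the MASQUERADE rule and never be reached.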