<div dir="ltr">Thanks Lennart, it was the NAT issue after all... <div><br></div><div>-Igor</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Sep 18, 2014 at 6:37 PM, Lennart Sorensen <span dir="ltr"><<a href="mailto:lsorense@csclub.uwaterloo.ca" target="_blank">lsorense@csclub.uwaterloo.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On Thu, Sep 18, 2014 at 05:43:17PM +0200, Igor Jovanovic wrote:<br>
> Hello,<br>
><br>
> We have host-to-subnet PSK setup with tunnel up and running - with main<br>
> issue being that the traffic is not being routed into the tunnel.<br>
><br>
> Our lan (eth3): <a href="http://192.168.100.0/24" target="_blank">192.168.100.0/24</a><br>
> Our encryption domain <a href="http://192.18.0.0/24" target="_blank">192.18.0.0/24</a><br>
> Our public IP (eth1): x.x.194.130/30<br>
> Public nexthop(eth1): x.x.194.129/30<br>
> Our ED IP (eth1:1): <a href="http://192.18.0.1/24" target="_blank">192.18.0.1/24</a><br>
> Other end IP: y.y.34.140<br>
> Other end subnet: <a href="http://6.0.0.0/8" target="_blank">6.0.0.0/8</a><br>
><br>
> VPN Setup:<br>
><br>
> config setup<br>
> klipsdebug=all<br>
> plutodebug=all<br>
> protostack=netkey<br>
> nat_traversal=no<br>
> virtual_private=<br>
> oe=off<br>
><br>
> conn vic-bsc-1<br>
> forceencaps=yes<br>
> dpddelay=30<br>
> dpdtimeout=120<br>
> dpdaction=restart_by_peer<br>
> ike=aes256-sha1;modp1024!<br>
> phase2alg=aes256-sha1<br>
> ikelifetime=86400s<br>
> authby=secret<br>
> type=tunnel<br>
> salifetime=3600s<br>
> pfs=no<br>
> aggrmode=yes<br>
> left=x.x.194.130<br>
> leftnexthop=x.x.194.129<br>
> leftsubnet=<a href="http://198.18.0.0/24" target="_blank">198.18.0.0/24</a><br>
> right=y.y.34.140<br>
> rightnexthop=x.x.194.129<br>
> auto=start<br>
> rightsubnet=<a href="http://6.0.0.0/8" target="_blank">6.0.0.0/8</a><br>
><br>
> NAT Rule:<br>
> iptables -t nat -I POSTROUTING 1 -s 0/0 -d <a href="http://6.0.0.0/8" target="_blank">6.0.0.0/8</a> -o eth1 -j SNAT<br>
> --to-source 192.18.0.1<br>
><br>
> Route:<br>
> ip route add <a href="http://6.0.0.0/8" target="_blank">6.0.0.0/8</a> src 192.18.0.1 via x.x.194.129 dev eth1<br>
><br>
> Please advise, we are missing something big here!<br>
<br>
</div></div>The tunnel will only allow traffic between <a href="http://6.0.0.0/8" target="_blank">6.0.0.0/8</a> and <a href="http://198.18.0.0/24" target="_blank">198.18.0.0/24</a>.<br>
If you apply nat, then the traffic is no longer valid and will not go<br>
through your tunnel.<br>
<br>
I suggest you try to get your ipsec working first, then worry about<br>
firewalling afterwards.<br>
<br>
And if it is using netkey, you will have to make sure your firewall<br>
allows traffic of type ipsec (not ipv4) from the other side to come in.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Len Sorensen<br>
</font></span></blockquote></div><br></div>
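As an added example (not part of the thread), a small check that a post-NAT packet would actually match the IPsec selectors: the SNAT <code>--to-source</code> address must lie inside <code>leftsubnet</code> and the matched destination inside <code>rightsubnet</code>, otherwise the kernel policy never sees the traffic. The conn options and the iptables rule below are copied from the post; the function names are my own.

```python
import ipaddress
import re

# Sample input, copied from the posted configuration (only the selectors matter here).
IPSEC_CONN = """
conn vic-bsc-1
  leftsubnet=198.18.0.0/24
  rightsubnet=6.0.0.0/8
"""
SNAT_RULE = ("iptables -t nat -I POSTROUTING 1 -s 0/0 -d 6.0.0.0/8 "
             "-o eth1 -j SNAT --to-source 192.18.0.1")


def parse_conn(text):
    """Return {option: value} for the key=value lines of a conn block."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("conn "):
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts


def parse_snat(rule):
    """Extract the -d match and the --to-source address from an SNAT rule."""
    dst = re.search(r"(?:^|\s)-d\s+(\S+)", rule).group(1)
    src = re.search(r"--to-source\s+(\S+)", rule).group(1)
    return dst, src


def check_nat_against_policy(conn_text, snat_rule):
    """Return the list of mismatches between the SNAT rule and the IPsec selectors.

    After SNAT the packet enters the tunnel only if its new source is within
    leftsubnet and its destination is covered by rightsubnet.
    """
    opts = parse_conn(conn_text)
    left = ipaddress.ip_network(opts["leftsubnet"], strict=False)
    right = ipaddress.ip_network(opts["rightsubnet"], strict=False)
    dst, src = parse_snat(snat_rule)
    problems = []
    nat_src = ipaddress.ip_address(src)
    if nat_src not in left:
        problems.append(f"SNAT source {nat_src} is outside leftsubnet {left}")
    nat_dst = ipaddress.ip_network(dst, strict=False)
    if not nat_dst.subnet_of(right):
        problems.append(f"SNAT destination {nat_dst} is not covered by rightsubnet {right}")
    return problems
```

Run against the posted rule it reports the source mismatch; with <code>--to-source 198.18.0.1</code> the list is empty.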