<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Try:<br>
<blockquote>iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT<br>
</blockquote>
Nick<br>
<br>
<br>
<div class="moz-cite-prefix">On 10/05/2016 19:25, Frank wrote:<br>
</div>
<blockquote
cite="mid:2A212B4D-150F-41A8-9ACE-8B72FBA6C030@dio.demon.nl"
type="cite">
<pre wrap="">Hi,
The ping still gives the same:
ping -I 192.168.1.2 192.168.211.2
PING 192.168.211.2 (192.168.211.2) from 192.168.1.2 : 56(84) bytes of data.
From xxx.xxx.39.68 icmp_seq=1 Destination Host Unreachable
From xxx.xxx.39.68 icmp_seq=2 Destination Host Unreachable
From xxx.xxx.39.68 icmp_seq=3 Destination Host Unreachable
From xxx.xxx.39.68 icmp_seq=4 Destination Host Unreachable
iptables rules (simplified for now):
iptables -L -n -v
Chain INPUT (policy ACCEPT 84987 packets, 4996K bytes)
pkts bytes target prot opt in out source destination
62 2988 DROP tcp -- eth4 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 DROP tcp -- eth4 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2200
Chain FORWARD (policy ACCEPT 576K packets, 34M bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2331K 270M ACCEPT all -- eth1 eth2 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2044K 127M ACCEPT all -- eth2 eth1 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
154 12936 ACCEPT all -- eth4 eth1 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth4 eth2 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
720 60480 ACCEPT all -- eth1 eth4 0.0.0.0/0 0.0.0.0/0
247 12844 ACCEPT all -- eth2 eth4 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 143K packets, 8682K bytes)
pkts bytes target prot opt in out source destination
iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 576K packets, 35M bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 1744 packets, 310K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 44171 packets, 2325K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 616K packets, 37M bytes)
pkts bytes target prot opt in out source destination
54 3843 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
690 56556 MASQUERADE all -- * eth4 0.0.0.0/0 0.0.0.0/0
arp -an:
? (zzz.zzz.13.34) at <incomplete> on eth4
? (192.168.211.12) at <incomplete> on eth4
? (192.168.2.12) at 02:00:6b:17:00:01 [ether] on eth2
? (192.168.211.2) at <incomplete> on eth4
? (192.168.1.12) at 02:00:0b:60:00:01 [ether] on eth1
? (xxx.xxx.39.78) at 00:00:5e:00:01:37 [ether] on eth4
? (xxx.xxx.39.76) at 00:1d:b5:2f:19:9f [ether] on eth4
tcpdump -v -n -i eth4 not port 22 | grep -v VRRP :
tcpdump: listening on eth4, link-type EN10MB (Ethernet), capture size 65535 bytes
20:17:05.232826 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has xxx.xxx.39.74 tell xxx.xxx.39.76, length 46
20:17:05.925432 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has xxx.xxx.39.74 tell xxx.xxx.39.76, length 46
20:17:06.204021 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.211.2 tell xxx.xxx.39.68, length 28
20:17:06.825248 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has xxx.xxx.39.74 tell xxx.xxx.39.76, length 46
20:17:07.204218 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.211.2 tell xxx.xxx.39.68, length 28
Rgds,
Frank.
</pre>
<blockquote type="cite">
<pre wrap="">On 10 May 2016, at 17:45, Paul Wouters <a class="moz-txt-link-rfc2396E" href="mailto:paul@nohats.ca"><paul@nohats.ca></a> wrote:
On Tue, 10 May 2016, Frank wrote:
</pre>
<blockquote type="cite">
<pre wrap="">I'm trying to set up an IPsec connection from a recent CentOS 7 box to a pfSense with strongSwan (charon), as a test before connecting to a remote Cisco ASA.
SAs seem up.
I can't get traffic to the other side (host on 192.168.211.2 or .12):
192.168.1.0/24===xxx.xxx.39.68<xxx.xxx.39.68>...yyy.yyy.13.34<yyy.yyy.13.34>===192.168.211.0/24
</pre>
</blockquote>
<blockquote type="cite">
<pre wrap="">
ping 192.168.211.2
PING 192.168.211.2 (192.168.211.2) 56(84) bytes of data.
From xxx.xxx.39.68 icmp_seq=1 Destination Host Unreachable
</pre>
</blockquote>
<pre wrap="">
Oddly this used your public IP as source, instead of the one you
specified with leftsourceip=192.168.1.2.
Does ping -I 192.168.1.2 192.168.211.2 work?
</pre>
<blockquote type="cite">
<pre wrap="">ip route:
default via xxx.xxx.39.78 dev eth4
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.2
192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.2
192.168.3.0/24 dev eth3 proto kernel scope link src 192.168.3.2
192.168.211.0/24 dev eth4 scope link src 192.168.1.2
</pre>
</blockquote>
<pre wrap="">
It's there, so why is ping using the wrong source ip?
Paul
</pre>
</blockquote>
<pre wrap="">
_______________________________________________
Swan mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Swan@lists.libreswan.org">Swan@lists.libreswan.org</a>
<a class="moz-txt-link-freetext" href="https://lists.libreswan.org/mailman/listinfo/swan">https://lists.libreswan.org/mailman/listinfo/swan</a>
</pre>
</blockquote>
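The rule Nick suggests works because nat POSTROUTING is evaluated before the packet is handed to IPsec, and a MASQUERADE there rewrites the source address so the packet no longer matches the tunnel's subnet selectors. The model below is an added illustration, not code from the thread's authors or from libreswan: it replays Frank's two MASQUERADE rules with and without the `-m policy --dir out --pol ipsec -j ACCEPT` rule inserted in front of them. The interface addresses (public address 203.0.113.68 standing in for the redacted xxx.xxx.39.68) and the single SPD entry for 192.168.1.0/24 to 192.168.211.0/24 are constructed from the topology in the thread.<br>

```python
"""Model of why MASQUERADE must skip traffic that has an IPsec policy.

Added example, not project code. It models a nat POSTROUTING chain
(first match wins; ACCEPT ends nat processing, MASQUERADE rewrites the
source to the outgoing interface's address) followed by the IPsec policy
(SPD) selector check on the post-NAT packet.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed interface addresses; 203.0.113.68 is a placeholder for the
# redacted public address xxx.xxx.39.68 on eth4.
IFACE_ADDR = {
    "eth0": "198.51.100.10",   # placeholder
    "eth4": "203.0.113.68",    # placeholder for xxx.xxx.39.68
    "eth1": "192.168.1.2",
}

# Constructed SPD: the leftsubnet/rightsubnet pair from the thread.
SPD = [(ip_network("192.168.1.0/24"), ip_network("192.168.211.0/24"))]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    out: str  # outgoing interface chosen by routing


def matches_ipsec_policy(pkt: Packet) -> bool:
    """Stand-in for `-m policy --dir out --pol ipsec`: does an outbound
    IPsec policy cover this packet's source and destination?"""
    s, d = ip_address(pkt.src), ip_address(pkt.dst)
    return any(s in left and d in right for left, right in SPD)


def out_iface(name: str):
    """Stand-in for `-o <iface>`."""
    return lambda pkt: pkt.out == name


def run_postrouting(pkt: Packet, rules) -> Packet:
    """Walk the nat POSTROUTING chain. ACCEPT stops nat processing and
    leaves the packet untouched; MASQUERADE rewrites the source address
    to that of the outgoing interface."""
    for match, target in rules:
        if not match(pkt):
            continue
        if target == "ACCEPT":
            return pkt
        if target == "MASQUERADE":
            return replace(pkt, src=IFACE_ADDR[pkt.out])
        raise ValueError(f"unknown target {target}")
    return pkt  # chain policy ACCEPT


def egress(pkt: Packet, rules):
    """NAT first, then the IPsec policy lookup on the post-NAT packet.
    Returns (packet as it leaves, True if an IPsec policy still applies)."""
    after_nat = run_postrouting(pkt, rules)
    return after_nat, matches_ipsec_policy(after_nat)


# Frank's nat POSTROUTING chain as shown in the thread.
ORIGINAL_RULES = [
    (out_iface("eth0"), "MASQUERADE"),
    (out_iface("eth4"), "MASQUERADE"),
]

# Nick's suggestion: `-I POSTROUTING` puts the exemption ahead of both.
FIXED_RULES = [(matches_ipsec_policy, "ACCEPT")] + ORIGINAL_RULES


if __name__ == "__main__":
    probe = Packet(src="192.168.1.2", dst="192.168.211.2", out="eth4")
    for label, rules in (("original", ORIGINAL_RULES),
                         ("with policy exemption", FIXED_RULES)):
        left, protected = egress(probe, rules)
        state = "matches IPsec policy" if protected else "NO policy match, leaves in the clear"
        print(f"{label}: src={left.src} dst={left.dst} -> {state}")
```

Ordinary Internet-bound traffic from the LAN still hits the MASQUERADE rules, since the exemption only matches packets for which an IPsec policy exists; only the tunnelled subnet pair keeps its original source address.<br>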
<br>
</body>
</html>