Issue #2073

Traffic behind gateway

Added by Aurelien Casbarro about 9 years ago. Updated about 9 years ago.

Status: Closed
Priority: Normal
Category: configuration
Affected version: 5.5.0
Resolution: No change required

Description

Hi strongSwan team,

After issue 2071, where I tried to ping the VPN gateways -> everything is OK.

But now I'm trying to ping, from SrvA, a PC behind the LAN 192.168.210.0/24.

Here's the schema:

So when I ping from SrvA to SrvB (192.168.210.2) - OK

But when I ping from SrvA to 192.168.210.3 -> it doesn't work.

tcpdump on SrvB when I ping 192.168.210.3 from SrvA:

tcpdump -src 149.202.170.225

09:29:34.955614 IP 149.202.170.225.ipsec-nat-t > 149.202.189.59.ipsec-nat-t: UDP-encap: ESP(spi=0xc6793b18,seq=0x1), length 132
09:29:35.955184 IP 149.202.170.225.ipsec-nat-t > 149.202.189.59.ipsec-nat-t: UDP-encap: ESP(spi=0xc6793b18,seq=0x2), length 132

I already saw Forwarding and Split-Tunneling, but it talks about Virtual IP and I don't have it.

I enabled echo "1" > /proc/sys/net/ipv4/ip_forward

Thanks for your help


Related issues

Related to Issue #2071: Tunnel Up but no traffic (Closed, 25.07.2016)

History

#1 Updated by Tobias Brunner about 9 years ago

  • Related to Issue #2071: Tunnel Up but no traffic added

#2 Updated by Tobias Brunner about 9 years ago

  • Category set to configuration
  • Status changed from New to Feedback

I already saw Forwarding and Split-Tunneling, but it talks about Virtual IP and I don't have it.

While virtual IPs are used as an example (as it is quite a common situation) pretty much everything described there also applies if the IPs are not virtual. Basically, you have to make sure that traffic to the subnet behind the opposite server is properly forwarded to the local VPN server (either directly by the hosts or by their default gateway) or you NAT traffic from/to the remote subnet to the IP of the VPN server.

#3 Updated by Aurelien Casbarro about 9 years ago

OK, thank you! It works!

So I put on SrvA:

iptables -t nat -A POSTROUTING -s 192.168.210.0/24 -o ens4 -j MASQUERADE

And on SrvB:

iptables -t nat -A POSTROUTING -s 192.168.209.0/24 -o ens4 -j MASQUERADE

Thanks Again :)

#4 Updated by Tobias Brunner about 9 years ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No change required

You're welcome.
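
Added example, not part of the original thread or of strongSwan's code: a small Python model of the return path described in comment #2, showing why the host at 192.168.210.3 does not answer and how either a static route or the MASQUERADE rule from comment #3 brings the reply back to SrvB. The default router 192.168.210.1, SrvA's source address 192.168.209.2 and the host's routing table are assumed values for illustration.

```python
import ipaddress

SRVB = "192.168.210.2"            # VPN gateway's LAN address (from the thread)
SRVA_SRC = "192.168.209.2"        # assumed source address of SrvA's ping
DEFAULT_ROUTER = "192.168.210.1"  # assumed default gateway of the LAN host

# Constructed routing table of the host 192.168.210.3: (prefix, gateway).
# A gateway of None means the prefix is on-link.
HOST_ROUTES = [("192.168.210.0/24", None), ("0.0.0.0/0", DEFAULT_ROUTER)]


def next_hop(routes, dst):
    """Longest-prefix match: the address the host hands a packet for dst to."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), gw) for p, gw in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None  # no route at all: the packet is dropped
    _, gw = max(matches, key=lambda m: m[0].prefixlen)
    return gw if gw is not None else dst  # on-link: deliver directly


def reply_returns_via_vpn(routes, seen_src, vpn_gw=SRVB):
    """True if the echo reply to seen_src is handed to the VPN gateway."""
    return next_hop(routes, seen_src) == vpn_gw


def scenarios():
    routed = HOST_ROUTES + [("192.168.209.0/24", SRVB)]
    return {
        # No fix: the reply goes to the default router, not to SrvB.
        "unchanged": reply_returns_via_vpn(HOST_ROUTES, SRVA_SRC),
        # Option 1 from comment #2: the host routes the remote subnet via SrvB.
        "static_route": reply_returns_via_vpn(routed, SRVA_SRC),
        # Option 2 / comment #3: SrvB masquerades, so the host sees SrvB's IP.
        "masquerade": reply_returns_via_vpn(HOST_ROUTES, SRVB),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:13} reply reaches SrvB: {ok}")
```

With the masquerade option, hosts behind each gateway see the gateway's own address as the source, so their logs and address-based filters can no longer tell the remote hosts apart.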