
Ipsec site to site connection with strongswan behind nat, can't access remote

I have set up an IPsec site-to-site connection with strongSwan on the other end behind NAT. Currently I can't access remote resources, while I can access local resources from remote.

Tcpdump shows the packet is sent to the remote end.

15:38:39.245009 Port1, IN: IP local_client_ip > remote_public_ip: ICMP echo request, id 517, seq 1, length 64
15:38:39.245071 ipsec0, OUT: IP local_public_ip > remote_public_ip: ICMP echo request, id 517, seq 1, length 64

But I can't find anything on the other end.
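The two tcpdump lines above show an echo request entering on Port1 and leaving on ipsec0 with a different source address, and no echo reply. The script below is an added example, not code from the thread or from Sophos or strongSwan: it parses tcpdump lines of that shape, checks every packet seen on an ipsec interface against the tunnel's local and remote subnets (taken from the configuration posted later in the thread, 10.18.0.0/16 and 10.188.1.0/24), and lists echo requests that never got a reply. The sample capture, interface names and public addresses (198.51.100.20, 203.0.113.10) are constructed for the example.

```python
"""Added example: check tcpdump ICMP lines against IPsec traffic selectors.

Constructed for this thread; the addresses and capture lines are made up."""
import ipaddress
import re

# Tunnel subnets as posted in the thread's configuration.
LOCAL_SUBNET = ipaddress.ip_network("10.18.0.0/16")
REMOTE_SUBNET = ipaddress.ip_network("10.188.1.0/24")

# Shape of the tcpdump lines in the thread, e.g.
# "15:38:39.245009 Port1, IN: IP 10.18.0.5 > 203.0.113.10: ICMP echo request, id 517, seq 1, length 64"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+),\s+(?P<dir>IN|OUT):\s+IP\s+"
    r"(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):\s+ICMP echo (?P<kind>request|reply),"
    r"\s+id\s+(?P<id>\d+),\s+seq\s+(?P<seq>\d+)"
)

# Constructed capture: the first pair mirrors the thread (request to the peer's
# public IP, source rewritten on ipsec0, no reply); the second is a healthy
# ping to a host inside the remote subnet that does get a reply.
SAMPLE = [
    "15:38:39.245009 Port1, IN: IP 10.18.0.5 > 203.0.113.10: ICMP echo request, id 517, seq 1, length 64",
    "15:38:39.245071 ipsec0, OUT: IP 198.51.100.20 > 203.0.113.10: ICMP echo request, id 517, seq 1, length 64",
    "15:40:01.000100 Port1, IN: IP 10.18.0.5 > 10.188.1.10: ICMP echo request, id 600, seq 1, length 64",
    "15:40:01.000150 ipsec0, OUT: IP 10.18.0.5 > 10.188.1.10: ICMP echo request, id 600, seq 1, length 64",
    "15:40:01.030000 ipsec0, IN: IP 10.188.1.10 > 10.18.0.5: ICMP echo reply, id 600, seq 1, length 64",
]


def parse_line(line):
    """Return a dict for one ICMP echo line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["src"] = ipaddress.ip_address(pkt["src"])
    pkt["dst"] = ipaddress.ip_address(pkt["dst"])
    pkt["id"] = int(pkt["id"])
    pkt["seq"] = int(pkt["seq"])
    return pkt


def selector_match(pkt, local=LOCAL_SUBNET, remote=REMOTE_SUBNET):
    """True if src/dst sit inside the tunnel's subnets, in either direction.

    A packet that fails this check will not be carried by the site-to-site SA,
    whatever interface it was logged on."""
    outbound = pkt["src"] in local and pkt["dst"] in remote
    inbound = pkt["src"] in remote and pkt["dst"] in local
    return outbound or inbound


def analyze(lines, local=LOCAL_SUBNET, remote=REMOTE_SUBNET):
    """Return a list of human-readable findings for a capture."""
    pkts = [p for p in map(parse_line, lines) if p]
    findings = []
    requests = {}
    for p in pkts:
        # Anything on an ipsec interface must fall inside the traffic selectors.
        if p["iface"].startswith("ipsec") and not selector_match(p, local, remote):
            findings.append(
                f"{p['iface']} {p['dir']} {p['src']} > {p['dst']} is outside the tunnel "
                f"subnets {local}/{remote}; a NAT or route was applied before the tunnel"
            )
        if p["kind"] == "request":
            requests.setdefault((p["id"], p["seq"]), p)
    replied = {(p["id"], p["seq"]) for p in pkts if p["kind"] == "reply"}
    for (icmp_id, seq), p in requests.items():
        if (icmp_id, seq) not in replied:
            findings.append(f"no echo reply for id {icmp_id} seq {seq} ({p['src']} > {p['dst']})")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

Feed it the output of a tcpdump run on the firewall (filtered to `icmp`) and compare against the subnets in the IPsec policy; a request that shows up on ipsec0 with a public source or destination address is not inside the selectors and will not reach the far LAN through the tunnel, which is worth checking before looking at the strongSwan side.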

  • lferrara said:

    Daiquin,

    Can you share your site-to-site configuration? Firewall rules? And also a traceroute output?

    Thanks

    configuration:

    Connection Type: Site-to-Site
    Policy: I have checked it matches the other end
    Action on VPN Restart: Respond Only
    Authentication Type: Preshared Key
    Local: WAN interface     Remote: remote public IP

    Local
    Local Subnet: 10.18.0.0/16
    NATed LAN: Same as Local LAN address
    Local ID: local public IP address

    Remote
    Allow NAT Traversal: not checked (it's grayed out)
    Remote LAN Network: 10.188.1.0/24
    Remote ID: remote local IP address or remote public IP address (tried both)

  • Firewall rules:

    Accept any service going to "LAN" zone, when in "VPN" zone, and coming from any network and log connections, then apply IPS policies

    IPS policies: DMZ TO LAN

    Accept any service going to "VPN" zone, when in "LAN" zone, and coming from any network and log connections, then apply IPS policies

    IPS policies: LAN TO DMZ

  • What do you want me to traceroute? A traceroute between clients on either side shows nothing but the first hop.

  • Please share the output of a traceroute to a resource that you need to access.

    Thanks