Ipsec site to site connection with strongswan behind nat, can't access remote

I have set up an IPsec site-to-site connection with strongSwan on the other end, behind NAT. Currently I can't access remote resources, while I can access local resources from the remote side.

In tcpdump it seems the packet is sent to the remote end.

15:38:39.245009 Port1, IN: IP local_client_ip > remote_public_ip: ICMP echo request, id 517, seq 1, length 64
15:38:39.245071 ipsec0, OUT: IP local_public_ip > remote_public_ip: ICMP echo request, id 517, seq 1, length 64

But I can't find anything on the other end.



This thread was automatically locked due to age.
  • Daiquin,

    Can you share your site-to-site configuration? Firewall rules? And also a traceroute output?

    Thanks

  • lferrara said:

    Daiquin,

    Can you share your site-to-site configuration? Firewall rules? And also a traceroute output?

    Thanks

    Configuration:

    Connection Type: Site-to-Site
    Policy: I have checked it matches the other end
    Action on VPN Restart: Respond Only
    Authentication Type: Preshared Key
    Local: WAN interface
    Remote: remote public IP

    Local
    Local Subnet: 10.18.0.0/16
    NATed LAN: Same as Local LAN address
    Local ID: local public IP address

    Remote
    Allow NAT Traversal: not checked (it's grayed out)
    Remote LAN Network: 10.188.1.0/24
    Remote ID: remote local IP address or remote public IP address (tried both)
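The tcpdump lines in the original post only show that a packet left on ipsec0; they do not show whether that packet's endpoints fall inside the Phase 2 networks the tunnel was configured to carry. As an added example (not code from the thread or from Sophos), the small Python checker below takes the two networks exactly as posted (Local Subnet 10.18.0.0/16, Remote LAN Network 10.188.1.0/24) and tests tcpdump-style lines against them, separating "the tunnel dropped it" from "this was never tunnel traffic". The sample capture is constructed: the post redacts the real addresses, so documentation ranges stand in for the WAN and remote public addresses.

```python
"""Check captured packet endpoints against the IPsec Phase 2 selectors
posted in the thread. Added example, not from the original post."""
import ipaddress
import re

# Phase 2 networks exactly as posted for the Sophos side.
LOCAL_NET = ipaddress.ip_network("10.18.0.0/16")
REMOTE_NET = ipaddress.ip_network("10.188.1.0/24")

# Matches tcpdump lines in the format the post shows
# ("<time> <iface>, <IN|OUT>: IP <src> > <dst>: <proto detail>").
# An optional ".port" suffix after each address covers TCP/UDP lines too.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>[^,]+),\s+(?P<dir>IN|OUT):\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:\s*(?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict of the interesting fields, or None if the line doesn't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["src"] = ipaddress.ip_address(d["src"])
    d["dst"] = ipaddress.ip_address(d["dst"])
    return d


def selector_check(src, dst, local_net=LOCAL_NET, remote_net=REMOTE_NET):
    """Explain whether an outbound src/dst pair would be selected for the tunnel.

    Returns (selected, reasons): selected is True only when src is inside the
    local network and dst inside the remote network; otherwise reasons names
    which side fails. A packet that fails here is not a tunnel fault at all:
    it is simply not traffic the tunnel was configured to carry.
    """
    reasons = []
    if src not in local_net:
        reasons.append(f"source {src} is outside local subnet {local_net}")
    if dst not in remote_net:
        reasons.append(f"destination {dst} is outside remote LAN {remote_net}")
    return (not reasons, reasons)


def audit_capture(lines):
    """Run selector_check over tcpdump lines; returns one result dict per parsed line."""
    results = []
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue  # not a tcpdump IP line in the expected shape; skip it
        selected, reasons = selector_check(p["src"], p["dst"])
        results.append({"iface": p["iface"], "dir": p["dir"],
                        "src": str(p["src"]), "dst": str(p["dst"]),
                        "selected": selected, "reasons": reasons})
    return results


# Constructed sample capture (placeholder addresses, the thread redacts the real
# ones): 10.18.5.20 = a local client, 198.51.100.7 = local WAN address,
# 203.0.113.10 = remote public address, 10.188.1.15 = a host on the remote LAN.
SAMPLE_CAPTURE = [
    "15:38:39.245009 Port1, IN: IP 10.18.5.20 > 203.0.113.10: ICMP echo request, id 517, seq 1, length 64",
    "15:38:39.245071 ipsec0, OUT: IP 198.51.100.7 > 203.0.113.10: ICMP echo request, id 517, seq 1, length 64",
    "15:38:50.100000 Port1, IN: IP 10.18.5.20 > 10.188.1.15: ICMP echo request, id 518, seq 1, length 64",
    "15:38:50.100040 ipsec0, OUT: IP 10.18.5.20 > 10.188.1.15: ICMP echo request, id 518, seq 1, length 64",
]

if __name__ == "__main__":
    for r in audit_capture(SAMPLE_CAPTURE):
        status = "selected" if r["selected"] else "NOT selected"
        print(f"{r['iface']:>7} {r['dir']:<3} {r['src']} > {r['dst']}: {status}")
        for reason in r["reasons"]:
            print(f"         - {reason}")
```

Run it as-is to see the constructed capture audited; paste real `tcpdump -i any` lines into SAMPLE_CAPTURE to audit an actual capture. Only packets reported as selected are a test of the tunnel itself; for those, the firewall rules and NAT settings lferrara asked about are the next thing to compare on both sides, since a packet the far end never logs may be dropped by a rule before it is ever decrypted.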
