
IPsec site-to-site connection with strongSwan behind NAT, can't access remote

I have set up an IPsec site-to-site connection with strongSwan on the other end behind NAT. Currently I can't access remote resources, while I can access local resources from remote.

Tcpdump seems to show the packet is sent to the remote end.

15:38:39.245009 Port1, IN: IP local_client_ip > remote_public_ip: ICMP echo request, id 517, seq 1, length 64
15:38:39.245071 ipsec0, OUT: IP local_public_ip > remote_public_ip: ICMP echo request, id 517, seq 1, length 64

But I can't find anything on the other end.



  • Firewall rules:

    Accept any service going to "LAN" zone, when in "VPN" zone, and coming from any network and log connections, then apply IPS policies

    IPS policies: DMZ TO LAN

    Accept any service going to "VPN" zone, when in "LAN" zone, and coming from any network and log connections, then apply IPS policies

    IPS policies: LAN TO DMZ
