Hi Jean-Paul!

> A tcpdump on LAN interface Debian box shows the icmp request packets.
> A tcpdump on Public interface Debian box shows no icmp request packet.

I have a similar setup here at our site. Regarding tcpdump you should see:

- An outgoing ESP packet. (icmp request encrypted)
- An incoming ESP packet. (icmp reply encrypted)
- An incoming ICMP echo reply unencrypted.

I admit that there's an asymmetry. One might expect to see a plaintext outgoing ICMP echo request. But that's a feature of the Linux kernel.

The fact that your traffic doesn't go through appears like a firewall problem to me. Here are some examples from my setup:

    # Make sure not to block traffic handled by IPsec
    iptables -A FORWARD -s 192.168.99.0/24 -m policy --dir out --pol ipsec -j ACCEPT
    iptables -A FORWARD -d 192.168.99.0/24 -m policy --dir in --pol ipsec -j ACCEPT
    iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
    iptables -A OUTPUT -m policy --dir out --pol ipsec -j ACCEPT

    # Do not mess with packets coming over IPSec
    # Put those rules at the very top
    iptables -t nat -A PREROUTING -m policy --dir in --pol ipsec -j ACCEPT
    iptables -t nat -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT

    # Accept ESP traffic from ppp0
    iptables -A INPUT -i ppp0 -p esp -j ACCEPT

    # Allow outgoing ESP traffic on ppp0
    iptables -A OUTPUT -o ppp0 -p esp -j ACCEPT

Let me know if it works for you.

Good luck!

-Daniel
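
Added example, not part of Daniel's message: the advice to put the nat-table IPsec rules "at the very top" matters because the first matching nat rule wins, so a MASQUERADE or SNAT rule listed earlier handles the packet before the policy ACCEPT is reached. The sketch below checks that ordering in iptables-save output; the function name check_nat_order and both sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# check_nat_order CHAIN  (reads `iptables-save` output on stdin)
# Prints one of:
#   ok        no NAT target in CHAIN, or the IPsec exemption comes first
#   shadowed  a NAT target is listed before the IPsec exemption
#   missing   a NAT target exists but CHAIN has no IPsec exemption
check_nat_order() {
    awk -v chain="$1" '
        /^\*/ { table = substr($0, 2) }          # "*nat", "*filter", ...
        table == "nat" && $1 == "-A" && $2 == chain {
            n++                                  # rule position in the chain
            if (/-m policy/ && /--pol ipsec/ && /-j ACCEPT/) {
                if (!exempt) exempt = n
            } else if (/-j (MASQUERADE|SNAT|DNAT|REDIRECT|NETMAP)/) {
                if (!nat) nat = n
            }
        }
        END {
            if (!nat)              print "ok"
            else if (!exempt)      print "missing"
            else if (nat < exempt) print "shadowed"
            else                   print "ok"
        }'
}

# Constructed sample: exemption appended after the masquerade rule.
sample_shadowed() { cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
EOF
}

# Constructed sample: exemption at the very top, as the message recommends.
sample_ok() { cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
EOF
}

sample_shadowed | check_nat_order POSTROUTING
sample_ok | check_nat_order POSTROUTING
```

On a live gateway the same function can be fed with `iptables-save | check_nat_order POSTROUTING` (and likewise for PREROUTING).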