Hello Maqbool,

setting leftsourceip to something makes charon request a virtual IP from the remote peer. So that means that the remote peer seems to be configured for config mode (IKEv1) or to respond with a configuration payload with an IP address to the initiator. That doesn't make sense in a site-to-site scenario. Charon is perfectly capable of figuring out the correct source IP address by itself.

> Now I have some routing issues as I am not able to ping the remote.

That probably has to do with there being a SNAT or MASQUERADE rule or generally wrong iptables rules. Read [1].

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling

On 14.02.2017 20:58, Maqbool Patel wrote:
> I tried ikev1 and the tunnel got established.
> Noel, I removed the leftsourceip line, it will not establish the tunnel.
>
> Now I have some routing issues as I am not able to ping the remote.
>
> -maqbool
>
> On Tue, Feb 14, 2017 at 11:10 AM, Noel Kuntze <[email protected]> wrote:
>
> > Hello Maqbool,
> >
> > > leftsourceip=10.0.0.33
> >
> > Remove that. Then retry.
> >
> > And use auto=route instead of auto=start.
> > See the article about security recommendations[1] for reasons why
> > and opportunities to significantly improve in your setup.
> >
> > [1] https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations
> >
> > --
> > Mit freundlichen Grüßen/Kind Regards,
> > Noel Kuntze
> >
> > GPG Key ID: 0x63EC6658
> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

--
Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
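A check for the SNAT/MASQUERADE problem mentioned in the reply, as an added example that is not part of the thread or of strongSwan: it reads `iptables-save` text and reports nat POSTROUTING rules that tunnel-bound packets would hit before any `-m policy --dir out --pol ipsec -j ACCEPT` exemption. The function names and the two sample dumps (including the 10.0.0.0/24 subnet and `eth0`) are constructed for illustration.

```python
import shlex

NAT_TARGETS = {"SNAT", "MASQUERADE"}

def opt(tokens, flag):
    """Value following an option such as -j or --pol, or None if absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens[:-1] else None

def nat_postrouting(dump):
    """POSTROUTING rules of the nat table, in evaluation order."""
    table, rules = None, []
    for line in map(str.strip, dump.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif table == "nat" and line.startswith("-A POSTROUTING "):
            rules.append(shlex.split(line))
    return rules

def nat_rules_reaching_ipsec(dump):
    """SNAT/MASQUERADE rules that tunnel-bound packets can still hit."""
    risky = []
    for r in nat_postrouting(dump):
        out_pol = opt(r, "--pol") if opt(r, "--dir") == "out" else None
        target = opt(r, "-j")
        # Assumption: any ACCEPT with an outbound ipsec policy match is a full
        # exemption; one narrowed by -s/-d only covers those subnets.
        if target == "ACCEPT" and out_pol == "ipsec":
            break  # later rules never see IPsec-bound traffic
        if target in NAT_TARGETS and out_pol != "none":
            risky.append(" ".join(r))
    return risky

# Constructed iptables-save samples (not taken from the thread).
BROKEN = """*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
"""
FIXED = """*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
COMMIT
"""

if __name__ == "__main__":
    for name, dump in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, nat_rules_reaching_ipsec(dump))
```

On a gateway, pass it the output of `iptables-save -t nat`; an empty result means no NAT rule is evaluated ahead of the IPsec exemption.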
