Hello Wesley,

Your iptables rules probably SNAT or MASQUERADE new connections out of your 
public interface, which causes it to not match the negotiated policies anymore.
The article about Forwarding and split tunneling[1] elaborates on that and 
shows you a rule to fix that.

Kind regards

Noel

[1] 
https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#General-NAT-problems
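
As an added illustration (not part of Noel's reply or the strongSwan project's own scripts), the rule shape the linked article recommends, with a check that can be run on the output of `iptables -t nat -S POSTROUTING`. Assumed values: WAN interface eth0; the subnets 192.168.0.0/24 and 192.168.3.0/24 are the ones from the thread.

```shell
#!/bin/sh
# Print the two nat POSTROUTING rules in the order they must hold.
# The policy-match ACCEPT is inserted at position 1 so that packets which will
# be protected by an IPsec policy keep their original source address; only
# then do they still match the negotiated leftsubnet/rightsubnet selectors.
# Arguments: WAN interface, local subnet, remote subnet (assumed values).
nat_exempt_rules() {
  wan="$1"; local_net="$2"; remote_net="$3"
  printf '%s\n' \
    "iptables -t nat -I POSTROUTING 1 -s $local_net -d $remote_net -m policy --dir out --pol ipsec -j ACCEPT" \
    "iptables -t nat -A POSTROUTING -s $local_net -o $wan -j MASQUERADE"
}

# Read `iptables -t nat -S POSTROUTING` output on stdin.
# Exit 0 if an IPsec policy exemption precedes the first MASQUERADE rule
# (or there is no MASQUERADE at all), exit 1 otherwise.
nat_order_ok() {
  awk '
    /-m policy/ && /--pol ipsec/ && /-j ACCEPT/ && !exempt { exempt = NR }
    /-j MASQUERADE/ && !masq { masq = NR }
    END { exit !(exempt && (!masq || exempt < masq)) }
  '
}

# Example usage with the thread's addresses:
#   nat_exempt_rules eth0 192.168.0.0/24 192.168.3.0/24
#   iptables -t nat -S POSTROUTING | nat_order_ok && echo "NAT ordering ok"
```

A chain whose only POSTROUTING rule is the MASQUERADE makes `nat_order_ok` fail, which is exactly the situation Noel describes.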

On 11.04.2018 16:39, Wesley Rabelo de Oliveira wrote:
> Good morning, 
>
> First of all, I apologize for my English. I'm using google translator.
>
> I'm eating now with strongswan and I'm encountering a problem I cannot 
> solve. I'm closing a VPN IPsec strongswan with Google Cloud ... at first the 
> connection is established on both sides, but I'm encountering problems in the 
> communication between the connections. I can ping and access everything when 
> I'm on the side of the Google Cloud instance, but when I'm on the strongswan 
> side I cannot do anything, and when I run the command ipsec statusall I verify 
> that the tunnel is OK.
> My question is: is there any specific route that I should create? Or are the 
> routes created automatically when the tunnel is established?
>
> Follows my narration for analysis.
>
> Google Cloud 
> ip public: 35.196.XX.XXX
> Network: 192.168.3.0/24
>
> Firewall Debian (Strongswan)
> ip public: 187.32.XX.XXX
> Network: 192.168.0.0/24
> interface int:  192.168.0.254
>
>
> #my ipsec.conf
>
> conn myconn
>         fragmentation = yes
>         keyexchange = ikev1
>         reauth = yes
>         forceencaps = no
>         rekey = yes
>         installpolicy = yes
>         type = tunnel
>         dpdaction=restart
>         dpddelay = 10s
>         dpdtimeout = 60s
>         auto = route
>         authby=secret
>         left = %any
>         right = 35.196.XX.XXX 
>         leftid = 187.32.XX.XXX
>         ikelifetime = 28800s
>         lifetime = 3600s
>         ike = aes128-sha1-modp1024,3des-sha1-modp1024!
>         esp = aes128-sha1-modp1024,3des-sha1-modp1024!
>         leftauth = psk
>         rightauth = psk
>         rightid = 35.196.XX.XXX
>         aggressive = no
>         rightsubnet = 192.168.3.0/24
>         leftsubnet = 192.168.0.0/24
>
>
> Thanks...
>
>
> -- 
> Wesley R. de Oliveira
>
