On Wed, 2018-07-25 at 06:53 -0600, James Lay wrote:
> On 2018-07-24 06:51, Tobias Brunner wrote:
> Hi James,
>
> So I moved to Strongswan 5.6.2 during a distribution upgrade.
>
> What distribution? What was the previous version? Do you still
> have the same plugins installed and enabled?
>
> My simple setup no longer routes back to the client (I can see the
> incoming pings on the server, but nothing goes back). I establish a
> tunnel fine...my setup looks like this:
>
> external_IP_nic2 <-> 192.168.1.1_nic2 192.168.1.0/24 subnet
>
> all I need is to have a connected device able to
> access 192.168.1.1...and it's only a single user.
>
> Please read [1]. From the involved IPs I guess you used the farp
> plugin before, so make sure you still have that installed and loaded.
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
>
> Thanks Tobias...I have access to the old server so I'll see what's
> there...I don't recall installing any other plugins, but we shall
> see. I'll report my findings soon..thanks again.
>
> James

So now I'm super confused. I changed to the below:

conn rw
    leftsubnet=192.168.1.0/24
    leftcert=StrongSwanHostCert.pem
    right=%any
    rightsourceip=172.16.0.1
    auto=add

and added the below top 2 postrouting nat rules:

 pkts bytes target      prot opt in   out        source          destination
    0     0 ACCEPT      all  --  *    *          0.0.0.0/0       0.0.0.0/0     policy match dir out pol ipsec
    0     0 MASQUERADE  all  --  *    enp0s31f6  172.16.0.1      0.0.0.0/0
24519 1646K MASQUERADE  all  --  *    ppp0       192.168.1.0/24  0.0.0.0/0

However when I attempt to ping, I see the ping on the ppp0 interface, and the source isn't 172.16.0.1:

2018-07-25 18:26:37.085194521 8.0.0.1 → 192.168.1.1 ICMP 100 Echo (ping) request id=0x0004, seq=1/256, ttl=64

Not exactly sure where to go next. I did install the extra plugins that include farp as well. Thank you.

James