Re: [strongSwan] IPsec drop policies 2

Mon, 20 Jan 2020 12:30:36 -0800 

Hello,

Use priority = 3 instead of priority = 1 and try it.

Kind regards

Noel

Am 20.01.20 um 17:48 schrieb reterverv ercertecrterc:
>  Hello.
> 
> I have now following configuration. The connection is blocked before the 
> configuration is started. That is also correct.
> 
> But when the connection is established, then I have no internet connection.
> 
> What is missing in the configuration?
> 
> Best regards
> 
> Bernd
> 
> --------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> connections {
>       dropall {
>               children {
>                       dropall {
>                               local_ts = 0.0.0.0/0
>                               remote_ts = 0.0.0.0/0
>                               priority = 2
>                               mode = drop
>                               start_action = trap
>                       }
>               }
>       }
>       lan-passthrough {
>               children {
>                       lan-passthrough {
>                               local_ts = 192.168.1.0/24 # Replace with your 
> LAN subnet
>                               remote_ts = 192.168.1.0/24 # Replace with your 
> LAN subnet
>                               priority = 1
>                               mode = pass
>                               start_action = trap
>                       }
>               }
>       }
>       pp {
>               unique = never
>               version = 2
>               keyingtries=0
>               dpd_delay = 300s
>               rekey_time = 0
>               encap = yes
>               proposals = aes256-sha256-modp2048
>               vips = 0.0.0.0
>               send_cert = never
>               send_certreq = yes
>               local_addrs = 192.168.1.1 # Replace with your default Router IP 
> address
>               remote_addrs = <PP Server IP> # Replace with your PP Server IP
> 
>               local {
>                       id = 192.168.1.1 # Replace with your default Router IP 
> address
>                       auth = eap-mschapv2
>                       eap_id = Username # Replace with your PP-Username
>               }
>               remote {
>                       id = %any
>                       auth = pubkey
>               }
>               children {
>                       pp {
>                               dpd_action = start
>                               close_action = start
>                               inactivity = 36000s
>                               life_time = 0
>                               esp_proposals = aes256-sha256
>                               updown = /etc/swanctl/updown.sh
>                               remote_ts = 0.0.0.0/0
>                               priority = 1
>                               mode = tunnel
>                               start_action = none # "none" is for manual 
> start, or use "start" for autostart
>                       }
>               }
>       }
> } # connections
> secrets {
>       eap-user {
>               id = Username # Replace with your PP-Username
>               secret = "Password" # Replace with your "PP-Password"
>       }
> } # secrets
> -------------------------------------------------------------------------------------------------------------------------------------------------------------
>

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to