I'm trying to set up this scenario with the goal of full subnet-to-subnet connectivity:
```
.--------------.              .--------------.                .--------------.
| linux        |--- LAN1 ---  | NATing       |--- INTERNET ---| Cisco        |--- LAN2
| strongSwan   |  172.x.x.x   | ROUTER       |                | RV130        |  192.168.a.a
| VPN gateway  |              |              |                |              |
'--------------'              '--------------'                '--------------'
 172.y.y.y                                                     192.168.b.b
```
The Cisco RV130 connects to the VPN gateway just fine, and the tunnel is established:
```
# strongswan statusall
subnet-subnet: child: 172.x.x.x/16 === 192.168.a.a/24 TUNNEL, dpdaction=clear
subnet-subnet{193}: 172.x.x.x/16 === 192.168.a.a/24
```
But there's no traffic through the tunnel. Ping fails on both sides, and so do other protocols (ARP, SSH, HTTP).
My iptables on the strongSwan server:
```
-A FORWARD -s 192.168.a.a/24 -d 172.x.x.x/16 -i eth0 -m policy --dir in --pol ipsec --reqid 62 --proto esp -j ACCEPT
-A FORWARD -s 172.x.x.x/16 -d 192.168.a.a/24 -o eth0 -m policy --dir out --pol ipsec --reqid 62 --proto esp -j ACCEPT
```
I should also mention that the strongSwan server successfully provides VPN for many subnet-client connections.
strongswan.conf:

```
[...]
conn subnet-subnet
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev1
    fragmentation=yes
    ike=aes256-sha256-modp1024,3des-sha1-modp1024!
    esp=aes256-sha256-modp1024,3des-sha1!
    dpdaction=clear
    dpddelay=300s
    left=%defaultroute
    leftid=@<the fqdn>
    leftfirewall=yes
    leftcert=servcert.der
    leftsendcert=always
    leftsubnet=172.x.x.x/16
    right=<public IP of the RV130>
    rightid=<public IP of the RV130>
    rightsubnet=192.168.a.a/24
    authby=secret
```
What am I doing wrong?
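A first thing to verify in a setup like the one above is that the FORWARD rules actually match the CHILD_SA that strongSwan installed: the `-m policy` rules in the question are hand-written with a fixed `--reqid 62`, and such a rule only matches while that reqid is the one the SA is using, so a mismatch silently drops all tunnel traffic even though `statusall` shows the tunnel as established. The script below is an added example, not code from the question or from the strongSwan project; it cross-checks the subnets and reqid reported by `strongswan statusall` against the `iptables -S FORWARD` output. The two sample outputs embedded in it are constructed (with made-up subnets and SPIs) so that it runs offline; on a real gateway you would feed it the live command output instead.

```python
"""Cross-check strongSwan's installed CHILD_SAs against the iptables FORWARD
rules that are supposed to let tunnel traffic through.

Added example; it consumes the text of `strongswan statusall` and of
`iptables -S FORWARD`. All sample data below is constructed.
"""
import ipaddress
import re
import shlex

# Constructed sample of the two CHILD_SA lines `strongswan statusall` prints.
STATUSALL = """\
  subnet-subnet{193}:  INSTALLED, TUNNEL, reqid 62, ESP in UDP SPIs: c1a2b3c4_i d5e6f7a8_o
  subnet-subnet{193}:   172.16.0.0/16 === 192.168.10.0/24
"""

# Constructed sample of `iptables -S FORWARD` that matches the SA above.
IPTABLES_OK = """\
-P FORWARD DROP
-A FORWARD -s 192.168.10.0/24 -d 172.16.0.0/16 -i eth0 -m policy --dir in --pol ipsec --reqid 62 --proto esp -j ACCEPT
-A FORWARD -s 172.16.0.0/16 -d 192.168.10.0/24 -o eth0 -m policy --dir out --pol ipsec --reqid 62 --proto esp -j ACCEPT
"""

# Constructed sample of a stale rule set: wrong reqid inbound, no outbound rule.
IPTABLES_STALE = """\
-P FORWARD DROP
-A FORWARD -s 192.168.10.0/24 -d 172.16.0.0/16 -i eth0 -m policy --dir in --pol ipsec --reqid 61 --proto esp -j ACCEPT
"""


def parse_child_sas(statusall_text):
    """Return a list of {name, reqid, local, remote} for every installed CHILD_SA.

    statusall prints two lines per CHILD_SA, both prefixed with `name{uniqueid}:`;
    the first carries the reqid, the second the `local === remote` selectors.
    """
    sas = {}
    for line in statusall_text.splitlines():
        m = re.match(r"^\s*(\S+)\{(\d+)\}:\s+(.*)$", line)
        if not m:
            continue
        name, uid, rest = m.group(1), int(m.group(2)), m.group(3)
        sa = sas.setdefault(uid, {"name": name, "reqid": None, "local": None, "remote": None})
        r = re.search(r"\breqid (\d+)", rest)
        if r:
            sa["reqid"] = int(r.group(1))
        if " === " in rest:
            local, remote = rest.split(" === ", 1)
            sa["local"] = ipaddress.ip_network(local.strip())
            sa["remote"] = ipaddress.ip_network(remote.split()[0])
    return [sa for sa in sas.values() if sa["local"] is not None]


def parse_forward_rules(iptables_s_text):
    """Return the `-A FORWARD` rules as dicts; only the options we need are kept.

    Assumes the `iptables -S` layout: every option takes exactly one value.
    """
    rules = []
    for line in iptables_s_text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 2 or tok[0] != "-A":
            continue
        rule = {"src": None, "dst": None, "dir": None, "pol": None, "reqid": None, "target": None}
        i = 2
        while i < len(tok):
            opt, val = tok[i], tok[i + 1] if i + 1 < len(tok) else None
            if opt == "-s":
                rule["src"] = ipaddress.ip_network(val)
            elif opt == "-d":
                rule["dst"] = ipaddress.ip_network(val)
            elif opt == "--dir":
                rule["dir"] = val
            elif opt == "--pol":
                rule["pol"] = val
            elif opt == "--reqid":
                rule["reqid"] = int(val)
            elif opt == "-j":
                rule["target"] = val
            i += 2
        rules.append(rule)
    return rules


def check_tunnel_rules(sas, rules):
    """Return a list of problems; empty means every SA has matching in/out ACCEPT rules."""
    findings = []
    for sa in sas:
        # Inbound decrypted traffic is remote -> local, outbound is local -> remote.
        for direction, src, dst in (("in", sa["remote"], sa["local"]), ("out", sa["local"], sa["remote"])):
            match = [r for r in rules if r["dir"] == direction and r["pol"] == "ipsec"
                     and r["target"] == "ACCEPT" and r["src"] == src and r["dst"] == dst]
            if not match:
                findings.append(f"{sa['name']}: no FORWARD ACCEPT rule for --dir {direction} {src} -> {dst}")
                continue
            for r in match:
                if r["reqid"] is not None and r["reqid"] != sa["reqid"]:
                    findings.append(f"{sa['name']}: --dir {direction} rule is pinned to reqid {r['reqid']} "
                                    f"but the SA uses reqid {sa['reqid']}")
    return findings


if __name__ == "__main__":
    sas = parse_child_sas(STATUSALL)
    for label, text in (("ok", IPTABLES_OK), ("stale", IPTABLES_STALE)):
        print(label, check_tunnel_rules(sas, parse_forward_rules(text)) or "rules match the SA")
```

Because `leftfirewall=yes` already makes the updown script insert matching FORWARD rules for each CHILD_SA as it comes up, a check like this also shows whether the hand-written rules are redundant with, or contradict, the ones strongSwan manages itself.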