StrongSwan: Difference between revisions

m Miscellaneous Settings: Added note about Windows 10
m Configuring strongSwan: Add iptables section to configure routing
Ignore any failed directories; we do not use them in this configuration. Check that the files in the <code>x509</code>, <code>x509ca</code> and <code>ecdsa</code> directories have loaded correctly, as they have above. You should also have 1 pool and 1 connection at this point.
== Configuring <code>iptables</code> ==
So that packets are routed to the correct place, <code>iptables</code> must be configured, or no traffic will flow through the tunnel. In this case, we are forwarding all traffic to and from the tunnel. First, we need some information to configure <code>iptables</code> correctly:
* Find out the name of the network interface under Linux that you are using for the tunnel. This can be done by typing:
 ip a
* This returns all the network cards on the computer like this:
 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     inet 127.0.0.1/8 scope host lo
         valid_lft forever preferred_lft forever
     inet6 ::1/128 scope host
         valid_lft forever preferred_lft forever
 2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
     link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
     link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
     inet 192.168.1.0/24 brd 192.168.1.255 scope global eth1
         valid_lft forever preferred_lft forever
     inet6 fe80::0000:0000:0000:0000/64 scope link
         valid_lft forever preferred_lft forever
* In this case, we are using <code>eth1</code>. Remember this for later.
* Look in the <code>pool</code> section we created earlier in <code>/etc/swanctl/swanctl.conf</code>. In this setup it is <code>10.1.0.0/16</code>. Remember this for later.
Now that we have the correct information, type the following into a terminal (as a superuser):
  iptables -t nat -A POSTROUTING -s 10.1.0.0/16 -o eth1 -m policy --pol ipsec --dir out -j ACCEPT
  iptables -t nat -A POSTROUTING -s 10.1.0.0/16 -o eth1 -j MASQUERADE
Make sure to change the IP address range to the one from your pool, and the network interface to the correct one for your setup.
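As an added example (my script, not code from this wiki page or the strongSwan project), a POSIX shell script that validates the pool CIDR, builds the two rules from this section in the required order, and applies them only when <code>iptables -C</code> does not already find them; the values <code>10.1.0.0/16</code> and <code>eth1</code> are the page's, the function names are assumptions.

```sh
#!/bin/sh
# Added example, not part of the strongSwan wiki page: validate the pool CIDR,
# build the two NAT rules from this section and apply them idempotently.
# Assumed inputs: the pool from swanctl.conf (10.1.0.0/16 on this page) and the
# egress interface found with `ip a` (eth1 on this page).
set -eu

# Return 0 for a well-formed IPv4 CIDR (four octets 0-255, prefix 0-32), else 1.
valid_cidr() {
    case $1 in */*) ;; *) return 1 ;; esac
    prefix=${1#*/}
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -- ${1%/*}      # split the address part on dots into $1..$4
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the two rules in the order they must be added: the policy-match ACCEPT
# comes first so traffic still covered by an IPsec policy is never masqueraded.
build_rules() {
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -m policy --pol ipsec --dir out -j ACCEPT\n' "$1" "$2"
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$1" "$2"
}

# Add each rule only if `iptables -C` (check) does not already find it, so
# re-running the script never stacks duplicate rules. Must run as root.
apply_rules() {
    valid_cidr "$1" || { echo "invalid pool CIDR: $1" >&2; return 1; }
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] ||
        echo "warning: net.ipv4.ip_forward is 0; forwarded traffic will be dropped" >&2
    build_rules "$1" "$2" | while IFS= read -r rule; do
        check=$(printf '%s\n' "$rule" | sed 's/ -A POSTROUTING / -C POSTROUTING /')
        # the rule strings contain no quoted arguments, so word splitting is safe
        if $check 2>/dev/null; then
            echo "present: $rule"
        else
            $rule || { echo "failed: $rule" >&2; exit 1; }
            echo "added:   $rule"
        fi
    done
}
# Usage (as root): apply_rules 10.1.0.0/16 eth1
```

Forwarded packets also require <code>net.ipv4.ip_forward=1</code>, which the script checks and warns about but does not change.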


= Configuring Windows =