<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#333333">
Hi,<br>
<br>
Now I can ping the server's public address.<br>
<br>
<pre wrap="">server side                                                    remote test client l2tp
172.16.7.0 -- 88.191.35.181 -- 88.191.35.1 ---------------------- 82.236.77.254 -- 82.236.77.42 -- 172.16.7.10
</pre>
<br>
The client takes the address 172.16.7.10 and can ping the whole 172.16.7.0
network without any problems. The client can also ping<br>
the remote public interface, 88.191.35.181, but can't ping 88.191.35.1
or anything on the Internet.<br>
<br>
Any idea, please?<br>
Thanks<br>
<br>
reza.<br>
<br>
Reza ISSANY wrote:
<blockquote cite="mid456D334C.7090001@laposte.net" type="cite">
Hi,<br>
<br>
The gateway has Internet access:<br>
root@integration:~# ping google.com<br>
PING google.com (72.14.207.99) 56(84) bytes of data.<br>
64 bytes from 72.14.207.99: icmp_seq=1 ttl=245 time=86.7 ms<br>
64 bytes from 72.14.207.99: icmp_seq=2 ttl=245 time=86.8 ms<br>
64 bytes from 72.14.207.99: icmp_seq=3 ttl=245 time=86.8 ms<br>
<br>
--- google.com ping statistics ---<br>
3 packets transmitted, 3 received, 0% packet loss, time 2000ms<br>
rtt min/avg/max/mdev = 86.775/86.828/86.857/0.243 ms<br>
<br>
and my iptables rules look good:<br>
<br>
<pre wrap="">#!/bin/sh
# flush the tables
iptables -F

#iptables-restore &lt; /var/log/uiptables
iptables -t filter -A INPUT -p all -j ULOG --ulog-prefix=DefaultDrop

# default policy: DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# accept packets belonging to connections that are already open
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -s 172.16.7.0/16 -j ACCEPT
iptables -A FORWARD -s 172.16.7.0/16 -j ACCEPT

# allow DNS requests
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

# accept ICMP requests
iptables -A INPUT -i eth0 -p icmp -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp -m state --state NEW -j ACCEPT

# telnet
iptables -A INPUT -i eth0 -p tcp --dport 23 -j ACCEPT

# ssh
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

# ipsec vpn (NAT-T)
iptables -A INPUT -p udp -m udp -i eth0 --dport 4500 -j ACCEPT
iptables -A OUTPUT -p udp -m udp -o eth0 --dport 4500 -j ACCEPT
# IKE negotiations
iptables -A INPUT -p udp -m udp -i eth0 --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp -m udp -o eth0 --dport 500 -j ACCEPT
# ESP encryption &amp; authentication
iptables -A INPUT -p 50 -i eth0 -j ACCEPT
iptables -A OUTPUT -p 50 -o eth0 -j ACCEPT
# L2TP roadwarrior
iptables -A INPUT -p udp -i eth0 --dport 1701 -j ACCEPT
iptables -A OUTPUT -p udp -o eth0 --dport 1701 -j ACCEPT

# accept everything on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# accept everything going out to the outside
iptables -A OUTPUT -o eth0 -j ACCEPT
</pre>
<br>
Any idea?<br>
<br>
reza.<br>
<br>
Paul Wouters wrote:
<blockquote
cite="midPine.LNX.4.64.0611281632200.18779@tla.xelerance.com"
type="cite">
<pre wrap="">On Tue, 28 Nov 2006, Reza ISSANY wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Here it is my ipsec verify command results :
root@integration:~# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.7/K2.6.18.3dedibox_r6_final (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
Any idea to activate Internet on vpn l2tpd clients ?
</pre>
</blockquote>
<pre wrap=""><!---->
That looks good. Do the checks I asked you to do before:
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">check
for firewall rules, check for NAT, and check if the gateway can reach the
internet
on its "l2tp pool" IP address using 'ping -I sourceip <a
class="moz-txt-link-abbreviated" href="http://www.google.com">www.google.com</a>'
</pre>
</blockquote>
</blockquote>
<pre wrap=""><!---->
Paul
</pre>
</blockquote>
<br>
<pre wrap="">
<hr size="4" width="90%">
_______________________________________________
<a class="moz-txt-link-abbreviated" href="mailto:Users@openswan.org">Users@openswan.org</a>
<a class="moz-txt-link-freetext" href="http://lists.openswan.org/mailman/listinfo/users">http://lists.openswan.org/mailman/listinfo/users</a>
Building and Integrating Virtual Private Networks with Openswan:
<a class="moz-txt-link-freetext" href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a>
</pre>
</blockquote>
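Editor's note on the symptom in this thread, with an added example that is not code from the thread, from Reza's script or from Openswan. A pool client that can reach the LAN and the gateway's own public address (both handled by the INPUT chain, where <code>-s 172.16.7.0/16</code> is accepted) but nothing past the gateway is the classic sign of a forwarding problem: the posted script accepts outbound FORWARD traffic from the pool, but it has no ESTABLISHED,RELATED rule in FORWARD (so reply packets hit the DROP policy) and no nat table entry at all (so packets leave with a private 172.16.7.x source address that the Internet cannot route back). Those are exactly the "firewall rules" and "NAT" checks Paul asks for. The script below audits a constructed <code>iptables-save</code> dump of the posted ruleset for those two rules and prints the commands that would add them. It assumes, since the thread never says so, that the L2TP pool is 172.16.7.0/24, that the public interface is eth0, and that its address is 88.191.35.181; <code>net.ipv4.ip_forward</code> must also be set to 1 for any of this to matter.<br>

```shell
#!/bin/sh
# Added example (editor's, not code from the thread or from Openswan).
# Audits a saved iptables ruleset for the two rules a pool client needs to
# reach the Internet through the gateway, and prints the commands to add them.
# Assumptions (not stated in the thread): pool 172.16.7.0/24, public interface
# eth0 with address 88.191.35.181.
POOL="172.16.7.0/24"
WAN_IF="eth0"
WAN_IP="88.191.35.181"

# Constructed sample: what 'iptables-save' would print for the filter table of
# the ruleset posted in the thread (iptables stores 172.16.7.0/16 as
# 172.16.0.0/16; there is no nat table because no NAT rule was ever added).
POSTED_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 172.16.0.0/16 -j ACCEPT
-A FORWARD -s 172.16.0.0/16 -j ACCEPT
-A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
COMMIT'

# Constructed sample: the same ruleset once the two missing rules are present.
FIXED_RULES="*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $POOL -o $WAN_IF -j SNAT --to-source $WAN_IP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 172.16.0.0/16 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s 172.16.0.0/16 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
COMMIT"

# Succeed if any line of ruleset $1 matches the extended regex $2.
has_rule() {
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

# The nat table must source-NAT the pool on its way out of the public
# interface; otherwise replies from the Internet are addressed to the private
# pool address and never come back.
pool_is_natted() {
    has_rule "$1" "^-A POSTROUTING .*-s $POOL .*-j (SNAT|MASQUERADE)"
}

# FORWARD must let reply packets through. The posted script only has the
# state rule on INPUT and OUTPUT, so with a DROP policy forwarded replies die.
forward_allows_replies() {
    has_rule "$1" "^-A FORWARD .*--state (ESTABLISHED,RELATED|RELATED,ESTABLISHED) .*-j ACCEPT"
}

# Print the iptables commands that ruleset $1 is missing (nothing if complete).
missing_rules() {
    forward_allows_replies "$1" ||
        echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    pool_is_natted "$1" ||
        echo "iptables -t nat -A POSTROUTING -s $POOL -o $WAN_IF -j SNAT --to-source $WAN_IP"
}

# Number of missing rules; awk always exits 0, so this is safe under 'set -e'.
missing_count() {
    missing_rules "$1" | awk 'END { print NR }'
}

# Stand-alone run: audit the posted ruleset and show what to add.
echo "Missing from the posted ruleset: $(missing_count "$POSTED_RULES") rule(s)"
missing_rules "$POSTED_RULES"
echo "Also make sure forwarding is on: sysctl -w net.ipv4.ip_forward=1"
echo "Then re-test from the gateway as Paul suggested: ping -I <pool-side IP> www.google.com"
```

Run it against a real dump with <code>iptables-save</code> captured into a variable in place of the constructed samples; MASQUERADE is accepted as an alternative to SNAT for gateways with a dynamic public address.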
<br>
</body>
</html>