Peter,<br><br>You were absolutely correct. Thank you so much! I was totally stressing on this one yesterday!<br><br>BTW - I'm sure I can find the info somewhere, but do you have any idea how I can MASQ everything but the IPsec packets when the tunnels are on 2 discontiguous subnets?
<br><br>Thanks again for all your help.<br><br>-Robyn<br><br><div><span class="gmail_quote">On 6/26/07, <b class="gmail_sendername">Peter McGill</b> <<a href="mailto:petermcgill@goco.net">petermcgill@goco.net</a>> wrote:
</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">> -----Original Message-----<br>> Date: Mon, 25 Jun 2007 14:10:16 -0700<br>> From: "Robyn Orosz" <
<a href="mailto:rorosz@gmail.com">rorosz@gmail.com</a>><br>> Subject: [Openswan Users] Unable to pass traffic on site-to-site VPN<br>> To: <a href="mailto:users@openswan.org">users@openswan.org</a><br>><br>> Hi,
<br>><br>> I am running into an intermittent issue where no traffic will<br>> pass on my<br>> site to site VPN. The tunnels are up but packets that match<br>> the subnets in<br>> the proposal do not enter the tunnel.
<br>><br>> Below I have replaced the local public IP address with<br>> <local-ip> and the<br>> remote public IP address with <remote-ip>.<br>><br>> Here is the ipsec.conf<br>> config setup
<br>> interfaces="ipsec0=eth0"<br>> nat_traversal=yes<br>> virtual_private="%v4:192.168.1.0/24,%v4:192.168.50.0/24"
<br>> hidetos=yes<br>> syslog=daemon.debug<br>> plutodebug="all"<br><br>Set plutodebug=none or your logs will be virtually unreadable.<br><br>> There are also 2 masquerade rules that are supposed to
<br>> masquerade all other<br>> traffic that is not destined for the tunnel. They seem to be<br>> working fine.<br>> Internet traffic passes without issues.<br>><br>> 157 8715 MASQUERADE 0 -- any eth0 192.168.44.0/24 !192.168.50.0/24<br>> 45 4092 MASQUERADE 0 -- any eth0 192.168.44.0/24 !192.168.1.0/24<br><br>These iptables rules should not work. You will end up MASQing everything.
<br><br>Packets destined for the internet will match the first rule and get MASQ'd.<br>They will work correctly.<br><br>Packets destined for 192.168.50.0/24 will not match the first rule,<br>but will match the second rule and get MASQ'd; this will break your pings, etc.
<br><br>Packets destined for 192.168.1.0/24 will match the first rule and get<br>MASQ'd, breaking your pings, etc.<br><br>You must have only one MASQ rule.<br><br>You will have to mark the IPsec packets, then MASQ the unmarked packets.
<br><br>Peter<br><br></blockquote></div><br>
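Added example, not code from this thread or from Openswan: a small Python model of netfilter first-match rule evaluation, used to check Peter's reasoning about the two posted MASQUERADE rules and to show the layout he recommends (mark traffic bound for either tunnel subnet in mangle/PREROUTING, then a single MASQUERADE in nat/POSTROUTING that matches only unmarked packets). The subnets are the ones from the thread; the LAN host 192.168.44.10, the internet host 198.51.100.7 and the mark value 1 are constructed for the example. The model ignores the output interface (every rule in the thread is on eth0), and the iptables command lines in the comments are the standard syntax for what each modelled rule does, not Peter's exact rules.

```python
import ipaddress

# Constructed example: subnets from the thread, LAN/internet hosts and the
# mark value are assumptions made for the demonstration.
LAN = ipaddress.ip_network("192.168.44.0/24")       # local LAN behind the gateway
REMOTE_A = ipaddress.ip_network("192.168.1.0/24")   # far end of tunnel 1
REMOTE_B = ipaddress.ip_network("192.168.50.0/24")  # far end of tunnel 2
TUNNEL_MARK = 1                                     # value used with --set-mark (assumed)


class Rule:
    """One nat/POSTROUTING rule: a -s match, an optional -d match (negated when
    negate_dst is True, like iptables '! -d'), an optional '-m mark --mark'
    match, and a target."""

    def __init__(self, src, dst=None, target="MASQUERADE", negate_dst=False, mark=None):
        self.src = src
        self.dst = dst            # None means "any destination"
        self.negate_dst = negate_dst
        self.mark = mark          # None means "no mark match"
        self.target = target

    def matches(self, src_ip, dst_ip, pkt_mark):
        if src_ip not in self.src:
            return False
        if self.mark is not None and pkt_mark != self.mark:
            return False
        in_dst = self.dst is None or dst_ip in self.dst
        return (not in_dst) if self.negate_dst else in_dst


def evaluate(chain, src_ip, dst_ip, pkt_mark):
    """Netfilter semantics: the first matching rule's target wins; if nothing
    matches, the chain policy applies (ACCEPT for nat, i.e. no NAT)."""
    for rule in chain:
        if rule.matches(src_ip, dst_ip, pkt_mark):
            return rule.target
    return "ACCEPT"


def mangle_prerouting(src_ip, dst_ip):
    """Peter's first step as a mangle/PREROUTING stage: MARK LAN traffic whose
    destination is either tunnel subnet, i.e.
      iptables -t mangle -A PREROUTING -s 192.168.44.0/24 -d 192.168.1.0/24  -j MARK --set-mark 1
      iptables -t mangle -A PREROUTING -s 192.168.44.0/24 -d 192.168.50.0/24 -j MARK --set-mark 1
    Returns the mark the packet carries into nat/POSTROUTING (0 = unmarked)."""
    if src_ip in LAN and (dst_ip in REMOTE_A or dst_ip in REMOTE_B):
        return TUNNEL_MARK
    return 0


# The two rules as posted, each excluding one remote subnet:
#   iptables -t nat -A POSTROUTING -s 192.168.44.0/24 ! -d 192.168.50.0/24 -o eth0 -j MASQUERADE
#   iptables -t nat -A POSTROUTING -s 192.168.44.0/24 ! -d 192.168.1.0/24  -o eth0 -j MASQUERADE
ORIGINAL_CHAIN = [
    Rule(LAN, REMOTE_B, negate_dst=True),
    Rule(LAN, REMOTE_A, negate_dst=True),
]

# Peter's layout: one MASQUERADE that only matches unmarked packets:
#   iptables -t nat -A POSTROUTING -s 192.168.44.0/24 -o eth0 -m mark --mark 0 -j MASQUERADE
MARKED_CHAIN = [
    Rule(LAN, mark=0),
]


def is_masqueraded(chain, dst):
    """Does a packet from a LAN host to `dst` get masqueraded by `chain`?
    The mangle stage always runs first; ORIGINAL_CHAIN simply ignores the mark."""
    src_ip = ipaddress.ip_address("192.168.44.10")   # constructed LAN host
    dst_ip = ipaddress.ip_address(dst)
    pkt_mark = mangle_prerouting(src_ip, dst_ip)
    return evaluate(chain, src_ip, dst_ip, pkt_mark) == "MASQUERADE"


def compare(destinations):
    """Return {dst: (masqueraded by the posted rules, masqueraded with the mark layout)}."""
    return {d: (is_masqueraded(ORIGINAL_CHAIN, d), is_masqueraded(MARKED_CHAIN, d))
            for d in destinations}


if __name__ == "__main__":
    for dst, (orig, fixed) in compare(["192.168.1.5", "192.168.50.5", "198.51.100.7"]).items():
        orig_label = "MASQ" if orig else "pass"
        fixed_label = "MASQ" if fixed else "pass"
        print(f"{dst:15}  posted rules: {orig_label}  mark layout: {fixed_label}")
```

Running it shows both tunnel destinations masqueraded by the posted rules (each negated rule catches what the other excludes) while only the internet destination is masqueraded under the mark layout. The same effect can be had without marks by placing `-d 192.168.1.0/24 -j RETURN` and `-d 192.168.50.0/24 -j RETURN` rules ahead of a single MASQUERADE in nat/POSTROUTING; what matters is that exactly one rule masquerades and the tunnel subnets are exempted before it.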