<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.16.1">
</HEAD>
<BODY>
Hi guys<BR>
<BR>
I did a setup of a net-to-net VPN. From a host inside NETA I can ping hosts on NETB. From NETB I can ping NETA.<BR>
I can only use ICMP. If I try any other protocol, it doesn't work.<BR>
<BR>
My firewall rules for allowing this traffic are:<BR>
<BR>
$IPTABLES -A FORWARD -s NETA -d NETB -j ACCEPT<BR>
$IPTABLES -A FORWARD -s NETB -d NETA -j ACCEPT<BR>
<BR>
I did this test:<BR>
<BR>
<B>A: </B>Added a rule on the firewall to log everything between NETA and NETB. This rule is the first one in the FORWARD chain.<BR>
<PRE>
$IPTABLES -A FORWARD -s NETA -d NETB -j LOG --log-level DEBUG --log-prefix "A->B: "
$IPTABLES -A FORWARD -s NETB -d NETA -j LOG --log-level DEBUG --log-prefix "B->A: "
</PRE>
<B>B:</B> Started tcpdump on the WAN interface of the openswan/firewall server on NETB<BR>
<B>C:</B> From one host inside NETA, I started a ping to a host in NETB<BR>
<B>D:</B> From one host inside NETA, I started an nmap scan of a host in NETB<BR>
<B>E:</B> From one host inside NETA, I tried a telnet to a host in NETB<BR>
<BR>
Results:<BR>
On the firewall logs, I saw only packets from test C<BR>
On the tcpdump log, I saw:<BR>
for test C: echo request and echo reply packets<BR>
for test D: only SYN packets from NETA to NETB (no reply)<BR>
for test E: only SYN packets from NETA to NETB (no reply)<BR>
<BR>
It looks like some traffic isn't arriving at the firewall; it is being blocked before it gets there.<BR>
Does anyone have any idea how to solve this issue?<BR>
Thanks a lot.<BR>
Fred<BR>
<BR>
<BR>
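A helper for checking the FORWARD-chain log produced by the rules in step A, added here as an example and not part of Fred's mail: it parses iptables LOG lines carrying the "A->B: " / "B->A: " prefixes, counts packets per direction and protocol, and lists TCP SYNs that never got a reverse-direction packet logged. The log lines are constructed samples; the hostname, interfaces and addresses are assumptions.<BR>

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the format the iptables LOG target writes to the
# kernel log, using the "A->B: " and "B->A: " prefixes from the rules (not a real capture).
SAMPLE_LOG = """\
Jan 12 10:01:01 fw kernel: A->B: IN=eth1 OUT=eth0 SRC=10.1.0.5 DST=10.2.0.9 LEN=84 TTL=63 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Jan 12 10:01:01 fw kernel: B->A: IN=eth0 OUT=eth1 SRC=10.2.0.9 DST=10.1.0.5 LEN=84 TTL=63 ID=2 PROTO=ICMP TYPE=0 CODE=0 ID=1234 SEQ=1
Jan 12 10:01:05 fw kernel: A->B: IN=eth1 OUT=eth0 SRC=10.1.0.5 DST=10.2.0.9 LEN=60 TTL=63 ID=3 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(r"(?P<direction>A->B|B->A): (?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_log_line(line):
    """Return (direction, fields) for one LOG line, or None if it is not one of ours.
    KEY=VALUE tokens go into the dict; bare tokens (DF, SYN, ACK, ...) into fields["FLAGS"]."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    fields = dict(FIELD_RE.findall(rest))
    fields["FLAGS"] = {tok for tok in rest.split() if "=" not in tok}
    return m.group("direction"), fields

def summarise(log_text):
    """Packets per direction and protocol, e.g. {"A->B": Counter({"ICMP": 1, "TCP": 1})}."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed:
            direction, f = parsed
            counts[direction][f.get("PROTO", "?")] += 1
    return counts

def unanswered_tcp_syns(log_text):
    """(src, dst, dport) of A->B TCP SYNs with no B->A TCP packet logged for that flow."""
    syns, replies = [], set()
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if not parsed or parsed[1].get("PROTO") != "TCP":
            continue
        direction, f = parsed
        if direction == "A->B" and "SYN" in f["FLAGS"] and "ACK" not in f["FLAGS"]:
            syns.append((f["SRC"], f["DST"], f["DPT"]))
        elif direction == "B->A":
            replies.add((f["DST"], f["SRC"], f["SPT"]))  # flipped to match the forward tuple
    return [s for s in syns if s not in replies]
```

Feed it the real kernel log (e.g. the output of grep for the two prefixes) to see which protocols actually reach the FORWARD chain in each direction.<BR>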
</BODY>
</HTML>