<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.6000.16587" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=613091819-31012008><FONT face=Arial
color=#0000ff size=2>If your Linux server that Openswan is on does NAT or
MASQUERADING, then that may interfere with your IPsec
traffic.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=613091819-31012008><FONT face=Arial
color=#0000ff size=2>Typically a server does NAT or MASQUERADING when it has one
public Internet IP whose access it wants to share with the
LAN.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=613091819-31012008><FONT face=Arial
color=#0000ff size=2>I'm not sure what the N/A means, perhaps you don't have any
NAT rules?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=613091819-31012008><FONT face=Arial
color=#0000ff size=2>The following will disable any NAT rules for the IPSec
traffic.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=613091819-31012008><FONT face=Arial
color=#0000ff size=2>iptables -t nat -I POSTROUTING -s <local subnet, ie:
192.168.1.0/24> -d <remote subnet, ie: 192.168.2.0/24> -j
ACCEPT</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=613091819-31012008><FONT face=Arial
color=#0000ff size=2>The -I inserts the rule before any other SNAT or MASQUERADE
rules which may change the packets, and the rule itself exempts the matching
packets from any further rules in the chain.</FONT></SPAN></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV align=left><FONT face=Arial size=2>Peter McGill</FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV><FONT face=Arial
size=2></FONT><FONT face=Arial size=2></FONT><BR>
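<DIV dir=ltr align=left><FONT face=Arial size=2>The exemption rule above only works if it is reached before the SNAT/MASQUERADE rule. The script below is an added example (it is not code from the thread or from Openswan): it builds the rule for a given subnet pair and checks, against <TT>iptables-save</TT> style output, that the ACCEPT for local-to-remote traffic precedes every MASQUERADE or SNAT rule in the nat POSTROUTING chain. The subnets, the interface name and the two sample chains are constructed; on a live box you would feed real <TT>iptables-save</TT> output into the check.</FONT></DIV>

```shell
#!/bin/sh
# Added example, not from the original thread: build the NAT exemption rule
# for IPsec-tunnelled traffic and check that it sits in front of any
# SNAT/MASQUERADE rule in the nat POSTROUTING chain.  Subnets, interface
# names and the iptables-save samples below are assumptions/constructed.

# Print the exemption rule for a local/remote subnet pair.  "-I" inserts at
# the top of the chain, so the ACCEPT target ends traversal of the nat table
# before a later MASQUERADE/SNAT rule can rewrite the source address.
nat_exempt_rule() {
    printf 'iptables -t nat -I POSTROUTING -s %s -d %s -j ACCEPT\n' "$1" "$2"
}

# Read iptables-save output on stdin.  Exit 0 when an ACCEPT rule for
# LOCAL -> REMOTE appears in the nat POSTROUTING chain before every
# MASQUERADE/SNAT rule, exit 1 otherwise.  Order is what matters: a packet
# whose source was already rewritten to the public address no longer matches
# the IPsec policy for the tunnel and leaves unencrypted (or not at all).
nat_exempt_precedes_masq() {
    awk -v l="$1" -v r="$2" '
        /^\*/ { table = substr($0, 2) }           # "*nat", "*filter", ...
        table == "nat" && /^-A POSTROUTING/ {
            if ($0 ~ ("-s " l " ") && $0 ~ ("-d " r " ") && /-j ACCEPT/)
                found = 1
            if (/-j (MASQUERADE|SNAT)/ && !found)
                bad = 1                           # NAT rule reached first
        }
        END { if (found && !bad) exit 0; exit 1 }
    '
}

# Constructed iptables-save excerpts (not real output from the poster's box).
# Wrong order: the MASQUERADE rule is hit before the exemption.
SAMPLE_BAD='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
COMMIT'

# Right order: what the chain looks like after "iptables -t nat -I ...".
SAMPLE_GOOD='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Demo: print the rule and check both samples.  On a live box you would
# pipe "iptables-save" into the check instead of a constructed sample.
nat_exempt_rule 192.168.1.0/24 192.168.2.0/24
for s in "$SAMPLE_BAD" "$SAMPLE_GOOD"; do
    if printf '%s\n' "$s" | nat_exempt_precedes_masq 192.168.1.0/24 192.168.2.0/24; then
        echo "ok: tunnel traffic exempted before NAT"
    else
        echo "problem: NAT rule precedes the tunnel exemption (or it is missing)"
    fi
done
```

<DIV dir=ltr align=left><FONT face=Arial size=2>The check deliberately requires an exact match on both subnets: an exemption for some other subnet pair, or an exemption that lands after the MASQUERADE rule because it was added with -A instead of -I, is reported as a problem.</FONT></DIV>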
<BLOCKQUOTE dir=ltr
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> users-bounces@openswan.org
[mailto:users-bounces@openswan.org] <B>On Behalf Of </B>Arjun
Datta<BR><B>Sent:</B> January 30, 2008 2:37 PM<BR><B>To:</B>
users@openswan.org<BR><B>Subject:</B> [Openswan Users] ipsec verify
question<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV><FONT face=Arial size=2><SPAN class=546423119-30012008>Hi
Folks,</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=546423119-30012008></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=546423119-30012008>#ipsec verify
gives me the following</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=546423119-30012008></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=546423119-30012008>[root@fw etc]#
ipsec verify<BR>Checking your system to see if IPsec got installed and started
correctly:<BR>Version check and ipsec on-path [OK]<BR>Linux Openswan
U2.4.7/K2.6.23.12-52.fc7 (netkey)<BR>Checking for IPsec support in kernel
[OK]<BR>NETKEY detected, testing for disabled ICMP send_redirects
[OK]<BR>NETKEY detected, testing for disabled ICMP accept_redirects
[OK]<BR>Checking for RSA private key (/etc/ipsec.d/hostkey.secrets)
[OK]<BR>Checking that pluto is running [OK]<BR>Two or more interfaces found,
checking IP forwarding [OK]<BR>Checking NAT and MASQUERADEing
[N/A]<BR>Checking for 'ip' command [OK]<BR>Checking for 'iptables' command
[OK]<BR>Opportunistic Encryption Support
[DISABLED]<BR></SPAN></FONT></DIV>
<DIV><SPAN class=546423119-30012008><FONT face=Arial size=2>NAT and MASQ'ing
is N/A - how can I correct this? More importantly, is this what would
prevent me from being able to ping the subnet behind this end of the tunnel
from the other side?</FONT></SPAN></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=546423119-30012008>My ipsec tunnel is
up and running, I think, as evidenced by this output from ipsec auto
--status:</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=546423119-30012008> <snip><BR>......<BR>000 #7:
"conn_name":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established);
EVENT_SA_REPLACE in 3279s; newest ISAKMP; nodpd</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=546423119-30012008></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial><FONT size=2><SPAN
class=546423119-30012008>Thanks</SPAN>,</FONT></FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2>Arjun
Datta</FONT></DIV></BLOCKQUOTE></BODY></HTML>