<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.6000.16608" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=544361414-13032008><FONT face=Arial
color=#0000ff size=2>Well, it's not a particularly strong firewall script,
but that's another issue.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=544361414-13032008><FONT face=Arial
color=#0000ff size=2>To fix your ipsec problem, you should change
this...</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=544361414-13032008><FONT face=Arial
color=#0000ff size=2> iptables -A FORWARD -i ${WAN} -d 10.5.0.0/255.255.0.0
-j ACCEPT</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=544361414-13032008><FONT face=Arial
color=#0000ff size=2>+ iptables -t nat -I POSTROUTING -o ${WAN} -d
10.8.13.113/32 -j ACCEPT<BR> iptables -t nat -A POSTROUTING -o ${WAN} -j
MASQUERADE<BR></DIV></FONT></SPAN>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV align=left><FONT face=Arial size=2>Peter McGill</FONT></DIV>
<DIV> </DIV><BR>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Khan, Hammad Aslam
[mailto:raohammad@gmail.com] <BR><B>Sent:</B> March 12, 2008 5:44
PM<BR><B>To:</B> petermcgill@goco.net<BR><B>Cc:</B>
users@openswan.org<BR><B>Subject:</B> Re: [Openswan Users] Packets not passing
through Tunnel<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV>I tried to make them work again(asper my understanding) but cldnt make it
happen;</DIV>
<DIV>may be you can help to edit this file :-) (that I've made to
configure firewall)... this can be a valuable asset to mailing list
too...</DIV>
<DIV> </DIV>
<DIV>##First we flush our current rules<BR> iptables -F<BR> iptables
-t nat -F</DIV>
<DIV> </DIV>
<DIV>##Setup default policies to handle unmatched traffic<BR> iptables -P
INPUT ACCEPT<BR> iptables -P OUTPUT ACCEPT<BR> iptables -P FORWARD
DROP</DIV>
<DIV> </DIV>
<DIV>##Copy and paste these examples ...<BR> export
LAN=eth1<BR> export WAN=eth0</DIV>
<DIV> </DIV>
<DIV>##Then we lock our services so they only work from the
LAN<BR> iptables -I INPUT 1 -i ${LAN} -j ACCEPT<BR> iptables -I
INPUT 1 -i lo -j ACCEPT<BR> iptables -A INPUT -p UDP --dport bootps -i !
${LAN} -j REJECT<BR> iptables -A INPUT -p UDP --dport domain -i ! ${LAN}
-j REJECT</DIV>
<DIV> </DIV>
<DIV>##(Optional) Allow access to our ssh server from the
WAN<BR> iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT</DIV>
<DIV> </DIV>
<DIV>##Drop TCP / UDP packets to privileged ports<BR> iptables -A INPUT
-p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP<BR> iptables -A INPUT -p
UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP</DIV>
<DIV> </DIV>
<DIV>##Finally we add the rules for NAT<BR> iptables -I FORWARD -i ${LAN}
-d <A href="http://10.5.0.0/255.255.0.0">10.5.0.0/255.255.0.0</A> -j
DROP<BR> iptables -A FORWARD -i ${LAN} -s <A
href="http://10.5.0.0/255.255.0.0">10.5.0.0/255.255.0.0</A> -j
ACCEPT<BR> iptables -A FORWARD -i ${WAN} -d <A
href="http://10.5.0.0/255.255.0.0">10.5.0.0/255.255.0.0</A> -j
ACCEPT<BR> iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE</DIV>
<DIV> </DIV>
<DIV># allow IPsec IKE negotiations<BR>iptables -I INPUT -p udp
--sport 500 --dport 500 -j ACCEPT<BR>iptables -I OUTPUT -p udp --sport 500
--dport 500 -j ACCEPT<BR></DIV>
<DIV># ESP encryption and authentication<BR>iptables -I INPUT -p 50 -j
ACCEPT<BR>iptables -I OUTPUT -p 50 -j ACCEPT</DIV>
<DIV><BR>##Tell the kernel that ip forwarding is OK<BR> echo 1 >
/proc/sys/net/ipv4/ip_forward<BR> for f in
/proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done</DIV>
<DIV> </DIV>
<DIV>##This is so when we boot we don't have to run the rules by
hand<BR> /etc/init.d/iptables save<BR> rc-update add iptables
default<BR> nano /etc/sysctl.conf</DIV>
<DIV> </DIV>
<DIV>##Add/Uncomment the following lines:<BR> net.ipv4.ip_forward =
1<BR> net.ipv4.conf.default.rp_filter = 1</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>Regards,</DIV>
<DIV>Hammad<BR><BR></DIV>
<DIV class=gmail_quote>On Thu, Mar 13, 2008 at 2:07 AM, Peter McGill <<A
href="mailto:petermcgill@goco.net">petermcgill@goco.net</A>> wrote:<BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>Two
problems here:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>First,
you cannot MASQ the ipsec packets, so...</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>iptables
-t nat -I POSTROUTING -d <A href="http://10.8.13.113/32"
target=_blank>10.8.13.113/32</A> -j ACCEPT</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>before</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>iptables
-t nat -A POSTROUTING -s <A href="http://10.5.0.0/16"
target=_blank>10.5.0.0/16</A> -j MASQUERADE</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>Second,
you cannot drop all packets to local and expect remote to get
through...</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>So,
change your forward chain...</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>remove
this rule</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>iptables
-t filter -A FORWARD -d <A href="http://10.5.0.0/16"
target=_blank>10.5.0.0/16</A> -j DROP</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>(This
one might have additional options limiting what it drops, making it
ok,</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>but I
cannot tell without the -v (--verbose) flag on
iptables.)</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>P.S. you
didn't actually show us your full rules here, next time you might try
this:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>iptables
-t filter -L -n -v</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>iptables
-t nat -L -n -v</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>iptables
-t mangle -L -n -v</FONT></SPAN></DIV>
<DIV> </DIV>
<DIV align=left><FONT face=Arial size=2>Peter McGill</FONT></DIV>
<DIV> </DIV><BR>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV lang=en-us dir=ltr align=left>
<HR>
<FONT face=Tahoma size=2>
<DIV class=Ih2E3d><B>From:</B> Khan, Hammad Aslam [mailto:<A
href="mailto:raohammad@gmail.com" target=_blank>raohammad@gmail.com</A>]
<BR></DIV><B>Sent:</B> March 12, 2008 4:43 PM
<DIV>
<DIV></DIV>
<DIV class=Wj3C7c><BR><B>To:</B> <A href="mailto:petermcgill@goco.net"
target=_blank>petermcgill@goco.net</A><BR><B>Cc:</B> <A
href="mailto:users@openswan.org"
target=_blank>users@openswan.org</A><BR><B>Subject:</B> Re: [Openswan
Users] Packets not passing through Tunnel<BR></DIV></DIV></FONT><BR></DIV>
<DIV>
<DIV></DIV>
<DIV class=Wj3C7c>
<DIV></DIV>
<DIV>and what do you comment about my firewall settings?</DIV>
<DIV>Attached is more Formatted one... thanking in anticipation</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>Table: nat<BR>Chain PREROUTING (policy ACCEPT)<BR>num
target prot opt
source
destination</DIV>
<DIV>Chain POSTROUTING (policy ACCEPT)<BR>num
target prot opt
source
destination<BR>1 MASQUERADE all -- <A
href="http://0.0.0.0/0"
target=_blank>0.0.0.0/0</A>
<A href="http://0.0.0.0/0" target=_blank>0.0.0.0/0</A></DIV>
<DIV>Chain OUTPUT (policy ACCEPT)<BR>num
target prot opt
source
destination</DIV>
<DIV>Table: filter<BR>Chain INPUT (policy ACCEPT)<BR>num
target prot opt
source
destination<BR>1 ACCEPT
esp -- <A href="http://0.0.0.0/0"
target=_blank>0.0.0.0/0</A>
<A href="http://0.0.0.0/0"
target=_blank>0.0.0.0/0</A><BR>2
ACCEPT udp -- <A
href="http://0.0.0.0/0"
target=_blank>0.0.0.0/0</A>
<A href="http://0.0.0.0/0"
target=_blank>0.0.0.0/0</A>
udp spt:500 dpt:500<BR>3 ACCEPT
all -- <A href="http://0.0.0.0/0"
target=_blank>0.0.0.0/0</A>
<A href="http://0.0.0.0/0"
target=_blank>0.0.0.0/0</A><BR>4
ACCEPT all -- <A
href="http://0.0.0.0/0"
target=_blank>0.0.0.0/0</A>
<A href="http://0.0.0.0/0"
target=_blank>0.0.0.0/0</A><BR>5
REJECT udp -- <A
href="http://0.0.0.0/0"
target=_blank>0.0.0.0/0</A>
<A href="http://0.0.0.0/0"
target=_blank>0.0.0.0/0</A>
udp dpt:67 reject-with icmp-port-unreachable<BR>6
REJECT udp -- <A
href="http://0.0.0.0/0"
target=_blank>0.0.0.0/0</A>
<A href="http://0.0.0.0/0"
target=_blank>0.0.0.0/0</A>
udp dpt:53 reject-with icmp-port-unreachable<BR>7
ACCEPT tcp -- <A
href="http://0.0.0.0/0"
target=_blank>0.0.0.0/0</A>
<A href="http://0.0.0.0/0"
target=_blank>0.0.0.0/0</A>
tcp dpt:22<BR>8 DROP
tcp -- <A href="http://0.0.0.0/0"
target=_blank>0.0.0.0/0</A>
<A href="http://0.0.0.0/0"
target=_blank>0.0.0.0/0</A>
tcp dpts:0:1023<BR>9
DROP udp -- <A
href="http://0.0.0.0/0"
target=_blank>0.0.0.0/0</A>
<A href="http://0.0.0.0/0"
target=_blank>0.0.0.0/0</A>
udp dpts:0:1023</DIV>
<DIV>Chain FORWARD (policy DROP)<BR>num
target prot opt
source
destination<BR>1
DROP all -- <A
href="http://0.0.0.0/0"
target=_blank>0.0.0.0/0</A>
<A href="http://10.5.0.0/16"
target=_blank>10.5.0.0/16</A><BR>2
ACCEPT all -- <A
href="http://10.5.0.0/16"
target=_blank>10.5.0.0/16</A>
<A href="http://0.0.0.0/0"
target=_blank>0.0.0.0/0</A><BR>3
ACCEPT all -- <A
href="http://0.0.0.0/0"
target=_blank>0.0.0.0/0</A>
<A href="http://10.5.0.0/16" target=_blank>10.5.0.0/16</A></DIV>
<DIV>Chain OUTPUT (policy ACCEPT)<BR>num
target prot opt
source
destination<BR>1 ACCEPT
esp -- <A href="http://0.0.0.0/0"
target=_blank>0.0.0.0/0</A>
<A href="http://0.0.0.0/0"
target=_blank>0.0.0.0/0</A><BR>2
ACCEPT udp -- <A
href="http://0.0.0.0/0"
target=_blank>0.0.0.0/0</A>
<A href="http://0.0.0.0/0"
target=_blank>0.0.0.0/0</A>
udp spt:500 dpt:500</DIV>
<DIV><BR><BR> </DIV>
<DIV class=gmail_quote>On Wed, Mar 12, 2008 at 8:56 PM, Peter McGill
<<A href="mailto:petermcgill@goco.net"
target=_blank>petermcgill@goco.net</A>> wrote:<BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>No,
that should be working if ISAKMP SA and IPSec SA
established.</FONT></SPAN></DIV>
<DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>>
<SPAN><FONT face=Arial color=#0000ff size=2>A ping from <A
href="http://10.5.125.105/" target=_blank>10.5.125.105</A> to <A
href="http://10.8.13.113/" target=_blank>10.8.13.113</A> and vise-versa
should work.</FONT></SPAN></FONT></SPAN></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV></DIV>
<DIV align=left><FONT face=Arial size=2>Peter McGill</FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV><FONT
face=Arial size=2></FONT><BR>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV lang=en-us dir=ltr align=left>
<HR>
<FONT face=Tahoma size=2>
<DIV><B>From:</B> Khan, Hammad Aslam [mailto:<A
href="mailto:raohammad@gmail.com"
target=_blank>raohammad@gmail.com</A>] <BR></DIV><B>Sent:</B> March
12, 2008 11:48 AM
<DIV>
<DIV></DIV>
<DIV><BR><B>To:</B> <A href="mailto:petermcgill@goco.net"
target=_blank>petermcgill@goco.net</A><BR><B>Cc:</B> <A
href="mailto:users@openswan.org"
target=_blank>users@openswan.org</A><BR><B>Subject:</B> Re: [Openswan
Users] Packets not passing through
Tunnel<BR></DIV></DIV></FONT><BR></DIV>
<DIV>
<DIV></DIV>
<DIV>
<DIV></DIV>ok thanks but if i dont want my gateway to talk to remote
private. Instead I just want to access remote private from my-private;
will I be required to make changes even in that
case?<BR><BR>rgds,<BR>Hammad<BR><BR>
<DIV class=gmail_quote>On Wed, Mar 12, 2008 at 7:47 PM, Peter McGill
<<A href="mailto:petermcgill@goco.net"
target=_blank>petermcgill@goco.net</A>> wrote:<BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">
<DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>You cannot use route add or ip route add with openswan,
you</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>must specify the traffic which uses the tunnel in
left/rightsubnet(s).</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>To clarify where are you pinging/telneting
from?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>A ping from <A href="http://10.5.125.105/"
target=_blank>10.5.125.105</A> to <A href="http://10.8.13.113/"
target=_blank>10.8.13.113</A> and vise-versa should
work.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>A ping from <A href="http://10.5.125.100/"
target=_blank>10.5.125.100</A> or <A href="http://58.58.58.58/"
target=_blank>58.58.58.58</A> will not work because
you</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>have not included them in leftsubnet.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>Likewise a ping from <A href="http://202.202.202.202/"
target=_blank>202.202.202.202</A> or ?.?.?.? to 10.5.. will not
work.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>Pings to 58... and 202... will work but not encrypted, plain
internet.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>If you want your gateway to be able to communicate with
remote private</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>also, then change your conn as follows:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN> <FONT face=Arial
color=#0000ff size=2>leftsourceip=<A href="http://10.5.125.100/"
target=_blank>10.5.125.100</A> # gw will use this instead of 58...
to talk to rem. priv.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN> <FONT face=Arial
color=#0000ff size=2>leftsubnet=<A href="http://10.5.125.96/28"
target=_blank>10.5.125.96/28</A> # you'll need to change subnet
on cisco too</FONT></SPAN></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV align=left><FONT face=Arial size=2>Peter McGill</FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV><FONT
face=Arial size=2></FONT><BR>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: rgb(0,0,255) 2px solid; MARGIN-RIGHT: 0px">
<DIV lang=en-us dir=ltr align=left>
<HR>
<FONT face=Tahoma size=2><B>From:</B> Khan, Hammad Aslam
[mailto:<A href="mailto:raohammad@gmail.com"
target=_blank>raohammad@gmail.com</A>] <BR><B>Sent:</B> March 12,
2008 2:11 AM<BR><B>To:</B> <A href="mailto:petermcgill@goco.net"
target=_blank>petermcgill@goco.net</A><BR><B>Cc:</B> <A
href="mailto:users@openswan.org"
target=_blank>users@openswan.org</A><BR><B>Subject:</B> Re:
[Openswan Users] Packets not passing through
Tunnel<BR></FONT><BR></DIV>
<DIV>
<DIV></DIV>
<DIV>
<DIV></DIV>
<DIV>I already have enabled ip forwarding; </DIV>
<DIV>My Setup is like;<BR><BR><SPAN
style="COLOR: rgb(102,0,204)"><SPAN
style="COLOR: rgb(255,102,0)">my
private
my gateway
<<pub</SPAN>lic>> remote
gw (cisco vpn
3000)
remote private</SPAN><BR style="COLOR: rgb(102,0,204)"><SPAN
style="COLOR: rgb(102,0,204)"><SPAN
style="COLOR: rgb(255,102,0)">--------
-----------------------------------------</SPAN>
-------------------------------
----------------------</SPAN><BR
style="COLOR: rgb(102,0,204)"><SPAN
style="COLOR: rgb(102,0,204)"><SPAN
style="COLOR: rgb(255,102,0)">
|
|
| </SPAN>
|
|
|
|</SPAN><BR style="COLOR: rgb(102,0,204)"><SPAN
style="COLOR: rgb(255,102,0)"> <A
href="http://10.5.125.105/" target=_blank>10.5.125.105</A>
=== 10.5.125.100(eth1) (eth0)58.58.58.58
>></SPAN><B style="COLOR: rgb(102,0,204)"><SPAN
style="COLOR: rgb(255,102,0)">></SPAN><</B><SPAN
style="COLOR: rgb(102,0,204)"><< <A
href="http://202.202.202.202/"
target=_blank>202.202.202.202</A>
?.?.?.? ==== <A href="http://10.8.13.113/"
target=_blank>10.8.13.113</A> |</SPAN><BR
style="COLOR: rgb(102,0,204)"><SPAN
style="COLOR: rgb(102,0,204)"> <SPAN
style="COLOR: rgb(255,102,0)">
|
|
| </SPAN>
|
|
|
| </SPAN><BR style="COLOR: rgb(102,0,204)"><SPAN
style="COLOR: rgb(102,0,204)"><SPAN
style="COLOR: rgb(255,102,0)">-------
----------------------------------------- </SPAN>
------------------------------
----------------------</SPAN><BR
style="COLOR: rgb(102,0,204)"><BR><BR><B>My Config
file</B><BR>config
setup<BR>
interfaces="ipsec0=eth0"<BR>
plutodebug="all"<BR>
nat_traversal=yes<BR><BR>conn
nattelenor<BR>
type=tunnel<BR>
authby=secret
# secret key<BR>
auth=esp<BR>
pfs=no<BR>
keylife=28800<BR>
keyingtries=3<BR>
auto=add<BR>
ike=3des-md5-modp1024<BR>
esp=3des-md5<BR>
left=<A href="http://58.58.58.58/" target=_blank>58.58.58.58</A>
# my external, internet-routable ip address, provided by NAT
box=<BR>
leftsubnet=<A href="http://10.5.125.105/32"
target=_blank>10.5.125.105/32</A><BR>
right=<A href="http://202.202.202.202/"
target=_blank>202.202.202.202</A>
# my peer's external, internet-routable ip
address=<BR>
rightsubnet=<A href="http://10.8.13.113/32"
target=_blank>10.8.13.113/32</A><BR>
<BR>#Disable Opportunistic Encryption<BR>include
/etc/ipsec.d/examples/no_oe.conf<BR><BR><B>My ipsec verify
result</B><BR><BR>Checking your system to see if IPsec got
installed and started correctly:<BR>Version check and ipsec
on-path
[OK]<BR>Linux Openswan U2.4.9/K2.6.18-1.2798.fc6
(netkey)<BR>Checking for IPsec support in
kernel
[OK]<BR>NETKEY detected, testing for disabled ICMP
send_redirects
[FAILED]<BR><BR> Please disable
/proc/sys/net/ipv4/conf/*/send_redirects<BR> or NETKEY will
cause the sending of bogus ICMP redirects!<BR><BR>NETKEY detected,
testing for disabled ICMP accept_redirects
[FAILED]<BR><BR> Please disable
/proc/sys/net/ipv4/conf/*/accept_redirects<BR> or NETKEY
will accept bogus ICMP redirects!<BR><BR>Checking for RSA private
key
(/etc/ipsec.secrets)
[OK]<BR>Checking that pluto is
running
[OK]<BR>Two or more interfaces found, checking IP
forwarding
[OK]<BR>Checking NAT and
MASQUERADEing
[OK]<BR>Checking for 'ip'
command
[OK]<BR>Checking for 'iptables'
command
[OK]<BR>Opportunistic Encryption
Support
[DISABLED]<BR><BR><BR>Regards,<BR>Hammad<BR><BR><BR></DIV>
<DIV class=gmail_quote>On Tue, Mar 11, 2008 at 10:56 PM, Peter
McGill <<A href="mailto:petermcgill@goco.net"
target=_blank>petermcgill@goco.net</A>> wrote:<BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">
<DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>Did you add leftsourceip=leftlanip and
rightsourceip=rightlanip?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>Without them you can only ping hosts other than the ipsec
gateway,</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>on the remote lan, and only from hosts on the local lan
not the local</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>ipsec gateway.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>Show us your ipsec.conf and ipsec
verify.</FONT></SPAN></DIV>
<DIV> </DIV>
<DIV align=left><FONT face=Arial size=2>Peter
McGill</FONT></DIV>
<DIV> </DIV><BR>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: rgb(0,0,255) 2px solid; MARGIN-RIGHT: 0px">
<DIV lang=en-us dir=ltr align=left>
<HR>
<FONT face=Tahoma size=2><B>From:</B> <A
href="mailto:users-bounces@openswan.org"
target=_blank>users-bounces@openswan.org</A> [mailto:<A
href="mailto:users-bounces@openswan.org"
target=_blank>users-bounces@openswan.org</A>] <B>On Behalf Of
</B>Khan, Hammad Aslam<BR><B>Sent:</B> March 11, 2008 1:45
PM<BR><B>To:</B> <A href="mailto:users@openswan.org"
target=_blank>users@openswan.org</A><BR><B>Subject:</B>
[Openswan Users] Packets not passing through
Tunnel<BR></FONT><BR></DIV>
<DIV>
<DIV></DIV>
<DIV>
<DIV></DIV>Hello everyone,<BR>My tunnel has been successfully
established (both ISAKMP and IPSEC are UP);<BR>but when I try
to ping/telnet remote end's private network PC i dont get any
response.,<BR><BR>Using <B>tcpdump -i eth0 </B>(which is my
public interface of GW) it shows that GW is querying internet
for remote-private-nw using ARP. No ESP packets are
seen...<BR><BR>I added a route of <BR># route add
<remote-private-ip> gw
<remote-public-ip><BR>...but still, i see the same
result?<BR><BR>Please
help.<BR><BR>Regards,<BR>Hammad<BR></DIV></DIV></BLOCKQUOTE></DIV></BLOCKQUOTE></DIV><BR></DIV></DIV></BLOCKQUOTE></DIV></BLOCKQUOTE></DIV><BR></DIV></DIV></BLOCKQUOTE></DIV></BLOCKQUOTE></DIV><BR></DIV></DIV></BLOCKQUOTE></DIV></BLOCKQUOTE></DIV><BR></BLOCKQUOTE></BODY></HTML>