<div>Its working for <a href="http://10.8.13.113/32">10.8.13.113/32</a> now. And packets are now encapsulated in ESP</div>
<div> </div>
<div>Now last problem; when i put <a href="http://172.18.114.244/32">172.18.114.244/32</a> (actual required remote private) in this place in both iptables and ipsec.conf; I know this is pointless - but even tried several things; its not encapsulating any PING to 172.... instead its using general gateway for it??</div>
<div> </div>
<div>rgds,<br><br></div>
<div class="gmail_quote">On Thu, Mar 13, 2008 at 7:18 PM, Peter McGill <<a href="mailto:petermcgill@goco.net">petermcgill@goco.net</a>> wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2">Well, it's not a particularly strong firewall script, but that's another issue.</font></span></div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2">To fix your ipsec problem, you should change this...</font></span></div>
<div class="Ih2E3d">
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2"> iptables -A FORWARD -i ${WAN} -d <a href="http://10.5.0.0/255.255.0.0" target="_blank">10.5.0.0/255.255.0.0</a> -j ACCEPT</font></span></div>
</div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2">+ iptables -t nat -I POSTROUTING -o ${WAN} -d <a href="http://10.8.13.113/32" target="_blank">10.8.13.113/32</a> -j ACCEPT
<div class="Ih2E3d"><br> iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE<br></div></font></span></div>
<div><font face="Arial" color="#0000ff" size="2"></font> </div>
<div align="left"><font face="Arial" size="2">Peter McGill</font></div>
<div> </div><br>
<blockquote style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<div lang="en-us" dir="ltr" align="left">
<hr>
<font face="Tahoma" size="2">
<div class="Ih2E3d"><b>From:</b> Khan, Hammad Aslam [mailto:<a href="mailto:raohammad@gmail.com" target="_blank">raohammad@gmail.com</a>] <br></div><b>Sent:</b> March 12, 2008 5:44 PM
<div>
<div></div>
<div class="Wj3C7c"><br><b>To:</b> <a href="mailto:petermcgill@goco.net" target="_blank">petermcgill@goco.net</a><br><b>Cc:</b> <a href="mailto:users@openswan.org" target="_blank">users@openswan.org</a><br><b>Subject:</b> Re: [Openswan Users] Packets not passing through Tunnel<br>
</div></div></font><br></div>
<div>
<div></div>
<div class="Wj3C7c">
<div></div>
<div>I tried to make them work again(asper my understanding) but cldnt make it happen;</div>
<div>may be you can help to edit this file :-) (that I've made to configure firewall)... this can be a valuable asset to mailing list too...</div>
<div> </div>
<div>##First we flush our current rules<br> iptables -F<br> iptables -t nat -F</div>
<div> </div>
<div>##Setup default policies to handle unmatched traffic<br> iptables -P INPUT ACCEPT<br> iptables -P OUTPUT ACCEPT<br> iptables -P FORWARD DROP</div>
<div> </div>
<div>##Copy and paste these examples ...<br> export LAN=eth1<br> export WAN=eth0</div>
<div> </div>
<div>##Then we lock our services so they only work from the LAN<br> iptables -I INPUT 1 -i ${LAN} -j ACCEPT<br> iptables -I INPUT 1 -i lo -j ACCEPT<br> iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT<br> iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT</div>
<div> </div>
<div>##(Optional) Allow access to our ssh server from the WAN<br> iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT</div>
<div> </div>
<div>##Drop TCP / UDP packets to privileged ports<br> iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP<br> iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP</div>
<div> </div>
<div>##Finally we add the rules for NAT<br> iptables -I FORWARD -i ${LAN} -d <a href="http://10.5.0.0/255.255.0.0" target="_blank">10.5.0.0/255.255.0.0</a> -j DROP<br> iptables -A FORWARD -i ${LAN} -s <a href="http://10.5.0.0/255.255.0.0" target="_blank">10.5.0.0/255.255.0.0</a> -j ACCEPT<br>
iptables -A FORWARD -i ${WAN} -d <a href="http://10.5.0.0/255.255.0.0" target="_blank">10.5.0.0/255.255.0.0</a> -j ACCEPT<br> iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE</div>
<div> </div>
<div># allow IPsec IKE negotiations<br>iptables -I INPUT -p udp --sport 500 --dport 500 -j ACCEPT<br>iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT<br></div>
<div># ESP encryption and authentication<br>iptables -I INPUT -p 50 -j ACCEPT<br>iptables -I OUTPUT -p 50 -j ACCEPT</div>
<div><br>##Tell the kernel that ip forwarding is OK<br> echo 1 > /proc/sys/net/ipv4/ip_forward<br> for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done</div>
<div> </div>
<div>##This is so when we boot we don't have to run the rules by hand<br> /etc/init.d/iptables save<br> rc-update add iptables default<br> nano /etc/sysctl.conf</div>
<div> </div>
<div>##Add/Uncomment the following lines:<br> net.ipv4.ip_forward = 1<br> net.ipv4.conf.default.rp_filter = 1</div>
<div> </div>
<div> </div>
<div>Regards,</div>
<div>Hammad<br><br></div>
<div class="gmail_quote">On Thu, Mar 13, 2008 at 2:07 AM, Peter McGill <<a href="mailto:petermcgill@goco.net" target="_blank">petermcgill@goco.net</a>> wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2">Two problems here:</font></span></div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2"></font></span> </div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2">First, you cannot MASQ the ipsec packets, so...</font></span></div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2">iptables -t nat -I POSTROUTING -d <a href="http://10.8.13.113/32" target="_blank">10.8.13.113/32</a> -j ACCEPT</font></span></div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2">before</font></span></div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2">iptables -t nat -A POSTROUTING -s <a href="http://10.5.0.0/16" target="_blank">10.5.0.0/16</a> -j MASQUERADE</font></span></div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2"></font></span> </div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2">Second, you cannot drop all packets to local and expect remote to get through...</font></span></div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2">So, change your forward chain...</font></span></div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2">remove this rule</font></span></div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2">iptables -t filter -A FORWARD -d <a href="http://10.5.0.0/16" target="_blank">10.5.0.0/16</a> -j DROP</font></span></div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2">(This one might have additional options limiting what it drops, making it ok,</font></span></div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2">but I cannot tell without the -v (--verbose) flag on iptables.)</font></span></div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2"></font></span> </div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2">P.S. you didn't actually show us your full rules here, next time you might try this:</font></span></div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2">iptables -t filter -L -n -v</font></span></div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2">iptables -t nat -L -n -v</font></span></div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2">iptables -t mangle -L -n -v</font></span></div>
<div> </div>
<div align="left"><font face="Arial" size="2">Peter McGill</font></div>
<div> </div><br>
<blockquote style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<div lang="en-us" dir="ltr" align="left">
<hr>
<font face="Tahoma" size="2">
<div><b>From:</b> Khan, Hammad Aslam [mailto:<a href="mailto:raohammad@gmail.com" target="_blank">raohammad@gmail.com</a>] <br></div><b>Sent:</b> March 12, 2008 4:43 PM
<div>
<div></div>
<div><br><b>To:</b> <a href="mailto:petermcgill@goco.net" target="_blank">petermcgill@goco.net</a><br><b>Cc:</b> <a href="mailto:users@openswan.org" target="_blank">users@openswan.org</a><br><b>Subject:</b> Re: [Openswan Users] Packets not passing through Tunnel<br>
</div></div></font><br></div>
<div>
<div></div>
<div>
<div></div>
<div>and what do you comment about my firewall settings?</div>
<div>Attached is more Formatted one... thanking in anticipation</div>
<div> </div>
<div> </div>
<div>Table: nat<br>Chain PREROUTING (policy ACCEPT)<br>num target prot opt source destination</div>
<div>Chain POSTROUTING (policy ACCEPT)<br>num target prot opt source destination<br>1 MASQUERADE all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></div>
<div>Chain OUTPUT (policy ACCEPT)<br>num target prot opt source destination</div>
<div>Table: filter<br>Chain INPUT (policy ACCEPT)<br>num target prot opt source destination<br>1 ACCEPT esp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
2 ACCEPT udp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> udp spt:500 dpt:500<br>3 ACCEPT all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
4 ACCEPT all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>5 REJECT udp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> udp dpt:67 reject-with icmp-port-unreachable<br>
6 REJECT udp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> udp dpt:53 reject-with icmp-port-unreachable<br>7 ACCEPT tcp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> tcp dpt:22<br>
8 DROP tcp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> tcp dpts:0:1023<br>9 DROP udp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> udp dpts:0:1023</div>
<div>Chain FORWARD (policy DROP)<br>num target prot opt source destination<br>1 DROP all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://10.5.0.0/16" target="_blank">10.5.0.0/16</a><br>
2 ACCEPT all -- <a href="http://10.5.0.0/16" target="_blank">10.5.0.0/16</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>3 ACCEPT all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://10.5.0.0/16" target="_blank">10.5.0.0/16</a></div>
<div>Chain OUTPUT (policy ACCEPT)<br>num target prot opt source destination<br>1 ACCEPT esp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
2 ACCEPT udp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> udp spt:500 dpt:500</div>
<div><br><br> </div>
<div class="gmail_quote">On Wed, Mar 12, 2008 at 8:56 PM, Peter McGill <<a href="mailto:petermcgill@goco.net" target="_blank">petermcgill@goco.net</a>> wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2">No, that should be working if ISAKMP SA and IPSec SA established.</font></span></div>
<div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2"></font></span> </div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2">> <span><font face="Arial" color="#0000ff" size="2">A ping from <a href="http://10.5.125.105/" target="_blank">10.5.125.105</a> to <a href="http://10.8.13.113/" target="_blank">10.8.13.113</a> and vise-versa should work.</font></span></font></span></div>
<div><font face="Arial" color="#0000ff" size="2"></font> </div></div>
<div align="left"><font face="Arial" size="2">Peter McGill</font></div>
<div><font face="Arial" color="#0000ff" size="2"></font> </div><font face="Arial" size="2"></font><br>
<blockquote style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<div lang="en-us" dir="ltr" align="left">
<hr>
<font face="Tahoma" size="2">
<div><b>From:</b> Khan, Hammad Aslam [mailto:<a href="mailto:raohammad@gmail.com" target="_blank">raohammad@gmail.com</a>] <br></div><b>Sent:</b> March 12, 2008 11:48 AM
<div>
<div></div>
<div><br><b>To:</b> <a href="mailto:petermcgill@goco.net" target="_blank">petermcgill@goco.net</a><br><b>Cc:</b> <a href="mailto:users@openswan.org" target="_blank">users@openswan.org</a><br><b>Subject:</b> Re: [Openswan Users] Packets not passing through Tunnel<br>
</div></div></font><br></div>
<div>
<div></div>
<div>
<div></div>ok thanks but if i dont want my gateway to talk to remote private. Instead I just want to access remote private from my-private; will I be required to make changes even in that case?<br><br>rgds,<br>Hammad<br>
<br>
<div class="gmail_quote">On Wed, Mar 12, 2008 at 7:47 PM, Peter McGill <<a href="mailto:petermcgill@goco.net" target="_blank">petermcgill@goco.net</a>> wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">
<div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2">You cannot use route add or ip route add with openswan, you</font></span></div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2">must specify the traffic which uses the tunnel in left/rightsubnet(s).</font></span></div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2">To clarify where are you pinging/telneting from?</font></span></div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2">A ping from <a href="http://10.5.125.105/" target="_blank">10.5.125.105</a> to <a href="http://10.8.13.113/" target="_blank">10.8.13.113</a> and vise-versa should work.</font></span></div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2">A ping from <a href="http://10.5.125.100/" target="_blank">10.5.125.100</a> or <a href="http://58.58.58.58/" target="_blank">58.58.58.58</a> will not work because you</font></span></div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2">have not included them in leftsubnet.</font></span></div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2">Likewise a ping from <a href="http://202.202.202.202/" target="_blank">202.202.202.202</a> or ?.?.?.? to 10.5.. will not work.</font></span></div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2">Pings to 58... and 202... will work but not encrypted, plain internet.</font></span></div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2">If you want your gateway to be able to communicate with remote private</font></span></div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2">also, then change your conn as follows:</font></span></div>
<div dir="ltr" align="left"><span> <font face="Arial" color="#0000ff" size="2">leftsourceip=<a href="http://10.5.125.100/" target="_blank">10.5.125.100</a> # gw will use this instead of 58... to talk to rem. priv.</font></span></div>
<div dir="ltr" align="left"><span> <font face="Arial" color="#0000ff" size="2">leftsubnet=<a href="http://10.5.125.96/28" target="_blank">10.5.125.96/28</a> # you'll need to change subnet on cisco too</font></span></div>
<div><font face="Arial" color="#0000ff" size="2"></font> </div>
<div align="left"><font face="Arial" size="2">Peter McGill</font></div>
<div><font face="Arial" color="#0000ff" size="2"></font> </div><font face="Arial" size="2"></font><br>
<blockquote style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: rgb(0,0,255) 2px solid; MARGIN-RIGHT: 0px">
<div lang="en-us" dir="ltr" align="left">
<hr>
<font face="Tahoma" size="2"><b>From:</b> Khan, Hammad Aslam [mailto:<a href="mailto:raohammad@gmail.com" target="_blank">raohammad@gmail.com</a>] <br><b>Sent:</b> March 12, 2008 2:11 AM<br><b>To:</b> <a href="mailto:petermcgill@goco.net" target="_blank">petermcgill@goco.net</a><br>
<b>Cc:</b> <a href="mailto:users@openswan.org" target="_blank">users@openswan.org</a><br><b>Subject:</b> Re: [Openswan Users] Packets not passing through Tunnel<br></font><br></div>
<div>
<div></div>
<div>
<div></div>
<div>I already have enabled ip forwarding; </div>
<div>My Setup is like;<br><br><span style="COLOR: rgb(102,0,204)"><span style="COLOR: rgb(255,102,0)">my private my gateway <<pub</span>lic>> remote gw (cisco vpn 3000) remote private</span><br style="COLOR: rgb(102,0,204)">
<span style="COLOR: rgb(102,0,204)"><span style="COLOR: rgb(255,102,0)">-------- -----------------------------------------</span> ------------------------------- ----------------------</span><br style="COLOR: rgb(102,0,204)">
<span style="COLOR: rgb(102,0,204)"><span style="COLOR: rgb(255,102,0)"> | | | </span> | | | |</span><br style="COLOR: rgb(102,0,204)">
<span style="COLOR: rgb(255,102,0)"> <a href="http://10.5.125.105/" target="_blank">10.5.125.105</a> === 10.5.125.100(eth1) (eth0)58.58.58.58 >></span><b style="COLOR: rgb(102,0,204)"><span style="COLOR: rgb(255,102,0)">></span><</b><span style="COLOR: rgb(102,0,204)"><< <a href="http://202.202.202.202/" target="_blank">202.202.202.202</a> ?.?.?.? ==== <a href="http://10.8.13.113/" target="_blank">10.8.13.113</a> |</span><br style="COLOR: rgb(102,0,204)">
<span style="COLOR: rgb(102,0,204)"> <span style="COLOR: rgb(255,102,0)"> | | | </span> | | | | </span><br style="COLOR: rgb(102,0,204)">
<span style="COLOR: rgb(102,0,204)"><span style="COLOR: rgb(255,102,0)">------- ----------------------------------------- </span> ------------------------------ ----------------------</span><br style="COLOR: rgb(102,0,204)">
<br><br><b>My Config file</b><br>config setup<br> interfaces="ipsec0=eth0"<br> plutodebug="all"<br> nat_traversal=yes<br><br>conn nattelenor<br> type=tunnel<br> authby=secret # secret key<br>
auth=esp<br> pfs=no<br> keylife=28800<br> keyingtries=3<br> auto=add<br> ike=3des-md5-modp1024<br> esp=3des-md5<br> left=<a href="http://58.58.58.58/" target="_blank">58.58.58.58</a> # my external, internet-routable ip address, provided by NAT box=<br>
leftsubnet=<a href="http://10.5.125.105/32" target="_blank">10.5.125.105/32</a><br> right=<a href="http://202.202.202.202/" target="_blank">202.202.202.202</a> # my peer's external, internet-routable ip address=<br>
rightsubnet=<a href="http://10.8.13.113/32" target="_blank">10.8.13.113/32</a><br> <br>#Disable Opportunistic Encryption<br>include /etc/ipsec.d/examples/no_oe.conf<br><br><b>My ipsec verify result</b><br>
<br>Checking your system to see if IPsec got installed and started correctly:<br>Version check and ipsec on-path [OK]<br>Linux Openswan U2.4.9/K2.6.18-1.2798.fc6 (netkey)<br>Checking for IPsec support in kernel [OK]<br>
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]<br><br> Please disable /proc/sys/net/ipv4/conf/*/send_redirects<br> or NETKEY will cause the sending of bogus ICMP redirects!<br><br>NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]<br>
<br> Please disable /proc/sys/net/ipv4/conf/*/accept_redirects<br> or NETKEY will accept bogus ICMP redirects!<br><br>Checking for RSA private key (/etc/ipsec.secrets) [OK]<br>Checking that pluto is running [OK]<br>
Two or more interfaces found, checking IP forwarding [OK]<br>Checking NAT and MASQUERADEing [OK]<br>Checking for 'ip' command [OK]<br>
Checking for 'iptables' command [OK]<br>Opportunistic Encryption Support [DISABLED]<br><br><br>Regards,<br>Hammad<br><br><br></div>
<div class="gmail_quote">On Tue, Mar 11, 2008 at 10:56 PM, Peter McGill <<a href="mailto:petermcgill@goco.net" target="_blank">petermcgill@goco.net</a>> wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">
<div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2">Did you add leftsourceip=leftlanip and rightsourceip=rightlanip?</font></span></div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2">Without them you can only ping hosts other than the ipsec gateway,</font></span></div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2">on the remote lan, and only from hosts on the local lan not the local</font></span></div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2">ipsec gateway.</font></span></div>
<div dir="ltr" align="left"><span><font face="Arial" color="#0000ff" size="2">Show us your ipsec.conf and ipsec verify.</font></span></div>
<div> </div>
<div align="left"><font face="Arial" size="2">Peter McGill</font></div>
<div> </div><br>
<blockquote style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: rgb(0,0,255) 2px solid; MARGIN-RIGHT: 0px">
<div lang="en-us" dir="ltr" align="left">
<hr>
<font face="Tahoma" size="2"><b>From:</b> <a href="mailto:users-bounces@openswan.org" target="_blank">users-bounces@openswan.org</a> [mailto:<a href="mailto:users-bounces@openswan.org" target="_blank">users-bounces@openswan.org</a>] <b>On Behalf Of </b>Khan, Hammad Aslam<br>
<b>Sent:</b> March 11, 2008 1:45 PM<br><b>To:</b> <a href="mailto:users@openswan.org" target="_blank">users@openswan.org</a><br><b>Subject:</b> [Openswan Users] Packets not passing through Tunnel<br></font><br></div>
<div>
<div></div>
<div>
<div></div>Hello everyone,<br>My tunnel has been successfully established (both ISAKMP and IPSEC are UP);<br>but when I try to ping/telnet remote end's private network PC i dont get any response.,<br><br>Using <b>tcpdump -i eth0 </b>(which is my public interface of GW) it shows that GW is querying internet for remote-private-nw using ARP. No ESP packets are seen...<br>
<br>I added a route of <br># route add <remote-private-ip> gw <remote-public-ip><br>...but still, i see the same result?<br><br>Please help.<br><br>Regards,<br>Hammad<br></div></div></blockquote></div></blockquote>
</div><br></div></div></blockquote></div></blockquote></div><br></div></div></blockquote></div></blockquote></div><br></div></div></blockquote></div></blockquote></div><br></div></div></blockquote></div></blockquote></div>
<br>