<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.6000.16608" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=532544714-14032008><FONT face=Arial
color=#0000ff size=2>Alright,</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=532544714-14032008><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=532544714-14032008><FONT face=Arial
color=#0000ff size=2>So you changed these...</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=532544714-14032008><FONT face=Arial
color=#0000ff size=2>ipsec.conf</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=532544714-14032008><FONT face=Arial
color=#0000ff size=2>-
rightsubnet=10.8.13.113/32<BR>+
rightsubnet=172.18.114.244/32</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=532544714-14032008><FONT face=Arial
color=#0000ff size=2>firewall script</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=532544714-14032008><FONT face=Arial
color=#0000ff size=2>- iptables -t nat -I POSTROUTING -o ${WAN} -d
10.8.13.113/32 -j ACCEPT <BR>+ iptables -t nat -I POSTROUTING -o ${WAN} -d
172.18.114.244/32 -j ACCEPT <BR></FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=532544714-14032008><FONT face=Arial
color=#0000ff size=2>Did you change the subnet to 172... on the cisco end
too?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=532544714-14032008><FONT face=Arial
color=#0000ff size=2>Did you run ipsec restart after changing the
ipsec.conf?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=532544714-14032008><FONT face=Arial
color=#0000ff size=2>Did you re-run your firewall script after updating
it?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=532544714-14032008><FONT face=Arial
color=#0000ff size=2>Are you getting ISAKMP &amp; IPSec SA
established?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=532544714-14032008><FONT face=Arial
color=#0000ff size=2>Try restarting the Linux box and the Cisco to make sure
they are using all the new settings.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=532544714-14032008><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=532544714-14032008><FONT face=Arial
color=#0000ff size=2>If none of that helps, try sending us your
new...</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=532544714-14032008><FONT face=Arial
color=#0000ff size=2>ipsec verify</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=532544714-14032008><FONT face=Arial
color=#0000ff size=2>ipsec.conf</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=532544714-14032008><FONT face=Arial
color=#0000ff size=2># your ipsec logs...</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=532544714-14032008><FONT face=Arial
color=#0000ff size=2>grep 'pluto' /var/log/*</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=532544714-14032008><FONT face=Arial
color=#0000ff size=2># your firewall status</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=532544714-14032008><FONT face=Arial
color=#0000ff size=2>iptables -t filter -L -n -v</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=532544714-14032008><FONT face=Arial
color=#0000ff size=2>iptables -t nat -L -n -v</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=532544714-14032008><FONT face=Arial
color=#0000ff size=2>iptables -t mangle -L -n -v</FONT></SPAN></DIV>
<DIV> </DIV>
<DIV align=left><FONT face=Arial size=2>Peter McGill</FONT></DIV>
<DIV> </DIV><BR>
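<DIV>The following is an added example, not code from this thread or from the Openswan project. It takes the text that iptables -t nat -L -n -v prints and walks the POSTROUTING chain in order, first match wins, to show why the ACCEPT for the remote subnet has to sit in front of the MASQUERADE: once the source address has been rewritten, the packet no longer matches the leftsubnet/rightsubnet policy and leaves in the clear via the default route, which is exactly the "using general gateway" symptom above. The two chain dumps are constructed for the example; the addresses and interface names (10.5.125.105 behind eth1, eth0 as the WAN side, 172.18.114.244/32 as rightsubnet) are the ones from the thread.</DIV>

```python
"""Walk the iptables nat POSTROUTING chain to see whether IPsec-bound traffic
is MASQUERADEd before it reaches the ACCEPT bypass.

Added example, not code from the thread or from the Openswan project.  The
chain dumps below are constructed in the shape `iptables -t nat -L -n -v`
prints; addresses and interfaces are taken from the thread.
"""
import ipaddress
from dataclasses import dataclass

# Constructed dump: the original firewall script, everything leaving eth0 is masqueraded.
NAT_MASQ_ONLY = """\
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
"""

# Constructed dump: after `iptables -t nat -I POSTROUTING -o eth0 -d 172.18.114.244/32 -j ACCEPT`
# (the -I puts the bypass at position 1, ahead of the MASQUERADE rule).
NAT_WITH_BYPASS = """\
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            172.18.114.244/32
    0     0 MASQUERADE all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
"""


@dataclass
class Rule:
    target: str
    prot: str
    in_if: str
    out_if: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_chain(dump: str, chain: str):
    """Return (policy, rules) for one chain of an `iptables -L -n -v` dump."""
    policy, rules, in_chain = None, [], False
    for line in dump.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Chain":
            in_chain = fields[1] == chain
            if in_chain and "(policy " in line:
                policy = line.split("(policy ")[1].split()[0]
            continue
        if not in_chain or fields[0] == "pkts":   # skip the column header line
            continue
        # -v layout: pkts bytes target prot opt in out source destination [match options]
        rules.append(Rule(fields[2], fields[3], fields[5], fields[6],
                          ipaddress.ip_network(fields[7], strict=False),
                          ipaddress.ip_network(fields[8], strict=False)))
    return policy, rules


def first_match(dump, chain, src, dst, in_if="*", out_if="*", prot="icmp"):
    """Target of the first rule that matches the packet, or the chain policy if none does."""
    policy, rules = parse_chain(dump, chain)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.prot not in ("all", prot):
            continue
        if r.in_if not in ("*", in_if) or r.out_if not in ("*", out_if):
            continue
        if s in r.src and d in r.dst:
            return r.target
    return policy


def tunnel_traffic_is_masqueraded(dump, remote_subnet, wan, local_src="10.5.125.105"):
    """True when a packet for the rightsubnet would be SNATed before the IPsec policy sees it."""
    probe = str(ipaddress.ip_network(remote_subnet, strict=False)[0])
    return first_match(dump, "POSTROUTING", local_src, probe, out_if=wan) == "MASQUERADE"


if __name__ == "__main__":
    for name, dump in (("masquerade only", NAT_MASQ_ONLY), ("with bypass", NAT_WITH_BYPASS)):
        verdict = first_match(dump, "POSTROUTING", "10.5.125.105", "172.18.114.244", out_if="eth0")
        print(f"{name:16s}: 10.5.125.105 -> 172.18.114.244 via eth0 hits {verdict}")
```

<DIV>Running the module prints the verdict for both dumps. The walk is chain-agnostic, so the same function applied to the filter FORWARD chain from iptables -t filter -L -n -v output shows whether a DROP on 10.5.0.0/16 would swallow the decrypted replies before the ACCEPT on the WAN interface is reached.</DIV>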
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Hammad [mailto:raohammad@gmail.com]
<BR><B>Sent:</B> March 14, 2008 7:03 AM<BR><B>To:</B>
petermcgill@goco.net<BR><B>Cc:</B> users@openswan.org<BR><B>Subject:</B> Re:
[Openswan Users] Packets not passing through Tunnel<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV>It's working for <A href="http://10.8.13.113/32">10.8.13.113/32</A> now.
And packets are now encapsulated in ESP</DIV>
<DIV> </DIV>
<DIV>Now the last problem: when I put <A
href="http://172.18.114.244/32">172.18.114.244/32</A> (the actual
required remote private) in this place in both iptables and
ipsec.conf; I know this is pointless - but even tried several things; it's not
encapsulating any PING to 172.... instead it's using the general gateway for
it??</DIV>
<DIV> </DIV>
<DIV>rgds,<BR><BR></DIV>
<DIV class=gmail_quote>On Thu, Mar 13, 2008 at 7:18 PM, Peter McGill <<A
href="mailto:petermcgill@goco.net">petermcgill@goco.net</A>> wrote:<BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>Well,
it's not a particularly strong firewall script, but that's another
issue.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>To fix
your ipsec problem, you should change this...</FONT></SPAN></DIV>
<DIV class=Ih2E3d>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2> iptables -A FORWARD -i ${WAN} -d <A
href="http://10.5.0.0/255.255.0.0" target=_blank>10.5.0.0/255.255.0.0</A> -j
ACCEPT</FONT></SPAN></DIV></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>+ iptables -t nat -I POSTROUTING -o ${WAN} -d <A
href="http://10.8.13.113/32" target=_blank>10.8.13.113/32</A> -j ACCEPT
<DIV class=Ih2E3d><BR> iptables -t nat -A POSTROUTING -o ${WAN} -j
MASQUERADE<BR></DIV></FONT></SPAN></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV align=left><FONT face=Arial size=2>Peter McGill</FONT></DIV>
<DIV> </DIV><BR>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV lang=en-us dir=ltr align=left>
<HR>
<FONT face=Tahoma size=2>
<DIV class=Ih2E3d><B>From:</B> Khan, Hammad Aslam [mailto:<A
href="mailto:raohammad@gmail.com" target=_blank>raohammad@gmail.com</A>]
<BR></DIV><B>Sent:</B> March 12, 2008 5:44 PM
<DIV>
<DIV></DIV>
<DIV class=Wj3C7c><BR><B>To:</B> <A href="mailto:petermcgill@goco.net"
target=_blank>petermcgill@goco.net</A><BR><B>Cc:</B> <A
href="mailto:users@openswan.org"
target=_blank>users@openswan.org</A><BR><B>Subject:</B> Re: [Openswan
Users] Packets not passing through Tunnel<BR></DIV></DIV></FONT><BR></DIV>
<DIV>
<DIV></DIV>
<DIV class=Wj3C7c>
<DIV></DIV>
<DIV>I tried to make them work again (as per my understanding) but couldn't
make it happen;</DIV>
<DIV>maybe you can help to edit this file :-) (that I've made to
configure the firewall)... this can be a valuable asset to the mailing list
too...</DIV>
<DIV> </DIV>
<DIV>##First we flush our current rules<BR> iptables
-F<BR> iptables -t nat -F</DIV>
<DIV> </DIV>
<DIV>##Setup default policies to handle unmatched
traffic<BR> iptables -P INPUT ACCEPT<BR> iptables -P OUTPUT
ACCEPT<BR> iptables -P FORWARD DROP</DIV>
<DIV> </DIV>
<DIV>##Copy and paste these examples ...<BR> export
LAN=eth1<BR> export WAN=eth0</DIV>
<DIV> </DIV>
<DIV>##Then we lock our services so they only work from the
LAN<BR> iptables -I INPUT 1 -i ${LAN} -j ACCEPT<BR> iptables -I
INPUT 1 -i lo -j ACCEPT<BR> iptables -A INPUT -p UDP --dport bootps
-i ! ${LAN} -j REJECT<BR> iptables -A INPUT -p UDP --dport domain -i
! ${LAN} -j REJECT</DIV>
<DIV> </DIV>
<DIV>##(Optional) Allow access to our ssh server from the
WAN<BR> iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j
ACCEPT</DIV>
<DIV> </DIV>
<DIV>##Drop TCP / UDP packets to privileged ports<BR> iptables -A
INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP<BR> iptables
-A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP</DIV>
<DIV> </DIV>
<DIV>##Finally we add the rules for NAT<BR> iptables -I FORWARD -i
${LAN} -d <A href="http://10.5.0.0/255.255.0.0"
target=_blank>10.5.0.0/255.255.0.0</A> -j DROP<BR> iptables -A
FORWARD -i ${LAN} -s <A href="http://10.5.0.0/255.255.0.0"
target=_blank>10.5.0.0/255.255.0.0</A> -j ACCEPT<BR> iptables -A
FORWARD -i ${WAN} -d <A href="http://10.5.0.0/255.255.0.0"
target=_blank>10.5.0.0/255.255.0.0</A> -j ACCEPT<BR> iptables -t nat
-A POSTROUTING -o ${WAN} -j MASQUERADE</DIV>
<DIV> </DIV>
<DIV># allow IPsec IKE negotiations<BR>iptables -I INPUT -p udp
--sport 500 --dport 500 -j ACCEPT<BR>iptables -I OUTPUT -p udp --sport 500
--dport 500 -j ACCEPT<BR></DIV>
<DIV># ESP encryption and authentication<BR>iptables -I INPUT -p 50
-j ACCEPT<BR>iptables -I OUTPUT -p 50 -j ACCEPT</DIV>
<DIV><BR>##Tell the kernel that ip forwarding is OK<BR> echo 1 >
/proc/sys/net/ipv4/ip_forward<BR> for f in
/proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done</DIV>
<DIV> </DIV>
<DIV>##This is so when we boot we don't have to run the rules by
hand<BR> /etc/init.d/iptables save<BR> rc-update add iptables
default<BR> nano /etc/sysctl.conf</DIV>
<DIV> </DIV>
<DIV>##Add/Uncomment the following lines:<BR> net.ipv4.ip_forward =
1<BR> net.ipv4.conf.default.rp_filter = 1</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>Regards,</DIV>
<DIV>Hammad<BR><BR></DIV>
<DIV class=gmail_quote>On Thu, Mar 13, 2008 at 2:07 AM, Peter McGill
<<A href="mailto:petermcgill@goco.net"
target=_blank>petermcgill@goco.net</A>> wrote:<BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>Two
problems here:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>First, you cannot MASQ the ipsec packets,
so...</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>iptables -t nat -I POSTROUTING -d <A href="http://10.8.13.113/32"
target=_blank>10.8.13.113/32</A> -j ACCEPT</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>before</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>iptables -t nat -A POSTROUTING -s <A href="http://10.5.0.0/16"
target=_blank>10.5.0.0/16</A> -j MASQUERADE</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>Second, you cannot drop all packets to local and expect remote to
get through...</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>So,
change your forward chain...</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>remove this rule</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>iptables -t filter -A FORWARD -d <A
href="http://10.5.0.0/16" target=_blank>10.5.0.0/16</A> -j
DROP</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>(This one might have additional options limiting what it drops,
making it ok,</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>but
I cannot tell without the -v (--verbose) flag on
iptables.)</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>P.S.
you didn't actually show us your full rules here, next time you might
try this:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>iptables -t filter -L -n -v</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>iptables -t nat -L -n -v</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>iptables -t mangle -L -n -v</FONT></SPAN></DIV>
<DIV> </DIV>
<DIV align=left><FONT face=Arial size=2>Peter McGill</FONT></DIV>
<DIV> </DIV><BR>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV lang=en-us dir=ltr align=left>
<HR>
<FONT face=Tahoma size=2>
<DIV><B>From:</B> Khan, Hammad Aslam [mailto:<A
href="mailto:raohammad@gmail.com"
target=_blank>raohammad@gmail.com</A>] <BR></DIV><B>Sent:</B> March
12, 2008 4:43 PM
<DIV>
<DIV></DIV>
<DIV><BR><B>To:</B> <A href="mailto:petermcgill@goco.net"
target=_blank>petermcgill@goco.net</A><BR><B>Cc:</B> <A
href="mailto:users@openswan.org"
target=_blank>users@openswan.org</A><BR><B>Subject:</B> Re: [Openswan
Users] Packets not passing through
Tunnel<BR></DIV></DIV></FONT><BR></DIV>
<DIV>
<DIV></DIV>
<DIV>
<DIV></DIV>
<DIV>and what do you comment about my firewall settings?</DIV>
<DIV>Attached is more Formatted one... thanking in anticipation</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV><PRE>
Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:500 dpt:500
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
5    REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67 reject-with icmp-port-unreachable
6    REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53 reject-with icmp-port-unreachable
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
8    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:0:1023
9    DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:0:1023

Chain FORWARD (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  0.0.0.0/0            10.5.0.0/16
2    ACCEPT     all  --  10.5.0.0/16          0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            10.5.0.0/16

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:500 dpt:500
</PRE></DIV>
<DIV><BR><BR> </DIV>
<DIV class=gmail_quote>On Wed, Mar 12, 2008 at 8:56 PM, Peter McGill
<<A href="mailto:petermcgill@goco.net"
target=_blank>petermcgill@goco.net</A>> wrote:<BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>No, that should be working if ISAKMP SA and IPSec SA
established.</FONT></SPAN></DIV>
<DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>&gt; <SPAN><FONT face=Arial color=#0000ff size=2>A ping from
<A href="http://10.5.125.105/" target=_blank>10.5.125.105</A> to <A
href="http://10.8.13.113/" target=_blank>10.8.13.113</A> and
vice versa should work.</FONT></SPAN></FONT></SPAN></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV></DIV>
<DIV align=left><FONT face=Arial size=2>Peter McGill</FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV><FONT
face=Arial size=2></FONT><BR>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV lang=en-us dir=ltr align=left>
<HR>
<FONT face=Tahoma size=2>
<DIV><B>From:</B> Khan, Hammad Aslam [mailto:<A
href="mailto:raohammad@gmail.com"
target=_blank>raohammad@gmail.com</A>] <BR></DIV><B>Sent:</B>
March 12, 2008 11:48 AM
<DIV>
<DIV></DIV>
<DIV><BR><B>To:</B> <A href="mailto:petermcgill@goco.net"
target=_blank>petermcgill@goco.net</A><BR><B>Cc:</B> <A
href="mailto:users@openswan.org"
target=_blank>users@openswan.org</A><BR><B>Subject:</B> Re:
[Openswan Users] Packets not passing through
Tunnel<BR></DIV></DIV></FONT><BR></DIV>
<DIV>
<DIV></DIV>
<DIV>
<DIV></DIV>OK thanks, but if I don't want my gateway to talk to the
remote private, and instead just want to access the remote private from
my-private, will I be required to make changes even in that
case?<BR><BR>rgds,<BR>Hammad<BR><BR>
<DIV class=gmail_quote>On Wed, Mar 12, 2008 at 7:47 PM, Peter
McGill <<A href="mailto:petermcgill@goco.net"
target=_blank>petermcgill@goco.net</A>> wrote:<BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">
<DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>You cannot use route add or ip route add with openswan,
you</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>must specify the traffic which uses the tunnel in
left/rightsubnet(s).</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>To clarify where are you pinging/telneting
from?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>A ping from <A href="http://10.5.125.105/"
target=_blank>10.5.125.105</A> to <A href="http://10.8.13.113/"
target=_blank>10.8.13.113</A> and vice versa should
work.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>A ping from <A href="http://10.5.125.100/"
target=_blank>10.5.125.100</A> or <A href="http://58.58.58.58/"
target=_blank>58.58.58.58</A> will not work because
you</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>have not included them in leftsubnet.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>Likewise a ping from <A href="http://202.202.202.202/"
target=_blank>202.202.202.202</A> or ?.?.?.? to 10.5.. will
not work.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>Pings to 58... and 202... will work but not encrypted,
plain internet.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>If you want your gateway to be able to communicate with
remote private</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>also, then change your conn as
follows:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN> <FONT
face=Arial color=#0000ff size=2>leftsourceip=<A
href="http://10.5.125.100/" target=_blank>10.5.125.100</A> # gw
will use this instead of 58... to talk to rem.
priv.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN> <FONT
face=Arial color=#0000ff size=2>leftsubnet=<A
href="http://10.5.125.96/28" target=_blank>10.5.125.96/28</A> #
you'll need to change subnet on cisco
too</FONT></SPAN></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV align=left><FONT face=Arial size=2>Peter
McGill</FONT></DIV>
<DIV><FONT face=Arial color=#0000ff
size=2></FONT> </DIV><FONT face=Arial size=2></FONT><BR>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: rgb(0,0,255) 2px solid; MARGIN-RIGHT: 0px">
<DIV lang=en-us dir=ltr align=left>
<HR>
<FONT face=Tahoma size=2><B>From:</B> Khan, Hammad Aslam
[mailto:<A href="mailto:raohammad@gmail.com"
target=_blank>raohammad@gmail.com</A>] <BR><B>Sent:</B> March
12, 2008 2:11 AM<BR><B>To:</B> <A
href="mailto:petermcgill@goco.net"
target=_blank>petermcgill@goco.net</A><BR><B>Cc:</B> <A
href="mailto:users@openswan.org"
target=_blank>users@openswan.org</A><BR><B>Subject:</B> Re:
[Openswan Users] Packets not passing through
Tunnel<BR></FONT><BR></DIV>
<DIV>
<DIV></DIV>
<DIV>
<DIV></DIV>
<DIV>I already have enabled ip forwarding; </DIV>
<DIV>My Setup is like;<BR><BR>
<PRE>
 my private          my gateway                        &lt;&lt;public&gt;&gt;         remote gw (cisco vpn 3000)     remote private
 --------   -----------------------------------   -------------------------------   ----------------------
    |             |                  |                      |                  |                    |
 10.5.125.105 === 10.5.125.100(eth1)  (eth0)58.58.58.58 &gt;&gt;&gt;&lt;&lt;&lt; 202.202.202.202   ?.?.?.? ==== 10.8.13.113
    |             |                  |                      |                  |                    |
 -------    -----------------------------------   ------------------------------   ----------------------
</PRE>
<BR><B>My Config file</B><BR>
<PRE>
config setup
    interfaces="ipsec0=eth0"
    plutodebug="all"
    nat_traversal=yes

conn nattelenor
    type=tunnel
    authby=secret                # secret key
    auth=esp
    pfs=no
    keylife=28800
    keyingtries=3
    auto=add
    ike=3des-md5-modp1024
    esp=3des-md5
    left=58.58.58.58             # my external, internet-routable ip address, provided by NAT box=
    leftsubnet=10.5.125.105/32
    right=202.202.202.202        # my peer's external, internet-routable ip address=
    rightsubnet=10.8.13.113/32

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
</PRE>
<BR><B>My ipsec verify result</B><BR>
<PRE>
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             [OK]
Linux Openswan U2.4.9/K2.6.18-1.2798.fc6 (netkey)
Checking for IPsec support in kernel                        [OK]
NETKEY detected, testing for disabled ICMP send_redirects   [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
  or NETKEY will accept bogus ICMP redirects!

Checking for RSA private key (/etc/ipsec.secrets)           [OK]
Checking that pluto is running                              [OK]
Two or more interfaces found, checking IP forwarding        [OK]
Checking NAT and MASQUERADEing                              [OK]
Checking for 'ip' command                                   [OK]
Checking for 'iptables' command                             [OK]
Opportunistic Encryption Support                            [DISABLED]
</PRE>
<BR>Regards,<BR>Hammad<BR><BR><BR></DIV>
<DIV class=gmail_quote>On Tue, Mar 11, 2008 at 10:56 PM, Peter
McGill <<A href="mailto:petermcgill@goco.net"
target=_blank>petermcgill@goco.net</A>> wrote:<BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">
<DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>Did you add leftsourceip=leftlanip and
rightsourceip=rightlanip?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>Without them you can only ping hosts other than the
ipsec gateway,</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>on the remote lan, and only from hosts on the local
lan not the local</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>ipsec gateway.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>Show us your ipsec.conf and ipsec
verify.</FONT></SPAN></DIV>
<DIV> </DIV>
<DIV align=left><FONT face=Arial size=2>Peter
McGill</FONT></DIV>
<DIV> </DIV><BR>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: rgb(0,0,255) 2px solid; MARGIN-RIGHT: 0px">
<DIV lang=en-us dir=ltr align=left>
<HR>
<FONT face=Tahoma size=2><B>From:</B> <A
href="mailto:users-bounces@openswan.org"
target=_blank>users-bounces@openswan.org</A> [mailto:<A
href="mailto:users-bounces@openswan.org"
target=_blank>users-bounces@openswan.org</A>] <B>On Behalf
Of </B>Khan, Hammad Aslam<BR><B>Sent:</B> March 11, 2008
1:45 PM<BR><B>To:</B> <A href="mailto:users@openswan.org"
target=_blank>users@openswan.org</A><BR><B>Subject:</B>
[Openswan Users] Packets not passing through
Tunnel<BR></FONT><BR></DIV>
<DIV>
<DIV></DIV>
<DIV>
<DIV></DIV>Hello everyone,<BR>My tunnel has been
successfully established (both ISAKMP and IPSEC are
UP);<BR>but when I try to ping/telnet the remote end's private
network PC I don't get any response.<BR><BR>Using
<B>tcpdump -i eth0 </B>(which is my public interface of the
GW) it shows that the GW is querying the internet for the
remote-private-nw using ARP. No ESP packets are
seen...<BR><BR>I added a route of <BR># route add
&lt;remote-private-ip&gt; gw
&lt;remote-public-ip&gt;<BR>...but still, I see the same
result?<BR><BR>Please
help.<BR><BR>Regards,<BR>Hammad<BR></DIV></DIV></BLOCKQUOTE></DIV></BLOCKQUOTE></DIV><BR></DIV></DIV></BLOCKQUOTE></DIV></BLOCKQUOTE></DIV><BR></DIV></DIV></BLOCKQUOTE></DIV></BLOCKQUOTE></DIV><BR></DIV></DIV></BLOCKQUOTE></DIV></BLOCKQUOTE></DIV><BR></DIV></DIV></BLOCKQUOTE></DIV></BLOCKQUOTE></DIV><BR></BLOCKQUOTE></BODY></HTML>