Thanks Bob for replying.<br><br>Yes I thought so it's firewall issue. I already tried to put the firewall down and still no luck.<br><br>I also tried to define the forwarding on iptables. I don't know if this is correct or I'm just missing something.<br>
<br><blockquote style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;" class="gmail_quote"> iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.0.21 -p TCP --sport 1024:65535 -m multiport --dports 7777 -j ACCEPT<br>
</blockquote><blockquote style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;" class="gmail_quote"><div> iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 7777 --sport 1024:65535 -j DNAT --to <a href="http://192.168.0.21:7777">192.168.0.21:7777</a></div>
</blockquote><br><br>Tthanks,<br>chr1x2<br><br><br><div class="gmail_quote">On Thu, Mar 11, 2010 at 13:30, Bob Miller <span dir="ltr"><<a href="mailto:bob@computerisms.ca">bob@computerisms.ca</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
Since your tunnel is up but the ping packets don't seem to be going in<br>
the tunnel, I would guess your firewall needs some tweaking. There are<br>
several examples on the net of how to mark your packets using iptables<br>
for use with openswan.<br>
but it's just a guess...<br>
<div><div></div><div class="h5"><br>
<br>
<br>
On Thu, 2010-03-11 at 11:33 +0800, chr1x2 wrote:<br>
> Hi All,<br>
><br>
> I'm a bit new with Openswan and I'm trying to setup a IPSec/VPN tunnel<br>
> connection and I need help. I already asked Google about it but I<br>
> cannot seem find the solution.<br>
><br>
> Here's the problem. I can connect to the gateway but I cannot ping,<br>
> telnet or make any other connection on the internal lan. Thus making<br>
> the tunnel connection useless.<br>
><br>
> Please see my configuration below.<br>
><br>
> ipsec.conf<br>
><br>
> version 2.0<br>
><br>
> config setup<br>
> plutostderrlog="/var/log/ipsec.log"<br>
> plutoopts="--perpeerlog"<br>
><br>
><br>
> conn L2TP-PSK<br>
> authby=secret<br>
> pfs=no<br>
> rekey=no<br>
> keyingtries=3<br>
> left=%defaultroute<br>
> leftnexthop=192.168.0.1<br>
> leftprotoport=17/1701<br>
> right=%any<br>
> rightprotoport=17/%any<br>
> auto=add<br>
><br>
> include /etc/ipsec.d/examples/no_oe.conf<br>
><br>
><br>
> # setkey -DP<br>
> 172.16.0.156[1701] 192.168.0.41[1701] udp<br>
> in ipsec<br>
> esp/transport//unique#16397<br>
> created: Mar 11 10:49:29 2010 lastused: Mar 11<br>
> 11:12:29 2010<br>
> lifetime: 0(s) validtime: 0(s)<br>
> spid=992 seq=7 pid=22104<br>
> refcnt=2<br>
> 192.168.0.41[1701] 172.16.0.156[1701] udp<br>
> out ipsec<br>
> esp/transport//unique#16397<br>
> created: Mar 11 10:49:29 2010 lastused: Mar 11<br>
> 11:12:29 2010<br>
> lifetime: 0(s) validtime: 0(s)<br>
> spid=1001 seq=6 pid=22104<br>
> refcnt=2<br>
> ::/0[any] ::/0[any] any<br>
> in none<br>
> created: Mar 11 10:35:43 2010<br>
> lastused:<br>
> lifetime: 0(s) validtime: 0(s)<br>
> spid=947 seq=5 pid=22104<br>
> refcnt=1<br>
> <a href="http://0.0.0.0/0[any]" target="_blank">0.0.0.0/0[any]</a> <a href="http://0.0.0.0/0[any]" target="_blank">0.0.0.0/0[any]</a> any<br>
> in none<br>
> created: Mar 11 10:35:43 2010<br>
> lastused:<br>
> lifetime: 0(s) validtime: 0(s)<br>
> spid=931 seq=4 pid=22104<br>
> refcnt=1<br>
> <a href="http://0.0.0.0/0[any]" target="_blank">0.0.0.0/0[any]</a> <a href="http://0.0.0.0/0[any]" target="_blank">0.0.0.0/0[any]</a> any<br>
> in none<br>
> created: Mar 11 10:35:43 2010 lastused: Mar 11<br>
> 10:49:29 2010<br>
> lifetime: 0(s) validtime: 0(s)<br>
> spid=915 seq=3 pid=22104<br>
> refcnt=1<br>
> ::/0[any] ::/0[any] any<br>
> out none<br>
> created: Mar 11 10:35:43 2010<br>
> lastused:<br>
> lifetime: 0(s) validtime: 0(s)<br>
> spid=956 seq=2 pid=22104<br>
> refcnt=1<br>
> <a href="http://0.0.0.0/0[any]" target="_blank">0.0.0.0/0[any]</a> <a href="http://0.0.0.0/0[any]" target="_blank">0.0.0.0/0[any]</a> any<br>
> out none<br>
> created: Mar 11 10:35:43 2010<br>
> lastused:<br>
> lifetime: 0(s) validtime: 0(s)<br>
> spid=940 seq=1 pid=22104<br>
> refcnt=1<br>
> <a href="http://0.0.0.0/0[any]" target="_blank">0.0.0.0/0[any]</a> <a href="http://0.0.0.0/0[any]" target="_blank">0.0.0.0/0[any]</a> any<br>
> out none<br>
> created: Mar 11 10:35:43 2010 lastused: Mar 11<br>
> 10:49:29 2010<br>
> lifetime: 0(s) validtime: 0(s)<br>
> spid=924 seq=0 pid=22104<br>
> refcnt=1<br>
><br>
><br>
> # ipsec auto --status<br>
> 000 interface lo/lo ::1<br>
> 000 interface lo/lo 127.0.0.1<br>
> 000 interface eth0/eth0 192.168.164.41<br>
> 000 %myid = (none)<br>
> 000 debug none<br>
> 000<br>
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8,<br>
> keysizemin=64, keysizemax=64<br>
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8,<br>
> keysizemin=192, keysizemax=192<br>
> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,<br>
> keysizemin=40, keysizemax=448<br>
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0,<br>
> keysizemin=0, keysizemax=0<br>
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8,<br>
> keysizemin=128, keysizemax=256<br>
> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,<br>
> keysizemin=128, keysizemax=256<br>
> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,<br>
> keysizemin=128, keysizemax=256<br>
> 000 algorithm ESP auth attr: id=1,<br>
> name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128<br>
> 000 algorithm ESP auth attr: id=2,<br>
> name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160<br>
> 000 algorithm ESP auth attr: id=5,<br>
> name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256,<br>
> keysizemax=256<br>
> 000 algorithm ESP auth attr: id=251, name=(null),<br>
> keysizemin=0, keysizemax=0<br>
> 000<br>
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC,<br>
> blocksize=8, keydeflen=192<br>
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC,<br>
> blocksize=16, keydeflen=128<br>
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16<br>
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20<br>
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024,<br>
> bits=1024<br>
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536,<br>
> bits=1536<br>
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048,<br>
> bits=2048<br>
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072,<br>
> bits=3072<br>
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096,<br>
> bits=4096<br>
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144,<br>
> bits=6144<br>
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192,<br>
> bits=8192<br>
> 000<br>
> 000 stats db_ops.c: {curr_cnt, total_cnt,<br>
> maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}<br>
> 000<br>
> 000 "L2TP-PSK": <a href="http://192.168.0.41:17/1701---192.168.0.1...%any:17/%" target="_blank">192.168.0.41:17/1701---192.168.0.1...%any:17/%</a><br>
> any; unrouted; eroute owner: #0<br>
> 000 "L2TP-PSK": srcip=unset; dstip=unset; srcup=ipsec<br>
> _updown; dstup=ipsec _updown;<br>
> 000 "L2TP-PSK": ike_life: 3600s; ipsec_life: 28800s;<br>
> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3<br>
> 000 "L2TP-PSK": policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio:<br>
> 32,32; interface: eth0; encap: esp;<br>
> 000 "L2TP-PSK": newest ISAKMP SA: #0; newest IPsec SA: #0;<br>
> 000 "L2TP-PSK"[3]:<br>
> <a href="http://192.168.0.41:17/1701---192.168.0.1...172.16.0.156:17/1701" target="_blank">192.168.0.41:17/1701---192.168.0.1...172.16.0.156:17/1701</a>;<br>
> erouted; eroute owner: #6<br>
> 000 "L2TP-PSK"[3]: srcip=unset; dstip=unset; srcup=ipsec<br>
> _updown; dstup=ipsec _updown;<br>
> 000 "L2TP-PSK"[3]: ike_life: 3600s; ipsec_life: 28800s;<br>
> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3<br>
> 000 "L2TP-PSK"[3]: policy: PSK+ENCRYPT+TUNNEL+DONTREKEY;<br>
> prio: 32,32; interface: eth0; encap: esp;<br>
> 000 "L2TP-PSK"[3]: newest ISAKMP SA: #5; newest IPsec SA:<br>
> #6;<br>
> 000 "L2TP-PSK"[3]: IKE algorithm newest:<br>
> 3DES_CBC_192-SHA1-MODP2048<br>
> 000<br>
> 000 #6: "L2TP-PSK"[3] <a href="http://172.16.0.156:500" target="_blank">172.16.0.156:500</a> STATE_QUICK_R2 (IPsec<br>
> SA established); EVENT_SA_EXPIRE in 1967s; newest IPSEC;<br>
> eroute owner<br>
> 000 #6: "L2TP-PSK"[3] 172.16.0.156 <a href="mailto:esp.a6aa4532@172.16.0.156">esp.a6aa4532@172.16.0.156</a><br>
> <a href="mailto:esp.41471b19@192.168.0.41">esp.41471b19@192.168.0.41</a><br>
> 000 #5: "L2TP-PSK"[3] <a href="http://172.16.0.156:500" target="_blank">172.16.0.156:500</a> STATE_MAIN_R3 (sent<br>
> MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 27167s; newest<br>
> ISAKMP; nodpd<br>
> 000<br>
><br>
> route -n<br>
> Kernel IP routing table<br>
> Destination Gateway Genmask Flags Metric<br>
> Ref Use Iface<br>
> 172.16.0.156 192.168.0.1 255.255.255.255 UGH 0 0<br>
> 0 eth0<br>
> 10.0.1.2 0.0.0.0 255.255.255.255 UH 0 0<br>
> 0 ppp0<br>
> 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0<br>
> 0 eth0<br>
> 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0<br>
> 0 eth0<br>
> 0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0<br>
> 0 eth0<br>
><br>
> # tcpdump -i ppp0<br>
> 11:25:58.314939 IP 192.168.0.240.1082 > 192.168.0.21.8888: S<br>
> 2675286046:2675286046(0) win 64240 <mss 1360,nop,nop,sackOK><br>
> 11:26:01.317168 IP 192.168.0.240.1082 > 192.168.0.21.8888: S<br>
> 2675286046:2675286046(0) win 64240 <mss 1360,nop,nop,sackOK><br>
> 11:26:07.326024 IP 192.168.0.240.1082 > 192.168.0.21.8888: S<br>
> 2675286046:2675286046(0) win 64240 <mss 1360,nop,nop,sackOK><br>
> 11:26:22.864028 IP 192.168.0.240 > <a href="http://192.168.0.21" target="_blank">192.168.0.21</a>: icmp 40: echo<br>
> request seq 2304<br>
> 11:26:28.088071 IP 192.168.0.240 > <a href="http://192.168.0.21" target="_blank">192.168.0.21</a>: icmp 40: echo<br>
> request seq 2560<br>
> 11:26:33.097248 IP 192.168.0.240 > <a href="http://192.168.0.21" target="_blank">192.168.0.21</a>: icmp 40: echo<br>
> request seq 2816<br>
><br>
> l2tpd.conf<br>
> [lns default]<br>
> ip range = 192.168.0.240-192.168.0.250<br>
> local ip = 192.168.0.41<br>
> require chap = yes<br>
> refuse pap = yes<br>
> require authentication = yes<br>
> name = ipsec<br>
> ppp debug = yes<br>
> pppoptfile = /etc/ppp/options.l2tpd<br>
> length bit = yes<br>
><br>
><br>
> Any help would be appreciated.<br>
><br>
><br>
> Thanks,<br>
> chr1x2<br>
</div></div>> _______________________________________________<br>
> <a href="mailto:Users@openswan.org">Users@openswan.org</a><br>
> <a href="http://lists.openswan.org/mailman/listinfo/users" target="_blank">http://lists.openswan.org/mailman/listinfo/users</a><br>
> Building and Integrating Virtual Private Networks with Openswan:<br>
> <a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>
<font color="#888888">Bob Miller<br>
334-7117/633-3760<br>
<a href="http://computerisms.ca" target="_blank">http://computerisms.ca</a><br>
<a href="mailto:bob@computerisms.ca">bob@computerisms.ca</a><br>
Network, Internet, Server,<br>
and Open Source Solutions<br>
<br>
</font></blockquote></div><br>