<html><head><base href="x-msg://363/"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Thanks a lot for your help.<div><br></div><div>I think I managed to solve this by allowing all traffic from trusted zzz.3 to xxx.1 with a:</div><div><br></div><div>iptables -I INPUT -s zzz.zzz.zzz.3 -j ACCEPT</div><div><br></div><div>I hope this doesn't generate a huge security gap as it's only traffic from a trusted source, what do you think?</div><div><br></div><div>BIG THANK YOU TO ALL FOR YOUR KIND HELP!!!</div><div><br></div><div>RM</div><div><div><div>On 02/12/2010, at 17:43, simon charles wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div class="hmmessage" style="font-size: 10pt; font-family: Tahoma; ">RM,<br> Is that your complete iptables ruleset on that xxx.1 box? Could you post your complete iptables ruleset. I see that you have rules defined for your OUTPUT filter - what is your default policy on that chain? You might want to look into incorporating the following if your default policy on the INPUT chain is DROP/REJECT<br>"iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT". 
If your default policy on the OUTPUT chain is anything other than ACCEPT then you would have to add that traffic to the exclusion list on that OUTPUT chain.<br><br><span style="font-family: Tahoma, Helvetica, sans-serif; font-style: italic; font-weight: bold; ">-<span style="font-family: 'Times New Roman', Times, serif; "><span class="Apple-converted-space"> </span>Simon Charles -<span class="Apple-converted-space"> </span></span></span><br><br><br><br><br><hr id="stopSpelling">From:<span class="Apple-converted-space"> </span><a href="mailto:rodrigomf@bl.com.mx">rodrigomf@bl.com.mx</a><br>Date: Thu, 2 Dec 2010 14:25:55 -0600<br>To:<span class="Apple-converted-space"> </span><a href="mailto:paul@xelerance.com">paul@xelerance.com</a>;<span class="Apple-converted-space"> </span><a href="mailto:wgillespie+openswan@es2eng.com">wgillespie+openswan@es2eng.com</a><br>CC:<span class="Apple-converted-space"> </span><a href="mailto:users@openswan.org">users@openswan.org</a><br>Subject: Re: [Openswan Users] UPDATE: Tunnel up, can ping, cannot connect!! :S<br><br>Update to this question. (I think with this update this question should become a simple one for experts)<div><br></div><div>I disabled iptables on my server xxx.xxx.xxx.1 and the connection is ESTABLISHED. 
This means iptables is stopping the SYN|ACK packets from zzz.zzz.zzz.3 somehow.</div><div><br></div><div>These are the iptables rules I'm applying:</div><div><br></div><div><div style="margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; ">iptables -I OUTPUT -p udp --dport 500 -j ACCEPT</div><div style="margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; ">iptables -I INPUT -p udp --dport 500 -j ACCEPT</div><div style="margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; ">iptables -I INPUT -p udp --dport 4500 -j ACCEPT</div><div style="margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; ">iptables -I OUTPUT -p udp --dport 4500 -j ACCEPT</div><div style="margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; ">iptables -I INPUT -p 50 -j ACCEPT</div><div style="margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; ">iptables -I OUTPUT -p 50 -j ACCEPT</div><div style="margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; "><br></div><div style="margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; ">I think this is the last step to have my first fully functional OpenSWAN VPN. Please help! 
:D</div><div style="margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; "><br></div><div style="margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; ">Thank you!</div><div style="margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; ">RM</div><div style="margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; "><br></div><div><div><div><div>On 02/12/2010, at 12:36, Ing. Rodrigo Méndez wrote:</div><br class="ecxApple-interchange-newline"><blockquote><div style="word-wrap: break-word; ">Hi again<div><br></div><div>You helped me last week in setting up a VPN that apparently went successfully, but there's a problem.</div><div><br></div><div>Let me remind you of my configuration: xxx.xxx.xxx.1 (my public CentOS box) &lt;-----&gt; yyy.yyy.yyy.2 (Juniper VPN concentrator) &lt;---&gt; zzz.zzz.zzz.3 (box in private LAN)</div><div><br></div><div>I can ping the machine in the remote LAN perfectly (xxx.1 to zzz.3) but cannot connect to any port through telnet. The interesting part of this is that I see the ESP traffic coming out of xxx.1, the admin of the Juniper Concentrator (yyy.2) can see my traffic coming through and so can the guy on the zzz.3 box (private LAN).</div><div><br></div><div>But this guy (zzz.3) sees the connection dropping each time. 
See example:</div><div><br></div><div><font face="sans-serif" size="2">[admwsph@WebSphere2pt ~]$ while true; do netstat -na | grep 9082; sleep 3; done</font> <br><font face="sans-serif" size="2">tcp 0 0 zzz.zzz.zzz.3:9082 xxx.xxx.xxx.1:46650 <b>SYN_RECV </b> </font> <br><font face="sans-serif" size="2">tcp 0 0 :::9082 :::* LISTEN </font></div><div><font face="sans-serif" size="2"><br></font></div><div><font face="sans-serif" size="2">This command is run on zzz.3</font></div><div><br></div><div>Do you have any idea what could be going on here?</div><div><br></div><div>Thank you very much for your help.</div><div>Regards!</div><div>RM</div><div><br><div><div>On 23/11/2010, at 14:51, Paul Wouters wrote:</div><br class="ecxApple-interchange-newline"><blockquote><div>On Tue, 23 Nov 2010, "Ing. Rodrigo Méndez" wrote:<br><br><blockquote>This is the result from ipsec verify:<br></blockquote><br>Looks good.<br><br><blockquote>The people from the Juniper VPN concentrator say they don't see any traffic coming from our IPs, so it would seem there's no traffic coming out from Box 1<br></blockquote><blockquote>(CentOS box). The strange thing is it doesn't work even if iptables is disabled (so no blocking is apparently occurring, or at least it isn't the main<br></blockquote><blockquote>problem).<br></blockquote><blockquote>My best guess now is that I'm having a routing problem. <br></blockquote><br>I don't think so...<br><br><blockquote>Any ideas on how to tell Linux to route the packets going to zzz.zzz.zzz.3 through the tunnel?? (I'm using netkey, not KLIPS)<br></blockquote><br>manual routing should not be used. netlink will snatch the packets.<br><br><blockquote>I can't find any route to yyy.yyy.yyy.2 or zzz.zzz.zzz.3 (the box in the private LAN) anywhere in the routing table. I'm not sure if this is OK.<br></blockquote><br>that's fine.<br><br>It seems you have one interface online. Are you behind a port forward? 
Is your upstream<br>router filtering packets?<br><br>Try adding forceencaps=yes?<br><br><br>Paul<br><br></div></blockquote></div><br><div><div style="word-wrap: break-word; "><div><br></div></div></div></div></div></blockquote></div><br></div></div></div></div></span></blockquote></div><br><div>
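Editor's added example, not code posted by any participant in this thread. RM's closing rule, <code>iptables -I INPUT -s zzz.zzz.zzz.3 -j ACCEPT</code>, trusts the source address alone: the <code>-s</code> match only inspects the IP header, so it accepts a packet carrying that address whether netkey decapsulated it from the IPsec SA or it arrived in the clear on the public interface. The script below puts that rule beside an INPUT ruleset for a netkey gateway like the xxx.1 box that accepts zzz.3 traffic only when the iptables <code>policy</code> match confirms it came through an inbound ESP policy, restricts IKE, NAT-T and ESP to the peer gateway, and includes the <code>RELATED,ESTABLISHED</code> rule Simon suggested (which is what lets the SYN|ACK seen stuck in SYN_RECV back in). It also carries a small audit function that flags source-only ACCEPT rules in an <code>iptables -S INPUT</code> listing. It runs in dry-run mode by default (the commands are echoed, not applied); the addresses are the thread's placeholders, a DROP default policy on INPUT and a fixed public address for the peer gateway are assumptions, and the listing fed to the audit is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Dry-run by default: every rule is
# echoed rather than applied. Run with IPTABLES=iptables (as root) to apply.
IPTABLES="${IPTABLES:-echo iptables}"

PEER_GW="yyy.yyy.yyy.2"      # Juniper concentrator, placeholder address from the thread
REMOTE_HOST="zzz.zzz.zzz.3"  # host in the remote private LAN, placeholder from the thread

# The rule from the thread. "-s" only inspects the IP header, so a packet with
# this source address is accepted whether it was decapsulated from the IPsec SA
# or arrived in the clear on the public interface.
weak_rules() {
    $IPTABLES -I INPUT -s "$REMOTE_HOST" -j ACCEPT
}

# Hardened INPUT rules for an Openswan/netkey gateway. Assumes the chain's
# default policy is DROP and that the peer gateway has a fixed public address.
hardened_rules() {
    # Replies to connections this host initiated, including the SYN|ACK that
    # was being dropped in the thread (zzz.3 stuck in SYN_RECV).
    $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # IKE, NAT-T and ESP only from the peer gateway.
    $IPTABLES -A INPUT -p udp -s "$PEER_GW" --dport 500 -j ACCEPT
    $IPTABLES -A INPUT -p udp -s "$PEER_GW" --dport 4500 -j ACCEPT
    $IPTABLES -A INPUT -p esp -s "$PEER_GW" -j ACCEPT
    # Cleartext from the remote host is accepted only when netkey decapsulated
    # it under an inbound IPsec (ESP) policy; the same source address arriving
    # outside the tunnel is logged and dropped.
    $IPTABLES -A INPUT -s "$REMOTE_HOST" -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    $IPTABLES -A INPUT -s "$REMOTE_HOST" -j LOG --log-prefix "untunnelled-src: "
    $IPTABLES -A INPUT -s "$REMOTE_HOST" -j DROP
}

# Audit helper: read "iptables -S INPUT" output on stdin and print each ACCEPT
# rule that matches on a source address without an IPsec policy match.
# Exit status is 0 whether or not anything is flagged.
audit_input_chain() {
    awk '/^-A INPUT / && / -j ACCEPT/ && / -s / && !/ -m policy / { print }'
}

# Constructed sample listing (not captured from the box in the thread).
SAMPLE_LISTING='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s zzz.zzz.zzz.3/32 -j ACCEPT
-A INPUT -s zzz.zzz.zzz.3/32 -m policy --dir in --pol ipsec --proto esp -j ACCEPT'

echo "# weak rule from the thread:"
weak_rules
echo "# hardened ruleset:"
hardened_rules
echo "# source-only ACCEPT rules flagged in the sample listing:"
printf '%s\n' "$SAMPLE_LISTING" | audit_input_chain
```

The policy match is what ties trust to the tunnel rather than to an address: a packet that matches <code>-s zzz.zzz.zzz.3</code> but fails <code>-m policy --dir in --pol ipsec</code> was not protected by any SA, which is exactly the case the plain <code>-s</code> rule lets through. The LOG rule before the final DROP gives a defender a signal if such packets ever show up.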
</div></div></body></html>