<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body text="#000000" bgcolor="#ffffff">
<tt>Hi!<br>
<br>
I'm struggling to get an IPsec VPN from a local client (with
dynamic IP) to a remote server (provided through a LANCOM router)
working. The client successfully connects to the VPN, but is then
unable to ping the server -- whereas the server *can* ping the
client.<br>
<br>
My local client (Linux PC with OpenSwan)<br>
- Interface ppp0 with public (but dynamic) IP<br>
- Interface eth0 (LAN) with IP 192.168.124.1<br>
- Provides NAT for other LAN participants<br>
<br>
Server I connect to (LANCOM router)<br>
- Static public IP a.b.c.d<br>
- Routes to LAN 192.168.248.1<br>
<br>
Here's what I have in my ipsec.conf:<br>
<br>
conn nwsi<br>
left=%defaultroute # dynamic IP<br>
leftid=@myid<br>
leftsubnet=192.168.124.0/24<br>
right=a.b.c.d<br>
rightid=@serverid<br>
rightsubnet=192.168.248.0/24<br>
# ...encryption-related settings...<br>
<br>
After establishing a connection, OpenSwan adds this route:<br>
<br>
Destination Gateway Genmask Flags Metric Ref Use Iface<br>
192.168.248.0 * 255.255.255.0 U 0 0 0 ppp0<br>
<br>
I'm not sure having '*' as gateway is right. Should that be
192.168.248.1?<br>
My firewall is set up like this:<br>
</tt>
<blockquote><tt># Don't filter LAN traffic, we trust the LAN</tt><br>
<tt>iptables -A INPUT -i eth0 -j ACCEPT</tt><br>
<tt>iptables -A INPUT -i lo -j ACCEPT</tt><br>
<br>
<tt># Enable incoming pings</tt><br>
<tt>iptables -A INPUT -i ppp0 -s 0/0 -p icmp --icmp-type 8 -j ACCEPT</tt><br>
<br>
<tt># Deny any packet coming in on the public internet interfaces</tt><br>
<tt># claiming to be from our local network:</tt><br>
<tt>iptables -A INPUT -i ppp0 -s 192.168.124.0/24 -j DROP</tt><br>
<tt>iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -j DROP</tt><br>
<br>
<tt># Allow already established connections</tt><br>
<tt>iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT</tt><br>
<br>
<tt># Allow incoming IPsec traffic</tt><br>
<tt>iptables -A INPUT -i ppp0 -p udp --dport 500 -m state --state NEW -j ACCEPT</tt><br>
<tt>iptables -A INPUT -i ppp0 -p udp --dport 4500 -m state --state NEW -j ACCEPT</tt><br>
<tt>iptables -A INPUT -i ppp0 -p esp -m state --state NEW -j ACCEPT</tt><br>
<tt>iptables -A INPUT -i ppp0 -p ah -m state --state NEW -j ACCEPT</tt><br>
<br>
<tt># Reject everything else</tt><br>
<tt>iptables -A INPUT -j REJECT</tt><br>
<br>
<tt># Allow server to be used as a gateway to the internet</tt><br>
<tt>iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT</tt><br>
<br>
<tt># Forward packets for established connections back to the sender</tt><br>
<tt>iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT</tt><br>
<br>
<tt># Reject everything else</tt><br>
<tt>iptables -A FORWARD -j REJECT</tt><br>
<br>
<tt># Perform NAT for any packets routed to us targeting ppp0</tt><br>
<tt>iptables -A POSTROUTING -t nat -o ppp0 -j MASQUERADE</tt><br>
<tt>#iptables -A POSTROUTING -t nat -o ppp0 ! -d 192.168.248.0/24 -j MASQUERADE</tt><br>
</blockquote>
I tried running 'tcpdump | grep 248' while pinging (and attempting
to access an HTTP server in the 248 net), but no output is generated.<br>
Can anyone spot the problem or give me any hints on how I could debug
this further?<br>
<br>
-Markus-<br>
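<p>The ruleset from the message above, run through a small checker for the usual pitfalls of combining IPsec with NAT on one box. This is an added example, not code from the original post and not part of Openswan or the LANCOM firmware. It assumes the Linux NETKEY/xfrm IPsec stack, where nat/POSTROUTING runs before ESP encapsulation (so a MASQUERADE on the public interface rewrites the LAN source before the packet is compared against leftsubnet) and where decrypted packets re-enter the filter chains on ppp0 carrying their inner addresses. The subnets and interface names are the ones from the post; both embedded rulesets are constructed samples, the first copied from the post and the second with the three gaps closed.</p>

```python
"""Lint an iptables ruleset for the usual IPsec-plus-NAT pitfalls.

Added example, not code from the original post or from Openswan/LANCOM.
Assumes the Linux NETKEY/xfrm IPsec stack: nat/POSTROUTING runs before ESP
encapsulation, and decrypted packets re-enter the filter chains on the
public interface with their inner (LAN) source and destination addresses.
"""
import shlex

LEFT_SUBNET = "192.168.124.0/24"   # leftsubnet from the post
RIGHT_SUBNET = "192.168.248.0/24"  # rightsubnet from the post
PUBLIC_IF = "ppp0"
LAN_IF = "eth0"

# Constructed sample: the filter and nat rules from the post.
POSTED_RULES = """
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i ppp0 -s 0/0 -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -i ppp0 -s 192.168.124.0/24 -j DROP
iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ppp0 -p udp --dport 500 -m state --state NEW -j ACCEPT
iptables -A INPUT -i ppp0 -p udp --dport 4500 -m state --state NEW -j ACCEPT
iptables -A INPUT -i ppp0 -p esp -m state --state NEW -j ACCEPT
iptables -A INPUT -i ppp0 -p ah -m state --state NEW -j ACCEPT
iptables -A INPUT -j REJECT
iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -A POSTROUTING -t nat -o ppp0 -j MASQUERADE
"""

# Constructed sample: the same ruleset with the three gaps closed. The new
# ACCEPT rules are placed before the catch-all REJECTs, which is what makes
# them effective; the MASQUERADE now exempts traffic for the peer subnet.
HARDENED_RULES = POSTED_RULES.replace(
    "iptables -A INPUT -j REJECT",
    "iptables -A INPUT -i ppp0 -s 192.168.248.0/24 -d 192.168.124.0/24 -j ACCEPT\n"
    "iptables -A INPUT -j REJECT",
).replace(
    "iptables -A FORWARD -j REJECT",
    "iptables -A FORWARD -i ppp0 -o eth0 -s 192.168.248.0/24 -d 192.168.124.0/24 -j ACCEPT\n"
    "iptables -A FORWARD -j REJECT",
).replace(
    "iptables -A POSTROUTING -t nat -o ppp0 -j MASQUERADE",
    "iptables -A POSTROUTING -t nat -o ppp0 ! -d 192.168.248.0/24 -j MASQUERADE",
)


def parse_rule(line):
    """Turn one 'iptables -A CHAIN ...' line into (table, chain, options).
    Blank lines and comments yield None. A negated match '! -d X' is stored
    under the key '!-d'."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    toks = shlex.split(line)
    if not toks or toks[0] != "iptables":
        return None
    table, chain, opts, i = "filter", None, {}, 1
    while i < len(toks):
        tok = toks[i]
        if tok == "!" and i + 2 < len(toks):
            opts["!" + toks[i + 1]] = toks[i + 2]
            i += 3
        elif tok == "-t":
            table, i = toks[i + 1], i + 2
        elif tok == "-A":
            chain, i = toks[i + 1], i + 2
        elif tok.startswith("-") and i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            opts[tok] = toks[i + 1]
            i += 2
        else:
            i += 1
    return table, chain, opts


def lint(rules_text, right=RIGHT_SUBNET, pub=PUBLIC_IF, lan=LAN_IF):
    """Return the sorted list of pitfall names found in rules_text."""
    rules = [r for r in map(parse_rule, rules_text.splitlines()) if r]

    def find(table, chain, **want):
        """Index of the first rule in table/chain whose options include want."""
        for idx, (t, c, o) in enumerate(rules):
            if t == table and c == chain and all(o.get(k) == v for k, v in want.items()):
                return idx
        return None

    def catch_all(chain):
        """Index of the chain's unconditional REJECT/DROP, or len(rules) if none."""
        for idx, (t, c, o) in enumerate(rules):
            if t == "filter" and c == chain and set(o) == {"-j"} and o["-j"] in ("REJECT", "DROP"):
                return idx
        return len(rules)

    def accepted_before_catch_all(chain, **want):
        idx = find("filter", chain, **want)
        return idx is not None and idx < catch_all(chain)

    findings = []
    # 1. MASQUERADE on the public interface rewrites the LAN source before the
    #    packet meets the IPsec policy, so it must exempt the peer subnet (or a
    #    nat/POSTROUTING ACCEPT for that subnet must come first).
    masq = find("nat", "POSTROUTING", **{"-o": pub, "-j": "MASQUERADE"})
    exempt_earlier = find("nat", "POSTROUTING", **{"-d": right, "-j": "ACCEPT"})
    if masq is not None:
        opts = rules[masq][2]
        exempt_inline = opts.get("!-d") == right or opts.get("-m") == "policy"
        if not exempt_inline and not (exempt_earlier is not None and exempt_earlier < masq):
            findings.append("nat_exemption")
    # 2. Only ESTABLISHED,RELATED is forwarded from ppp0 to the LAN, so a peer
    #    opening a new connection towards a LAN host is rejected.
    if not accepted_before_catch_all("FORWARD", **{"-i": pub, "-o": lan, "-s": right, "-j": "ACCEPT"}):
        findings.append("forward_from_vpn")
    # 3. Decrypted packets for this host arrive on ppp0 with a peer-subnet
    #    source; apart from ICMP echo requests they fall through to REJECT.
    if not accepted_before_catch_all("INPUT", **{"-i": pub, "-s": right, "-j": "ACCEPT"}):
        findings.append("input_from_vpn")
    return sorted(findings)


if __name__ == "__main__":
    print("posted  :", lint(POSTED_RULES) or "clean")
    print("hardened:", lint(HARDENED_RULES) or "clean")
```

<p>The checker only looks at the firewall. Two further points are independent of it: the <tt>*</tt> gateway in the route is normal for a point-to-point interface such as ppp0, and a ping sent from the client itself is sourced from the ppp0 address unless told otherwise, which lies outside leftsubnet and therefore never matches the IPsec policy; sourcing it from the LAN address (<tt>ping -I 192.168.124.1</tt>) or setting <tt>leftsourceip=192.168.124.1</tt> in the conn puts it inside the tunnel. To confirm whether packets enter the tunnel at all, <tt>tcpdump -ni ppp0 esp</tt> shows the encrypted traffic and <tt>ip xfrm policy</tt> shows which selectors the kernel is applying.</p>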
</body>
</html>