<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Webdings;
panose-1:5 3 1 2 1 5 9 6 7 3;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-IE link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal>Hi Guys,<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I have a situation with a debian 6 box, with multiple nic’s & u2.6.28/k2.6.32-5-686.<o:p></o:p></p><p class=MsoNormal>This box acts as our external gateway and VPN router.<o:p></o:p></p><p class=MsoNormal>There are approx. 6 L2L connections config’ed in ipsec.conf and communication between remote (for example LAN_B, LAN_C & LAN_D) and directly attached networks (for example LAN_A) is just fine.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Where I am experiencing difficulty is in communicating from one remote network to another (for example LAN_B to LAN_C).<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I have rules defined in iptables to allow the traffic using the FORWARD chain, and within reason I have routes defined – note I am using netkey for proto stack.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Am I missing an obvious config here – I’m baffled.<o:p></o:p></p><p class=MsoNormal>The gateway can ping each remote network individually.<o:p></o:p></p><p class=MsoNormal>I have enabled the TRACE chain in the iptables, but its not really giving me any clarity.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Should I have the remote networks (LAN_B & LAN_C) defined in PREROUTING, INPUT & OUTPUT ?<o:p></o:p></p><p class=MsoNormal>I would have thought the tunnels terminate within the ipsec process and therefore should be filtered with the FORWARD chain.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>version 2.0 # conforms to second version of ipsec.conf specification<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal># basic configuration<o:p></o:p></p><p class=MsoNormal>config setup<o:p></o:p></p><p class=MsoNormal> # Do not set debug options to debug configuration issues!<o:p></o:p></p><p class=MsoNormal> # plutodebug / klipsdebug = "all", "none" or a combation from below:<o:p></o:p></p><p class=MsoNormal> # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"<o:p></o:p></p><p class=MsoNormal> # eg:<o:p></o:p></p><p class=MsoNormal> # plutodebug="control parsing"<o:p></o:p></p><p class=MsoNormal> #<o:p></o:p></p><p class=MsoNormal> # enable to get logs per-peer<o:p></o:p></p><p class=MsoNormal> # plutoopts="--perpeerlog"<o:p></o:p></p><p class=MsoNormal> #<o:p></o:p></p><p class=MsoNormal> # Again: only enable plutodebug or klipsdebug when asked by a developer<o:p></o:p></p><p class=MsoNormal> #<o:p></o:p></p><p class=MsoNormal> # NAT-TRAVERSAL support, see README.NAT-Traversal<o:p></o:p></p><p class=MsoNormal> nat_traversal=yes<o:p></o:p></p><p class=MsoNormal> # exclude networks used on server side by adding %v4:!a.b.c.0/24<o:p></o:p></p><p class=MsoNormal> virtual_private=%v4:192.168.12.0/24,%v4:10.0.0.0/8,…etc…<o:p></o:p></p><p class=MsoNormal> # OE is now off by default. Uncomment and change to on, to enable.<o:p></o:p></p><p class=MsoNormal> oe=off<o:p></o:p></p><p class=MsoNormal> # which IPsec stack to use. auto will try netkey, then klips then mast<o:p></o:p></p><p class=MsoNormal> #protostack=auto<o:p></o:p></p><p class=MsoNormal> protostack=netkey<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>conn LAN_C<o:p></o:p></p><p class=MsoNormal># plutodebug=none<o:p></o:p></p><p class=MsoNormal> type=tunnel<o:p></o:p></p><p class=MsoNormal> authby=secret<o:p></o:p></p><p class=MsoNormal> left=232.141.33.55<o:p></o:p></p><p class=MsoNormal> leftnexthop=%defaultroute<o:p></o:p></p><p class=MsoNormal> leftsubnet=192.168.12.0/24<o:p></o:p></p><p class=MsoNormal> right=121.232.55.66<o:p></o:p></p><p class=MsoNormal> rightnexthop=%defaultroute<o:p></o:p></p><p class=MsoNormal> rightsubnet=22.33.44.0/24<o:p></o:p></p><p class=MsoNormal> ike=aes128-sha1-modp1024 # first statge authentication<o:p></o:p></p><p class=MsoNormal> esp=aes128-sha1;modp1024 # second stage<o:p></o:p></p><p class=MsoNormal> ikelifetime=86400s # Life time for the fist stage authentication<o:p></o:p></p><p class=MsoNormal> keylife=3600s # Life time for the second stage authentication<o:p></o:p></p><p class=MsoNormal> pfs=yes<o:p></o:p></p><p class=MsoNormal> auto=start<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>conn LAN_B<o:p></o:p></p><p class=MsoNormal># plutodebug=none<o:p></o:p></p><p class=MsoNormal> type=tunnel<o:p></o:p></p><p class=MsoNormal> authby=secret<o:p></o:p></p><p class=MsoNormal> left=232.141.33.55<o:p></o:p></p><p class=MsoNormal> leftid=232.141.33.55<o:p></o:p></p><p class=MsoNormal> leftnexthop=%defaultroute<o:p></o:p></p><p class=MsoNormal> leftsubnets={%v4:192.168.12.0/24,%v4:10.0.0.0/8,…etc…}<o:p></o:p></p><p class=MsoNormal> right=85.96.107.128<o:p></o:p></p><p class=MsoNormal> rightid=85.96.107.128<o:p></o:p></p><p class=MsoNormal> rightnexthop=%defaultroute<o:p></o:p></p><p class=MsoNormal> rightsubnet=10.11.22.0/24<o:p></o:p></p><p class=MsoNormal> ike=aes256-sha1-modp1024 # first statge authentication<o:p></o:p></p><p class=MsoNormal> ikelifetime=86400s # Life time for the fist stage authentication<o:p></o:p></p><p class=MsoNormal> phase2=esp<o:p></o:p></p><p class=MsoNormal> phase2alg=aes256-sha1;modp1024 # second stage<o:p></o:p></p><p class=MsoNormal> keylife=3600s # Life time for the second stage authentication<o:p></o:p></p><p class=MsoNormal> rekey=yes<o:p></o:p></p><p class=MsoNormal> rekeymargin=9m<o:p></o:p></p><p class=MsoNormal> forceencaps=yes<o:p></o:p></p><p class=MsoNormal> pfs=yes<o:p></o:p></p><p class=MsoNormal> auto=start<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal style='background:white;vertical-align:middle'><b><span lang=EN-US style='font-size:10.0pt;font-family:"Arial","sans-serif";color:#009900;mso-fareast-language:EN-IE'>Damian McHugh</span></b><span style='font-size:7.0pt;font-family:"Arial","sans-serif";color:#222222;mso-fareast-language:EN-IE'><o:p></o:p></span></p><p class=MsoNormal style='background:white;vertical-align:middle'><span lang=EN-US style='font-size:9.0pt;font-family:"Arial","sans-serif";color:#009900;mso-fareast-language:EN-IE'> </span><span style='font-size:7.0pt;font-family:"Arial","sans-serif";color:#222222;mso-fareast-language:EN-IE'><o:p></o:p></span></p><p class=MsoNormal style='background:white;vertical-align:middle'><b><span lang=EN-US style='font-size:9.0pt;font-family:"Arial","sans-serif";color:#009900;mso-fareast-language:EN-IE'>Beechill Bulbs Ltd</span></b><span style='font-size:7.0pt;font-family:"Arial","sans-serif";color:#222222;mso-fareast-language:EN-IE'><o:p></o:p></span></p><p class=MsoNormal style='background:white;vertical-align:middle'><span lang=EN-US style='font-size:9.0pt;font-family:"Arial","sans-serif";color:navy;mso-fareast-language:EN-IE'> </span><span style='font-size:7.0pt;font-family:"Arial","sans-serif";color:#222222;mso-fareast-language:EN-IE'><o:p></o:p></span></p><p class=MsoNormal style='background:white;vertical-align:middle'><b><span lang=EN-US style='font-size:9.0pt;font-family:"Arial","sans-serif";color:navy;mso-fareast-language:EN-IE'>Direct: +353 (0)57 93 22956</span></b><span style='font-size:7.0pt;font-family:"Arial","sans-serif";color:#222222;mso-fareast-language:EN-IE'><o:p></o:p></span></p><p class=MsoNormal style='background:white;vertical-align:middle'><b><span lang=EN-US style='font-size:9.0pt;font-family:"Arial","sans-serif";color:navy;mso-fareast-language:EN-IE'>Fax: +353 (0)57 93 22957</span></b><span style='font-size:7.0pt;font-family:"Arial","sans-serif";color:#222222;mso-fareast-language:EN-IE'><o:p></o:p></span></p><p class=MsoNormal style='background:white;vertical-align:middle'><b><span lang=EN-US style='font-size:9.0pt;font-family:"Arial","sans-serif";color:navy;mso-fareast-language:EN-IE'>Mob: +353 (0)87 24 13402</span></b><span style='font-size:7.0pt;font-family:"Arial","sans-serif";color:#222222;mso-fareast-language:EN-IE'><o:p></o:p></span></p><p class=MsoNormal style='background:white;vertical-align:middle'><u><span lang=EN-US style='font-size:9.0pt;font-family:"Arial","sans-serif";color:blue;mso-fareast-language:EN-IE'><a href="mailto:damian@bulbs.ie" target="_blank"><span style='color:blue'>damian@bulbs.ie</span></a></span></u><span style='font-size:7.0pt;font-family:"Arial","sans-serif";color:#222222;mso-fareast-language:EN-IE'><o:p></o:p></span></p><p class=MsoNormal style='background:white;vertical-align:middle'><span lang=EN-US style='font-size:9.0pt;font-family:"Arial","sans-serif";color:navy;mso-fareast-language:EN-IE'><a href="http://www.bulbs.ie/" target="_blank"><span style='color:blue'>www.bulbs.ie</span></a></span><span style='font-size:7.0pt;font-family:"Arial","sans-serif";color:#222222;mso-fareast-language:EN-IE'><o:p></o:p></span></p><p class=MsoNormal style='background:white;vertical-align:middle'><span lang=EN-US style='font-size:9.0pt;font-family:"Arial","sans-serif";color:navy;mso-fareast-language:EN-IE'> </span><span style='font-size:7.0pt;font-family:"Arial","sans-serif";color:#222222;mso-fareast-language:EN-IE'><o:p></o:p></span></p><p class=MsoNormal style='background:white;vertical-align:middle'><span lang=EN-US style='font-size:9.0pt;font-family:"Arial","sans-serif";color:navy;mso-fareast-language:EN-IE'>Beechill,</span><span style='font-size:7.0pt;font-family:"Arial","sans-serif";color:#222222;mso-fareast-language:EN-IE'><o:p></o:p></span></p><p class=MsoNormal style='background:white;vertical-align:middle'><span lang=EN-US style='font-size:9.0pt;font-family:"Arial","sans-serif";color:navy;mso-fareast-language:EN-IE'>Ballyduff,</span><span style='font-size:7.0pt;font-family:"Arial","sans-serif";color:#222222;mso-fareast-language:EN-IE'><o:p></o:p></span></p><p class=MsoNormal style='background:white;vertical-align:middle'><span lang=EN-US style='font-size:9.0pt;font-family:"Arial","sans-serif";color:navy;mso-fareast-language:EN-IE'>Tullamore,</span><span style='font-size:7.0pt;font-family:"Arial","sans-serif";color:#222222;mso-fareast-language:EN-IE'><o:p></o:p></span></p><p class=MsoNormal style='background:white;vertical-align:middle'><span lang=EN-US style='font-size:9.0pt;font-family:"Arial","sans-serif";color:navy;mso-fareast-language:EN-IE'>Co. Offaly,</span><span style='font-size:7.0pt;font-family:"Arial","sans-serif";color:#222222;mso-fareast-language:EN-IE'><o:p></o:p></span></p><p class=MsoNormal style='background:white;vertical-align:middle'><span lang=EN-US style='font-size:9.0pt;font-family:"Arial","sans-serif";color:navy;mso-fareast-language:EN-IE'>Ireland</span><span style='font-size:7.0pt;font-family:"Arial","sans-serif";color:#222222;mso-fareast-language:EN-IE'><o:p></o:p></span></p><p class=MsoNormal style='background:white;vertical-align:middle'><b><span lang=EN-US style='font-size:10.0pt;font-family:"Arial","sans-serif";color:navy;mso-fareast-language:EN-IE'> </span></b><span style='font-size:7.0pt;font-family:"Arial","sans-serif";color:#222222;mso-fareast-language:EN-IE'><o:p></o:p></span></p><p class=MsoNormal style='background:white;vertical-align:middle'><span lang=EN-US style='font-size:14.0pt;font-family:Webdings;color:green;mso-fareast-language:EN-IE'>P</span><span lang=EN-US style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:green;mso-fareast-language:EN-IE'> Please consider the environment before printing this email</span><span style='font-size:7.0pt;font-family:"Arial","sans-serif";color:#222222;mso-fareast-language:EN-IE'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:7.5pt;font-family:"Arial","sans-serif";color:navy;mso-fareast-language:EN-IE'><br>This email and any files transmitted with it are confidential and are intended solely for use by the addressee. Any unauthorised dissemination, distribution or copying of this message and any attachments is strictly prohibited. If you have received this email in error please notify the sender and delete the message. Any views or opinions presented in this email are solely those of the author and cannot be relied upon as being those of Beechill Bulbs Ltd. E-mail communications such as this cannot be guaranteed to be virus free, timely, secure or error free and we do not accept liability for any such matters or their consequences. </span><span lang=EN-US style='font-size:7.5pt;font-family:"Verdana","sans-serif";color:navy;mso-fareast-language:EN-IE'>Beechill Bulbs is a company registered in Ireland, registered No. 455117 with a registered and trading address at: Beechill, Ballyduff, Tullamore, Co. Offaly, Ireland.</span><span style='mso-fareast-language:EN-IE'><o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>