<div dir="ltr">Because the other side of the VPN doesn't accept private addresses in the encryption domain (because they have a lot of clients, and the subnets can be the same). The SNAT does the translation; look at the tcpdump (the traffic back is to 54.x). If I cancel the POSTROUTING rule, the telnet doesn't work.<br><br><br>root@vpn:~# tcpdump -n | grep "21516"<br>tcpdump: verbose output suppressed, use -v or -vv for full protocol decode<br>listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes<br>14:08:56.840720 IP 10.0.1.217.48870 > 148.171.xxx.xxx.21516: Flags [S], seq 3658416554, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0<br>14:08:56.913926 IP 148.171.xxx.xxx.21516 > 54.86.xx.xx.48870: Flags [S.], seq 151239451, ack 3658416555, win 14600, options [mss 1320,nop,nop,sackOK,nop,wscale 7], length 0<br>14:08:56.913961 IP 148.171.xxx.xxx.21516 > 10.0.1.217.48870: Flags [S.], seq 151239451, ack 3658416555, win 14600, options [mss 1320,nop,nop,sackOK,nop,wscale 7], length 0<br>14:08:56.914734 IP 10.0.1.217.48870 > 148.171.xxx.xxx.21516: Flags [.], ack 1, win 457, length 0<br>14:08:59.146805 IP 10.0.1.217.48870 > 148.171.xxx.xxx.21516: Flags [P.], seq 1:7, ack 1, win 457, length 6<br>14:08:59.219639 IP 148.171.xxx.xxx.21516 > 54.86.xx.xx.48870: Flags [.], ack 7, win 115, length 0<br>14:08:59.219682 IP 148.171.xxx.xxx.21516 > 10.0.1.217.48870: Flags [.], ack 7, win 115, length 0<br>14:08:59.219666 IP 148.171.xxx.xxx.21516 > 54.86.xx.xx.48870: Flags [F.], seq 1, ack 7, win 115, length 0<br>14:08:59.219691 IP 148.171.xxx.xxx.21516 > 10.0.1.217.48870: Flags [F.], seq 1, ack 7, win 115, length 0<br>14:08:59.220439 IP 10.0.1.217.48870 > 148.171.xxx.xxx.21516: Flags [F.], seq 7, ack 2, win 457, length 0<br>14:08:59.293339 IP 148.171.xxx.xxx.21516 > 54.86.xx.xx.48870: Flags [.], ack 8, win 115, length 0<br>14:08:59.293380 IP 148.171.xxx.xxx.21516 > 10.0.1.217.48870: Flags [.], ack 8, win 115, length 0<br><br><br><div><div class="gmail_extra"><br><div class="gmail_quote">2014-11-17 10:42 GMT-03:00 Nick Howitt <span dir="ltr">&lt;<a href="mailto:nick@howitts.co.uk" target="_blank">nick@howitts.co.uk</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Curious. Is there a reason why you don't just go from and to private subnets rather than NATting to public IPs? Correct me if I'm wrong, but I did not think SNAT would give you a 1:1 map or reproducible map from private to public IP.<br>
<br>
Nick<br>
<br>
On 2014-11-17 13:25, Alejandro Perretta wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Thanks, the problem was the POSTROUTING: I must do source NAT on the source with<br>
<br>
-A POSTROUTING -d 148.171xxx.xx/32 -j SNAT --to-source 54.86.xxx.xxx<br>
so the 10.x will be translated to 54.86<br>
<br>
2014-11-17 10:22 GMT-03:00 Nick Howitt &lt;<a href="mailto:nick@howitts.co.uk">nick@howitts.co.uk</a>&gt;:<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Alejandro,<br>
<br>
Routing is set up through the use of left/rightsubnet(s) and not<br>
iptables or "ip route"<br>
<br>
You will need to have the subnet on which 10.0.0.1.37 is located as<br>
one of your left/rightsubnets. Don't subnets have to be between {<br>
and }, not ""?<br>
<br>
Nick<br>
<br>
On 2014-11-17 12:57, Alejandro Perretta wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Hi, I have this ipsec.conf<br>
<br>
conn test1<br>
left=10.0.1.196<br>
# esp=aes256-sha1!<br>
phase2alg=aes128<br>
leftid=54.86.xxx.xx<br>
leftsourceip=54.86.34.213<br>
leftsubnets="54.86.34.xxx/32 54.86.xx.54/32"<br>
right=12.10.219.57<br>
rightsubnets="148.171.xxx.0/22 148.171.xxx.0/22"<br>
authby=secret<br>
ike=aes-128<br>
ikelifetime=86400s<br>
pfs=yes<br>
auto=start<br>
<br>
The telnet from the VPN server to test one host on 148.171.221.92 works fine, but if I send a telnet from 10.0.0.1.37 (one host on my private network) it can't connect to the service.<br>
<br>
My iptables<br>
<br>
filter<br>
:INPUT ACCEPT [362601:2929633039]<br>
:FORWARD ACCEPT [0:0]<br>
:OUTPUT ACCEPT [311889:27000502]<br>
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT<br>
-A FORWARD -s 10.6.0.0/24 -j ACCEPT<br>
-A FORWARD -s 10.128.88.0/24 -j ACCEPT<br>
-A FORWARD -s 148.xxx.xxx.xxx -j ACCEPT<br>
-A FORWARD -s 54.86.xxx.xxx -j ACCEPT<br>
-A FORWARD -s 10.0.1.0/24 -j ACCEPT<br>
-A FORWARD -j REJECT --reject-with icmp-port-unreachable<br>
COMMIT<br>
# Completed on Fri Nov 14 21:43:05 2014<br>
# Generated by iptables-save v1.4.21 on Fri Nov 14 21:43:05 2014<br>
*nat<br>
:PREROUTING ACCEPT [4:642]<br>
:INPUT ACCEPT [0:0]<br>
:OUTPUT ACCEPT [11:765]<br>
:POSTROUTING ACCEPT [11:765]<br>
#-A PREROUTING -d 54.86.xxx.xxx/32 -j DNAT --to-destination 10.0.1.217<br>
#-A POSTROUTING -s 10.0.1.217 -j MASQUERADE<br>
<br>
COMMIT<br>
# Completed on Fri Nov 14 21:43:05 2014<br>
<br>
--<br>
<br>
Alejandro Perretta<br>
Geopagos<br>
<br>
<br>
_______________________________________________<br>
<a href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a><br>
<a href="https://lists.openswan.org/mailman/listinfo/users">https://lists.openswan.org/mailman/listinfo/users</a><br>
Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>
Building and Integrating Virtual Private Networks with Openswan:<br>
<a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>
</blockquote></blockquote>
<br>
--<br>
<br>
Alejandro Perretta<br>
Geopagos<br>
<br>
<br>
</blockquote>
</blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr"><div>Alejandro Perretta<br></div>Geopagos<br></div></div>
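Added example, not code from the thread or from Openswan: a small checker for the pattern visible in the capture above, where every reply first appears addressed to the SNAT public address and then again addressed to the private host. It pairs the two copies by peer, port, flags, seq, ack and length, so a reply that was never translated back to 10.0.1.217 shows up. The sample capture is constructed from the lines quoted above (addresses redacted as in the post), with one FIN deliberately left without its private-side twin.

```python
import re
# Constructed sample in the shape of the tcpdump output quoted in the thread
# (addresses redacted as in the post); the final FIN is deliberately left
# without an un-NATted twin so the check has something to report.
CAPTURE = """\
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:08:56.840720 IP 10.0.1.217.48870 > 148.171.xxx.xxx.21516: Flags [S], seq 3658416554, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
14:08:56.913926 IP 148.171.xxx.xxx.21516 > 54.86.xx.xx.48870: Flags [S.], seq 151239451, ack 3658416555, win 14600, options [mss 1320,nop,nop,sackOK,nop,wscale 7], length 0
14:08:56.913961 IP 148.171.xxx.xxx.21516 > 10.0.1.217.48870: Flags [S.], seq 151239451, ack 3658416555, win 14600, options [mss 1320,nop,nop,sackOK,nop,wscale 7], length 0
14:08:59.146805 IP 10.0.1.217.48870 > 148.171.xxx.xxx.21516: Flags [P.], seq 1:7, ack 1, win 457, length 6
14:08:59.219639 IP 148.171.xxx.xxx.21516 > 54.86.xx.xx.48870: Flags [.], ack 7, win 115, length 0
14:08:59.219682 IP 148.171.xxx.xxx.21516 > 10.0.1.217.48870: Flags [.], ack 7, win 115, length 0
14:08:59.219666 IP 148.171.xxx.xxx.21516 > 54.86.xx.xx.48870: Flags [F.], seq 1, ack 7, win 115, length 0
"""
PACKET_RE = re.compile(r"^(\S+) IP (\S+) > (\S+): Flags \[([^\]]*)\],(.*)$")

def parse_line(line):
    """Parse one tcpdump TCP summary line; return None for non-packet lines."""
    m = PACKET_RE.match(line)
    if not m:
        return None
    ts, src, dst, flags, rest = m.groups()
    src_ip, src_port = src.rsplit(".", 1)  # the port is the last dotted field
    dst_ip, dst_port = dst.rsplit(".", 1)
    def field(name):  # pulls "seq 1:7", "ack 7", "length 0" out of the tail
        f = re.search(rf"\b{name} ([^,]+)", rest)
        return f.group(1).strip() if f else None
    return {"ts": ts, "src": (src_ip, int(src_port)), "dst": (dst_ip, int(dst_port)),
            "flags": flags, "seq": field("seq"), "ack": field("ack"), "length": field("length")}

def conn_key(p):
    """Identity of a packet independent of which local address it was sent to."""
    return (p["src"], p["dst"][1], p["flags"], p["seq"], p["ack"], p["length"])

def check_reverse_nat(capture, public_ip, private_ip):
    """Pair every reply addressed to the SNAT public address with its copy addressed
    to the private host. Returns (matched, unmatched) lists of public-side packets."""
    pkts = [p for p in map(parse_line, capture.splitlines()) if p]
    private_side = {conn_key(p) for p in pkts if p["dst"][0] == private_ip}
    matched, unmatched = [], []
    for p in pkts:
        if p["dst"][0] == public_ip:
            (matched if conn_key(p) in private_side else unmatched).append(p)
    return matched, unmatched

if __name__ == "__main__":
    ok, missing = check_reverse_nat(CAPTURE, "54.86.xx.xx", "10.0.1.217")
    print(f"{len(ok)} replies un-NATted to the private host, {len(missing)} not:", missing)
```

Run it against a real `tcpdump -n` capture on the VPN box with the same two addresses; a non-empty unmatched list is the sign that the POSTROUTING SNAT (or its conntrack state) is not translating replies back.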
</div></div></div>