<div dir="ltr">hi nick,<br> As you mentioned, I added leftsourceip=localprivateip and captured data on ONT1's WAN interface:<br><br>08:49:40.752859 IP 135.251.199.83 > 135.251.205.188: ESP(spi=0x9562ea8a,seq=0x18), length 100<br>08:49:40.754909 IP 135.251.205.188 > 135.251.199.83: ESP(spi=0x14d1c2dd,seq=0x18), length 100<br>08:49:40.755230 IP 192.168.5.100 > 192.168.1.101: ICMP echo reply, id 1, seq 408, length 40<br> <br> I issued a ping from 192.168.1.101 to 192.168.5.100 and saw an ICMP echo reply. <br> It's closer to achievement. The last step is to forward this echo reply to my PC1. <br> Should an iptables rule be able to do this? Or does ONT1 lack the function?<br> I am very much looking forward to your response! Thank you very much again!<br></div><div class="gmail_extra"><br><div class="gmail_quote">On 23 June 2016 at 15:07, Nick Howitt <span dir="ltr"><<a href="mailto:nick@howitts.co.uk" target="_blank">nick@howitts.co.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Replying to the list as well - please can you.<span class=""><br>
<br>
That is by and large an l2tp set-up. If you don't want an l2tp set-up, remove the protoport. I'd also remove left/rightid. Is right 135.251.199.83 or dynamic? If it is 135.251.199.83 don't use %any, use the IP. If it is dynamic, make sure you have %any in ipsec.secrets.<br>
<br>
To allow server-server comms you need to specify left/rightsourceip in the local conn (so leftsourceip on the left machine); specifying the remote's source IP is OK to give you a portable conn but otherwise achieves nothing.<br>
<br>
On 23/06/2016 07:20, xue tao wrote:<br>
</span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5">
hi,<br>
This is my environment. When the site-to-site tunnel is up we find ppp0 on each end. ONT2 is the VPN server.<br>
<pre>pc1(eth0:192.168.1.100) <------------> (eth1:192.168.1.1)
                                       ONT1 (eth0:135.251.199.83)
                                            (ppp0:192.168.3.128)
                                       <=======VPN TUNNEL========>
                                            (ppp0:192.168.3.1)
                                       ONT2 (eth0:135.251.205.188)
                                            (eth1:192.168.5.1) <-----------> (eth0:192.168.5.100)pc2
</pre>
<br>
Here is ONT1's ipsec.conf:<br>
<pre>[root@AONT: admin]# cat /etc/ipsec.conf
version 2.0 # conforms to second version of ipsec.conf specification
config setup
    nat_traversal=yes
    oe=off
    protostack=netkey
    plutostderrlog=/tmp/vpnerr.log
    plutoopts="--interface=eth0"
conn L2TP-PSK
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=Restart
    rekey=yes
    ikelifetime=8h
    keylife=1h
    type=tunnel
    left=135.251.199.83
    leftnexthop=%defaultroute
    leftprotoport=17/1701
    leftsubnet=192.168.1.0/24
    right=135.251.205.188
    rightprotoport=17/1701
    rightsubnet=192.168.5.0/24
</pre></div></div><span class="">
<br>
And this is ONT2's:<br>
<pre>conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK
    authby=secret
    pfs=no
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=yes
    ikelifetime=8h
    keylife=8h
    type=tunnel
    # Replace %any below with your local IP address (private, behind NAT IP is okay as well)
    left=135.251.205.188
    leftsubnet=192.168.5.0/24
    #leftnexthop=%defaultroute
    leftid=135.251.205.188
    leftprotoport=17/1701
    # Replace IP address with your VPN server's IP
    right=%any
    rightsubnet=192.168.1.0/24
    rightid=135.251.199.83
    rightprotoport=17/1701
    auto=add
</pre>
<br>
When the tunnel is set up, I check the routes on ONT1:<br></span>
<pre>[root@AONT: vtadmin]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         135.251.196.1   0.0.0.0         UG    0      0        0 eth0
135.251.196.0   0.0.0.0         255.255.252.0   U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.3.1     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
</pre><span class="">
There is no route to 192.168.5.0/24; maybe that is the reason I can't ping from PC1 to PC2?<br>
<br>
Another situation is: when I set up the end-to-end tunnel I capture ESP ping packets from ONT1 to ONT2, and when I set up the site-to-site tunnel I only capture plain-text ping packets from ONT1 to ONT2. Is this correct?<br>
<br>
<br>
<br></span><span class="">
On 22 June 2016 at 23:36, Nick Howitt <<a href="mailto:nick@howitts.co.uk" target="_blank">nick@howitts.co.uk</a>> wrote:<br>
<br>
Can you post your updated ipsec.conf?<br>
<br>
On 2016-06-22 16:19, xuetao325 wrote:<br>
<br>
It's nonsense about the L2TP configuration. I was also connecting subnet/subnet with netkey/PSK. I just wonder which iptables rules will be needed except the ones auto-configured by Openswan. In my opinion last month it should work fine after modifying ipsec.conf :)<br>
<br>
Sent from my Mi phone<br>
On Jun 22, 2016 7:50 PM, Nick Howitt <<a href="mailto:nick@howitts.co.uk" target="_blank">nick@howitts.co.uk</a>> wrote:<br></span><span class="">
<br>
Sorry, but I was only trying to sort out the basic firewalling which was needed. I know nothing about L2TP configurations, only subnet/subnet with netkey/PSK, so I can't take you any further.<br>
<br>
Nick<br>
<br>
On 2016-06-22 12:25, xue tao wrote:<br>
<br>
hi nick,<br>
I loaded xt_policy successfully and tried some iptables and route commands below; it does not work yet.<br>
<br>
Step 1:<br>
When the VPN tunnel was set up, I changed the "-o" in the iptables rule on ONT1 from eth4 to ppp0:<br></span>
<pre>iptables -t nat -A POSTROUTING -o eth4 -s 192.168.1.0/24 -j MASQUERADE
---> iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.1.0/24 -j MASQUERADE
</pre>
This step was kept from end-to-end transport mode. In end-to-end mode I can ping from PC1 to ONT2 (the VPN server) with this iptables rule change.<br>
<br>
Step 2:<br>
So I added the far-side subnet via a ppp0 route:<br>
<pre>route add -net 192.168.5.0/24 ppp0
</pre>
Then PC1 can ping PC2, but the packets were plain text, not ESP packets. This time I loaded xt_policy and added the iptables rule:<br>
<pre>iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
</pre>
The ping packets I dump on ONT2 are still plain. Then I thought the route might be wrong, so:<br>
<pre>route del -net 192.168.5.0/24
</pre>
Oops, the ping packets get no response.<br>
<br>
Step 3:<br>
Add the new iptables rule:<br>
<pre>iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.5.0/24 -j ACCEPT
</pre>
No response.<br>
After I delete it with "iptables -t nat -D POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT", ping still has no response.<br>
<br>
Am I missing some iptables rules? Or other aspects like the config file, the environment or the topology? From this issue<br>
<a href="http://serverfault.com/questions/635012/why-are-only-3-ip-xfrm-policies-needed-for-a-ipsec-tunnel" rel="noreferrer" target="_blank">http://serverfault.com/questions/635012/why-are-only-3-ip-xfrm-policies-needed-for-a-ipsec-tunnel</a><br>
it seems the xfrm policy is OK. I am so confused with subnet2subnet and don't know how to check it.<br><span class="">
<br>
On 21 June 2016 at 21:09, Nick Howitt <<a href="mailto:nick@howitts.co.uk" target="_blank">nick@howitts.co.uk</a>> wrote:<br></span><span class="">
<br>
Actually you can use your original iptables rule but just change "-j SNAT --to site-A-Public-IP" to "-j ACCEPT". I prefer the policy approach as you don't need to specify the subnets, but either should work.<br>
<br>
On 21/06/2016 10:31, xue tao wrote:<br>
<br>
hi<br>
I have checked ./net/netfilter/xt_policy.c; there is no object file. So I added CONFIG_NETFILTER_XT_MATCH_POLICY to the kernel config and xt_policy.c will be built. Now I am compiling the image and will examine it later. Hope this module will load successfully. I will be in touch with you. Thanks!<br>
<br>
On 21 June 2016 at 16:08, Nick Howitt <<a href="mailto:nick@howitts.co.uk" target="_blank">nick@howitts.co.uk</a>> wrote:<br>
<br></span><div><div class="h5">
I'd be very surprised if the target ACCEPT did not exist but have no idea how to check. It should be one of the iptables default targets. Can you check the policy module is loaded: "lsmod | grep policy"? It should return something with "xt_policy" in it. If it does not, please do a "modprobe xt_policy" then try the iptables rule again.<br>
<br>
On 21/06/2016 08:51, xue tao wrote:<br>
<br>
hi nick,<br>
I'm very glad to see your response. I typed this iptables command into ONT1:<br>
<pre>[root@AONT: admin]# iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
iptables: No chain/target/match by that name.
</pre>
This may be a lack of several kernel configuration options, so I turned on some kernel config about IPSEC/ESP/AH and so on, but this prompt still exists.<br>
The attachment is my kernel configuration about netfilter. Please let me know if I was on the wrong road. Thanks very much.<br>
<pre># Core Netfilter Configuration
CONFIG_NF_CT_PROTO_ESP=y
CONFIG_NF_CONNTRACK_IPSEC=y
# Xtables matches
CONFIG_NETFILTER_XT_MATCH_ESP=y
CONFIG_NF_CONNTRACK_IPSEC=y
# IP: Netfilter Configuration
CONFIG_IP_NF_MATCH_AH=y
CONFIG_NF_NAT_IPSEC=y
</pre>
In the end-to-end mode, I deployed these commands and it works:<br></div></div><span class="">
<pre>iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.1.0/255.255.255.0 -j MASQUERADE
iptables -t nat -D POSTROUTING -o eth4 -s 192.168.1.0/255.255.255.0 -j MASQUERADE
</pre>
<br>
So I kept these commands in site-to-site mode, and all my iptables commands are only these two. I don't know whether they impact our packets.<br>
<br>
Another question is:<br>
From the command (ip xfrm policy) I found that dir in / dir out / dir forward were assigned properly. Is this not enough for issuing a ping from PC1 to PC2?<br>
Is this command (route add -net 192.168.5.0/24 ppp0) necessary? I think this route makes packets forward on the L2TP tunnel directly instead of the VPN tunnel.<br></span><span class="">
<br>
On 20 June 2016 at 23:25, Nick Howitt <<a href="mailto:nick@howitts.co.uk" target="_blank">nick@howitts.co.uk</a>> wrote:<br>
<br>
I would not SNAT traffic unless specifically required. Try:<br>
<br>
<pre>iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
</pre>
<br>
Nick<br>
<br>
On 20/06/2016 13:48, xue tao wrote:<br>
<br>
Hi,<br>
my network configuration is:<br>
<br></span>
<pre>private subnet 192.168.1.0/24                           private subnet 192.168.5.0/24
PC1 ------ ONT1 <========IPSEC TUNNEL=========> ONT2 ------- PC2
           135.251.199.83                       135.251.205.188
</pre><span class="">
<br>
I am setting up an IPsec tunnel on ONT1 and ONT2, and this tunnel seems to have been set up; on ONT1 I can see:<br>
<br></span>
<pre>[root@AONT: admin]# ipsec --version
Linux Openswan U2.6.38/K3.4.11-rt19 (netkey)

[root@AONT: admin]# ipsec setup status
IPsec running - pluto pid: 6676
pluto pid 6676
1 tunnels up
some eroutes exist

[root@AONT: admin]# ip xfrm policy
src 192.168.1.0/24 dst 192.168.5.0/24 proto udp sport 1701 dport 1701
        dir out priority 2344
        tmpl src 135.251.199.83 dst 135.251.205.188
                proto esp reqid 16385 mode tunnel
src 192.168.5.0/24 dst 192.168.1.0/24 proto udp sport 1701 dport 1701
        dir fwd priority 2344
        tmpl src 135.251.205.188 dst 135.251.199.83
                proto esp reqid 16385 mode tunnel
src 192.168.5.0/24 dst 192.168.1.0/24 proto udp sport 1701 dport 1701
        dir in priority 2344
        tmpl src 135.251.205.188 dst 135.251.199.83
                proto esp reqid 16385 mode tunnel
src ::/0 dst ::/0
        socket out priority 0
</pre><div><div class="h5">
And here is my ipsec.conf:<br>
<pre>version 2.0 # conforms to second version of ipsec.conf specification
config setup
    nat_traversal=yes
    oe=off
    protostack=netkey
    plutostderrlog=/tmp/vpnerr.log
    plutoopts="--interface=eth4"
conn L2TP-PSK
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=Restart
    rekey=yes
    ikelifetime=8h
    keylife=1h
    type=tunnel
    left=135.251.199.83
    leftnexthop=%defaultroute
    leftprotoport=17/1701
    leftsubnet=192.168.1.0/24
    right=135.251.205.188
    rightprotoport=17/1701
    rightsubnet=192.168.5.0/24
</pre></div></div><span class="">
<br>
Then I cannot access 192.168.5.x, and I followed some documents from the internet adding iptables rules like:<br></span>
<pre>iptables -t nat -A POSTROUTING -s site-A-private-subnet -d site-B-private-subnet -j SNAT --to site-A-Public-IP
</pre>
but it does not work. When I add the route from my workmates:<br>
<pre>route add -net 192.168.5.0/24 ppp0
</pre><div><div class="h5">
I can ping 192.168.5.x, but the tcpdump data on ONT2 was not ESP, only ICMP packets. So this is not the correct way.<br>
<br>
Should I add other iptables rules or routes to allow PC1 to ping PC2?<br>
Any assistance will be greatly appreciated!<br>
<br>
<br>
_______________________________________________<br>
<a href="mailto:Users@lists.openswan.org" target="_blank">Users@lists.openswan.org</a><br>
<a href="https://lists.openswan.org/mailman/listinfo/users" rel="noreferrer" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a><br>
Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" rel="noreferrer" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>
Building and Integrating Virtual Private Networks with Openswan: <a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" rel="noreferrer" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>
<br>
</div></div>
<span class=""><br>
</span></blockquote>
<br>
</blockquote></div><br></div>
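The thread's symptom (PC1's ping reaches ONT2 as plain ICMP, never as ESP) comes down to two things the messages above show but never put side by side: the xfrm selectors Openswan installed from this conn carry "proto udp sport 1701 dport 1701", so ICMP between the two LANs is outside them no matter what iptables does, and once the protoport lines are removed the MASQUERADE rule rewrites the source to 135.251.199.83 before the selector is applied, so the packet again falls outside src 192.168.1.0/24 unless it is exempted from NAT first (Nick's "-m policy --dir out --pol ipsec -j ACCEPT", or the "-s/-d ... -j ACCEPT" variant). The Python below is an added example, not code from the thread or from Openswan; it is a deliberately simplified model in which Packet, XfrmPolicy, the chain representation and run_postrouting are this example's own names, the output interface (-o eth4 / -o ppp0) is not modelled, and the addresses are the thread's.

```python
"""Model of why the PC1 -> PC2 ping leaves ONT1 in clear text.

Added example, not code from the thread or from Openswan. Packet, XfrmPolicy
and the chain representation are this example's own simplification; the
output interface (-o eth4 / -o ppp0) is deliberately not modelled.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PUBLIC_ONT1 = "135.251.199.83"   # WAN addresses from the thread's topology
PUBLIC_ONT2 = "135.251.205.188"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str               # "icmp", "udp" or "tcp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class XfrmPolicy:
    """Selector of one `dir out` entry of `ip xfrm policy`; None / 0 mean any."""
    src: str
    dst: str
    proto: Optional[str] = None
    sport: int = 0
    dport: int = 0

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in (None, pkt.proto)
                and self.sport in (0, pkt.sport)
                and self.dport in (0, pkt.dport))


def xfrm_lookup(policies: List[XfrmPolicy], pkt: Packet) -> Optional[XfrmPolicy]:
    """First matching selector wins (all entries in the thread share a priority)."""
    return next((p for p in policies if p.matches(pkt)), None)


def policy_ipsec(pkt: Packet, hit: Optional[XfrmPolicy]) -> bool:
    """-m policy --dir out --pol ipsec: true when an output policy applies."""
    return hit is not None


def subnets(src: str, dst: str = "0.0.0.0/0"):
    """-s <src> [-d <dst>]"""
    s, d = ip_network(src), ip_network(dst)
    return lambda pkt, _hit: ip_address(pkt.src) in s and ip_address(pkt.dst) in d


def run_postrouting(rules, policies: List[XfrmPolicy], pkt: Packet) -> Tuple[Packet, str]:
    """Walk nat POSTROUTING; return the packet as it leaves and 'esp' or 'plaintext'.

    The policy lookup happens on the packet as routed, before NAT, and that is
    what -m policy sees. MASQUERADE rewrites the source to the WAN address and
    the selector is re-evaluated on the rewritten packet, so a source outside
    leftsubnet no longer matches and the packet goes out unprotected.
    """
    hit = xfrm_lookup(policies, pkt)
    for match, target in rules:
        if not match(pkt, hit):
            continue
        if target == "MASQUERADE":
            pkt = replace(pkt, src=PUBLIC_ONT1)
            hit = xfrm_lookup(policies, pkt)
        break                      # ACCEPT and MASQUERADE both end the chain
    return pkt, ("esp" if hit else "plaintext")


# Constructed inputs mirroring the thread's addresses.
PING = Packet("192.168.1.100", "192.168.5.100", "icmp")
L2TP = Packet("192.168.1.100", "192.168.5.100", "udp", 1701, 1701)
# Selector as posted (leftprotoport=17/1701): only UDP 1701 is protected.
L2TP_POLICY = [XfrmPolicy("192.168.1.0/24", "192.168.5.0/24", "udp", 1701, 1701)]
# Selector with the protoport lines removed: whole subnet to whole subnet.
SUBNET_POLICY = [XfrmPolicy("192.168.1.0/24", "192.168.5.0/24")]
# nat POSTROUTING variants from the thread, in rule order.
MASQ_ONLY = [(subnets("192.168.1.0/24"), "MASQUERADE")]
EXEMPT_BY_POLICY = [(policy_ipsec, "ACCEPT")] + MASQ_ONLY
EXEMPT_BY_SUBNET = [(subnets("192.168.1.0/24", "192.168.5.0/24"), "ACCEPT")] + MASQ_ONLY


def outcome(rules, policies: List[XfrmPolicy], pkt: Packet = PING) -> str:
    return run_postrouting(rules, policies, pkt)[1]


if __name__ == "__main__":
    for name, rules in (("masquerade only", MASQ_ONLY),
                        ("policy exemption", EXEMPT_BY_POLICY),
                        ("subnet exemption", EXEMPT_BY_SUBNET)):
        print(f"{name:17} udp/1701 selector: {outcome(rules, L2TP_POLICY):9}"
              f" subnet selector: {outcome(rules, SUBNET_POLICY)}")
```

Running it shows the two halves of the problem separately: with the posted udp/1701 selector every rule set yields "plaintext" for the ping, while with the subnet selector only the two rule sets that exempt the traffic before MASQUERADE yield "esp". The practical check on a real box is the same pair of commands the thread already uses: compare the selector line of `ip xfrm policy` against the protocol you are sending, and keep the exemption rule ahead of the MASQUERADE rule in `iptables -t nat -L POSTROUTING -n -v`.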