<div dir="ltr"><div><div>Hi, Nick<br></div>  Good news: I made it. I used transport mode and did not add a subnet configuration in ipsec.conf. Maybe I misunderstood this topology. My ONT1 NATs packets on interface ppp0, so I should think of ONT1 as a PC client. When this transport-mode tunnel is set up I add a route: route add -net 192.168.5.0/24 ppp0. As a result my PC's IP address was NATed to the ppp0 address 192.168.3.128, and the source IP of the packets captured on ONT2's ppp0 interface was also 192.168.3.128. Between ONT1 and ONT2 we only get ESP packets, so that's it: netkey with L2TP/IPsec.<br></div>  Comparing with your route and xfrm policy, I can't tell anything different from mine. Maybe I can't follow your topology. And subnet-to-subnet mode is still on my way. I will continue reading the Openswan code and try to solve it. Thank you very much again!<br></div><div class="gmail_extra"><br><div class="gmail_quote">On 24 June 2016 at 20:47, Nick Howitt <span dir="ltr"><<a href="mailto:nick@howitts.co.uk" target="_blank">nick@howitts.co.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Please can you reply on-list, although there may be some mailing problems as I received a bounce today.<br>
<br>
My setup is Libreswan, not Openswan, and the remote end is a commercial router with its proprietary solution, but Libreswan should give very similar results:<br>
<br>
   [root@server ~]# ip ro<br>
   10.8.10.2 dev tun1  proto kernel  scope link  src 10.8.10.1<br>
   10.8.0.2 dev tun2  proto kernel  scope link  src 10.8.0.1<br>
   172.17.3.2 dev tun0  proto kernel  scope link  src 172.17.3.1<br>
   10.8.0.0/24 via 10.8.0.2 dev tun2<br>
   82.19.158.0/24 dev eth0  proto kernel  scope link  src 82.19.158.192<br>
   192.168.30.0/24 via 82.19.158.1 dev eth0  src 172.17.2.1<br>
   10.8.10.0/24 via 10.8.10.2 dev tun1<br>
   172.17.2.0/24 dev eth1  proto kernel  scope link  src 172.17.2.1<br>
   172.17.3.0/24 via 172.17.3.2 dev tun0<br>
   239.0.0.0/8 dev eth1  scope link<br>
   default via 82.19.158.1 dev eth0<br>
<br>
But to a large extent the routing table is not used. My local LAN(s) are 172.17.2.0/24 and 172.17.3.0/24. Ignore 10.8.x.y (OpenVPN) and the main OpenVPN subnet 172.17.3.0/24. The remote VPN subnet is 192.168.30.0/24.<br>
<br>
Perhaps more important is the xfrm policy and state but I am not sure how to read them:<br>
<br>
   [root@server ~]# ip xfrm state<br>
   src 82.19.158.192 dst 89.242.219.76<br>
            proto esp spi 0xbe89750a reqid 16389 mode tunnel<br>
            replay-window 32 flag 20<br>
            auth hmac(sha1) 0x600ba5a84c897158ce7c74f69270e36f5ffa9254<br>
            enc cbc(aes) 0x2cfd3d7f2c7bd0b3f05d8d463362abcae8ca2fdc30d3a8a0894f8aaa5ffc32b6<br>
   src 89.242.219.76 dst 82.19.158.192<br>
            proto esp spi 0xbeaa4323 reqid 16389 mode tunnel<br>
            replay-window 32 flag 20<br>
            auth hmac(sha1) 0xcee1f9cf67e618eb1a83f74dda20bd281ed9b3e0<br>
            enc cbc(aes) 0xcb538cc2fec416f68556ea2bc68e8b6fb2a6edbb80b4dc58da9105df9ce587d0<br>
   src 82.19.158.192 dst 89.242.219.76<br>
            proto esp spi 0xbe897509 reqid 16389 mode tunnel<br>
            replay-window 32 flag 20<br>
            auth hmac(sha1) 0x0c377b013d79493149f50263b2bc1dbfc0b53063<br>
            enc cbc(aes) 0xd6ae0f08a48d904e65fab38d5ea82e9b466d3af093f5d41260d7d5aff3bb36e3<br>
   src 89.242.219.76 dst 82.19.158.192<br>
            proto esp spi 0xa1e23c36 reqid 16389 mode tunnel<br>
            replay-window 32 flag 20<br>
            auth hmac(sha1) 0xbb40c1627a4b362075d51cf9df875db92aa391c2<br>
            enc cbc(aes) 0x5fe32fb4c2a4293f0d953b51cf23ee3d81f79781678705353aa6364abf8c0887<br>
<br>
and<br>
<br>
   [root@server ~]# ip xfrm policy<br>
   src 172.17.2.0/24 dst 192.168.30.0/24<br>
            dir out priority 2344 ptype main<br>
            tmpl src 82.19.158.192 dst 89.242.219.76<br>
                    proto esp reqid 16389 mode tunnel<br>
   src 192.168.30.0/24 dst 172.17.2.0/24<br>
            dir fwd priority 2344 ptype main<br>
            tmpl src 89.242.219.76 dst 82.19.158.192<br>
                    proto esp reqid 16389 mode tunnel<br>
   src 192.168.30.0/24 dst 172.17.2.0/24<br>
            dir in priority 2344 ptype main<br>
            tmpl src 89.242.219.76 dst 82.19.158.192<br>
                    proto esp reqid 16389 mode tunnel<br>
   ........snipped to the end<br>
<br>
When you do a tcpdump you can specify the interface but it is not a tool I use.<br>
<br>
To check if the tunnel is up, look at /var/log/messages for a pluto message with something like "IPsec SA established".<br>
<br>
Then ping from the console of ONT1 to the LAN IP of ONT2. If that works, then ping the remote subnet and so on. Also check that the device you are pinging on the remote subnet is not firewalled from your local subnet. The Windows firewall often only allows access from machines on its local subnet.<br>
<br>
On 24/06/2016 11:25, xue tao wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
It's nothing to do with the VLAN tag. And an interesting thing is that the captured ICMP reply packets have the dst IP of PC1 (192.168.1.101) but the dst MAC of the ONT1 WAN interface.<br>
Can you show me your routes on equipment like ONT1 and ONT2? Now I doubt everything, nothing was confirmed :(<br>
<br>
On 24 June 2016 at 15:13, xue tao <<a href="mailto:xuetao325@gmail.com" target="_blank">xuetao325@gmail.com</a>> wrote:<br>
<br>
    hi,<br>
      Sorry for cutting the old messages. ONT1 is the gateway of 192.168.1.x and<br>
    ONT2 of 192.168.5.x. My workmates told me maybe some VLAN impacts the<br>
    network and drops the packets. I was checking it.<br>
<br>
    pc1(eth0:192.168.1.100)   <------------> (eth1:192.168.1.1)<br>
                                                     ONT1<br>
    (eth0:135.251.199.83)<br>
                   <=======VPN TUNNEL========><br>
    ONT2  (eth0:135.251.205.188)<br>
               (eth1:192.168.5.1) <----------->(eth0:192.168.5.100)pc2<br>
<br>
<br>
    On 23 June 2016 at 14:20, xue tao <<a href="mailto:xuetao325@gmail.com" target="_blank">xuetao325@gmail.com</a>> wrote:<br>
<br>
        hi,<br>
         This is my environment; when the site-to-site tunnel is up we find<br>
        ppp0 on each end. ONT2 is the VPN server.<br>
        pc1(eth0:192.168.1.100) <------------>   (eth1:192.168.1.1)<br>
             ONT1 (eth0:135.251.199.83)<br>
                      (ppp0:192.168.3.128)<br>
                       <=======VPN TUNNEL========><br>
                  (ppp0:192.168.3.1)<br>
        ONT2  (eth0:135.251.205.188)<br>
                   (eth1:192.168.5.1) <----------->(eth0:192.168.5.100)pc2<br>
<br>
        Here is ONT1's ipsec.conf:<br>
        [root@AONT: admin]# cat /etc/ipsec.conf<br>
        version    2.0    # conforms to second version of ipsec.conf specification<br>
        config setup<br>
            nat_traversal=yes<br>
            oe=off<br>
            protostack=netkey<br>
            plutostderrlog=/tmp/vpnerr.log<br>
            plutoopts="--interface=eth0"<br>
        conn L2TP-PSK<br>
            authby=secret<br>
            pfs=no<br>
            auto=add<br>
            keyingtries=3<br>
            dpddelay=30<br>
            dpdtimeout=120<br>
            dpdaction=Restart<br>
            rekey=yes<br>
            ikelifetime=8h<br>
            keylife=1h<br>
            type=tunnel<br>
            left=135.251.199.83<br>
            leftnexthop=%defaultroute<br>
            leftprotoport=17/1701<br>
            leftsubnet=192.168.1.0/24<br>
            right=135.251.205.188<br>
            rightprotoport=17/1701<br>
            rightsubnet=192.168.5.0/24<br>
<br>
        And this is ONT2's:<br>
        conn L2TP-PSK-NAT<br>
            rightsubnet=vhost:%priv<br>
            also=L2TP-PSK-noNAT<br>
<br>
        conn L2TP-PSK<br>
             authby=secret<br>
             pfs=no<br>
             keyingtries=3<br>
             dpddelay=30<br>
             dpdtimeout=120<br>
             dpdaction=clear<br>
             rekey=yes<br>
             ikelifetime=8h<br>
             keylife=8h<br>
             type=tunnel<br>
        # Replace %any below with your local IP address (private, behind NAT IP is okay as well)<br>
             left=135.251.205.188<br>
             leftsubnet=192.168.5.0/24<br>
             #leftnexthop=%defaultroute<br>
             leftid=135.251.205.188<br>
             leftprotoport=17/1701<br>
        # Replace IP address with your VPN server's IP<br>
             right=%any<br>
             rightsubnet=192.168.1.0/24<br>
             rightid=135.251.199.83<br>
             rightprotoport=17/1701<br>
             auto=add<br>
<br>
        When the tunnel is set up, I check the routes on ONT1:<br>
        [root@AONT: vtadmin]# route -n<br>
        Kernel IP routing table<br>
        Destination     Gateway         Genmask         Flags Metric Ref    Use Iface<br>
        0.0.0.0         135.251.196.1   0.0.0.0         UG    0      0        0 eth0<br>
        135.251.196.0   0.0.0.0         255.255.252.0   U     0      0        0 eth0<br>
        192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1<br>
        192.168.3.1     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0<br>
<br>
        There is no route to 192.168.5.0/24;<br>
        maybe that is the reason I can't ping from pc1 to pc2?<br>
<br>
        Another situation: when I set up an end-to-end tunnel I capture ESP<br>
        ping packets from ONT1 to ONT2, and when I set up a site-to-site tunnel<br>
        I only capture plain-text ping packets from ONT1 to ONT2. Is<br>
        this correct?<br>
<br>
<br>
<br>
        On 22 June 2016 at 23:36, Nick Howitt <<a href="mailto:nick@howitts.co.uk" target="_blank">nick@howitts.co.uk</a>> wrote:<br>
<br>
            Can you post your updated ipsec.conf?<br>
<br>
            On 2016-06-22 16:19, xuetao325 wrote:<br>
<br>
                It's nothing to do with the L2TP configuration. I also<br>
                connected subnet/subnet with netkey/PSK. I just wonder which<br>
                iptables rules will be needed apart from the ones auto-configured<br>
                by Openswan. In my opinion last month<br>
                it should work fine after modifying ipsec.conf :)<br>
<br>
                Sent from my Mi phone<br>
                On Jun 22, 2016 7:50 PM, Nick Howitt <<a href="mailto:nick@howitts.co.uk" target="_blank">nick@howitts.co.uk</a>> wrote:<br>
<br>
                    Sorry, but I was only trying to sort out the basic<br>
                    firewalling which was needed. I know nothing about L2TP<br>
                    configurations, only subnet/subnet with netkey/psk, so I<br>
                    can't take you any further.<br>
<br>
                    Nick<br>
<br>
                    On 2016-06-22 12:25, xue tao wrote:<br>
<br>
                        hi nick,<br>
                        I loaded xt_policy successfully and tried some iptables<br>
                        rules and routes below, but it does not work yet.<br>
<br>
                        step 1:<br>
                        When the VPN tunnel was set up, I changed the iptables<br>
                        "-o" from eth4 to ppp0 on ONT1:<br>
                        iptables -t nat -A POSTROUTING -o eth4 -s 192.168.1.0/24 -j MASQUERADE<br>
                        ---> iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.1.0/24 -j MASQUERADE<br>
<br>
                        This step was kept from end-to-end transport mode. In<br>
                        end-to-end mode I can ping from PC1 to ONT2 (VPN server)<br>
                        with this iptables rule change.<br>
<br>
                        step 2:<br>
                        So I added a route to the far-side subnet via ppp0:<br>
                        route add -net 192.168.5.0/24 ppp0<br>
<br>
                        Then PC1 can ping PC2, but the packets were plain text,<br>
                        not ESP packets. This time I loaded xt_policy and added<br>
                        the iptables rule:<br>
                        iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT<br>
<br>
                        The ping packets I dumped on ONT2 were still plain.<br>
                        Then I thought the route may be wrong, so:<br>
                        route del -net 192.168.5.0/24<br>
<br>
                        Oops, the ping packets get no response.<br>
<br>
                        step 3:<br>
                        Add the new iptables rule:<br>
                        iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.5.0/24 -j ACCEPT<br>
<br>
                        No response.<br>
                        After I deleted the rule with iptables -t nat -D POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT, ping still has no response.<br>
<br>
                        Am I missing some iptables rules? Or other aspects like<br>
                        the config file, the environment or the topology? From this issue<br>
                        <a href="http://serverfault.com/questions/635012/why-are-only-3-ip-xfrm-policies-needed-for-a-ipsec-tunnel" rel="noreferrer" target="_blank">http://serverfault.com/questions/635012/why-are-only-3-ip-xfrm-policies-needed-for-a-ipsec-tunnel</a><br>
                        it seems the xfrm policy is OK. I am so confused<br>
                        with subnet2subnet and don't know how to check it.<br>
<br>
                        On 21 June 2016 at 21:09, Nick Howitt <<a href="mailto:nick@howitts.co.uk" target="_blank">nick@howitts.co.uk</a>> wrote:<br>
<br>
                            Actually you can use your original iptables rule but just change<br>
                            "-j SNAT --to site-A-Public-IP" to "-j ACCEPT". I prefer the policy<br>
                            approach as you don't need to specify the subnets but either<br>
                            should work.<br>
<br>
                            On 21/06/2016 10:31, xue tao wrote:<br>
<br>
                                hi<br>
                                I have checked ./net/netfilter/xt_policy.c; there is<br>
                                no object file. So I added<br>
                                CONFIG_NETFILTER_XT_MATCH_POLICY to the kernel<br>
                                config and xt_policy.c will be built.<br>
                                Now I am compiling the image and will<br>
                                examine it later. Hope this<br>
                                module will load successfully. I will be in<br>
                                touch with you. Thanks!<br>
<br>
                                On 21 June 2016 at 16:08, Nick Howitt <<a href="mailto:nick@howitts.co.uk" target="_blank">nick@howitts.co.uk</a>> wrote:<br>
<br>
                                I'd be very surprised if the target ACCEPT did not exist but have<br>
                                no idea how to check. It should be one of the iptables default<br>
                                targets. Can you check the policy module is loaded: "lsmod | grep<br>
                                policy"? It should return something with "xt_policy" in it. If it<br>
                                does not, please do a "modprobe xt_policy" then try the iptables<br>
                                rule again.<br>
<br>
                                On 21/06/2016 08:51, xue tao wrote:<br>
<br>
                                hi nick,<br>
                                I'm very glad to see your response. I typed this<br>
                                iptables command into ONT1:<br>
                                [root@AONT: admin]# iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT<br>
                                iptables: No chain/target/match by that name.<br>
<br>
                                This may be due to a lack of several kernel<br>
                                configuration options, so I turned on some kernel<br>
                                config about IPSEC/ESP/AH and so on, but this<br>
                                prompt still exists.<br>
                                The attachment is my kernel configuration about<br>
                                netfilter.<br>
                                Please let me know if I was on the wrong<br>
                                road. Thanks very much.<br>
                                # Core Netfilter Configuration<br>
                                CONFIG_NF_CT_PROTO_ESP=y<br>
                                CONFIG_NF_CONNTRACK_IPSEC=y<br>
                                # Xtables matches<br>
                                CONFIG_NETFILTER_XT_MATCH_ESP=y<br>
                                CONFIG_NF_CONNTRACK_IPSEC=y<br>
                                # IP: Netfilter Configuration<br>
                                CONFIG_IP_NF_MATCH_AH=y<br>
                                CONFIG_NF_NAT_IPSEC=y<br>
<br>
                                In the end-to-end mode, I deployed these<br>
                                commands and it worked:<br>
                                iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.1.0/255.255.255.0 -j MASQUERADE<br>
                                iptables -t nat -D POSTROUTING -o eth4 -s 192.168.1.0/255.255.255.0 -j MASQUERADE<br>
<br>
                                So I kept these commands in site-to-site mode, and all<br>
                                my iptables commands are only these two.<br>
                                I don't know whether they impact our packets.<br>
<br>
                                Another question is:<br>
                                From the command (ip xfrm policy) I found<br>
                                that dir in/dir out/dir forward were assigned<br>
                                properly. Is this not enough for issuing<br>
                                a ping from PC1 to PC2?<br>
                                Is this command (route add -net 192.168.5.0/24<br>
                                ppp0) necessary? I think this route<br>
                                makes packet forwarding go on the L2TP<br>
                                tunnel directly instead of the VPN tunnel.<br>
<br>
                                On 20 June 2016 at 23:25, Nick Howitt <<a href="mailto:nick@howitts.co.uk" target="_blank">nick@howitts.co.uk</a>> wrote:<br>
<br>
                                I would not SNAT traffic unless specifically<br>
                                required. Try:<br>
<br>
                                iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT<br>
<br>
                                Nick<br>
<br>
                                On 20/06/2016 13:48, xue tao wrote:<br>
<br>
                                Hi,<br>
                                my network configurationis :<br>
<br>
                                private subnet <a href="http://192.168.1.0/24" rel="noreferrer" target="_blank">192.168.1.0/24</a><br>
                                <<a href="http://192.168.1.0/24" rel="noreferrer" target="_blank">http://192.168.1.0/24</a>> [1] [3]<br>
                                <<a href="http://192.168.1.0/24" rel="noreferrer" target="_blank">http://192.168.1.0/24</a> [1] [3]><br>
                                <<a href="http://192.168.1.0/24" rel="noreferrer" target="_blank">http://192.168.1.0/24</a> [1] [3]><br>
                                <<a href="http://192.168.1.0/24" rel="noreferrer" target="_blank">http://192.168.1.0/24</a> [1] [3]><br>
                                private subnet<br>
                                <a href="http://192.168.5.0/24" rel="noreferrer" target="_blank">192.168.5.0/24</a> <<a href="http://192.168.5.0/24" rel="noreferrer" target="_blank">http://192.168.5.0/24</a>><br>
                                [2] [2]<br>
                                <<a href="http://192.168.5.0/24" rel="noreferrer" target="_blank">http://192.168.5.0/24</a> [2] [2]><br>
                                <<a href="http://192.168.5.0/24" rel="noreferrer" target="_blank">http://192.168.5.0/24</a> [2] [2]><br>
                                <<a href="http://192.168.5.0/24" rel="noreferrer" target="_blank">http://192.168.5.0/24</a> [2] [2]><br>
                                PC1 ------ ONT1 <========IPSEC<br>
                                TUNNEL=========><br>
                                ONT2 ------- PC2<br>
                                <a href="tel:135.251.199.83" value="+13525119983" target="_blank">135.251.199.83</a><br>
                                <tel:<a href="tel:135.251.199.83" value="+13525119983" target="_blank">135.251.199.83</a>> [5] [4]<br>
                                <tel:<a href="tel:135.251.199.83" value="+13525119983" target="_blank">135.251.199.83</a> [5] [4]><br>
                                <tel:<a href="tel:135.251.199.83" value="+13525119983" target="_blank">135.251.199.83</a><br>
                                <tel:<a href="tel:135.251.199.83" value="+13525119983" target="_blank">135.251.199.83</a>> [5] [4]<br>
                                <tel:<a href="tel:135.251.199.83" value="+13525119983" target="_blank">135.251.199.83</a><br>
                                <tel:<a href="tel:135.251.199.83" value="+13525119983" target="_blank">135.251.199.83</a>> [5] [4]>><br>
                                135.251.205.188 [6]<br>
<br>
                                i am setting up a ipsec tunnel on ONT1<br>
                                and ONT2,<br>
                                and this<br>
                                tunnel seems had setup, on ONT1 i can saw:<br>
<br>
                                [root@AONT: admin]# ipsec --version<br>
                                Linux Openswan U2.6.38/K3.4.11-rt19<br>
                                (netkey)<br>
<br>
                                [root@AONT: admin]# ipsec setup status<br>
                                IPsec running - pluto pid: 6676<br>
                                pluto pid 6676<br>
                                1 tunnels up<br>
                                some eroutes exist<br>
<br>
                                [root@AONT: admin]# ip xfrm policy<br>
                                src 192.168.1.0/24 dst 192.168.5.0/24 proto udp sport 1701 dport 1701<br>
                                dir out priority 2344<br>
                                tmpl src 135.251.199.83 dst 135.251.205.188<br>
                                proto esp reqid 16385 mode tunnel<br>
                                src 192.168.5.0/24 dst 192.168.1.0/24 proto udp sport 1701 dport 1701<br>
                                dir fwd priority 2344<br>
                                tmpl src 135.251.205.188 dst 135.251.199.83<br>
                                proto esp reqid 16385 mode tunnel<br>
                                src 192.168.5.0/24 dst 192.168.1.0/24 proto udp sport 1701 dport 1701<br>
                                dir in priority 2344<br>
                                tmpl src 135.251.205.188 dst 135.251.199.83<br>
                                proto esp reqid 16385 mode tunnel<br>
                                src ::/0 dst ::/0<br>
                                socket out priority 0<br>
<br>
                                and here is my ipsec.conf:<br>
                                version 2.0 # conforms to second version of ipsec.conf specification<br>
                                config setup<br>
                                nat_traversal=yes<br>
                                oe=off<br>
                                protostack=netkey<br>
                                plutostderrlog=/tmp/vpnerr.log<br>
                                plutoopts="--interface=eth4"<br>
                                conn L2TP-PSK<br>
                                authby=secret<br>
                                pfs=no<br>
                                auto=add<br>
                                keyingtries=3<br>
                                dpddelay=30<br>
                                dpdtimeout=120<br>
                                dpdaction=Restart<br>
                                rekey=yes<br>
                                ikelifetime=8h<br>
                                keylife=1h<br>
                                type=tunnel<br>
                                left=135.251.199.83<br>
                                leftnexthop=%defaultroute<br>
                                leftprotoport=17/1701<br>
                                leftsubnet=192.168.1.0/24<br>
                                right=135.251.205.188<br>
                                rightprotoport=17/1701<br>
                                rightsubnet=192.168.5.0/24<br>
<br>
                                Then I cannot access 192.168.5.x, and I followed some documents from the internet, adding iptables rules like:<br>
                                iptables -t nat -A POSTROUTING -s site-A-private-subnet -d site-B-private-subnet -j SNAT --to site-A-Public-IP<br>
<br>
                                but it does not work. When I add a route from my workmates:<br>
                                route add -net 192.168.5.0/24 ppp0<br>
                                I can ping 192.168.5.x, but the tcpdump data on ONT2 was not ESP, only ICMP packets. So this is not the correct way.<br>
<br>
                                Should I add other iptables rules or routes to allow PC1 to ping PC2?<br>
                                Any assistance will be greatly appreciated!<br>
<br>
                                _______________________________________________<br>
                                <a href="mailto:Users@lists.openswan.org" target="_blank">Users@lists.openswan.org</a><br>
                                <a href="https://lists.openswan.org/mailman/listinfo/users" rel="noreferrer" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a><br>
                                Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" rel="noreferrer" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>
                                Building and Integrating Virtual Private Networks with Openswan:<br>
                                <a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" rel="noreferrer" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>
</blockquote>
</blockquote></div><br></div>
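The symptom in the quoted question (the tunnel reports as up, yet ONT2 captures bare ICMP instead of ESP) follows from the selectors in the pasted `ip xfrm policy` output: every ESP policy carries `proto udp sport 1701 dport 1701`, which is exactly what `leftprotoport=17/1701` and `rightprotoport=17/1701` produce, so only L2TP traffic between the two subnets is matched and a ping falls through to the plain route. The following Python checker is an added example, not code from the thread or from Openswan; it parses `ip xfrm policy` text and reports whether a given flow would be handed to an ESP SA. The `SAMPLE_XFRM_POLICY` text is constructed to mirror the policies the poster pasted, and `SAMPLE_SUBNET_POLICY` is an assumed rendering of the same connection without the protoport lines.

```python
"""Check which flows an IPsec SPD (as printed by `ip xfrm policy`) protects.

Added example for the thread above, not code from the poster or from Openswan.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Any, List, Optional

# Constructed sample mirroring the SPD the poster pasted: ESP in tunnel mode
# between 192.168.1.0/24 and 192.168.5.0/24, but only for UDP 1701 (L2TP),
# which is what leftprotoport=17/1701 / rightprotoport=17/1701 produce.
SAMPLE_XFRM_POLICY = """\
src 192.168.1.0/24 dst 192.168.5.0/24 proto udp sport 1701 dport 1701
    dir out priority 2344
    tmpl src 135.251.199.83 dst 135.251.205.188
        proto esp reqid 16385 mode tunnel
src 192.168.5.0/24 dst 192.168.1.0/24 proto udp sport 1701 dport 1701
    dir fwd priority 2344
    tmpl src 135.251.205.188 dst 135.251.199.83
        proto esp reqid 16385 mode tunnel
src 192.168.5.0/24 dst 192.168.1.0/24 proto udp sport 1701 dport 1701
    dir in priority 2344
    tmpl src 135.251.205.188 dst 135.251.199.83
        proto esp reqid 16385 mode tunnel
src ::/0 dst ::/0
    socket out priority 0
"""

# Assumed rendering of the same connection with the protoport lines removed
# (plain subnet-to-subnet): the selector then covers every protocol.
SAMPLE_SUBNET_POLICY = """\
src 192.168.1.0/24 dst 192.168.5.0/24
    dir out priority 2344
    tmpl src 135.251.199.83 dst 135.251.205.188
        proto esp reqid 16385 mode tunnel
"""

PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "esp": 50}

SELECTOR_RE = re.compile(
    r"^src (?P<src>\S+) dst (?P<dst>\S+)"
    r"(?: proto (?P<proto>\S+))?(?: sport (?P<sport>\d+))?(?: dport (?P<dport>\d+))?$"
)


def proto_number(name: Optional[str]) -> Optional[int]:
    """Map a protocol name or number as printed by iproute2 to its IP protocol number."""
    if name is None:
        return None
    return int(name) if name.isdigit() else PROTO_NUMBERS[name]


@dataclass
class Policy:
    src: Any                          # ipaddress network
    dst: Any
    proto: Optional[int]              # None = any protocol
    sport: Optional[int]              # None = any port
    dport: Optional[int]
    direction: str = ""               # "in", "out", "fwd" or "socket"
    priority: int = 0                 # lower value wins, as in the kernel
    tmpl_mode: Optional[str] = None   # "tunnel"/"transport" when an ESP template exists

    def matches(self, src: str, dst: str, proto: int,
                sport: Optional[int], dport: Optional[int]) -> bool:
        """True if the flow falls inside this policy's selector."""
        if ipaddress.ip_address(src) not in self.src:
            return False
        if ipaddress.ip_address(dst) not in self.dst:
            return False
        if self.proto is not None and self.proto != proto:
            return False
        if self.sport is not None and self.sport != sport:
            return False
        return self.dport is None or self.dport == dport


def parse_xfrm_policy(text: str) -> List[Policy]:
    """Parse `ip xfrm policy` output into Policy objects."""
    policies: List[Policy] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SELECTOR_RE.match(line)
        if m:
            policies.append(Policy(
                src=ipaddress.ip_network(m["src"]), dst=ipaddress.ip_network(m["dst"]),
                proto=proto_number(m["proto"]),
                sport=int(m["sport"]) if m["sport"] else None,
                dport=int(m["dport"]) if m["dport"] else None))
        elif line.startswith(("dir ", "socket ")):
            words = line.split()              # e.g. ["dir", "out", "priority", "2344"]
            policies[-1].direction = words[1] if words[0] == "dir" else "socket"
            policies[-1].priority = int(words[3])
        elif line.startswith("proto esp") and " mode " in line:
            policies[-1].tmpl_mode = line.split(" mode ")[1].strip()
        # "tmpl src ... dst ..." lines name the SA endpoints; the selector check does not need them
    return policies


def classify(policies: List[Policy], direction: str, src: str, dst: str,
             proto: str, sport: Optional[int] = None, dport: Optional[int] = None) -> str:
    """Return "esp-<mode>" if the flow hits an ESP policy, else "clear"."""
    hits = [p for p in policies
            if p.direction == direction and p.matches(src, dst, proto_number(proto), sport, dport)]
    if not hits:
        return "clear"      # no SPD entry: the packet follows the plain route, unencrypted
    best = min(hits, key=lambda p: p.priority)
    return f"esp-{best.tmpl_mode}" if best.tmpl_mode else "clear"


if __name__ == "__main__":
    spd = parse_xfrm_policy(SAMPLE_XFRM_POLICY)
    # L2TP traffic between the subnets is matched and tunnelled, but a ping from
    # PC1 to PC2 matches nothing, which is why ONT2 captured bare ICMP.
    print("L2TP udp/1701:", classify(spd, "out", "192.168.1.10", "192.168.5.10", "udp", 1701, 1701))
    print("ICMP ping    :", classify(spd, "out", "192.168.1.10", "192.168.5.10", "icmp"))
    print("ICMP, no port selector:",
          classify(parse_xfrm_policy(SAMPLE_SUBNET_POLICY), "out", "192.168.1.10", "192.168.5.10", "icmp"))
```

To run it against a live box, replace the sample text with the output of `ip xfrm policy` captured on the gateway; the point of the check is that an SA being up says nothing about which flows the SPD actually selects, so a capture on the far end showing plaintext is the expected result whenever the selector excludes the traffic being tested.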