[Openswan Users] Ping / route / iptables

Stefan Leippert LeippertS at gmx.de
Fri Dec 31 13:48:51 CET 2004


Hello all !

Client:
LAN-IP 192.168.1.2/24
Using an ADSL router, IP 1.1
Using Openswan 2.2 Kernel 2.6 (native IPSEC)

Connection via Internet to my IPSEC-Gateway (Redwall Firewall, 2 LAN-cards,
one to LAN, one to ADSL-Modem, IPTables) with Openswan 2.1.4 (Kernel 2.4)
LAN IP of the Gateway: 192.168.0.30/24, is also Gateway (NAT) for the
192.168.0.0/24-LAN. 

Connection works, IPSEC-SA established with NAT-T. 

Problem: The server can ping the client with its LAN IP, but not the
other way round. The client cannot ping the server with the LAN IP. The client has
no firewall on its localhost.

When I look into the route table on the server localhost, there is the LAN of
the client with interface ipsec0. This should be OK.
But there is no entry in the client-side route table.

I suppose there is an iptables problem on my side, but I think the missing
entry in the route table is also not OK. Below are my iptables config and the
ipsec.conf files for client and server. We are using PSKs and
dyndns addresses.

This connection only worked when I entered a leftnexthop (gateway of my
provider) in the server config. In the client config there is no right- or
leftnexthop. That could also be the problem.

Thank you for your help !
Happy New Year 2005 !
Stefan




Server-Config:
version 2

config setup
        #interfaces="ipsec0=eth0" 
        nat_traversal=yes

conn %default
        authby=secret
        keyingtries=0

conn vm
        left=fischlein.dyndns.org
        leftnexthop=213.20.223.153
        right=%any
        rightsubnet=192.168.1.0/24
        auto=add
----------------------------------------------------------------------------
Client-Config:
version 2

config setup
        #interfaces="ipsec0=eth0" 
        nat_traversal=yes

conn %default
        authby=secret
        keyingtries=0

conn vm
        left=fischlein.dyndns.org
        right=%defaultroute
        rightsubnet=192.168.1.0/24
        auto=start
----------------------------------------------------------------------------
IPTABLES-Script on server-side
#IPSEC ISAKMP and NAT-T
$IPTABLES -A INPUT -p udp --dport 500 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --sport 500 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 4500 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --sport 4500 -j ACCEPT
#IPSEC ESP
$IPTABLES -A INPUT -p 50 -j ACCEPT
$IPTABLES -A OUTPUT -p 50 -j ACCEPT

#IPSEC-Interface
$IPTABLES -A INPUT -i ipsec0 -p esp -j ACCEPT
$IPTABLES -A OUTPUT -o ipsec0 -p esp -j ACCEPT

$IPTABLES -A INPUT -i ipsec0 -p udp -j ACCEPT
$IPTABLES -A OUTPUT -o ipsec0 -p udp -j ACCEPT
$IPTABLES -A INPUT -i ipsec0 -p tcp -j ACCEPT
$IPTABLES -A OUTPUT -o ipsec0 -p tcp -j ACCEPT

$IPTABLES -A INPUT -i ipsec0 -p icmp -j ACCEPT
$IPTABLES -A OUTPUT -o ipsec0 -p icmp -j ACCEPT

# forwarding from ipsec0 to eth0 and back
$IPTABLES -A FORWARD -i $IPSEC -o $LAN_INTERFACE -j ACCEPT
$IPTABLES -A FORWARD -o $IPSEC -i $LAN_INTERFACE -j ACCEPT

#$IPTABLES -A INPUT  -p ICMP -i $IPSEC -j ACCEPT
#$IPTABLES -A OUTPUT -p ICMP -o $IPSEC -j ACCEPT
# allow everything in that came through the tunnel
$IPTABLES -A INPUT -i ipsec0 -j ACCEPT
$IPTABLES -A OUTPUT -o ipsec0 -j ACCEPT
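An added audit script (my own example, not from the poster or from Openswan) that parses a `$IPTABLES -A ...` script and reports exact duplicate rules and protocols accepted in one chain but not mirrored in the other, the usual symptoms of a copy-paste slip such as an OUTPUT rule for tcp being typed as udp. The input below is a constructed copy of the per-protocol ipsec0 rules, with that slip included, so the audit has something to find.

```python
import re

# Constructed sample: the per-protocol ipsec0 rules from the script above,
# with the OUTPUT/tcp line typed as udp (the copy-paste slip being audited).
SCRIPT = """
$IPTABLES -A INPUT -i ipsec0 -p esp -j ACCEPT
$IPTABLES -A OUTPUT -o ipsec0 -p esp -j ACCEPT
$IPTABLES -A INPUT -i ipsec0 -p udp -j ACCEPT
$IPTABLES -A OUTPUT -o ipsec0 -p udp -j ACCEPT
$IPTABLES -A INPUT -i ipsec0 -p tcp -j ACCEPT
$IPTABLES -A OUTPUT -o ipsec0 -p udp -j ACCEPT
$IPTABLES -A INPUT -i ipsec0 -p icmp -j ACCEPT
$IPTABLES -A OUTPUT -o ipsec0 -p icmp -j ACCEPT
"""

RULE = re.compile(r'-A\s+(INPUT|OUTPUT)\s+(.*?)\s+-j\s+(\w+)')


def parse_rules(text):
    """Return (chain, iface, proto, target) tuples; iface/proto may be None."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue                      # skip blanks and comments
        m = RULE.search(line)
        if not m:
            continue                      # not an append rule, ignore
        chain, opts, target = m.groups()
        iface = re.search(r'-[io]\s+(\S+)', opts)
        proto = re.search(r'-p\s+(\S+)', opts)
        rules.append((chain, iface.group(1) if iface else None,
                      proto.group(1).lower() if proto else None, target))
    return rules


def audit(text, iface='ipsec0'):
    """List duplicate rules and per-protocol ACCEPTs on iface that have no
    counterpart in the other chain (INPUT vs OUTPUT)."""
    rules = parse_rules(text)
    findings = []
    counts = {}
    for r in rules:
        counts[r] = counts.get(r, 0) + 1
    for (chain, _, proto, _), n in counts.items():
        if n > 1:
            findings.append(f'duplicate rule: {chain} -p {proto} x{n}')
    accepted = {(c, p) for c, i, p, t in rules
                if i == iface and t == 'ACCEPT' and p}
    for chain, proto in sorted(accepted):
        other = 'OUTPUT' if chain == 'INPUT' else 'INPUT'
        if (other, proto) not in accepted:
            findings.append(f'{chain} accepts {proto} on {iface} '
                            f'but {other} has no matching rule')
    return findings
```

Note that the catch-all `-i ipsec0 -j ACCEPT` / `-o ipsec0 -j ACCEPT` rules at the end of the script make the per-protocol rules redundant, so the slip does not block traffic; it is still worth catching before the catch-alls are ever tightened.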


